* [PATCH 6.6 000/508] 6.6.141-rc1 review
@ 2026-05-20 16:17 Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 001/508] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
` (509 more replies)
0 siblings, 510 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.6.141 release.
There are 508 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 22 May 2026 16:20:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.141-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.6.141-rc1
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: fix potential data-race
Johan Hovold <johan@kernel.org>
spi: sifive: fix controller deregistration
Pei Xiao <xiaopei01@kylinos.cn>
spi: sifive: Simplify clock handling with devm_clk_get_enabled()
Guoniu Zhou <guoniu.zhou@nxp.com>
media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0
Johan Hovold <johan@kernel.org>
spi: st-ssc4: fix controller deregistration
Yang Yingliang <yangyingliang@huawei.com>
spi: st-ssc4: switch to use modern name
Shota Zaizen <s@zaizen.me>
ksmbd: validate inherited ACE SID length
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
Chao Yu <chao@kernel.org>
f2fs: fix false alarm of lockdep on cp_global_sem lock
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: fix incorrect file address mapping when inline inode is unwritten
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: prio: skip closed subflows
Paolo Abeni <pabeni@redhat.com>
mptcp: fix rx timestamp corruption on fastopen
Paolo Abeni <pabeni@redhat.com>
mptcp: drop __mptcp_fastopen_gen_msk_ackseq()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/mana: Validate rx_hash_key_len
Filipe Manana <fdmanana@suse.com>
btrfs: fix missing last_unlink_trans update when removing a directory
Filipe Manana <fdmanana@suse.com>
btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I()
Filipe Manana <fdmanana@suse.com>
btrfs: use inode already stored in local variable at btrfs_rmdir()
Piyush Sachdeva <s.piyush1024@gmail.com>
smb: client: Use FullSessionKey for AES-256 encryption key derivation
Ashutosh Desai <ashutoshdesai993@gmail.com>
drm/v3d: Reject empty multisync extension to prevent infinite loop
David Carlier <devnexen@gmail.com>
eventfs: Use list_add_tail_rcu() for SRCU-protected children list
Guangshuo Li <lgs201920130244@gmail.com>
btrfs: fix double free in create_space_info_sub_group() error path
Filipe Manana <fdmanana@suse.com>
btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
Ulf Hansson <ulf.hansson@linaro.org>
pmdomain: core: Fix detach procedure for virtual devices in genpd
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_lvds: fix hang on init failure
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
Gyeyoung Baek <gye976@gmail.com>
drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
Sebastian Brzezinka <sebastian.brzezinka@intel.com>
drm/i915: skip __i915_request_skip() for already signaled requests
Naval Alcalá <ari@naval.cat>
iommu/vt-d: Disable DMAR for Intel Q35 IGFX
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: handle rbtree insertion error in decode_choose_args()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in crush_decode()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential null-ptr-deref in decode_choose_args()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in osdmap_decode()
Paulo Alcantara <pc@manguebit.org>
netfs: fix error handling in netfs_extract_user_iter()
Ma Ke <make24@iscas.ac.cn>
powerpc/warp: Fix error handling in pika_dtm_thread
Nicholas Carlini <nicholas@carlini.com>
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
ceph: fix a buffer leak in __ceph_setxattr()
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Bound MIDI endpoint descriptor scans
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
Ye Bin <yebin10@huawei.com>
smb/client: fix possible infinite loop and oob read in symlink_data()
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
ASoC: SOF: Intel: hda: Fix NULL pointer dereference
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ASoC: SOF: Intel: hda-dai: remove dspless special case
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: unconditionally bump set->nelems before insertion
Qiang Ma <maqianga@uniontech.com>
KVM: x86: Fix Xen hypercall tracepoint argument assignment
Junrui Luo <moonafterrain@outlook.com>
KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
Aaron Sacks <contact@xchglabs.com>
KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
Sergio Correia <scorreia@redhat.com>
audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
Zoran Ilievski <goodboy@rexbytes.com>
net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
Li Xiasong <lixiasong1@huawei.com>
netfilter: nft_ct: fix missing expect put in obj eval
Sergio Correia <scorreia@redhat.com>
audit: fix incorrect inheritable capability in CAPSET records
Li Xiasong <lixiasong1@huawei.com>
netfilter: nf_conntrack_sip: get helper before allocating expectation
Breno Leitao <leitao@debian.org>
workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
Matt Vollrath <tactii@gmail.com>
i40e: Cleanup PTP pins on probe failure
Herbert Xu <herbert@gondor.apana.org.au>
crypto: af_alg - Cap AEAD AD length to 0x80000000
Hangbin Liu <liuhangbin@gmail.com>
bonding: fix NULL pointer dereference in actor_port_prio setting
Breno Leitao <leitao@debian.org>
netconsole: avoid out-of-bounds access on empty string in trim_newline()
Eric Dumazet <edumazet@google.com>
net/sched: sch_pie: annotate more data-races in pie_dump_stats()
Michael Bommarito <michael.bommarito@gmail.com>
ksmbd: validate response sizes in ipc_validate_msg()
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix leaking free_bds
Ryo Takakura <ryotkkr98@gmail.com>
net: bcmgenet: Initialize u64 stats seq counter
Thorsten Blum <thorsten.blum@linux.dev>
crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
smb: client: fix OOB reads parsing symlink error response
Liang Jie <liangjie@lixiang.com>
smb: client: correctly handle ErrorContextData as a flexible array
Sasha Levin <sashal@kernel.org>
Revert "crypto: nx - Migrate to scomp API"
Sasha Levin <sashal@kernel.org>
Revert "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx"
Sasha Levin <sashal@kernel.org>
Revert "crypto: nx - fix context leak in nx842_crypto_free_ctx"
Al Viro <viro@zeniv.linux.org.uk>
ntfs: ->d_compare() must not block
Paolo Abeni <pabeni@redhat.com>
net/sched: cls_flower: revert unintended changes
Dan Carpenter <error27@gmail.com>
sfc: fix error code in efx_devlink_info_running_versions()
Jakub Kicinski <kuba@kernel.org>
net: tls: fix strparser anchor skb leak on offload RX setup failure
Petr Oros <poros@redhat.com>
ice: fix NULL pointer dereference in ice_reset_all_vfs()
Petr Oros <poros@redhat.com>
iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
Petr Oros <poros@redhat.com>
iavf: wait for PF confirmation before removing VLAN filters
Petr Oros <poros@redhat.com>
iavf: stop removing VLAN filters from PF on interface down
Petr Oros <poros@redhat.com>
iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
Eric Dumazet <edumazet@google.com>
bonding: 3ad: implement proper RCU rules for port->aggregator
Hangbin Liu <liuhangbin@gmail.com>
bonding: print churn state via netlink
Hangbin Liu <liuhangbin@gmail.com>
bonding: add support for per-port LACP actor priority
Tonghao Zhang <tonghao@bamaicloud.com>
net: bonding: add broadcast_neighbor option for 802.3ad
Jones Syue 薛懷宗 <jonessyue@qnap.com>
bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Read EDID from VBIOS embedded panel info
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Allow DCE link encoder without AUX registers
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/conexant: Fix missing error check for jack detection
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
Oldherl Oh <me@oldherl.one>
ALSA: hda/conexant: fix some typos
Breno Leitao <leitao@debian.org>
netconsole: propagate device name truncation in dev_name_store()
Matthew Wood <thepacketgeek@gmail.com>
net: netconsole: move newline trimming to function
Eric Dumazet <edumazet@google.com>
net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
Weiming Shi <bestswngs@gmail.com>
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
Beniamino Galvani <b.galvani@gmail.com>
ipv6: rename and move ip6_dst_lookup_tunnel()
Beniamino Galvani <b.galvani@gmail.com>
ipv4: add new arguments to udp_tunnel_dst_lookup()
Beniamino Galvani <b.galvani@gmail.com>
ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
Beniamino Galvani <b.galvani@gmail.com>
ipv4: rename and move ip_route_output_tunnel()
Xin Long <lucien.xin@gmail.com>
sctp: discard stale INIT after handshake completion
Xin Long <lucien.xin@gmail.com>
netfilter: skip recording stale or retransmitted INIT
Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
ASoC: codecs: ab8500: Fix casting of private data
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
Heiko Schocher <hs@nabladev.com>
net: phy: dp83869: fix setting CLK_O_SEL field.
William A. Kennington III <william@wkennington.com>
net: mctp i2c: check length before marking flow active
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
Florian Westphal <fw@strlen.de>
neigh: let neigh_xmit take skb ownership
Eric Dumazet <edumazet@google.com>
neighbour: add RCU protection to neigh_tables[]
Weiming Shi <bestswngs@gmail.com>
net/sched: taprio: fix NULL pointer dereference in class dump
Paul Geurts <paul.geurts@prodrive-technologies.com>
NFC: trf7970a: Ignore antenna noise when checking for RF field
Morduan Zang <zhangdandan@uniontech.com>
net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
Zhan Jun <zhanjun@uniontech.com>
net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
Ido Schimmel <idosch@nvidia.com>
vrf: Fix a potential NPD when removing a port from a VRF
Eric Dumazet <edumazet@google.com>
net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_choke: annotate data-races in choke_dump_stats()
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: check for negative latency and jitter
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix slot delay calculation overflow
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: validate slot configuration
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: only reseed PRNG when seed is explicitly provided
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix queue limit check to include reordered packets
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix probability gaps in 4-state loss model
Nikola Z. Ivanov <zlatistiv@gmail.com>
netdevsim: zero initialize struct iphdr in dummy sk_buff
Daan De Meyer <daan@amutable.com>
cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
Wentao Guan <guanwentao@uniontech.com>
arm64/scs: Fix potential sign extension issue of advance_loc4
Yuho Choi <dbgh9129@gmail.com>
drm/sysfb: ofdrm: fix PCI device reference leaks
John Madieu <john.madieu@gmail.com>
spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
Florian Westphal <fw@strlen.de>
netfilter: nf_conntrack_sip: don't use simple_strtoul
Jiexun Wang <wangjiexun2025@gmail.com>
netfilter: xt_policy: fix strict mode inbound policy matching
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
Alexandre Demers <alexandre.f.demers@gmail.com>
drm/amdgpu: fix spelling typos
Christian König <christian.koenig@amd.com>
drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
Keith Busch <kbusch@kernel.org>
nvme-pci: fix missed admin queue sq doorbell write
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Maurizio Lombardi <mlombard@redhat.com>
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Breno Leitao <leitao@debian.org>
tracing: branch: Fix inverted check on stat tracer registration
Mark Harmstone <mark@harmstone.com>
btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: make data_ready a per-instance variable
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: initialize struct earlier
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: don't free the reused channel
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: add sanity check for channel array
cuitao <cuitao@kylinos.cn>
cgroup/rdma: fix integer overflow in rdmacg_try_charge()
Edward Adam Davis <eadavis@qq.com>
sched/psi: fix race between file release and pressure write
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: free channels on probe error
Yuho Choi <dbgh9129@gmail.com>
fbdev: offb: fix PCI device reference leak on probe failure
Anthony Pighin (Nokia) <anthony.pighin@nokia.com>
rtc: abx80x: Disable alarm feature if no interrupt attached
Bae Yeonju <iwasbaeyz@gmail.com>
fs/adfs: validate nzones in adfs_validate_bblk()
Kohei Enju <kohei@enjuk.jp>
vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
Lee Jones <lee@kernel.org>
tipc: fix double-free in tipc_buf_append()
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: fix mode mask calculation
Eric Dumazet <edumazet@google.com>
net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_red: annotate data-races in red_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_pie: annotate data-races in pie_dump_stats()
Eric Dumazet <edumazet@google.com>
net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
Michael Bommarito <michael.bommarito@gmail.com>
net/rds: zero per-item info buffer before handing it to visitors
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: scope conn->binding slowpath to bound sessions only
DaeMyung Kang <charsyam@gmail.com>
ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
DaeMyung Kang <charsyam@gmail.com>
ksmbd: destroy async_ida in ksmbd_conn_free()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: add support for supplementary groups
Thorsten Blum <thorsten.blum@linux.dev>
ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
DaeMyung Kang <charsyam@gmail.com>
ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
Jun Yan <jerrysteve1101@gmail.com>
arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
Weiming Shi <bestswngs@gmail.com>
slip: bound decode() reads against the compressed packet length
Weiming Shi <bestswngs@gmail.com>
slip: reject VJ receive packets on instances with no rstate array
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
Yingnan Zhang <342144303@qq.com>
ipvs: fix MTU check for GSO packets in tunnel mode
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xtables: restrict several matches to inet family
Florian Westphal <fw@strlen.de>
netfilter: conntrack: remove sprintf usage
Xiang Mei <xmei5@asu.edu>
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_osf: restrict it to ipv4
Weiming Shi <bestswngs@gmail.com>
openvswitch: cap upcall PID array size and pre-size vport replies
Qingfang Deng <qingfang.deng@linux.dev>
pppoe: drop PFC frames
Michael Bommarito <michael.bommarito@gmail.com>
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
Eric Dumazet <edumazet@google.com>
ipv6: fix possible UAF in icmpv6_rcv()
Matt Vollrath <tactii@gmail.com>
e1000e: Unroll PTP in probe error handling
Kohei Enju <kohei@enjuk.jp>
i40e: don't advertise IFF_SUPP_NOFCS
Michal Schmidt <mschmidt@redhat.com>
ice: fix double-free of tx_buf skb
Alice Mikityanska <alice@isovalent.com>
ice: Remove jumbo_remove step from TX path
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->plb_rehash
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->dsack_dups
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->bytes_retrans
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->bytes_sent
Eric Dumazet <edumazet@google.com>
tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
Vinicius Costa Gomes <vinicius.gomes@intel.com>
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
Jiayuan Chen <jiayuan.chen@linux.dev>
nexthop: fix IPv6 route referencing IPv4 nexthop
Dudu Lu <phx0fer@gmail.com>
net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
Dudu Lu <phx0fer@gmail.com>
macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
René Rebe <rene@exactco.de>
PCMCIA: Fix garbled log messages for KERN_CONT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
Paul Moses <p@1g4.org>
crypto: ccp - copy IV using skcipher ivsize
T Pratham <t-pratham@ti.com>
crypto: sa2ul - Fix AEAD fallback algorithm names
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915/wm: Verify the correct plane DDB entry
Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
drm/i915: Loop over all active pipes in intel_mbus_dbox_update
Gustavo Sousa <gustavo.sousa@intel.com>
drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Simplify watermark state checker calling convention
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Constify watermark state checker
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
f2fs: Use sysfs_emit_at() to simplify code
Brian Masney <bmasney@redhat.com>
clk: visconti: pll: initialize clk_init_data to zero
Geert Uytterhoeven <geert+renesas@glider.be>
lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc-sc7180: Add missing MDSS resets
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
Geert Uytterhoeven <geert+renesas@glider.be>
clk: xgene: Fix mapping leak in xgene_pllclk_init()
Arnd Bergmann <arnd@arndb.de>
clk: qoriq: avoid format string warning
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
clk: imx8mq: Correct the CSI PHY sels
Felix Gu <ustc.gu@gmail.com>
clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
Felix Gu <ustc.gu@gmail.com>
clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
Val Packett <val@packett.cool>
clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
Val Packett <val@packett.cool>
clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Use retention for USB power domains
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Add missing GDSCs
Val Packett <val@packett.cool>
dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
Junrui Luo <moonafterrain@outlook.com>
scsi: target: core: Fix integer overflow in UNMAP bounds check
White Lewis <liu224806@gmail.com>
clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers
Yang Erkun <yangerkun@huawei.com>
scsi: sg: Resolve soft lockup issue when opening /dev/sgX
Yang Erkun <yangerkun@huawei.com>
scsi: sg: Fix sysctl sg-big-buff register during sg_init()
Ricardo B. Marliere <ricardo@marliere.net>
scsi: sg: Make sg_sysfs_class constant
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
Florian Westphal <fw@strlen.de>
RDMA/core: Prefer NLA_NUL_STRING
Pengpeng Hou <pengpeng@iscas.ac.cn>
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
Fedor Pchelkin <pchelkin@ispras.ru>
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
Pengpeng Hou <pengpeng@iscas.ac.cn>
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
Randy Dunlap <rdunlap@infradead.org>
tty: hvc_iucv: fix off-by-one in number of supported devices
Chen Ni <nichen@iscas.ac.cn>
leds: lgm-sso: Remove duplicate assignments for priv->mmap
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/surface: surfacepro3_button: Drop wakeup source on remove
Chen Ni <nichen@iscas.ac.cn>
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
Nuno Sa <nuno.sa@analog.com>
dev_printk: add new dev_err_probe() helpers
Billy Tsai <billy_tsai@aspeedtech.com>
i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
Jorge Marques <jorge.marques@analog.com>
i3c: master: Fix error codes at send_ccc_cmd
Arnaldo Carvalho de Melo <acme@redhat.com>
perf util: Kill die() prototype, dead for a long time
Jian Zhang <zhangjian.3032@bytedance.com>
ipmi: ssif_bmc: change log level to dbg in irq callback
Jian Zhang <zhangjian.3032@bytedance.com>
ipmi: ssif_bmc: fix message desynchronization after truncated response
Jian Zhang <zhangjian.3032@bytedance.com>
ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
Leo Yan <leo.yan@arm.com>
perf expr: Return -EINVAL for syntax error in expr__find_ids()
Chuck Lever <chuck.lever@oracle.com>
perf tools: Fix module symbol resolution for non-zero .text sh_addr
Ian Rogers <irogers@google.com>
perf lock: Fix option value type in parse_max_stack
Yu-Chun Lin <eleanor15x@gmail.com>
pinctrl: abx500: Fix type of 'argument' variable
Mike Leach <mike.leach@arm.com>
perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
Ian Rogers <irogers@google.com>
perf branch: Avoid incrementing NULL
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Avoid returning positive values to user space
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: remove duplicate error message
Ethan Tidmore <ethantidmore06@gmail.com>
pinctrl: pinctrl-pic32: Fix resource leak
Puranjay Mohan <puranjay@kernel.org>
bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
Yihan Ding <dingyihan@uniontech.com>
bpf: allow UTF-8 literals in bpf_bprintf_prepare()
Mykyta Yatsenko <yatsenko@meta.com>
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Take state lock for af_unix iter
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix af_unix null-ptr-deref in proto update
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix af_unix iter deadlock
Puranjay Mohan <puranjay@kernel.org>
bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize
Daniel Borkmann <daniel@iogearbox.net>
bpf, arm64: Fix off-by-one in check_imm signed range check
Oliver Neukum <oneukum@suse.com>
HID: usbhid: fix deadlock in hid_post_reset()
Richard Genoud <richard.genoud@bootlin.com>
mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
Shiji Yang <yangshiji66@outlook.com>
mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
Jonas Gorski <jonas.gorski@gmail.com>
mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
Haibo Chen <haibo.chen@nxp.com>
mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
Geert Uytterhoeven <geert+renesas@glider.be>
dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
Chen Ni <nichen@iscas.ac.cn>
mtd: physmap_of_gemini: Fix disabled pinctrl state check
Denis Benato <denis.benato@linux.dev>
HID: asus: do not abort probe when not necessary
Denis Benato <denis.benato@linux.dev>
HID: asus: make asus_resume adhere to linux kernel coding standards
Daniel Hodges <hodgesd@meta.com>
ima: check return value of crypto_shash_final() in boot aggregate
Pengpeng Hou <pengpeng@iscas.ac.cn>
tracing: Rebuild full_name on each hist_field_name() call
Richard Fitzgerald <rf@opensource.cirrus.com>
soundwire: cadence: Clear message complete before signaling waiting thread
Frank Li <Frank.Li@nxp.com>
dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
Cole Leavitt <cole@unwrap.rs>
soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
Khairul Anuar Romli <karom.9560@gmail.com>
dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
ZhengYuan Huang <gality369@gmail.com>
ocfs2: validate group add input before caching
ZhengYuan Huang <gality369@gmail.com>
ocfs2: validate bg_bits during freefrag scan
ZhengYuan Huang <gality369@gmail.com>
ocfs2: fix listxattr handling when the buffer is full
Frank Li <Frank.Li@nxp.com>
ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
Christoph Hellwig <hch@lst.de>
arm64/xor: fix conflicting attributes for xor_block_template
Aaro Koskinen <aaro.koskinen@iki.fi>
ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
Alexander Koskovich <AKoskovich@pm.me>
arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
Alok Tiwari <alok.a.tiwari@oracle.com>
soc: qcom: aoss: compare against normalized cooling state
Alok Tiwari <alok.a.tiwari@oracle.com>
soc: qcom: llcc: fix v1 SB syndrome register offset
Junrui Luo <moonafterrain@outlook.com>
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
Junrui Luo <moonafterrain@outlook.com>
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Michal Grzedzicki <mge@meta.com>
unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
Sumit Gupta <sumitg@nvidia.com>
soc/tegra: cbb: Set ERD on resume for err interrupt
Xu Yang <xu.yang_2@nxp.com>
arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
David Heidelberg <david@ixit.cz>
arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
Luca Weiss <luca.weiss@fairphone.com>
arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8550: Fix GIC_ITS range length
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8450: Fix GIC_ITS range length
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: register reasons for probe deferrals
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
soc: qcom: ocmem: use scoped device node handling to simplify error paths
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: make the core clock optional
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
Jacob Pan <jacob.pan@linux.microsoft.com>
iommufd: vfio compatibility extension check for noiommu mode
Sherry Sun <sherry.sun@nxp.com>
arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
Francesco Dolcini <francesco.dolcini@toradex.com>
arm64: dts: imx8-apalis: Fix LEDs name collision
Mikko Perttunen <mperttunen@nvidia.com>
memory: tegra30-emc: Fix dll_change check
Mikko Perttunen <mperttunen@nvidia.com>
memory: tegra124-emc: Fix dll_change check
Rafał Miłecki <rafal@milecki.pl>
ARM: dts: mediatek: mt7623: fix efuse fallback compatible
Joshua Klinesmith <joshuaklinesmith@gmail.com>
ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
Thomas Huth <thuth@redhat.com>
efi/capsule-loader: fix incorrect sizeof in phys array reallocation
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: prevent NULL pointer dereference during unmount
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: add some missing log locking
Jan Kara <jack@suse.cz>
quota: Fix race of dquot_scan_active() with quota deactivation
Ricardo B. Marlière <rbm@suse.com>
ktest: Run POST_KTEST hooks on failure and cancellation
Ricardo B. Marlière <rbm@suse.com>
ktest: Honor empty per-test option overrides
Ricardo B. Marlière <rbm@suse.com>
ktest: Avoid undef warning when WARNINGS_FILE is unset
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Call unlock_new_inode before d_instantiate
Haixin Xu <jerryxucs@gmail.com>
crypto: jitterentropy - replace long-held spinlock with mutex
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix missing return in invalidate_committed's error path
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: sc6000: Keep the programmed board state in card-private data
Takashi Iwai <tiwai@suse.de>
ALSA: sc6000: Use standard print API
Pei Xiao <xiaopei01@kylinos.cn>
spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Use DWC IP core version
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Allow system suspend when the Endpoint link is not up
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Disable direct speed change for Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Don't force the device into the D0 state before L2
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in tegra_pcie_downstream_dev_to_D0()
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Increase LTSSM poll time on surprise link down
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Fix polling delay for L2 state
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: SOF: compress: return the configured codec from get_params
Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
ALSA: scarlett2: Add missing sentinel initializer field
Waiman Long <longman@redhat.com>
selftest: memcg: skip memcg_sock test if address family not supported
Jane Chu <jane.chu@oracle.com>
Documentation: fix a hugetlbfs reservation statement
AnishMulay <anishm7030@gmail.com>
selftests/mm: skip migration tests if NUMA is unavailable
Chen-Yu Tsai <wenst@chromium.org>
PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
Gerd Bayer <gbayer@linux.ibm.com>
PCI: Enable AtomicOps only if Root Port supports them
Denis Rastyogin <gerben@altlinux.org>
ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - use swab32 macro
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: qdsp6: topology: check widget type before accessing data
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Change the type for iec958 channel status controls
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Add access property for "VAD Detected"
Felix Gu <ustc.gu@gmail.com>
pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
Felix Gu <gu_0233@qq.com>
pmdomain: ti: omap_prm: Fix a reference leak on device node
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Use barriers while updating HFI Q headers
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/shrinker: Fix can_block() logic
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/a6xx: Fix HLSQ register dumping
Ethan Tidmore <ethantidmore06@gmail.com>
ASoC: SOF: Intel: hda: Place check before dereference
Lei Huang <huanglei@kylinos.cn>
ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}')
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Fill DW8 fields from SMC
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: core: Validate compress device numbers without dynamic minors
Sebastian Reichel <sebastian.reichel@collabora.com>
drm/panel: simple: Correct G190EAN01 prepare timing
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
Alexander Koskovich <akoskovich@pm.me>
drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: add the missing parameter description
Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
drm/msm/dpu: fix mismatch between power and frequency
Pei Xiao <xiaopei01@kylinos.cn>
spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx10: look at the right prop for gfx queue priority
Daniel Jordan <daniel.m.jordan@oracle.com>
padata: Put CPU offline callback in ONLINE section to allow failure
Chuyi Zhou <zhouchuyi@bytedance.com>
padata: Remove cpu online check from cpu add and removal
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
Herbert Xu <herbert@gondor.apana.org.au>
crypto: atmel - Remove cfb and ofb
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
Guillaume Gonnet <ggonnet.linux@gmail.com>
dm init: ensure device probing has finished in dm-mod.waitfor=
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu: Add default case in DVI mode validation
Ethan Tidmore <ethantidmore06@gmail.com>
drm/sun4i: Fix resource leaks
Felix Gu <ustc.gu@gmail.com>
spi: fsl-qspi: Use reinit_completion() for repeated operations
Harikrishna Shenoy <h-shenoy@ti.com>
drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check
Jayesh Choudhary <j-choudhary@ti.com>
drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs
Jayesh Choudhary <j-choudhary@ti.com>
drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
Junrui Luo <moonafterrain@outlook.com>
dm log: fix out-of-bounds write due to region_count overflow
Ming-Hung Tsai <mtsai@redhat.com>
dm cache metadata: fix memory leak on metadata abort retry
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/chrome: chromeos_tbmc: Drop wakeup source on remove
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix dirty mapping checking in passthrough mode switching
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: support shrinking the origin device
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix concurrent write failure in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache policy smq: fix missing locks in invalidating cache blocks
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix write hang in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix write path cache coherency in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix null-deref with concurrent writes in passthrough mode
Sander Vanheule <sander@svanheule.net>
ASoC: sti: use managed regmap_field allocations
Sander Vanheule <sander@svanheule.net>
ASoC: sti: Return errors from regmap_field_alloc()
Ethan Tidmore <ethantidmore06@gmail.com>
drm/sun4i: backend: fix error pointer dereference
Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
drm/komeda: fix integer overflow in AFBC framebuffer size check
Jiayuan Chen <jiayuan.chen@linux.dev>
net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
Xin Long <lucien.xin@gmail.com>
sctp: fix missing encap_port propagation for GSO fragments
Maxime Chevallier <maxime.chevallier@bootlin.com>
net: phy: qcom: at803x: Use the correct bit to disable extended next page
Christian Marangi <ansuelsmth@gmail.com>
net: phy: move at803x PHY driver to dedicated directory
FUJITA Tomonori <fujita.tomonori@gmail.com>
net: phy: add Rust Asix PHY driver
Christian Marangi <ansuelsmth@gmail.com>
net: phy: aquantia: move to separate directory
Dudu Lu <phx0fer@gmail.com>
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
Pauli Virtanen <pav@iki.fi>
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
Jonathan Rissanen <jonathan.rissanen@axis.com>
Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
Sun Jian <sun.jian.kdev@gmail.com>
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
Gal Pressman <gal@nvidia.com>
net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix features not applied during netdev registration
Josua Mayer <josua@solid-run.com>
dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
Luca Weiss <luca.weiss@fairphone.com>
net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
Luca Weiss <luca.weiss@fairphone.com>
net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
Taegu Ha <hataegu0826@gmail.com>
ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
Lang Xu <xulang@uniontech.com>
bpf: Fix OOB in pcpu_init_value
Greg Jumper <greg.jumper@oracle.com>
net/rds: Restrict use of RDS/IB to the initial network namespace
Håkon Bugge <haakon.bugge@oracle.com>
net/rds: Optimize rds_ib_laddr_check
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: act_ct: Only release RCU read lock after ct_ft
Mashiro Chen <mashiro.chen@mailbox.org>
net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
Jiri Slaby (SUSE) <jirislaby@kernel.org>
6pack: propagage new tty types
Sechang Lim <rhkrqnwk98@gmail.com>
bpf: Fix RCU stall in bpf_fd_array_map_clear()
Florian Westphal <fw@strlen.de>
netfilter: nft_fwd_netdev: check ttl/hl before forwarding
Florian Westphal <fw@strlen.de>
netfilter: xt_socket: enable defrag after all other checks
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix racing timeout handler
Zak Kemble <zakkemble@gmail.com>
net: bcmgenet: switch to use 64bit statistics
Doug Berger <opendmb@gmail.com>
net: bcmgenet: support reclaiming unsent Tx packets
Doug Berger <opendmb@gmail.com>
net: bcmgenet: move DESC_INDEX flow to ring 0
Doug Berger <opendmb@gmail.com>
net: bcmgenet: add bcmgenet_has_* helpers
Florian Fainelli <florian.fainelli@broadcom.com>
net: bcmgenet: Remove custom ndo_poll_controller()
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
Wang Wensheng <wsw9603@163.com>
arm64: kexec: Remove duplicate allocation for trans_pgd
Haoyu Lu <hechushiguitu666@gmail.com>
ACPI: AGDI: fix missing newline in error message
Weiming Shi <bestswngs@gmail.com>
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
Ethan Tidmore <ethantidmore06@gmail.com>
wifi: brcmfmac: Fix error pointer dereference
MingTao Huang <mintaohuang@tencent.com>
bpf: Fix stale offload->prog pointer after constant blinding
Weiming Shi <bestswngs@gmail.com>
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Eric Dumazet <edumazet@google.com>
macvlan: annotate data-races around port->bc_queue_len_used
Amit Machhiwal <amachhiw@linux.ibm.com>
selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
Madhavan Srinivasan <maddy@linux.ibm.com>
selftests/powerpc: Re-order *FLAGS to follow lib.mk
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/crash: fix backup region offset update to elfcorehdr
Chih Kai Hsu <hsu.chih.kai@realtek.com>
r8152: fix incorrect register write to USB_UPHY_XTAL
Alexey Velichayshiy <a.velichayshiy@ispras.ru>
wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
David Carlier <devnexen@gmail.com>
bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
Thorsten Blum <thorsten.blum@toblux.com>
bpf, devmap: Remove unnecessary if check in for loop
Duoming Zhou <duoming@zju.edu.cn>
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
StanleyYP Wang <StanleyYP.Wang@mediatek.com>
wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
James Clark <james.clark@linaro.org>
arm64: cpufeature: Make PMUVer and PerfMon unsigned
Alok Tiwari <alok.a.tiwari@oracle.com>
wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
Ryder Lee <ryder.lee@mediatek.com>
wifi: mt76: mt7915: fix use_cts_prot support
Ryder Lee <ryder.lee@mediatek.com>
wifi: mt76: mt7615: fix use_cts_prot support
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr()
Petr Pavlu <petr.pavlu@suse.com>
module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
Petr Pavlu <petr.pavlu@suse.com>
params: Replace __modinit with __init_or_module
Ilya Leoshkevich <iii@linux.ibm.com>
s390/bpf: Zero-extend bpf prog return values and kfunc arguments
Cai Xinchen <caixinchen1@huawei.com>
dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
Cai Xinchen <caixinchen1@huawei.com>
dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
Feng Yang <yangfeng@kylinos.cn>
bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
Vadim Fedorenko <vadfed@meta.com>
bpf: Add CHECKSUM_COMPLETE to bpf test progs
Duoming Zhou <duoming@zju.edu.cn>
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
Zilin Guan <zilin@seu.edu.cn>
wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
Mario Limonciello (AMD) <superm1@kernel.org>
firmware: dmi: Correct an indexing error in dmi.h
Bart Van Assche <bvanassche@acm.org>
locking: Fix rwlock support in <linux/spinlock_up.h>
Thomas Gleixner <tglx@kernel.org>
hrtimer: Reduce trace noise in hrtimer_start()
Peter Zijlstra <peterz@infradead.org>
hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
Richard Clark <richard.xnu.clark@gmail.com>
hrtimers: Update the return type of enqueue_hrtimer()
Brian Masney <bmasney@redhat.com>
irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
Danilo Krummrich <dakr@kernel.org>
s390/cio: use generic driver_override infrastructure
Li Zhijian <lizhijian@fujitsu.com>
s390/cio: convert sprintf()/snprintf() to sysfs_emit()
Halil Pasic <pasic@linux.ibm.com>
s390/cio: make sch->lock spinlock pointer a member
Gui-Dong Han <hanguidong02@gmail.com>
debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
Gui-Dong Han <hanguidong02@gmail.com>
debugfs: check for NULL pointer in debugfs_create_str()
Gopi Krishna Menon <krishnagopi487@gmail.com>
thermal/drivers/spear: Fix error condition for reading st,thermal-flags
Danilo Krummrich <dakr@kernel.org>
devres: fix missing node debug info in devm_krealloc()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: x86: cmos_rtc: Clean up address space handler driver
Cole Leavitt <cole@unwrap.rs>
pstore/ram: fix resource leak when ioremap() fails
Jackie Liu <liuyun01@kylinos.cn>
blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
Deepanshu Kartikey <kartikey406@gmail.com>
nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
Daan De Meyer <daan.j.demeyer@gmail.com>
loop: fix partition scan race between udev and loop_reread_partitions()
Bart Van Assche <bvanassche@acm.org>
drbd: Balance RCU calls in drbd_adm_dump_devices()
HyungJung Joo <jhj140711@gmail.com>
fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
Ming Lei <ming.lei@redhat.com>
blk-cgroup: wait for blkcg cleanup before initializing new disk
-------------
Diffstat:
.../bindings/interrupt-controller/arm,gic-v3.yaml | 2 +-
.../devicetree/bindings/net/dsa/nxp,sja1105.yaml | 2 -
Documentation/mm/hugetlbfs_reserv.rst | 2 +-
Documentation/networking/bonding.rst | 15 +
MAINTAINERS | 8 +
Makefile | 4 +-
arch/arm/boot/dts/mediatek/mt7623.dtsi | 2 +-
.../boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi | 8 +-
.../nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +-
arch/arm/mach-omap1/clock_data.c | 4 +-
arch/arm/net/bpf_jit_32.c | 6 +
.../boot/dts/amlogic/meson-gxl-s905d-p230.dts | 3 +-
.../boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi | 4 +
.../boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi | 4 +
.../arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi | 4 +-
.../arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi | 2 +-
.../arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 2 +-
.../dts/freescale/imx8mp-data-modul-edm-sbc.dts | 2 +-
.../boot/dts/freescale/imx8mp-debix-model-a.dts | 2 +-
.../dts/freescale/imx8mp-debix-som-a-bmb-08.dts | 2 +-
.../boot/dts/freescale/imx8mp-debix-som-a.dtsi | 2 +-
.../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 +-
.../boot/dts/freescale/imx8mp-icore-mx8mp.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8qxp-mek.dts | 10 +-
arch/arm64/boot/dts/mediatek/mt6795.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts | 2 +-
arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts | 2 +-
.../dts/qcom/sdm845-xiaomi-beryllium-common.dtsi | 1 +
arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts | 4 +
arch/arm64/boot/dts/qcom/sm8250.dtsi | 5 +
arch/arm64/boot/dts/qcom/sm8450.dtsi | 5 +-
arch/arm64/boot/dts/qcom/sm8550.dtsi | 7 +-
arch/arm64/include/asm/xor.h | 2 +-
arch/arm64/kernel/cpufeature.c | 4 +-
arch/arm64/kernel/machine_kexec.c | 3 -
arch/arm64/kernel/patch-scs.c | 4 +-
arch/arm64/net/bpf_jit_comp.c | 4 +-
arch/powerpc/kexec/file_load_64.c | 2 +-
arch/powerpc/platforms/44x/warp.c | 2 +
arch/riscv/net/bpf_jit.h | 6 -
arch/riscv/net/bpf_jit_core.c | 7 -
arch/s390/kvm/interrupt.c | 3 +-
arch/s390/kvm/pci.c | 6 +-
arch/s390/net/bpf_jit_comp.c | 39 +-
arch/x86/kvm/trace.h | 2 +-
block/blk-cgroup.c | 16 +
block/disk-events.c | 3 +-
crypto/af_alg.c | 2 +
crypto/jitterentropy-kcapi.c | 14 +-
drivers/acpi/acpi_cmos_rtc.c | 79 ++-
drivers/acpi/arm64/agdi.c | 2 +-
drivers/base/devres.c | 2 +
drivers/base/power/domain.c | 10 +-
drivers/block/drbd/drbd_nl.c | 8 +-
drivers/bluetooth/hci_ldisc.c | 3 +
drivers/cdrom/cdrom.c | 73 ++-
drivers/char/ipmi/ssif_bmc.c | 34 +-
drivers/clk/clk-qoriq.c | 17 +-
drivers/clk/clk-xgene.c | 2 +
drivers/clk/imx/clk-imx6q.c | 12 +-
drivers/clk/imx/clk-imx8mq.c | 4 +-
drivers/clk/qcom/dispcc-sc7180.c | 8 +
drivers/clk/qcom/dispcc-sc8280xp.c | 4 -
drivers/clk/qcom/dispcc-sm8250.c | 6 +-
drivers/clk/qcom/dispcc-sm8450.c | 2 +-
drivers/clk/qcom/gcc-sc8180x.c | 64 +-
drivers/clk/visconti/pll.c | 2 +-
drivers/crypto/atmel-aes.c | 237 +------
drivers/crypto/atmel-sha.c | 27 +-
drivers/crypto/atmel-tdes.c | 230 +------
drivers/crypto/ccp/ccp-crypto-aes.c | 7 +-
.../intel/qat/qat_common/icp_qat_hw_20_comp.h | 10 +-
drivers/crypto/nx/nx-842.c | 37 +-
drivers/crypto/nx/nx-842.h | 15 +-
drivers/crypto/nx/nx-common-powernv.c | 31 +-
drivers/crypto/nx/nx-common-pseries.c | 33 +-
drivers/crypto/sa2ul.c | 4 +-
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 2 -
drivers/dma/mxs-dma.c | 1 +
drivers/firmware/efi/capsule-loader.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 57 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 66 ++
drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 +
drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 1 +
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 16 +-
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 3 +-
drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 2 +
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +
drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 +
drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 62 ++
.../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +-
.../amd/display/include/grph_object_ctrl_defs.h | 4 +
drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c | 15 +
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 118 +++-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h | 1 +
drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h | 1 +
.../gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 15 +-
.../drm/arm/display/komeda/komeda_framebuffer.c | 6 +-
.../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 72 ++-
.../gpu/drm/bridge/cadence/cdns-mhdp8546-core.h | 1 +
.../gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c | 18 +-
drivers/gpu/drm/gma500/oaktrail_hdmi.c | 1 +
drivers/gpu/drm/gma500/oaktrail_lvds.c | 9 +-
drivers/gpu/drm/i915/display/intel_dp.c | 9 +-
.../gpu/drm/i915/display/intel_modeset_verify.c | 2 +-
drivers/gpu/drm/i915/display/skl_watermark.c | 49 +-
drivers/gpu/drm/i915/display/skl_watermark.h | 4 +-
drivers/gpu/drm/i915/gt/intel_reset.c | 3 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 14 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 -
drivers/gpu/drm/msm/dsi/dsi_cfg.c | 4 +-
drivers/gpu/drm/msm/dsi/dsi_cfg.h | 2 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
drivers/gpu/drm/msm/msm_gem_shrinker.c | 5 +-
drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 1 +
drivers/gpu/drm/panel/panel-simple.c | 2 +-
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 +
drivers/gpu/drm/sun4i/sun4i_backend.c | 6 +-
drivers/gpu/drm/tiny/ofdrm.c | 2 +
drivers/gpu/drm/v3d/v3d_gem.c | 5 +
drivers/hid/hid-asus.c | 28 +-
drivers/hid/usbhid/hid-core.c | 2 +-
drivers/i3c/master.c | 32 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 5 +-
drivers/infiniband/core/iwpm_msg.c | 6 +-
drivers/infiniband/hw/mana/qp.c | 7 +-
drivers/iommu/intel/iommu.c | 3 +
drivers/iommu/iommufd/vfio_compat.c | 2 +-
drivers/irqchip/irq-pic32-evic.c | 2 +-
drivers/leds/blink/leds-lgm-sso.c | 2 -
drivers/mailbox/mailbox-test.c | 39 +-
drivers/mailbox/mailbox.c | 3 +-
drivers/md/dm-cache-metadata.c | 24 +-
drivers/md/dm-cache-metadata.h | 5 -
drivers/md/dm-cache-policy-smq.c | 4 +
drivers/md/dm-cache-target.c | 143 +++-
drivers/md/dm-init.c | 4 +-
drivers/md/dm-log.c | 6 +-
.../media/platform/nxp/imx8-isi/imx8-isi-video.c | 2 +-
drivers/memory/tegra/tegra124-emc.c | 2 +-
drivers/memory/tegra/tegra30-emc.c | 6 +-
drivers/mfd/mc13xxx-core.c | 2 +-
drivers/mtd/maps/physmap-gemini.c | 2 +-
drivers/mtd/nand/raw/sunxi_nand.c | 6 +-
drivers/mtd/parsers/ofpart_core.c | 4 +-
drivers/mtd/spi-nor/core.c | 2 +-
drivers/mtd/spi-nor/core.h | 8 +-
drivers/mtd/spi-nor/sfdp.c | 30 +-
drivers/mtd/spi-nor/swp.c | 4 +-
drivers/net/bareudp.c | 24 +-
drivers/net/bonding/bond_3ad.c | 123 ++--
drivers/net/bonding/bond_main.c | 74 ++-
drivers/net/bonding/bond_netlink.c | 37 +-
drivers/net/bonding/bond_options.c | 71 ++
drivers/net/bonding/bond_procfs.c | 3 +-
drivers/net/bonding/bond_sysfs_slave.c | 17 +-
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
.../net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 718 +++++++++------------
drivers/net/ethernet/broadcom/genet/bcmgenet.h | 68 +-
drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 4 +-
drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 +-
drivers/net/ethernet/freescale/Makefile | 3 +-
drivers/net/ethernet/freescale/dpaa2/Kconfig | 4 +
drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
drivers/net/ethernet/intel/i40e/i40e.h | 1 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 +-
drivers/net/ethernet/intel/iavf/iavf.h | 9 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 52 +-
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 76 ++-
drivers/net/ethernet/intel/ice/ice_txrx.c | 7 +-
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 +-
.../mellanox/mlx5/core/en_accel/ipsec_offload.c | 12 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 +
.../ethernet/netronome/nfp/nfpcore/nfp_target.c | 17 +-
drivers/net/ethernet/sfc/efx_devlink.c | 2 +-
drivers/net/hamradio/6pack.c | 39 +-
drivers/net/ipa/gsi.c | 1 +
drivers/net/ipa/ipa_main.c | 6 +-
drivers/net/macvlan.c | 9 +-
drivers/net/mctp/mctp-i2c.c | 4 +-
drivers/net/netconsole.c | 26 +-
drivers/net/netdevsim/dev.c | 2 +-
drivers/net/phy/Kconfig | 20 +-
drivers/net/phy/Makefile | 12 +-
drivers/net/phy/aquantia/Kconfig | 5 +
drivers/net/phy/aquantia/Makefile | 6 +
drivers/net/phy/{ => aquantia}/aquantia.h | 0
drivers/net/phy/{ => aquantia}/aquantia_hwmon.c | 0
drivers/net/phy/{ => aquantia}/aquantia_main.c | 0
drivers/net/phy/ax88796b_rust.rs | 135 ++++
drivers/net/phy/dp83869.c | 13 +-
drivers/net/phy/qcom/Kconfig | 7 +
drivers/net/phy/qcom/Makefile | 2 +
drivers/net/phy/{ => qcom}/at803x.c | 2 +-
drivers/net/ppp/ppp_generic.c | 5 +-
drivers/net/ppp/pppoe.c | 8 +-
drivers/net/slip/slhc.c | 49 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/rtl8150.c | 12 +-
drivers/net/vrf.c | 15 +-
.../wireless/broadcom/brcm80211/brcmfmac/chip.c | 15 +
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 15 -
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 7 +-
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 47 ++
drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h | 5 +-
drivers/net/wireless/mediatek/mt76/mt7615/regs.h | 2 -
.../net/wireless/mediatek/mt76/mt76_connac_mac.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 13 -
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 +-
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 62 ++
drivers/net/wireless/mediatek/mt76/mt7915/mcu.h | 11 +
drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h | 4 +
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 4 +-
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
drivers/nfc/trf7970a.c | 3 +-
drivers/nvme/host/pci.c | 1 +
drivers/nvme/target/tcp.c | 51 +-
drivers/pci/controller/dwc/pcie-designware.c | 16 +-
drivers/pci/controller/dwc/pcie-designware.h | 2 +
drivers/pci/controller/dwc/pcie-tegra194.c | 155 +++--
drivers/pci/controller/pcie-mediatek-gen3.c | 8 +-
drivers/pci/pci.c | 41 +-
drivers/pcmcia/rsrc_nonstatic.c | 6 +-
drivers/pinctrl/nomadik/pinctrl-abx500.c | 2 +-
drivers/pinctrl/pinctrl-cy8c95x0.c | 27 +-
drivers/pinctrl/pinctrl-pic32.c | 20 +-
drivers/platform/chrome/chromeos_tbmc.c | 6 +
drivers/platform/surface/surfacepro3_button.c | 1 +
.../x86/dell/dell-wmi-sysman/enum-attributes.c | 34 +-
drivers/platform/x86/dell/dell_rbu.c | 6 +-
drivers/platform/x86/panasonic-laptop.c | 5 +-
drivers/pmdomain/imx/scu-pd.c | 1 +
drivers/pmdomain/ti/omap_prm.c | 1 +
drivers/rtc/rtc-abx80x.c | 2 +
drivers/s390/cio/chsc.c | 18 +-
drivers/s390/cio/chsc_sch.c | 6 +-
drivers/s390/cio/cio.c | 6 +-
drivers/s390/cio/cio.h | 7 +-
drivers/s390/cio/css.c | 82 +--
drivers/s390/cio/device.c | 66 +-
drivers/s390/cio/device_pgid.c | 12 +-
drivers/s390/cio/eadm_sch.c | 36 +-
drivers/s390/cio/vfio_ccw_drv.c | 8 +-
drivers/s390/cio/vfio_ccw_fsm.c | 24 +-
drivers/scsi/sg.c | 49 +-
drivers/scsi/sr.c | 11 +-
drivers/scsi/sr.h | 1 -
drivers/soc/qcom/llcc-qcom.c | 2 +-
drivers/soc/qcom/ocmem.c | 24 +-
drivers/soc/qcom/qcom_aoss.c | 2 +-
drivers/soc/tegra/cbb/tegra234-cbb.c | 4 +
drivers/soundwire/bus.c | 8 +-
drivers/soundwire/cadence_master.c | 8 +
drivers/spi/spi-fsl-qspi.c | 3 +-
drivers/spi/spi-hisi-kunpeng.c | 12 +-
drivers/spi/spi-mtk-snfi.c | 14 +
drivers/spi/spi-rockchip.c | 3 +-
drivers/spi/spi-sifive.c | 29 +-
drivers/spi/spi-st-ssc4.c | 76 ++-
drivers/target/target_core_sbc.c | 3 +-
drivers/thermal/spear_thermal.c | 2 +-
drivers/tty/hvc/hvc_iucv.c | 2 +-
drivers/vhost/net.c | 4 +-
drivers/video/backlight/sky81452-backlight.c | 3 +
drivers/video/fbdev/matrox/g450_pll.c | 2 +-
drivers/video/fbdev/offb.c | 7 +-
fs/adfs/super.c | 3 +
fs/btrfs/inode.c | 36 +-
fs/btrfs/space-info.c | 8 +-
fs/btrfs/sysfs.c | 5 +-
fs/btrfs/sysfs.h | 3 +-
fs/ceph/xattr.c | 1 +
fs/debugfs/file.c | 7 +-
fs/f2fs/f2fs.h | 3 +
fs/f2fs/inline.c | 13 +-
fs/f2fs/super.c | 11 +
fs/f2fs/sysfs.c | 52 +-
fs/gfs2/inode.c | 3 +-
fs/gfs2/log.c | 33 +-
fs/netfs/iterator.c | 13 +-
fs/nfs/blocklayout/blocklayout.c | 4 +-
fs/nilfs2/ioctl.c | 6 +
fs/ntfs3/dir.c | 5 +-
fs/ntfs3/fsntfs.c | 4 +-
fs/ntfs3/inode.c | 13 +-
fs/ntfs3/namei.c | 17 +-
fs/ntfs3/super.c | 7 +-
fs/ntfs3/xattr.c | 5 +-
fs/ocfs2/dlm/dlmdomain.c | 10 +-
fs/ocfs2/ioctl.c | 18 +-
fs/ocfs2/resize.c | 12 +-
fs/ocfs2/xattr.c | 4 +-
fs/omfs/inode.c | 6 +
fs/pstore/ram_core.c | 4 +
fs/quota/dquot.c | 38 +-
fs/smb/client/ioctl.c | 2 +-
fs/smb/client/smb2file.c | 27 +-
fs/smb/client/smb2pdu.h | 2 +-
fs/smb/client/smb2transport.c | 32 +-
fs/smb/server/auth.c | 17 +-
fs/smb/server/connection.c | 9 +
fs/smb/server/ksmbd_netlink.h | 17 +
fs/smb/server/mgmt/user_config.c | 39 +-
fs/smb/server/mgmt/user_config.h | 5 +-
fs/smb/server/mgmt/user_session.c | 12 +-
fs/smb/server/smb2pdu.c | 2 +
fs/smb/server/smb_common.c | 15 +-
fs/smb/server/smbacl.c | 66 +-
fs/smb/server/transport_ipc.c | 80 ++-
fs/smb/server/transport_ipc.h | 2 +
fs/smb/server/transport_rdma.c | 4 +-
fs/tracefs/event_inode.c | 2 +-
include/dt-bindings/clock/qcom,dispcc-sc7180.h | 7 +-
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 5 +
include/linux/cdrom.h | 1 +
include/linux/cpuhotplug.h | 1 -
include/linux/dev_printk.h | 8 +
include/linux/dmi.h | 5 +
include/linux/moduleparam.h | 11 +-
include/linux/padata.h | 8 +-
include/linux/ppp_defs.h | 16 +
include/linux/printk.h | 5 +-
include/linux/quotaops.h | 9 +-
include/linux/spinlock_up.h | 20 +-
include/net/bond_3ad.h | 3 +-
include/net/bond_options.h | 2 +
include/net/bonding.h | 3 +
include/net/ipv6.h | 6 -
include/net/pie.h | 2 +-
include/net/route.h | 6 -
include/net/udp_tunnel.h | 15 +
include/trace/events/timer.h | 11 +-
include/uapi/linux/bpf.h | 2 +
include/uapi/linux/if_link.h | 3 +
include/uapi/linux/mii.h | 3 +-
io_uring/io-wq.c | 3 +-
kernel/audit.c | 4 +
kernel/auditsc.c | 2 +-
kernel/bpf/arraymap.c | 4 +-
kernel/bpf/bpf_lsm.c | 1 -
kernel/bpf/core.c | 2 +
kernel/bpf/devmap.c | 8 +-
kernel/bpf/hashtab.c | 2 +-
kernel/bpf/helpers.c | 17 +-
kernel/bpf/local_storage.c | 2 +-
kernel/bpf/verifier.c | 5 +-
kernel/cgroup/cgroup.c | 24 +-
kernel/cgroup/rdma.c | 2 +-
kernel/fork.c | 11 +-
kernel/futex/requeue.c | 13 +-
kernel/module/main.c | 4 +-
kernel/padata.c | 130 ++--
kernel/params.c | 42 +-
kernel/time/hrtimer.c | 56 +-
kernel/trace/trace_branch.c | 8 +-
kernel/trace/trace_events_hist.c | 12 +-
kernel/workqueue.c | 4 +-
net/bluetooth/hci_event.c | 3 -
net/bluetooth/l2cap_core.c | 8 +-
net/bpf/test_run.c | 63 +-
net/ceph/crush/crush.c | 6 +-
net/ceph/osdmap.c | 14 +-
net/core/filter.c | 4 +-
net/core/neighbour.c | 34 +-
net/ipv4/netfilter/arp_tables.c | 18 +-
net/ipv4/netfilter/arpt_mangle.c | 8 +
net/ipv4/nexthop.c | 4 +-
net/ipv4/route.c | 48 --
net/ipv4/tcp.c | 18 +-
net/ipv4/tcp_input.c | 2 +-
net/ipv4/tcp_output.c | 13 +-
net/ipv4/tcp_plb.c | 2 +-
net/ipv4/udp_tunnel_core.c | 48 ++
net/ipv6/icmp.c | 10 +-
net/ipv6/ip6_output.c | 68 --
net/ipv6/ip6_udp_tunnel.c | 69 ++
net/mptcp/fastopen.c | 28 +-
net/mptcp/pm_netlink.c | 26 +-
net/mptcp/protocol.c | 4 +-
net/mptcp/protocol.h | 5 +-
net/mptcp/subflow.c | 3 -
net/netfilter/ipvs/ip_vs_xmit.c | 19 +-
net/netfilter/nf_conntrack_proto_sctp.c | 10 +-
net/netfilter/nf_conntrack_sip.c | 160 +++--
net/netfilter/nf_nat_amanda.c | 2 +-
net/netfilter/nf_nat_sip.c | 34 +-
net/netfilter/nf_tables_api.c | 28 +-
net/netfilter/nfnetlink_osf.c | 45 +-
net/netfilter/nft_ct.c | 2 +
net/netfilter/nft_fwd_netdev.c | 10 +
net/netfilter/nft_osf.c | 6 +-
net/netfilter/xt_mac.c | 34 +-
net/netfilter/xt_owner.c | 37 +-
net/netfilter/xt_physdev.c | 29 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_socket.c | 23 +-
net/openvswitch/datapath.c | 35 +-
net/openvswitch/vport.c | 3 +
net/rds/af_rds.c | 10 +-
net/rds/connection.c | 14 +
net/rds/ib.c | 24 +-
net/rds/ib.h | 1 +
net/rds/ib_rdma.c | 2 +-
net/sched/act_ct.c | 8 +-
net/sched/sch_cake.c | 15 +-
net/sched/sch_choke.c | 26 +-
net/sched/sch_fq_codel.c | 3 +-
net/sched/sch_fq_pie.c | 19 +-
net/sched/sch_hhf.c | 19 +-
net/sched/sch_netem.c | 76 ++-
net/sched/sch_pie.c | 52 +-
net/sched/sch_red.c | 31 +-
net/sched/sch_sfb.c | 54 +-
net/sched/sch_taprio.c | 22 +-
net/sctp/inqueue.c | 1 +
net/sctp/sm_statefuns.c | 6 +
net/sctp/socket.c | 2 +-
net/tipc/msg.c | 14 +-
net/tls/tls.h | 1 +
net/tls/tls_strp.c | 6 +
net/tls/tls_sw.c | 4 +
net/unix/af_unix.c | 9 +-
net/unix/unix_bpf.c | 3 +
rust/uapi/uapi_helper.h | 2 +
security/integrity/ima/ima_crypto.c | 2 +-
sound/core/compress_offload.c | 7 -
sound/core/sound.c | 7 +
sound/isa/sc6000.c | 285 ++++----
sound/pci/hda/patch_conexant.c | 34 +-
sound/pci/hda/patch_realtek.c | 4 +-
sound/soc/codecs/ab8500-codec.c | 6 +-
sound/soc/fsl/fsl_easrc.c | 123 +++-
sound/soc/fsl/fsl_micfil.c | 60 +-
sound/soc/fsl/fsl_xcvr.c | 22 +-
sound/soc/qcom/qdsp6/topology.c | 8 +-
sound/soc/sh/rcar/core.c | 2 +-
sound/soc/sof/compress.c | 8 +-
sound/soc/sof/intel/hda-dai.c | 29 +-
sound/soc/sof/intel/hda-stream.c | 10 +-
sound/soc/sof/sof-priv.h | 2 +
sound/soc/sti/uniperif_player.c | 9 +-
sound/usb/midi.c | 12 +-
sound/usb/midi2.c | 12 +-
sound/usb/mixer_scarlett2.c | 2 +-
sound/usb/quirks.c | 2 +-
sound/usb/stream.c | 58 +-
sound/usb/stream.h | 3 +-
tools/include/uapi/linux/bpf.h | 2 +
tools/lib/bpf/relo_core.c | 2 +
tools/perf/builtin-lock.c | 2 +-
tools/perf/util/branch.h | 3 +
tools/perf/util/cs-etm-decoder/cs-etm-decoder.c | 51 +-
tools/perf/util/expr.c | 3 +-
tools/perf/util/symbol-elf.c | 8 +-
tools/perf/util/util.h | 1 -
tools/testing/ktest/ktest.pl | 35 +-
tools/testing/selftests/bpf/prog_tests/snprintf.c | 3 +-
tools/testing/selftests/cgroup/test_memcontrol.c | 11 +-
tools/testing/selftests/mm/migration.c | 3 +-
.../testing/selftests/powerpc/benchmarks/Makefile | 4 +-
tools/testing/selftests/powerpc/copyloops/Makefile | 20 +-
tools/testing/selftests/powerpc/nx-gzip/Makefile | 4 +-
tools/testing/selftests/powerpc/pmu/ebb/Makefile | 20 +-
.../powerpc/pmu/event_code_tests/Makefile | 4 +-
.../selftests/powerpc/pmu/sampling_tests/Makefile | 4 +-
.../testing/selftests/powerpc/primitives/Makefile | 4 +-
tools/testing/selftests/powerpc/security/Makefile | 4 +-
tools/testing/selftests/powerpc/signal/Makefile | 3 +-
.../testing/selftests/powerpc/stringloops/Makefile | 10 +-
.../selftests/powerpc/switch_endian/Makefile | 4 +-
tools/testing/selftests/powerpc/syscalls/Makefile | 4 +-
tools/testing/selftests/powerpc/vphn/Makefile | 4 +-
virt/kvm/dirty_ring.c | 3 +-
492 files changed, 5183 insertions(+), 3404 deletions(-)
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 001/508] blk-cgroup: wait for blkcg cleanup before initializing new disk
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 002/508] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
` (508 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Zhang, Ming Lei,
Christoph Hellwig, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 3dbaacf6ab68f81e3375fe769a2ecdbd3ce386fd ]
When a queue is shared across disk rebind (e.g., SCSI unbind/bind), the
previous disk's blkcg state is cleaned up asynchronously via
disk_release() -> blkcg_exit_disk(). If the new disk's blkcg_init_disk()
runs before that cleanup finishes, we may overwrite q->root_blkg while
the old one is still alive, and radix_tree_insert() in blkg_create()
fails with -EEXIST because the old blkg entries still occupy the same
queue id slot in blkcg->blkg_tree. This causes the sd probe to fail
with -ENOMEM.
Fix it by waiting in blkcg_init_disk() for root_blkg to become NULL,
which indicates the previous disk's blkcg cleanup has completed.
Fixes: 1059699f87eb ("block: move blkcg initialization/destroy into disk allocation/release handler")
Cc: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260311032837.2368714-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-cgroup.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 75e9d5a9d707c..40c9d5805b88b 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -24,6 +24,7 @@
#include <linux/backing-dev.h>
#include <linux/slab.h>
#include <linux/delay.h>
+#include <linux/wait_bit.h>
#include <linux/atomic.h>
#include <linux/ctype.h>
#include <linux/resume_user_mode.h>
@@ -618,6 +619,8 @@ static void blkg_destroy_all(struct gendisk *disk)
q->root_blkg = NULL;
spin_unlock_irq(&q->queue_lock);
+
+ wake_up_var(&q->root_blkg);
}
static void blkg_iostat_set(struct blkg_iostat *dst, struct blkg_iostat *src)
@@ -1459,6 +1462,18 @@ int blkcg_init_disk(struct gendisk *disk)
bool preloaded;
int ret;
+ /*
+ * If the queue is shared across disk rebind (e.g., SCSI), the
+ * previous disk's blkcg state is cleaned up asynchronously via
+ * disk_release() -> blkcg_exit_disk(). Wait for that cleanup to
+ * finish (indicated by root_blkg becoming NULL) before setting up
+ * new blkcg state. Otherwise, we may overwrite q->root_blkg while
+ * the old one is still alive, and radix_tree_insert() in
+ * blkg_create() will fail with -EEXIST because the old entries
+ * still occupy the same queue id slot in blkcg->blkg_tree.
+ */
+ wait_var_event(&q->root_blkg, !READ_ONCE(q->root_blkg));
+
new_blkg = blkg_alloc(&blkcg_root, disk, GFP_KERNEL);
if (!new_blkg)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 002/508] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 001/508] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 003/508] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
` (507 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyungjung Joo, Christian Brauner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyungJung Joo <jhj140711@gmail.com>
[ Upstream commit 0621c385fda1376e967f37ccd534c26c3e511d14 ]
omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).
Later, omfs_make_empty() uses
sbi->s_sys_blocksize - OMFS_DIR_START
as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.
Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.
Fixes: a3ab7155ea21 ("omfs: add directory routines")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054827.1822061-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/omfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 2f8c1882f45c8..60ef691aeb702 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -514,6 +514,12 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent)
goto out_brelse_bh;
}
+ if (sbi->s_sys_blocksize < OMFS_DIR_START) {
+ printk(KERN_ERR "omfs: sysblock size (%d) is too small\n",
+ sbi->s_sys_blocksize);
+ goto out_brelse_bh;
+ }
+
if (sbi->s_blocksize < sbi->s_sys_blocksize ||
sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) {
printk(KERN_ERR "omfs: block size (%d) is out of range\n",
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 003/508] drbd: Balance RCU calls in drbd_adm_dump_devices()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 001/508] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 002/508] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 004/508] loop: fix partition scan race between udev and loop_reread_partitions() Greg Kroah-Hartman
` (506 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Böhmwalder,
Christoph Hellwig, Andreas Gruenbacher, Bart Van Assche,
Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 2b31e86387e60b3689339f0f0fbb4d3623d9d494 ]
Make drbd_adm_dump_devices() call rcu_read_lock() before
rcu_read_unlock() is called. This has been detected by the Clang
thread-safety analyzer.
Tested-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Fixes: a55bbd375d18 ("drbd: Backport the "status" command")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260326214054.284593-1-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/drbd/drbd_nl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index d3538bd83fb3b..1ba81a5e77215 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -3368,8 +3368,10 @@ int drbd_adm_dump_devices(struct sk_buff *skb, struct netlink_callback *cb)
if (resource_filter) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
- if (!resource)
+ if (!resource) {
+ rcu_read_lock();
goto put_result;
+ }
cb->args[0] = (long)resource;
}
}
@@ -3618,8 +3620,10 @@ int drbd_adm_dump_peer_devices(struct sk_buff *skb, struct netlink_callback *cb)
if (resource_filter) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
- if (!resource)
+ if (!resource) {
+ rcu_read_lock();
goto put_result;
+ }
}
cb->args[0] = (long)resource;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 004/508] loop: fix partition scan race between udev and loop_reread_partitions()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 003/508] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 005/508] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
` (505 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daan De Meyer, Christian Brauner,
Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daan De Meyer <daan.j.demeyer@gmail.com>
[ Upstream commit 267ec4d7223a783f029a980f41b93c39b17996da ]
When LOOP_CONFIGURE is called with LO_FLAGS_PARTSCAN, the following
sequence occurs:
1. disk_force_media_change() sets GD_NEED_PART_SCAN
2. Uevent suppression is lifted and a KOBJ_CHANGE uevent is sent
3. loop_global_unlock() releases the lock
4. loop_reread_partitions() calls bdev_disk_changed() to scan
There is a race between steps 2 and 4: when udev receives the uevent
and opens the device before loop_reread_partitions() runs,
blkdev_get_whole() in bdev.c sees GD_NEED_PART_SCAN set and calls
bdev_disk_changed() for a first scan. Then loop_reread_partitions()
does a second scan. The open_mutex serializes these two scans, but
does not prevent both from running.
The second scan in bdev_disk_changed() drops all partition devices
from the first scan (via blk_drop_partitions()) before re-adding
them, causing partition block devices to briefly disappear. This
breaks any systemd unit with BindsTo= on the partition device: systemd
observes the device going dead, fails the dependent units, and does
not retry them when the device reappears.
Fix this by removing the GD_NEED_PART_SCAN set from
disk_force_media_change() entirely. None of the current callers need
the lazy on-open partition scan triggered by this flag:
- floppy: sets GENHD_FL_NO_PART, so disk_has_partscan() is always
false and GD_NEED_PART_SCAN has no effect.
- loop (loop_configure, loop_change_fd): when LO_FLAGS_PARTSCAN is
set, loop_reread_partitions() performs an explicit scan. When not
set, GD_SUPPRESS_PART_SCAN prevents the lazy scan path.
- loop (__loop_clr_fd): calls bdev_disk_changed() explicitly if
LO_FLAGS_PARTSCAN is set.
- nbd (nbd_clear_sock_ioctl): capacity is set to zero immediately
after; nbd manages GD_NEED_PART_SCAN explicitly elsewhere.
With GD_NEED_PART_SCAN no longer set by disk_force_media_change(),
udev opening the loop device after the uevent no longer triggers a
redundant scan in blkdev_get_whole(), and only the single explicit
scan from loop_reread_partitions() runs.
A regression test for this bug has been submitted to blktests:
https://github.com/linux-blktests/blktests/pull/240.
Fixes: 9f65c489b68d ("loop: raise media_change event")
Signed-off-by: Daan De Meyer <daan@amutable.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Link: https://patch.msgid.link/20260331105130.1077599-1-daan@amutable.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/disk-events.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/disk-events.c b/block/disk-events.c
index 13c3372c465a3..6987e4dd8d417 100644
--- a/block/disk-events.c
+++ b/block/disk-events.c
@@ -294,13 +294,14 @@ EXPORT_SYMBOL(disk_check_media_change);
* Should be called when the media changes for @disk. Generates a uevent
* and attempts to free all dentries and inodes and invalidates all block
* device page cache entries in that case.
+ *
+ * Callers that need a partition re-scan should arrange for one explicitly.
*/
void disk_force_media_change(struct gendisk *disk)
{
disk_event_uevent(disk, DISK_EVENT_MEDIA_CHANGE);
inc_diskseq(disk);
bdev_mark_dead(disk->part0, true);
- set_bit(GD_NEED_PART_SCAN, &disk->state);
}
EXPORT_SYMBOL_GPL(disk_force_media_change);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 005/508] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 004/508] loop: fix partition scan race between udev and loop_reread_partitions() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 006/508] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Greg Kroah-Hartman
` (504 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+98a040252119df0506f8,
Ryusuke Konishi, Deepanshu Kartikey, syzbot+466a45fcfb0562f5b9a0,
Junjie Cao, Viacheslav Dubeyko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit be3e5d10643d3be1cbac9d9939f220a99253f980 ]
nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks
by comparing it with the current block number bd_blocknr. If they differ,
the block is considered dead and skipped.
However, bd_oblocknr should never be 0 since block 0 typically stores the
primary superblock and is never a valid GC target block. A corrupted ioctl
request with bd_oblocknr set to 0 causes the comparison to incorrectly
match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing
the dead block check and calling nilfs_bmap_mark() on a non-existent
block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering
the WARN_ON(ret == -ENOENT).
Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the
beginning of each iteration.
[ryusuke: slightly modified the commit message and comments for accuracy]
Fixes: 7942b919f732 ("nilfs2: ioctl operations")
Reported-by: syzbot+98a040252119df0506f8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=98a040252119df0506f8
Suggested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Reported-by: syzbot+466a45fcfb0562f5b9a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=466a45fcfb0562f5b9a0
Cc: Junjie Cao <junjie.cao@linux.dev>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/ioctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 53022bfe0b72d..1a6868afa9143 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -751,6 +751,12 @@ static int nilfs_ioctl_mark_blocks_dirty(struct the_nilfs *nilfs,
int ret, i;
for (i = 0; i < nmembs; i++) {
+ /*
+ * bd_oblocknr must never be 0 as block 0
+ * is never a valid GC target block
+ */
+ if (unlikely(!bdescs[i].bd_oblocknr))
+ return -EINVAL;
/* XXX: use macro or inline func to check liveness */
ret = nilfs_bmap_lookup_at_level(bmap,
bdescs[i].bd_offset,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 006/508] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 005/508] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 007/508] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
` (503 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jackie Liu, Tejun Heo,
Christoph Hellwig, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jackie Liu <liuyun01@kylinos.cn>
[ Upstream commit 23308af722fefed00af5f238024c11710938fba3 ]
Add the missing put_disk() on the error path in
blkcg_maybe_throttle_current(). When blkcg lookup, blkg lookup, or
blkg_tryget() fails, the function jumps to the out label which only
calls rcu_read_unlock() but does not release the disk reference acquired
by blkcg_schedule_throttle() via get_device(). Since current->throttle_disk
is already set to NULL before the lookup, blkcg_exit() cannot release
this reference either, causing the disk to never be freed.
Restore the reference release that was present as blk_put_queue() in the
original code but was inadvertently dropped during the conversion from
request_queue to gendisk.
Fixes: f05837ed73d0 ("blk-cgroup: store a gendisk to throttle in struct task_struct")
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260331085054.46857-1-liu.yun@linux.dev
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-cgroup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 40c9d5805b88b..4ac2f53e7f51f 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -1993,6 +1993,7 @@ void blkcg_maybe_throttle_current(void)
return;
out:
rcu_read_unlock();
+ put_disk(disk);
}
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 007/508] pstore/ram: fix resource leak when ioremap() fails
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 006/508] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 008/508] ACPI: x86: cmos_rtc: Clean up address space handler driver Greg Kroah-Hartman
` (502 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cole Leavitt, Kees Cook, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 2ddb69f686ef7a621645e97fc7329c50edf5d0e5 ]
In persistent_ram_iomap(), ioremap() or ioremap_wc() may return NULL on
failure. Currently, if this happens, the function returns NULL without
releasing the memory region acquired by request_mem_region().
This leads to a resource leak where the memory region remains reserved
but unusable.
Additionally, the caller persistent_ram_buffer_map() handles NULL
correctly by returning -ENOMEM, but without this check, a NULL return
combined with request_mem_region() succeeding leaves resources in an
inconsistent state.
This is the ioremap() counterpart to commit 05363abc7625 ("pstore:
ram_core: fix incorrect success return when vmap() fails") which fixed
a similar issue in the vmap() path.
Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory")
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Link: https://patch.msgid.link/20260225235406.11790-1-cole@unwrap.rs
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/ram_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index 7b6d6378a3b87..95675d4bab141 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -489,6 +489,10 @@ static void *persistent_ram_iomap(phys_addr_t start, size_t size,
else
va = ioremap_wc(start, size);
+ /* We must release the mem region if ioremap fails. */
+ if (!va)
+ release_mem_region(start, size);
+
/*
* Since request_mem_region() and ioremap() are byte-granularity
* there is no need handle anything special like we do when the
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 008/508] ACPI: x86: cmos_rtc: Clean up address space handler driver
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 007/508] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 009/508] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver Greg Kroah-Hartman
` (501 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit ba0b236736dde4059bdcb8e99beaa50d6e5b6e7e ]
Make multiple changes that do not alter functionality to the CMOS RTC
ACPI address space handler driver, including the following:
- Drop the unused .detach() callback from cmos_rtc_handler.
- Rename acpi_cmos_rtc_attach_handler() to acpi_cmos_rtc_attach().
- Rearrange acpi_cmos_rtc_space_handler() to reduce the number of
redundant checks and make white space follow the coding style.
- Adjust an error message in acpi_install_cmos_rtc_space_handler()
and make the white space follow the coding style.
- Rearrange acpi_remove_cmos_rtc_space_handler() and adjust an error
message in it.
No intentional functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5094429.31r3eYUQgx@rafael.j.wysocki
Stable-dep-of: 6cee29ad9d7e ("ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_cmos_rtc.c | 61 +++++++++++++++++++-----------------
1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/drivers/acpi/acpi_cmos_rtc.c b/drivers/acpi/acpi_cmos_rtc.c
index 9b55d1593d160..65e89e23c5c84 100644
--- a/drivers/acpi/acpi_cmos_rtc.c
+++ b/drivers/acpi/acpi_cmos_rtc.c
@@ -24,31 +24,35 @@ static const struct acpi_device_id acpi_cmos_rtc_ids[] = {
{}
};
-static acpi_status
-acpi_cmos_rtc_space_handler(u32 function, acpi_physical_address address,
- u32 bits, u64 *value64,
- void *handler_context, void *region_context)
+static acpi_status acpi_cmos_rtc_space_handler(u32 function,
+ acpi_physical_address address,
+ u32 bits, u64 *value64,
+ void *handler_context,
+ void *region_context)
{
- int i;
+ unsigned int i, bytes = DIV_ROUND_UP(bits, 8);
u8 *value = (u8 *)value64;
if (address > 0xff || !value64)
return AE_BAD_PARAMETER;
- if (function != ACPI_WRITE && function != ACPI_READ)
- return AE_BAD_PARAMETER;
+ guard(spinlock_irq)(&rtc_lock);
+
+ if (function == ACPI_WRITE) {
+ for (i = 0; i < bytes; i++, address++, value++)
+ CMOS_WRITE(*value, address);
- spin_lock_irq(&rtc_lock);
+ return AE_OK;
+ }
- for (i = 0; i < DIV_ROUND_UP(bits, 8); ++i, ++address, ++value)
- if (function == ACPI_READ)
+ if (function == ACPI_READ) {
+ for (i = 0; i < bytes; i++, address++, value++)
*value = CMOS_READ(address);
- else
- CMOS_WRITE(*value, address);
- spin_unlock_irq(&rtc_lock);
+ return AE_OK;
+ }
- return AE_OK;
+ return AE_BAD_PARAMETER;
}
int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
@@ -56,11 +60,11 @@ int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
acpi_status status;
status = acpi_install_address_space_handler(handle,
- ACPI_ADR_SPACE_CMOS,
- &acpi_cmos_rtc_space_handler,
- NULL, NULL);
+ ACPI_ADR_SPACE_CMOS,
+ acpi_cmos_rtc_space_handler,
+ NULL, NULL);
if (ACPI_FAILURE(status)) {
- pr_err("Error installing CMOS-RTC region handler\n");
+ pr_err("Failed to install CMOS-RTC address space handler\n");
return -ENODEV;
}
@@ -70,26 +74,25 @@ EXPORT_SYMBOL_GPL(acpi_install_cmos_rtc_space_handler);
void acpi_remove_cmos_rtc_space_handler(acpi_handle handle)
{
- if (ACPI_FAILURE(acpi_remove_address_space_handler(handle,
- ACPI_ADR_SPACE_CMOS, &acpi_cmos_rtc_space_handler)))
- pr_err("Error removing CMOS-RTC region handler\n");
+ acpi_status status;
+
+ status = acpi_remove_address_space_handler(handle,
+ ACPI_ADR_SPACE_CMOS,
+ acpi_cmos_rtc_space_handler);
+ if (ACPI_FAILURE(status))
+ pr_err("Failed to remove CMOS-RTC address space handler\n");
}
EXPORT_SYMBOL_GPL(acpi_remove_cmos_rtc_space_handler);
-static int acpi_cmos_rtc_attach_handler(struct acpi_device *adev, const struct acpi_device_id *id)
+static int acpi_cmos_rtc_attach(struct acpi_device *adev,
+ const struct acpi_device_id *id)
{
return acpi_install_cmos_rtc_space_handler(adev->handle);
}
-static void acpi_cmos_rtc_detach_handler(struct acpi_device *adev)
-{
- acpi_remove_cmos_rtc_space_handler(adev->handle);
-}
-
static struct acpi_scan_handler cmos_rtc_handler = {
.ids = acpi_cmos_rtc_ids,
- .attach = acpi_cmos_rtc_attach_handler,
- .detach = acpi_cmos_rtc_detach_handler,
+ .attach = acpi_cmos_rtc_attach,
};
void __init acpi_cmos_rtc_init(void)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 009/508] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 008/508] ACPI: x86: cmos_rtc: Clean up address space handler driver Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 010/508] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
` (500 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 6cee29ad9d7e400d39ae0b1a54447fedcb62eecd ]
If a CMOS RTC (PNP0B00/PNP0B01/PNP0B02) device coexists with an ACPI
TAD (timer and event alarm device, ACPI000E), the ACPI TAD driver will
attempt to install the CMOS RTC address space hanlder that has been
installed already and the TAD probing will fail.
Avoid that by changing acpi_install_cmos_rtc_space_handler() to return
zero and acpi_remove_cmos_rtc_space_handler() to do nothing if the CMOS
RTC address space handler has been installed already.
Fixes: 596ca52a56da ("ACPI: TAD: Install SystemCMOS address space handler for ACPI000E")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2415111.ElGaqSPkdT@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_cmos_rtc.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/acpi_cmos_rtc.c b/drivers/acpi/acpi_cmos_rtc.c
index 65e89e23c5c84..594753203fdf0 100644
--- a/drivers/acpi/acpi_cmos_rtc.c
+++ b/drivers/acpi/acpi_cmos_rtc.c
@@ -24,6 +24,8 @@ static const struct acpi_device_id acpi_cmos_rtc_ids[] = {
{}
};
+static bool cmos_rtc_space_handler_present __read_mostly;
+
static acpi_status acpi_cmos_rtc_space_handler(u32 function,
acpi_physical_address address,
u32 bits, u64 *value64,
@@ -59,6 +61,9 @@ int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
{
acpi_status status;
+ if (cmos_rtc_space_handler_present)
+ return 0;
+
status = acpi_install_address_space_handler(handle,
ACPI_ADR_SPACE_CMOS,
acpi_cmos_rtc_space_handler,
@@ -68,6 +73,8 @@ int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
return -ENODEV;
}
+ cmos_rtc_space_handler_present = true;
+
return 1;
}
EXPORT_SYMBOL_GPL(acpi_install_cmos_rtc_space_handler);
@@ -76,6 +83,9 @@ void acpi_remove_cmos_rtc_space_handler(acpi_handle handle)
{
acpi_status status;
+ if (cmos_rtc_space_handler_present)
+ return;
+
status = acpi_remove_address_space_handler(handle,
ACPI_ADR_SPACE_CMOS,
acpi_cmos_rtc_space_handler);
@@ -87,7 +97,13 @@ EXPORT_SYMBOL_GPL(acpi_remove_cmos_rtc_space_handler);
static int acpi_cmos_rtc_attach(struct acpi_device *adev,
const struct acpi_device_id *id)
{
- return acpi_install_cmos_rtc_space_handler(adev->handle);
+ int ret;
+
+ ret = acpi_install_cmos_rtc_space_handler(adev->handle);
+ if (ret < 0)
+ return ret;
+
+ return 1;
}
static struct acpi_scan_handler cmos_rtc_handler = {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 010/508] devres: fix missing node debug info in devm_krealloc()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 009/508] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 011/508] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
` (499 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Danilo Krummrich, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit f813ec9e84b4d0ca81ec1da94ab07bfb4a29266c ]
Fix missing call to set_node_dbginfo() for new devres nodes created by
devm_krealloc().
Fixes: f82485722e5d ("devres: provide devm_krealloc()")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20260202235210.55176-2-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/devres.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 8a0f000221271..8069b7ca26fbc 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -913,6 +913,8 @@ void *devm_krealloc(struct device *dev, void *ptr, size_t new_size, gfp_t gfp)
if (!new_dr)
return NULL;
+ set_node_dbginfo(&new_dr->node, "devm_krealloc_release", new_size);
+
/*
* The spinlock protects the linked list against concurrent
* modifications but not the resource itself.
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 011/508] thermal/drivers/spear: Fix error condition for reading st,thermal-flags
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 010/508] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 012/508] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
` (498 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gopi Krishna Menon, Daniel Lezcano,
Daniel Baluta, Lukasz Luba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gopi Krishna Menon <krishnagopi487@gmail.com>
[ Upstream commit da2c4f332a0504d9c284e7626a561d343c8d6f57 ]
of_property_read_u32 returns 0 on success. The current check returns
-EINVAL if the property is read successfully.
Fix the check by removing ! from of_property_read_u32
Fixes: b9c7aff481f1 ("drivers/thermal/spear_thermal.c: add Device Tree probing capability")
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Suggested-by: Daniel Baluta <daniel.baluta@nxp.com>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Link: https://patch.msgid.link/20260327090526.59330-1-krishnagopi487@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/spear_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/thermal/spear_thermal.c b/drivers/thermal/spear_thermal.c
index 96d99289799a1..a935002c2bdbe 100644
--- a/drivers/thermal/spear_thermal.c
+++ b/drivers/thermal/spear_thermal.c
@@ -93,7 +93,7 @@ static int spear_thermal_probe(struct platform_device *pdev)
struct device_node *np = pdev->dev.of_node;
int ret = 0, val;
- if (!np || !of_property_read_u32(np, "st,thermal-flags", &val)) {
+ if (!np || of_property_read_u32(np, "st,thermal-flags", &val)) {
dev_err(&pdev->dev, "Failed: DT Pdata not passed\n");
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 012/508] debugfs: check for NULL pointer in debugfs_create_str()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 011/508] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 013/508] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() Greg Kroah-Hartman
` (497 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, yangshiguang, Gui-Dong Han,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 31de83980d3764d784f79ff1bc93c42b324f4013 ]
Passing a NULL pointer to debugfs_create_str() leads to a NULL pointer
dereference when the debugfs file is read. Following upstream
discussions, forbid the creation of debugfs string files with NULL
pointers. Add a WARN_ON() to expose offending callers and return early.
Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
Reported-by: yangshiguang <yangshiguang@xiaomi.com>
Closes: https://lore.kernel.org/lkml/2025122221-gag-malt-75ba@gregkh/
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260323085930.88894-2-hanguidong02@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/debugfs/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index e40229c47fe58..3089d7146f366 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -987,7 +987,7 @@ static const struct file_operations fops_str_wo = {
* directory dentry if set. If this parameter is %NULL, then the
* file will be created in the root of the debugfs filesystem.
* @value: a pointer to the variable that the file should read to and write
- * from.
+ * from. This pointer and the string it points to must not be %NULL.
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @value. If the @mode variable is so
@@ -996,6 +996,9 @@ static const struct file_operations fops_str_wo = {
void debugfs_create_str(const char *name, umode_t mode,
struct dentry *parent, char **value)
{
+ if (WARN_ON(!value || !*value))
+ return;
+
debugfs_create_mode_unsafe(name, mode, parent, value, &fops_str,
&fops_str_ro, &fops_str_wo);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 013/508] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 012/508] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 014/508] s390/cio: make sch->lock spinlock pointer a member Greg Kroah-Hartman
` (496 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 4afc929c0f74c4f22b055a82b371d50586da58ca ]
The EXPORT_SYMBOL_GPL() for debugfs_create_str was placed incorrectly
away from the function definition. Move it immediately below the
debugfs_create_str() function where it belongs.
Fixes: d60b59b96795 ("debugfs: Export debugfs_create_str symbol")
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260323085930.88894-3-hanguidong02@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/debugfs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 3089d7146f366..a9097a6c7b5a3 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -907,7 +907,6 @@ ssize_t debugfs_read_file_str(struct file *file, char __user *user_buf,
return ret;
}
-EXPORT_SYMBOL_GPL(debugfs_create_str);
static ssize_t debugfs_write_file_str(struct file *file, const char __user *user_buf,
size_t count, loff_t *ppos)
@@ -1002,6 +1001,7 @@ void debugfs_create_str(const char *name, umode_t mode,
debugfs_create_mode_unsafe(name, mode, parent, value, &fops_str,
&fops_str_ro, &fops_str_wo);
}
+EXPORT_SYMBOL_GPL(debugfs_create_str);
static ssize_t read_file_blob(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 014/508] s390/cio: make sch->lock spinlock pointer a member
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 013/508] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 015/508] s390/cio: convert sprintf()/snprintf() to sysfs_emit() Greg Kroah-Hartman
` (495 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Halil Pasic, Vineeth Vijayan,
Vasily Gorbik, Alexander Gordeev, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Halil Pasic <pasic@linux.ibm.com>
[ Upstream commit b8fa3e90965eeb2f83aa637ba0d0d6fd2a524004 ]
The lock member of struct subchannel used to be a spinlock, but became
a pointer to a spinlock with commit 2ec2298412e1 ("[S390] subchannel
lock conversion."). This might have been justified back then, but with
the current state of affairs, there is no reason to manage a separate
spinlock object.
Let's simplify things and pull the spinlock back into struct subchannel.
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Link: https://lore.kernel.org/r/20231101115751.2308307-1-pasic@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Stable-dep-of: ac4d8bb6e2e1 ("s390/cio: use generic driver_override infrastructure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/chsc.c | 18 ++++-----
drivers/s390/cio/chsc_sch.c | 6 +--
drivers/s390/cio/cio.c | 6 +--
drivers/s390/cio/cio.h | 2 +-
drivers/s390/cio/css.c | 36 +++++-------------
drivers/s390/cio/device.c | 66 ++++++++++++++++-----------------
drivers/s390/cio/device_pgid.c | 12 +++---
drivers/s390/cio/eadm_sch.c | 36 +++++++++---------
drivers/s390/cio/vfio_ccw_drv.c | 8 ++--
drivers/s390/cio/vfio_ccw_fsm.c | 24 ++++++------
10 files changed, 99 insertions(+), 115 deletions(-)
diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
index 0abd77f4b6646..2988a699e3ef2 100644
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -219,16 +219,16 @@ EXPORT_SYMBOL_GPL(chsc_sadc);
static int s390_subchannel_remove_chpid(struct subchannel *sch, void *data)
{
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
if (sch->driver && sch->driver->chp_event)
if (sch->driver->chp_event(sch, data, CHP_OFFLINE) != 0)
goto out_unreg;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
return 0;
out_unreg:
sch->lpm = 0;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
css_schedule_eval(sch->schid);
return 0;
}
@@ -258,10 +258,10 @@ void chsc_chp_offline(struct chp_id chpid)
static int __s390_process_res_acc(struct subchannel *sch, void *data)
{
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
if (sch->driver && sch->driver->chp_event)
sch->driver->chp_event(sch, data, CHP_ONLINE);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
return 0;
}
@@ -292,10 +292,10 @@ static void s390_process_res_acc(struct chp_link *link)
static int process_fces_event(struct subchannel *sch, void *data)
{
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
if (sch->driver && sch->driver->chp_event)
sch->driver->chp_event(sch, data, CHP_FCES_EVENT);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
return 0;
}
@@ -769,11 +769,11 @@ static void __s390_subchannel_vary_chpid(struct subchannel *sch,
memset(&link, 0, sizeof(struct chp_link));
link.chpid = chpid;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
if (sch->driver && sch->driver->chp_event)
sch->driver->chp_event(sch, &link,
on ? CHP_VARY_ON : CHP_VARY_OFF);
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
}
static int s390_subchannel_vary_chpid_off(struct subchannel *sch, void *data)
diff --git a/drivers/s390/cio/chsc_sch.c b/drivers/s390/cio/chsc_sch.c
index 180ab899289c5..902237d0baefe 100644
--- a/drivers/s390/cio/chsc_sch.c
+++ b/drivers/s390/cio/chsc_sch.c
@@ -211,10 +211,10 @@ static int chsc_async(struct chsc_async_area *chsc_area,
chsc_area->header.key = PAGE_DEFAULT_KEY >> 4;
while ((sch = chsc_get_next_subchannel(sch))) {
- spin_lock(sch->lock);
+ spin_lock(&sch->lock);
private = dev_get_drvdata(&sch->dev);
if (private->request) {
- spin_unlock(sch->lock);
+ spin_unlock(&sch->lock);
ret = -EBUSY;
continue;
}
@@ -239,7 +239,7 @@ static int chsc_async(struct chsc_async_area *chsc_area,
default:
ret = -ENODEV;
}
- spin_unlock(sch->lock);
+ spin_unlock(&sch->lock);
CHSC_MSG(2, "chsc on 0.%x.%04x returned cc=%d\n",
sch->schid.ssid, sch->schid.sch_no, cc);
if (ret == -EINPROGRESS)
diff --git a/drivers/s390/cio/cio.c b/drivers/s390/cio/cio.c
index 81ef9002f0640..7843c69abee6c 100644
--- a/drivers/s390/cio/cio.c
+++ b/drivers/s390/cio/cio.c
@@ -550,7 +550,7 @@ static irqreturn_t do_cio_interrupt(int irq, void *dummy)
return IRQ_HANDLED;
}
sch = phys_to_virt(tpi_info->intparm);
- spin_lock(sch->lock);
+ spin_lock(&sch->lock);
/* Store interrupt response block to lowcore. */
if (tsch(tpi_info->schid, irb) == 0) {
/* Keep subchannel information word up to date. */
@@ -562,7 +562,7 @@ static irqreturn_t do_cio_interrupt(int irq, void *dummy)
inc_irq_stat(IRQIO_CIO);
} else
inc_irq_stat(IRQIO_CIO);
- spin_unlock(sch->lock);
+ spin_unlock(&sch->lock);
return IRQ_HANDLED;
}
@@ -667,7 +667,7 @@ struct subchannel *cio_probe_console(void)
if (IS_ERR(sch))
return sch;
- lockdep_set_class(sch->lock, &console_sch_key);
+ lockdep_set_class(&sch->lock, &console_sch_key);
isc_register(CONSOLE_ISC);
sch->config.isc = CONSOLE_ISC;
sch->config.intparm = (u32)virt_to_phys(sch);
diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
index fa8df50bb49e3..a9057a5b670a6 100644
--- a/drivers/s390/cio/cio.h
+++ b/drivers/s390/cio/cio.h
@@ -83,7 +83,7 @@ enum sch_todo {
/* subchannel data structure used by I/O subroutines */
struct subchannel {
struct subchannel_id schid;
- spinlock_t *lock; /* subchannel lock */
+ spinlock_t lock; /* subchannel lock */
struct mutex reg_mutex;
enum {
SUBCHANNEL_TYPE_IO = 0,
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
index e50592c3d30ca..4e63e6d45e6e1 100644
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -148,16 +148,10 @@ int for_each_subchannel_staged(int (*fn_known)(struct subchannel *, void *),
static void css_sch_todo(struct work_struct *work);
-static int css_sch_create_locks(struct subchannel *sch)
+static void css_sch_create_locks(struct subchannel *sch)
{
- sch->lock = kmalloc(sizeof(*sch->lock), GFP_KERNEL);
- if (!sch->lock)
- return -ENOMEM;
-
- spin_lock_init(sch->lock);
+ spin_lock_init(&sch->lock);
mutex_init(&sch->reg_mutex);
-
- return 0;
}
static void css_subchannel_release(struct device *dev)
@@ -167,7 +161,6 @@ static void css_subchannel_release(struct device *dev)
sch->config.intparm = 0;
cio_commit_config(sch);
kfree(sch->driver_override);
- kfree(sch->lock);
kfree(sch);
}
@@ -219,9 +212,7 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
sch->schib = *schib;
sch->st = schib->pmcw.st;
- ret = css_sch_create_locks(sch);
- if (ret)
- goto err;
+ css_sch_create_locks(sch);
INIT_WORK(&sch->todo_work, css_sch_todo);
sch->dev.release = &css_subchannel_release;
@@ -233,19 +224,17 @@ struct subchannel *css_alloc_subchannel(struct subchannel_id schid,
*/
ret = dma_set_coherent_mask(&sch->dev, DMA_BIT_MASK(31));
if (ret)
- goto err_lock;
+ goto err;
/*
* But we don't have such restrictions imposed on the stuff that
* is handled by the streaming API.
*/
ret = dma_set_mask(&sch->dev, DMA_BIT_MASK(64));
if (ret)
- goto err_lock;
+ goto err;
return sch;
-err_lock:
- kfree(sch->lock);
err:
put_device(&sch->dev);
return ERR_PTR(ret);
@@ -604,12 +593,12 @@ static void css_sch_todo(struct work_struct *work)
sch = container_of(work, struct subchannel, todo_work);
/* Find out todo. */
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
todo = sch->todo;
CIO_MSG_EVENT(4, "sch_todo: sch=0.%x.%04x, todo=%d\n", sch->schid.ssid,
sch->schid.sch_no, todo);
sch->todo = SCH_TODO_NOTHING;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
/* Perform todo. */
switch (todo) {
case SCH_TODO_NOTHING:
@@ -617,9 +606,9 @@ static void css_sch_todo(struct work_struct *work)
case SCH_TODO_EVAL:
ret = css_evaluate_known_subchannel(sch, 1);
if (ret == -EAGAIN) {
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
css_sched_sch_todo(sch, todo);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
}
break;
case SCH_TODO_UNREG:
@@ -1028,12 +1017,7 @@ static int __init setup_css(int nr)
css->pseudo_subchannel->dev.parent = &css->device;
css->pseudo_subchannel->dev.release = css_subchannel_release;
mutex_init(&css->pseudo_subchannel->reg_mutex);
- ret = css_sch_create_locks(css->pseudo_subchannel);
- if (ret) {
- kfree(css->pseudo_subchannel);
- device_unregister(&css->device);
- goto out_err;
- }
+ css_sch_create_locks(css->pseudo_subchannel);
dev_set_name(&css->pseudo_subchannel->dev, "defunct");
ret = device_register(&css->pseudo_subchannel->dev);
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index 3942aa4921769..93307ca75c10b 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -751,7 +751,7 @@ static int io_subchannel_initialize_dev(struct subchannel *sch,
mutex_init(&cdev->reg_mutex);
atomic_set(&priv->onoff, 0);
- cdev->ccwlock = sch->lock;
+ cdev->ccwlock = &sch->lock;
cdev->dev.parent = &sch->dev;
cdev->dev.release = ccw_device_release;
cdev->dev.bus = &ccw_bus_type;
@@ -767,9 +767,9 @@ static int io_subchannel_initialize_dev(struct subchannel *sch,
goto out_put;
}
priv->flags.initialized = 1;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
sch_set_cdev(sch, cdev);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
return 0;
out_put:
@@ -854,9 +854,9 @@ static void io_subchannel_register(struct ccw_device *cdev)
CIO_MSG_EVENT(0, "Could not register ccw dev 0.%x.%04x: %d\n",
cdev->private->dev_id.ssid,
cdev->private->dev_id.devno, ret);
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
sch_set_cdev(sch, NULL);
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
mutex_unlock(&cdev->reg_mutex);
/* Release initial device reference. */
put_device(&cdev->dev);
@@ -907,9 +907,9 @@ static void io_subchannel_recog(struct ccw_device *cdev, struct subchannel *sch)
atomic_inc(&ccw_device_init_count);
/* Start async. device sensing. */
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
ccw_device_recognition(cdev);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
}
static int ccw_device_move_to_sch(struct ccw_device *cdev,
@@ -924,12 +924,12 @@ static int ccw_device_move_to_sch(struct ccw_device *cdev,
return -ENODEV;
if (!sch_is_pseudo_sch(old_sch)) {
- spin_lock_irq(old_sch->lock);
+ spin_lock_irq(&old_sch->lock);
old_enabled = old_sch->schib.pmcw.ena;
rc = 0;
if (old_enabled)
rc = cio_disable_subchannel(old_sch);
- spin_unlock_irq(old_sch->lock);
+ spin_unlock_irq(&old_sch->lock);
if (rc == -EBUSY) {
/* Release child reference for new parent. */
put_device(&sch->dev);
@@ -947,9 +947,9 @@ static int ccw_device_move_to_sch(struct ccw_device *cdev,
sch->schib.pmcw.dev, rc);
if (old_enabled) {
/* Try to re-enable the old subchannel. */
- spin_lock_irq(old_sch->lock);
+ spin_lock_irq(&old_sch->lock);
cio_enable_subchannel(old_sch, (u32)virt_to_phys(old_sch));
- spin_unlock_irq(old_sch->lock);
+ spin_unlock_irq(&old_sch->lock);
}
/* Release child reference for new parent. */
put_device(&sch->dev);
@@ -957,19 +957,19 @@ static int ccw_device_move_to_sch(struct ccw_device *cdev,
}
/* Clean up old subchannel. */
if (!sch_is_pseudo_sch(old_sch)) {
- spin_lock_irq(old_sch->lock);
+ spin_lock_irq(&old_sch->lock);
sch_set_cdev(old_sch, NULL);
- spin_unlock_irq(old_sch->lock);
+ spin_unlock_irq(&old_sch->lock);
css_schedule_eval(old_sch->schid);
}
/* Release child reference for old parent. */
put_device(&old_sch->dev);
/* Initialize new subchannel. */
- spin_lock_irq(sch->lock);
- cdev->ccwlock = sch->lock;
+ spin_lock_irq(&sch->lock);
+ cdev->ccwlock = &sch->lock;
if (!sch_is_pseudo_sch(sch))
sch_set_cdev(sch, cdev);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
if (!sch_is_pseudo_sch(sch))
css_update_ssd_info(sch);
return 0;
@@ -1080,9 +1080,9 @@ static int io_subchannel_probe(struct subchannel *sch)
return 0;
out_schedule:
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
css_sched_sch_todo(sch, SCH_TODO_UNREG);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
return 0;
}
@@ -1096,10 +1096,10 @@ static void io_subchannel_remove(struct subchannel *sch)
goto out_free;
ccw_device_unregister(cdev);
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
sch_set_cdev(sch, NULL);
set_io_private(sch, NULL);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
out_free:
dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area),
io_priv->dma_area, io_priv->dma_area_dma);
@@ -1206,7 +1206,7 @@ static void io_subchannel_quiesce(struct subchannel *sch)
struct ccw_device *cdev;
int ret;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
cdev = sch_get_cdev(sch);
if (cio_is_console(sch->schid))
goto out_unlock;
@@ -1223,15 +1223,15 @@ static void io_subchannel_quiesce(struct subchannel *sch)
ret = ccw_device_cancel_halt_clear(cdev);
if (ret == -EBUSY) {
ccw_device_set_timeout(cdev, HZ/10);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
wait_event(cdev->private->wait_q,
cdev->private->state != DEV_STATE_QUIESCE);
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
}
ret = cio_disable_subchannel(sch);
}
out_unlock:
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
}
static void io_subchannel_shutdown(struct subchannel *sch)
@@ -1467,7 +1467,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
enum io_sch_action action;
int rc = -EAGAIN;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
if (!device_is_registered(&sch->dev))
goto out_unlock;
if (work_pending(&sch->todo_work))
@@ -1521,7 +1521,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
default:
break;
}
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
/* All other actions require process context. */
if (!process)
goto out;
@@ -1537,9 +1537,9 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
break;
case IO_SCH_UNREG_CDEV:
case IO_SCH_UNREG_ATTACH:
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
sch_set_cdev(sch, NULL);
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
/* Unregister ccw device. */
ccw_device_unregister(cdev);
break;
@@ -1568,9 +1568,9 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
put_device(&cdev->dev);
goto out;
}
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
ccw_device_trigger_reprobe(cdev);
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
/* Release reference from get_ccwdev_by_dev_id() */
put_device(&cdev->dev);
break;
@@ -1580,7 +1580,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
return 0;
out_unlock:
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
out:
return rc;
}
@@ -1876,9 +1876,9 @@ static void ccw_device_todo(struct work_struct *work)
css_schedule_eval(sch->schid);
fallthrough;
case CDEV_TODO_UNREG:
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
sch_set_cdev(sch, NULL);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
ccw_device_unregister(cdev);
break;
default:
diff --git a/drivers/s390/cio/device_pgid.c b/drivers/s390/cio/device_pgid.c
index 3862961697eb6..ad90045873e25 100644
--- a/drivers/s390/cio/device_pgid.c
+++ b/drivers/s390/cio/device_pgid.c
@@ -698,29 +698,29 @@ int ccw_device_stlck(struct ccw_device *cdev)
return -ENOMEM;
init_completion(&data.done);
data.rc = -EIO;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
rc = cio_enable_subchannel(sch, (u32)virt_to_phys(sch));
if (rc)
goto out_unlock;
/* Perform operation. */
cdev->private->state = DEV_STATE_STEAL_LOCK;
ccw_device_stlck_start(cdev, &data, &buffer[0], &buffer[32]);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
/* Wait for operation to finish. */
if (wait_for_completion_interruptible(&data.done)) {
/* Got a signal. */
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
ccw_request_cancel(cdev);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
wait_for_completion(&data.done);
}
rc = data.rc;
/* Check results. */
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
cio_disable_subchannel(sch);
cdev->private->state = DEV_STATE_BOXED;
out_unlock:
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
kfree(buffer);
return rc;
diff --git a/drivers/s390/cio/eadm_sch.c b/drivers/s390/cio/eadm_sch.c
index 826364d2facd8..1caedf931a5f0 100644
--- a/drivers/s390/cio/eadm_sch.c
+++ b/drivers/s390/cio/eadm_sch.c
@@ -101,12 +101,12 @@ static void eadm_subchannel_timeout(struct timer_list *t)
struct eadm_private *private = from_timer(private, t, timer);
struct subchannel *sch = private->sch;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
EADM_LOG(1, "timeout");
EADM_LOG_HEX(1, &sch->schid, sizeof(sch->schid));
if (eadm_subchannel_clear(sch))
EADM_LOG(0, "clear failed");
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
}
static void eadm_subchannel_set_timeout(struct subchannel *sch, int expires)
@@ -163,16 +163,16 @@ static struct subchannel *eadm_get_idle_sch(void)
spin_lock_irqsave(&list_lock, flags);
list_for_each_entry(private, &eadm_list, head) {
sch = private->sch;
- spin_lock(sch->lock);
+ spin_lock(&sch->lock);
if (private->state == EADM_IDLE) {
private->state = EADM_BUSY;
list_move_tail(&private->head, &eadm_list);
- spin_unlock(sch->lock);
+ spin_unlock(&sch->lock);
spin_unlock_irqrestore(&list_lock, flags);
return sch;
}
- spin_unlock(sch->lock);
+ spin_unlock(&sch->lock);
}
spin_unlock_irqrestore(&list_lock, flags);
@@ -190,7 +190,7 @@ int eadm_start_aob(struct aob *aob)
if (!sch)
return -EBUSY;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
eadm_subchannel_set_timeout(sch, EADM_TIMEOUT);
ret = eadm_subchannel_start(sch, aob);
if (!ret)
@@ -203,7 +203,7 @@ int eadm_start_aob(struct aob *aob)
css_sched_sch_todo(sch, SCH_TODO_EVAL);
out_unlock:
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
return ret;
}
@@ -221,7 +221,7 @@ static int eadm_subchannel_probe(struct subchannel *sch)
INIT_LIST_HEAD(&private->head);
timer_setup(&private->timer, eadm_subchannel_timeout, 0);
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
set_eadm_private(sch, private);
private->state = EADM_IDLE;
private->sch = sch;
@@ -229,11 +229,11 @@ static int eadm_subchannel_probe(struct subchannel *sch)
ret = cio_enable_subchannel(sch, (u32)virt_to_phys(sch));
if (ret) {
set_eadm_private(sch, NULL);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
kfree(private);
goto out;
}
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
spin_lock_irq(&list_lock);
list_add(&private->head, &eadm_list);
@@ -248,7 +248,7 @@ static void eadm_quiesce(struct subchannel *sch)
DECLARE_COMPLETION_ONSTACK(completion);
int ret;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
if (private->state != EADM_BUSY)
goto disable;
@@ -256,11 +256,11 @@ static void eadm_quiesce(struct subchannel *sch)
goto disable;
private->completion = &completion;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
wait_for_completion_io(&completion);
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
private->completion = NULL;
disable:
@@ -269,7 +269,7 @@ static void eadm_quiesce(struct subchannel *sch)
ret = cio_disable_subchannel(sch);
} while (ret == -EBUSY);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
}
static void eadm_subchannel_remove(struct subchannel *sch)
@@ -282,9 +282,9 @@ static void eadm_subchannel_remove(struct subchannel *sch)
eadm_quiesce(sch);
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
set_eadm_private(sch, NULL);
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
kfree(private);
}
@@ -309,7 +309,7 @@ static int eadm_subchannel_sch_event(struct subchannel *sch, int process)
struct eadm_private *private;
unsigned long flags;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
if (!device_is_registered(&sch->dev))
goto out_unlock;
@@ -325,7 +325,7 @@ static int eadm_subchannel_sch_event(struct subchannel *sch, int process)
private->state = EADM_IDLE;
out_unlock:
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
return 0;
}
diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index 43601816ea4e4..a3e25bdd6a76b 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -65,14 +65,14 @@ int vfio_ccw_sch_quiesce(struct subchannel *sch)
* cancel/halt/clear completion.
*/
private->completion = &completion;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
if (ret == -EBUSY)
wait_for_completion_timeout(&completion, 3*HZ);
private->completion = NULL;
flush_workqueue(vfio_ccw_work_q);
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
ret = cio_disable_subchannel(sch);
} while (ret == -EBUSY);
@@ -249,7 +249,7 @@ static int vfio_ccw_sch_event(struct subchannel *sch, int process)
unsigned long flags;
int rc = -EAGAIN;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
if (!device_is_registered(&sch->dev))
goto out_unlock;
@@ -264,7 +264,7 @@ static int vfio_ccw_sch_event(struct subchannel *sch, int process)
}
out_unlock:
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
return rc;
}
diff --git a/drivers/s390/cio/vfio_ccw_fsm.c b/drivers/s390/cio/vfio_ccw_fsm.c
index 757b73141246d..09877b46181d4 100644
--- a/drivers/s390/cio/vfio_ccw_fsm.c
+++ b/drivers/s390/cio/vfio_ccw_fsm.c
@@ -25,7 +25,7 @@ static int fsm_io_helper(struct vfio_ccw_private *private)
unsigned long flags;
int ret;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
orb = cp_get_orb(&private->cp, sch);
if (!orb) {
@@ -72,7 +72,7 @@ static int fsm_io_helper(struct vfio_ccw_private *private)
ret = ccode;
}
out:
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
return ret;
}
@@ -83,7 +83,7 @@ static int fsm_do_halt(struct vfio_ccw_private *private)
int ccode;
int ret;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
VFIO_CCW_TRACE_EVENT(2, "haltIO");
VFIO_CCW_TRACE_EVENT(2, dev_name(&sch->dev));
@@ -111,7 +111,7 @@ static int fsm_do_halt(struct vfio_ccw_private *private)
default:
ret = ccode;
}
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
return ret;
}
@@ -122,7 +122,7 @@ static int fsm_do_clear(struct vfio_ccw_private *private)
int ccode;
int ret;
- spin_lock_irqsave(sch->lock, flags);
+ spin_lock_irqsave(&sch->lock, flags);
VFIO_CCW_TRACE_EVENT(2, "clearIO");
VFIO_CCW_TRACE_EVENT(2, dev_name(&sch->dev));
@@ -147,7 +147,7 @@ static int fsm_do_clear(struct vfio_ccw_private *private)
default:
ret = ccode;
}
- spin_unlock_irqrestore(sch->lock, flags);
+ spin_unlock_irqrestore(&sch->lock, flags);
return ret;
}
@@ -376,18 +376,18 @@ static void fsm_open(struct vfio_ccw_private *private,
struct subchannel *sch = to_subchannel(private->vdev.dev->parent);
int ret;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
sch->isc = VFIO_CCW_ISC;
ret = cio_enable_subchannel(sch, (u32)(unsigned long)sch);
if (ret)
goto err_unlock;
private->state = VFIO_CCW_STATE_IDLE;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
return;
err_unlock:
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_NOT_OPER);
}
@@ -397,7 +397,7 @@ static void fsm_close(struct vfio_ccw_private *private,
struct subchannel *sch = to_subchannel(private->vdev.dev->parent);
int ret;
- spin_lock_irq(sch->lock);
+ spin_lock_irq(&sch->lock);
if (!sch->schib.pmcw.ena)
goto err_unlock;
@@ -409,12 +409,12 @@ static void fsm_close(struct vfio_ccw_private *private,
goto err_unlock;
private->state = VFIO_CCW_STATE_STANDBY;
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
cp_free(&private->cp);
return;
err_unlock:
- spin_unlock_irq(sch->lock);
+ spin_unlock_irq(&sch->lock);
vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_NOT_OPER);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 015/508] s390/cio: convert sprintf()/snprintf() to sysfs_emit()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 014/508] s390/cio: make sch->lock spinlock pointer a member Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 016/508] s390/cio: use generic driver_override infrastructure Greg Kroah-Hartman
` (494 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vineeth Vijayan, Peter Oberparleiter,
Li Zhijian, Heiko Carstens, Alexander Gordeev, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Zhijian <lizhijian@fujitsu.com>
[ Upstream commit aaebea959efb2cccd870990f1b6016ff324b0fb6 ]
Per filesystems/sysfs.rst, show() should only use sysfs_emit()
or sysfs_emit_at() when formatting the value to be returned to user space.
coccinelle complains that there are still a couple of functions that use
snprintf(). Convert them to sysfs_emit().
Generally, this patch is generated by
make coccicheck M=<path/to/file> MODE=patch \
COCCI=scripts/coccinelle/api/device_attr_show.cocci
No functional change intended.
Cc: Vineeth Vijayan <vneethv@linux.ibm.com>
Cc: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
Link: https://lore.kernel.org/r/20240314095209.1325229-1-lizhijian@fujitsu.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Stable-dep-of: ac4d8bb6e2e1 ("s390/cio: use generic driver_override infrastructure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/css.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
index 4e63e6d45e6e1..36c46c7f2fb80 100644
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -309,7 +309,7 @@ static ssize_t type_show(struct device *dev, struct device_attribute *attr,
{
struct subchannel *sch = to_subchannel(dev);
- return sprintf(buf, "%01x\n", sch->st);
+ return sysfs_emit(buf, "%01x\n", sch->st);
}
static DEVICE_ATTR_RO(type);
@@ -319,7 +319,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
{
struct subchannel *sch = to_subchannel(dev);
- return sprintf(buf, "css:t%01X\n", sch->st);
+ return sysfs_emit(buf, "css:t%01X\n", sch->st);
}
static DEVICE_ATTR_RO(modalias);
@@ -345,7 +345,7 @@ static ssize_t driver_override_show(struct device *dev,
ssize_t len;
device_lock(dev);
- len = snprintf(buf, PAGE_SIZE, "%s\n", sch->driver_override);
+ len = sysfs_emit(buf, "%s\n", sch->driver_override);
device_unlock(dev);
return len;
}
@@ -396,8 +396,8 @@ static ssize_t pimpampom_show(struct device *dev,
struct subchannel *sch = to_subchannel(dev);
struct pmcw *pmcw = &sch->schib.pmcw;
- return sprintf(buf, "%02x %02x %02x\n",
- pmcw->pim, pmcw->pam, pmcw->pom);
+ return sysfs_emit(buf, "%02x %02x %02x\n",
+ pmcw->pim, pmcw->pam, pmcw->pom);
}
static DEVICE_ATTR_RO(pimpampom);
@@ -881,7 +881,7 @@ static ssize_t real_cssid_show(struct device *dev, struct device_attribute *a,
if (!css->id_valid)
return -EINVAL;
- return sprintf(buf, "%x\n", css->cssid);
+ return sysfs_emit(buf, "%x\n", css->cssid);
}
static DEVICE_ATTR_RO(real_cssid);
@@ -904,7 +904,7 @@ static ssize_t cm_enable_show(struct device *dev, struct device_attribute *a,
int ret;
mutex_lock(&css->mutex);
- ret = sprintf(buf, "%x\n", css->cm_enabled);
+ ret = sysfs_emit(buf, "%x\n", css->cm_enabled);
mutex_unlock(&css->mutex);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 016/508] s390/cio: use generic driver_override infrastructure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 015/508] s390/cio: convert sprintf()/snprintf() to sysfs_emit() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 017/508] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
` (493 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Vineeth Vijayan,
Danilo Krummrich, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit ac4d8bb6e2e13e8684a76ea48d13ebaaaf5c24c4 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: ebc3d1791503 ("s390/cio: introduce driver_override on the css bus")
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Link: https://patch.msgid.link/20260324005919.2408620-10-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/cio.h | 5 -----
drivers/s390/cio/css.c | 34 ++++------------------------------
2 files changed, 4 insertions(+), 35 deletions(-)
diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
index a9057a5b670a6..23374604c6b01 100644
--- a/drivers/s390/cio/cio.h
+++ b/drivers/s390/cio/cio.h
@@ -103,11 +103,6 @@ struct subchannel {
struct work_struct todo_work;
struct schib_config config;
u64 dma_mask;
- /*
- * Driver name to force a match. Do not set directly, because core
- * frees it. Use driver_set_override() to set or clear it.
- */
- const char *driver_override;
} __attribute__ ((aligned(8)));
DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb);
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
index 36c46c7f2fb80..97a2c23f4ce0f 100644
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -160,7 +160,6 @@ static void css_subchannel_release(struct device *dev)
sch->config.intparm = 0;
cio_commit_config(sch);
- kfree(sch->driver_override);
kfree(sch);
}
@@ -324,37 +323,9 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
static DEVICE_ATTR_RO(modalias);
-static ssize_t driver_override_store(struct device *dev,
- struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct subchannel *sch = to_subchannel(dev);
- int ret;
-
- ret = driver_set_override(dev, &sch->driver_override, buf, count);
- if (ret)
- return ret;
-
- return count;
-}
-
-static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
-{
- struct subchannel *sch = to_subchannel(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", sch->driver_override);
- device_unlock(dev);
- return len;
-}
-static DEVICE_ATTR_RW(driver_override);
-
static struct attribute *subch_attrs[] = {
&dev_attr_type.attr,
&dev_attr_modalias.attr,
- &dev_attr_driver_override.attr,
NULL,
};
@@ -1352,9 +1323,11 @@ static int css_bus_match(struct device *dev, struct device_driver *drv)
struct subchannel *sch = to_subchannel(dev);
struct css_driver *driver = to_cssdriver(drv);
struct css_device_id *id;
+ int ret;
/* When driver_override is set, only bind to the matching driver */
- if (sch->driver_override && strcmp(sch->driver_override, drv->name))
+ ret = device_match_driver_override(dev, drv);
+ if (ret == 0)
return 0;
for (id = driver->subchannel_type; id->match_flags; id++) {
@@ -1411,6 +1384,7 @@ static int css_uevent(const struct device *dev, struct kobj_uevent_env *env)
static struct bus_type css_bus_type = {
.name = "css",
+ .driver_override = true,
.match = css_bus_match,
.probe = css_probe,
.remove = css_remove,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 017/508] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 016/508] s390/cio: use generic driver_override infrastructure Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 018/508] hrtimers: Update the return type of enqueue_hrtimer() Greg Kroah-Hartman
` (492 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 86be659415b0ddefebc3120e309091aa215a9064 ]
This driver is currently only build on 32 bit MIPS systems. When building
it on x86_64, the following warning occurs:
drivers/irqchip/irq-pic32-evic.c: In function ‘pic32_ext_irq_of_init’:
./include/linux/kern_levels.h:5:25: error: format ‘%d’ expects argument of type
‘int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
Update the printf() formatter in preparation for allowing this driver to
be compiled on all architectures.
Fixes: aaa8666ada780 ("IRQCHIP: irq-pic32-evic: Add support for PIC32 interrupt controller")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260222-irqchip-pic32-v1-1-37f50d1f14af@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-pic32-evic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-pic32-evic.c b/drivers/irqchip/irq-pic32-evic.c
index 5d6b8e025bb87..3cc6b439f5f90 100644
--- a/drivers/irqchip/irq-pic32-evic.c
+++ b/drivers/irqchip/irq-pic32-evic.c
@@ -196,7 +196,7 @@ static void __init pic32_ext_irq_of_init(struct irq_domain *domain)
of_property_for_each_u32(node, pname, hwirq) {
if (i >= ARRAY_SIZE(priv->ext_irqs)) {
- pr_warn("More than %d external irq, skip rest\n",
+ pr_warn("More than %zu external irq, skip rest\n",
ARRAY_SIZE(priv->ext_irqs));
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 018/508] hrtimers: Update the return type of enqueue_hrtimer()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 017/508] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 019/508] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
` (491 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Clark, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Clark <richard.xnu.clark@gmail.com>
[ Upstream commit da7100d3bf7d6f5c49ef493ea963766898e9b069 ]
The return type should be 'bool' instead of 'int' according to the calling
context in the kernel, and its internal implementation, i.e. :
return timerqueue_add();
which is a bool-return function.
[ tglx: Adjust function arguments ]
Signed-off-by: Richard Clark <richard.xnu.clark@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/Z2ppT7me13dtxm1a@MBC02GN1V4Q05P
Stable-dep-of: f2e388a019e4 ("hrtimer: Reduce trace noise in hrtimer_start()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 03f488f93cddf..9f41327d3a6d6 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1099,11 +1099,10 @@ EXPORT_SYMBOL_GPL(hrtimer_forward);
* The timer is inserted in expiry order. Insertion into the
* red black tree is O(log(n)). Must hold the base lock.
*
- * Returns 1 when the new timer is the leftmost timer in the tree.
+ * Returns true when the new timer is the leftmost timer in the tree.
*/
-static int enqueue_hrtimer(struct hrtimer *timer,
- struct hrtimer_clock_base *base,
- enum hrtimer_mode mode)
+static bool enqueue_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
+ enum hrtimer_mode mode)
{
debug_activate(timer, mode);
WARN_ON_ONCE(!base->cpu_base->online);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 019/508] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 018/508] hrtimers: Update the return type of enqueue_hrtimer() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 020/508] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
` (490 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Thomas Gleixner, Juri Lelli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit d19ff16c11db38f3ee179d72751fb9b340174330 ]
Much like hrtimer_reprogram(), skip programming if the cpu_base is running
the hrtimer interrupt.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260224163429.069535561@kernel.org
Stable-dep-of: f2e388a019e4 ("hrtimer: Reduce trace noise in hrtimer_start()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 9f41327d3a6d6..3bc3111ca5317 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1287,6 +1287,14 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
}
first = enqueue_hrtimer(timer, new_base, mode);
+
+ /*
+ * If the hrtimer interrupt is running, then it will reevaluate the
+ * clock bases and reprogram the clock event device.
+ */
+ if (new_base->cpu_base->in_hrtirq)
+ return false;
+
if (!force_local) {
/*
* If the current CPU base is online, then the timer is
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 020/508] hrtimer: Reduce trace noise in hrtimer_start()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 019/508] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 021/508] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
` (489 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit f2e388a019e4cf83a15883a3d1f1384298e9a6aa ]
hrtimer_start() when invoked with an already armed timer traces like:
<comm>-.. [032] d.h2. 5.002263: hrtimer_cancel: hrtimer= ....
<comm>-.. [032] d.h1. 5.002263: hrtimer_start: hrtimer= ....
Which is incorrect as the timer doesn't get canceled. Just the expiry time
changes. The internal dequeue operation which is required for that is not
really interesting for trace analysis. But it makes it tedious to keep real
cancellations and the above case apart.
Remove the cancel tracing in hrtimer_start() and add a 'was_armed'
indicator to the hrtimer start tracepoint, which clearly indicates what the
state of the hrtimer is when hrtimer_start() is invoked:
<comm>-.. [032] d.h1. 6.200103: hrtimer_start: hrtimer= .... was_armed=0
<comm>-.. [032] d.h1. 6.200558: hrtimer_start: hrtimer= .... was_armed=1
Fixes: c6a2a1770245 ("hrtimer: Add tracepoint for hrtimers")
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260224163430.208491877@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/timer.h | 11 +++++----
kernel/time/hrtimer.c | 43 +++++++++++++++++-------------------
2 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
index b4bc2828fa09f..ec8d0de1ad225 100644
--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
@@ -198,12 +198,13 @@ TRACE_EVENT(hrtimer_init,
* hrtimer_start - called when the hrtimer is started
* @hrtimer: pointer to struct hrtimer
* @mode: the hrtimers mode
+ * @was_armed: Was armed when hrtimer_start*() was invoked
*/
TRACE_EVENT(hrtimer_start,
- TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode),
+ TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode, bool was_armed),
- TP_ARGS(hrtimer, mode),
+ TP_ARGS(hrtimer, mode, was_armed),
TP_STRUCT__entry(
__field( void *, hrtimer )
@@ -211,6 +212,7 @@ TRACE_EVENT(hrtimer_start,
__field( s64, expires )
__field( s64, softexpires )
__field( enum hrtimer_mode, mode )
+ __field( bool, was_armed )
),
TP_fast_assign(
@@ -219,13 +221,14 @@ TRACE_EVENT(hrtimer_start,
__entry->expires = hrtimer_get_expires(hrtimer);
__entry->softexpires = hrtimer_get_softexpires(hrtimer);
__entry->mode = mode;
+ __entry->was_armed = was_armed;
),
TP_printk("hrtimer=%p function=%ps expires=%llu softexpires=%llu "
- "mode=%s", __entry->hrtimer, __entry->function,
+ "mode=%s was_armed=%d", __entry->hrtimer, __entry->function,
(unsigned long long) __entry->expires,
(unsigned long long) __entry->softexpires,
- decode_hrtimer_mode(__entry->mode))
+ decode_hrtimer_mode(__entry->mode), __entry->was_armed)
);
/**
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 3bc3111ca5317..d3071b81c0640 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -499,17 +499,10 @@ debug_init(struct hrtimer *timer, clockid_t clockid,
trace_hrtimer_init(timer, clockid, mode);
}
-static inline void debug_activate(struct hrtimer *timer,
- enum hrtimer_mode mode)
+static inline void debug_activate(struct hrtimer *timer, enum hrtimer_mode mode, bool was_armed)
{
debug_hrtimer_activate(timer, mode);
- trace_hrtimer_start(timer, mode);
-}
-
-static inline void debug_deactivate(struct hrtimer *timer)
-{
- debug_hrtimer_deactivate(timer);
- trace_hrtimer_cancel(timer);
+ trace_hrtimer_start(timer, mode, was_armed);
}
static struct hrtimer_clock_base *
@@ -1102,9 +1095,9 @@ EXPORT_SYMBOL_GPL(hrtimer_forward);
* Returns true when the new timer is the leftmost timer in the tree.
*/
static bool enqueue_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
- enum hrtimer_mode mode)
+ enum hrtimer_mode mode, bool was_armed)
{
- debug_activate(timer, mode);
+ debug_activate(timer, mode, was_armed);
WARN_ON_ONCE(!base->cpu_base->online);
base->cpu_base->active_bases |= 1 << base->index;
@@ -1164,6 +1157,8 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
if (state & HRTIMER_STATE_ENQUEUED) {
bool reprogram;
+ debug_hrtimer_deactivate(timer);
+
/*
* Remove the timer and force reprogramming when high
* resolution mode is active and the timer is on the current
@@ -1172,7 +1167,6 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
* reprogramming happens in the interrupt handler. This is a
* rare case and less expensive than a smp call.
*/
- debug_deactivate(timer);
reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases);
/*
@@ -1239,15 +1233,15 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
{
struct hrtimer_cpu_base *this_cpu_base = this_cpu_ptr(&hrtimer_bases);
struct hrtimer_clock_base *new_base;
- bool force_local, first;
+ bool force_local, first, was_armed;
/*
* If the timer is on the local cpu base and is the first expiring
* timer then this might end up reprogramming the hardware twice
- * (on removal and on enqueue). To avoid that by prevent the
- * reprogram on removal, keep the timer local to the current CPU
- * and enforce reprogramming after it is queued no matter whether
- * it is the new first expiring timer again or not.
+ * (on removal and on enqueue). To avoid that prevent the reprogram
+ * on removal, keep the timer local to the current CPU and enforce
+ * reprogramming after it is queued no matter whether it is the new
+ * first expiring timer again or not.
*/
force_local = base->cpu_base == this_cpu_base;
force_local &= base->cpu_base->next_timer == timer;
@@ -1269,7 +1263,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
* avoids programming the underlying clock event twice (once at
* removal and once after enqueue).
*/
- remove_hrtimer(timer, base, true, force_local);
+ was_armed = remove_hrtimer(timer, base, true, force_local);
if (mode & HRTIMER_MODE_REL)
tim = ktime_add_safe(tim, base->get_time());
@@ -1286,7 +1280,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
new_base = base;
}
- first = enqueue_hrtimer(timer, new_base, mode);
+ first = enqueue_hrtimer(timer, new_base, mode, was_armed);
/*
* If the hrtimer interrupt is running, then it will reevaluate the
@@ -1390,8 +1384,11 @@ int hrtimer_try_to_cancel(struct hrtimer *timer)
base = lock_hrtimer_base(timer, &flags);
- if (!hrtimer_callback_running(timer))
+ if (!hrtimer_callback_running(timer)) {
ret = remove_hrtimer(timer, base, false, false);
+ if (ret)
+ trace_hrtimer_cancel(timer);
+ }
unlock_hrtimer_base(timer, &flags);
@@ -1771,7 +1768,7 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
*/
if (restart != HRTIMER_NORESTART &&
!(timer->state & HRTIMER_STATE_ENQUEUED))
- enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS);
+ enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS, false);
/*
* Separate the ->running assignment from the ->state assignment.
@@ -2253,7 +2250,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
while ((node = timerqueue_getnext(&old_base->active))) {
timer = container_of(node, struct hrtimer, node);
BUG_ON(hrtimer_callback_running(timer));
- debug_deactivate(timer);
+ debug_hrtimer_deactivate(timer);
/*
* Mark it as ENQUEUED not INACTIVE otherwise the
@@ -2270,7 +2267,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
* sort out already expired timers and reprogram the
* event device.
*/
- enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS);
+ enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS, true);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 021/508] locking: Fix rwlock support in <linux/spinlock_up.h>
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 020/508] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 022/508] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
` (488 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 756a0e011cfca0b45a48464aa25b05d9a9c2fb0b ]
Architecture support for rwlocks must be available whether or not
CONFIG_DEBUG_SPINLOCK has been defined. Move the definitions of the
arch_{read,write}_{lock,trylock,unlock}() macros such that these become
visbile if CONFIG_DEBUG_SPINLOCK=n.
This patch prepares for converting do_raw_{read,write}_trylock() into
inline functions. Without this patch that conversion triggers a build
failure for UP architectures, e.g. arm-ep93xx. I used the following
kernel configuration to build the kernel for that architecture:
CONFIG_ARCH_MULTIPLATFORM=y
CONFIG_ARCH_MULTI_V7=n
CONFIG_ATAGS=y
CONFIG_MMU=y
CONFIG_ARCH_MULTI_V4T=y
CONFIG_CPU_LITTLE_ENDIAN=y
CONFIG_ARCH_EP93XX=y
Fixes: fb1c8f93d869 ("[PATCH] spinlock consolidation")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260313171510.230998-2-bvanassche@acm.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/spinlock_up.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/include/linux/spinlock_up.h b/include/linux/spinlock_up.h
index c87204247592f..a132fc562297a 100644
--- a/include/linux/spinlock_up.h
+++ b/include/linux/spinlock_up.h
@@ -48,16 +48,6 @@ static inline void arch_spin_unlock(arch_spinlock_t *lock)
lock->slock = 1;
}
-/*
- * Read-write spinlocks. No debug version.
- */
-#define arch_read_lock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_write_lock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_read_trylock(lock) ({ barrier(); (void)(lock); 1; })
-#define arch_write_trylock(lock) ({ barrier(); (void)(lock); 1; })
-#define arch_read_unlock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_write_unlock(lock) do { barrier(); (void)(lock); } while (0)
-
#else /* DEBUG_SPINLOCK */
#define arch_spin_is_locked(lock) ((void)(lock), 0)
/* for sched/core.c and kernel_lock.c: */
@@ -68,4 +58,14 @@ static inline void arch_spin_unlock(arch_spinlock_t *lock)
#define arch_spin_is_contended(lock) (((void)(lock), 0))
+/*
+ * Read-write spinlocks. No debug version.
+ */
+#define arch_read_lock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_write_lock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_read_trylock(lock) ({ barrier(); (void)(lock); 1; })
+#define arch_write_trylock(lock) ({ barrier(); (void)(lock); 1; })
+#define arch_read_unlock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_write_unlock(lock) do { barrier(); (void)(lock); } while (0)
+
#endif /* __LINUX_SPINLOCK_UP_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 022/508] firmware: dmi: Correct an indexing error in dmi.h
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 021/508] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 023/508] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
` (487 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
Borislav Petkov (AMD), Jean Delvare, Yazen Ghannam, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit c064abc68e009d2cc18416e7132d9c25e03125b6 ]
The entries later in enum dmi_entry_type don't match the SMBIOS
specification¹.
The entry for type 33: `64-Bit Memory Error Information` is not present and
thus the index for all later entries is incorrect.
Add it.
Also, add missing entry types 43-46, while at it.
¹ Search for "System Management BIOS (SMBIOS) Reference Specification"
[ bp: Drop the flaky SMBIOS spec URL. ]
Fixes: 93c890dbe5287 ("firmware: Add DMI entry types to the headers")
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
Link: https://patch.msgid.link/20260307141024.819807-2-superm1@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dmi.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/linux/dmi.h b/include/linux/dmi.h
index 927f8a8b7a1dd..2eedf44e68012 100644
--- a/include/linux/dmi.h
+++ b/include/linux/dmi.h
@@ -60,6 +60,7 @@ enum dmi_entry_type {
DMI_ENTRY_OOB_REMOTE_ACCESS,
DMI_ENTRY_BIS_ENTRY,
DMI_ENTRY_SYSTEM_BOOT,
+ DMI_ENTRY_64_MEM_ERROR,
DMI_ENTRY_MGMT_DEV,
DMI_ENTRY_MGMT_DEV_COMPONENT,
DMI_ENTRY_MGMT_DEV_THRES,
@@ -69,6 +70,10 @@ enum dmi_entry_type {
DMI_ENTRY_ADDITIONAL,
DMI_ENTRY_ONBOARD_DEV_EXT,
DMI_ENTRY_MGMT_CONTROLLER_HOST,
+ DMI_ENTRY_TPM_DEVICE,
+ DMI_ENTRY_PROCESSOR_ADDITIONAL,
+ DMI_ENTRY_FIRMWARE_INVENTORY,
+ DMI_ENTRY_STRING_PROPERTY,
DMI_ENTRY_INACTIVE = 126,
DMI_ENTRY_END_OF_TABLE = 127,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 023/508] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 022/508] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 024/508] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
` (486 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Jeff Chen, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 990a73dec3fdc145fef6c827c29205437d533ece ]
In mwifiex_11n_aggregate_pkt(), skb_aggr is allocated via
mwifiex_alloc_dma_align_buf(). If mwifiex_is_ralist_valid() returns false,
the function currently returns -1 immediately without freeing the
previously allocated skb_aggr, causing a memory leak.
Since skb_aggr has not yet been queued via skb_queue_tail(), no other
references to this memory exist. Therefore, it has to be freed locally
before returning the error.
Fix this by calling mwifiex_write_data_complete() to free skb_aggr before
returning the error status.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
Link: https://patch.msgid.link/20260119092625.1349934-1-zilin@seu.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index 34b4b34276d6d..042b1fe5f0d67 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -203,6 +203,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
spin_unlock_bh(&priv->wmm.ra_list_spinlock);
+ mwifiex_write_data_complete(adapter, skb_aggr, 1, -1);
return -1;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 024/508] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 023/508] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 025/508] bpf: Add CHECKSUM_COMPLETE to bpf test progs Greg Kroah-Hartman
` (485 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 039cd522dc70151da13329a5e3ae19b1736f468a ]
The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().
Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.
The issue was identified through static analysis.
Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260223045522.48377-1-duoming@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 40112b2c37775..b978d31e47ca9 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -1675,6 +1675,7 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
synchronize_irq(rtlpci->pdev->irq);
tasklet_kill(&rtlpriv->works.irq_tasklet);
+ tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet);
cancel_work_sync(&rtlpriv->works.lps_change_work);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 025/508] bpf: Add CHECKSUM_COMPLETE to bpf test progs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 024/508] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 026/508] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
` (484 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Daniel Borkmann,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vadim Fedorenko <vadfed@meta.com>
[ Upstream commit a3cfe84cca28f205761a0450016593b0d728165e ]
Add special flag to validate that TC BPF program properly updates
checksum information in skb.
Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240606145851.229116-1-vadfed@meta.com
Stable-dep-of: 972787479ee7 ("bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/bpf.h | 2 ++
net/bpf/test_run.c | 28 +++++++++++++++++++++++++++-
tools/include/uapi/linux/bpf.h | 2 ++
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 08a0494736e6e..6950169329ef1 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1344,6 +1344,8 @@ enum {
#define BPF_F_TEST_RUN_ON_CPU (1U << 0)
/* If set, XDP frames will be transmitted after processing */
#define BPF_F_TEST_XDP_LIVE_FRAMES (1U << 1)
+/* If set, apply CHECKSUM_COMPLETE to skb and validate the checksum */
+#define BPF_F_TEST_SKB_CHECKSUM_COMPLETE (1U << 2)
/* type for BPF_ENABLE_STATS */
enum bpf_stats_type {
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 3a1c82b797a30..774287ac17955 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -966,7 +966,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
void *data;
int ret;
- if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
+ if ((kattr->test.flags & ~BPF_F_TEST_SKB_CHECKSUM_COMPLETE) ||
+ kattr->test.cpu || kattr->test.batch_size)
return -EINVAL;
if (size < ETH_HLEN)
@@ -1017,6 +1018,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
__skb_put(skb, size);
+
if (ctx && ctx->ifindex > 1) {
dev = dev_get_by_index(net, ctx->ifindex);
if (!dev) {
@@ -1052,9 +1054,19 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
__skb_push(skb, hh_len);
if (is_direct_pkt_access)
bpf_compute_data_pointers(skb);
+
ret = convert___skb_to_skb(skb, ctx);
if (ret)
goto out;
+
+ if (kattr->test.flags & BPF_F_TEST_SKB_CHECKSUM_COMPLETE) {
+ const int off = skb_network_offset(skb);
+ int len = skb->len - off;
+
+ skb->csum = skb_checksum(skb, off, len, 0);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+
ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
if (ret)
goto out;
@@ -1069,6 +1081,20 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
}
memset(__skb_push(skb, hh_len), 0, hh_len);
}
+
+ if (kattr->test.flags & BPF_F_TEST_SKB_CHECKSUM_COMPLETE) {
+ const int off = skb_network_offset(skb);
+ int len = skb->len - off;
+ __wsum csum;
+
+ csum = skb_checksum(skb, off, len, 0);
+
+ if (csum_fold(skb->csum) != csum_fold(csum)) {
+ ret = -EBADMSG;
+ goto out;
+ }
+ }
+
convert_skb_to___skb(skb, ctx);
size = skb->len;
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 2e064a1032a05..8967952de0c2e 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1344,6 +1344,8 @@ enum {
#define BPF_F_TEST_RUN_ON_CPU (1U << 0)
/* If set, XDP frames will be transmitted after processing */
#define BPF_F_TEST_XDP_LIVE_FRAMES (1U << 1)
+/* If set, apply CHECKSUM_COMPLETE to skb and validate the checksum */
+#define BPF_F_TEST_SKB_CHECKSUM_COMPLETE (1U << 2)
/* type for BPF_ENABLE_STATS */
enum bpf_stats_type {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 026/508] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 025/508] bpf: Add CHECKSUM_COMPLETE to bpf test progs Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 027/508] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
` (483 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yinhao Hu, Kaiyan Mei, Yun Lu,
Feng Yang, Martin KaFai Lau, syzbot, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Yang <yangfeng@kylinos.cn>
[ Upstream commit 972787479ee73006fddb5e59ab5c8e733810ff42 ]
The bpf_lwt_xmit_push_encap helper needs to access skb_dst(skb)->dev to
calculate the needed headroom:
err = skb_cow_head(skb,
len + LL_RESERVED_SPACE(skb_dst(skb)->dev));
But skb->_skb_refdst may not be initialized when the skb is set up by
bpf_prog_test_run_skb function. Executing bpf_lwt_push_ip_encap function
in this scenario will trigger null pointer dereference, causing a kernel
crash as Yinhao reported:
[ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 105.186382] #PF: supervisor read access in kernel mode
[ 105.186388] #PF: error_code(0x0000) - not-present page
[ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0
[ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1
[ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 105.186427] RIP: 0010:bpf_lwt_push_ip_encap+0x1eb/0x520
[ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0
[ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246
[ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00
[ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500
[ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000
[ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98
[ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002
[ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000
[ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0
[ 105.186499] PKRU: 55555554
[ 105.186502] Call Trace:
[ 105.186507] <TASK>
[ 105.186513] bpf_lwt_xmit_push_encap+0x2b/0x40
[ 105.186522] bpf_prog_a75eaad51e517912+0x41/0x49
[ 105.186536] ? kvm_clock_get_cycles+0x18/0x30
[ 105.186547] ? ktime_get+0x3c/0xa0
[ 105.186554] bpf_test_run+0x195/0x320
[ 105.186563] ? bpf_test_run+0x10f/0x320
[ 105.186579] bpf_prog_test_run_skb+0x2f5/0x4f0
[ 105.186590] __sys_bpf+0x69c/0xa40
[ 105.186603] __x64_sys_bpf+0x1e/0x30
[ 105.186611] do_syscall_64+0x59/0x110
[ 105.186620] entry_SYSCALL_64_after_hwframe+0x76/0xe0
[ 105.186649] RIP: 0033:0x7f166a97455d
Temporarily add the setting of skb->_skb_refdst before bpf_test_run to resolve the issue.
Fixes: 52f278774e79 ("bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap")
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Closes: https://groups.google.com/g/hust-os-kernel-patches/c/8-a0kPpBW2s
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Tested-by: syzbot@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260304094429.168521-2-yangfeng59949@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 774287ac17955..c9c6f675d8e21 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1067,6 +1067,21 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
skb->ip_summed = CHECKSUM_COMPLETE;
}
+ if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
+ if (!ipv6_bpf_stub) {
+ pr_warn_once("Please test this program with the IPv6 module loaded\n");
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+#if IS_ENABLED(CONFIG_IPV6)
+ /* For CONFIG_IPV6=n, ipv6_bpf_stub is NULL which is
+ * handled by the above if statement.
+ */
+ dst_hold(&net->ipv6.ip6_null_entry->dst);
+ skb_dst_set(skb, &net->ipv6.ip6_null_entry->dst);
+#endif
+ }
+
ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
if (ret)
goto out;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 027/508] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 026/508] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 028/508] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
` (482 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Cai Xinchen,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit 12589892f41c4c645c80ef9f036f7451a6045624 ]
Since the commit 84cba72956fd ("dpaa2-switch: integrate
the MAC endpoint support") included dpaa2-mac.o in the driver,
but it didn't select PCS_LYNX, PHYLINK and FSL_XGMAC_MDIO. it
will lead to link error, such as
undefined reference to `phylink_ethtool_ksettings_set'
undefined reference to `lynx_pcs_create_fwnode'
And the same reason as the commit d2624e70a2f53 ("dpaa2-eth: select
XGMAC_MDIO for MDIO bus support"), enable the FSL_XGMAC_MDIO Kconfig
option in order to have MDIO access to internal and external PHYs.
Because dpaa2-switch uses fsl_mc_driver APIs, add depends on FSL_MC_BUS
&& FSL_MC_DPIO as FSL_DPAA2_SWITCH do.
FSL_XGMAC_MDIO and FSL_MC_BUS depend on OF, thus the dependence of
FSL_MC_BUS can satisfy FSL_XGMAC_MDIO's OF requirement.
Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support")
Suggested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Link: https://patch.msgid.link/20260312065907.476663-2-caixinchen1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/Kconfig | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/freescale/dpaa2/Kconfig b/drivers/net/ethernet/freescale/dpaa2/Kconfig
index d029b69c3f183..36280e5d99e1f 100644
--- a/drivers/net/ethernet/freescale/dpaa2/Kconfig
+++ b/drivers/net/ethernet/freescale/dpaa2/Kconfig
@@ -34,6 +34,10 @@ config FSL_DPAA2_SWITCH
tristate "Freescale DPAA2 Ethernet Switch"
depends on BRIDGE || BRIDGE=n
depends on NET_SWITCHDEV
+ depends on FSL_MC_BUS && FSL_MC_DPIO
+ select PHYLINK
+ select PCS_LYNX
+ select FSL_XGMAC_MDIO
help
Driver for Freescale DPAA2 Ethernet Switch. This driver manages
switch objects discovered on the Freeescale MC bus.
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 028/508] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 027/508] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 029/508] s390/bpf: Zero-extend bpf prog return values and kfunc arguments Greg Kroah-Hartman
` (481 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Cai Xinchen,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit 97daf00745f7f9f261b0e91418de6e79d7826c36 ]
CONFIG_FSL_DPAA2_ETH and CONFIG_FSL_DPAA2_SWITCH are not
associated, but the compilation of FSL_DPAA2_SWITCH depends on
the compilation of the dpaa2 folder. The files controlled by
CONFIG_FSL_DPAA2_SWITCH in the dpaa2 folder are not controlled
by CONFIG_FSL_DPAA2_ETH, except for the files controlled by
CONFIG_FSL_DPAA2_SWITCH. Therefore, removing the restriction will
not affect the compilation of the files in the directory.
Fixes: f48298d3fbfaa ("staging: dpaa2-switch: move the driver out of staging")
Suggested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Link: https://patch.msgid.link/20260312065907.476663-3-caixinchen1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/Makefile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/Makefile b/drivers/net/ethernet/freescale/Makefile
index de7b318422330..d0a259e47960f 100644
--- a/drivers/net/ethernet/freescale/Makefile
+++ b/drivers/net/ethernet/freescale/Makefile
@@ -22,6 +22,5 @@ ucc_geth_driver-objs := ucc_geth.o ucc_geth_ethtool.o
obj-$(CONFIG_FSL_FMAN) += fman/
obj-$(CONFIG_FSL_DPAA_ETH) += dpaa/
-obj-$(CONFIG_FSL_DPAA2_ETH) += dpaa2/
-
+obj-y += dpaa2/
obj-y += enetc/
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 029/508] s390/bpf: Zero-extend bpf prog return values and kfunc arguments
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 028/508] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 030/508] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
` (480 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Bathini, Ilya Leoshkevich,
Ihor Solodrai, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Leoshkevich <iii@linux.ibm.com>
[ Upstream commit 202e42e4aa890172366354b233c42c73107a3f59 ]
s390x ABI requires callers to zero-extend unsigned arguments and
sign-extend signed arguments, and callees to zero-extend unsigned
return values and sign-extend signed return values.
s390 BPF JIT currently implements only sign extension. Fix this
omission and implement zero extension too.
Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
Reported-by: Hari Bathini <hbathini@linux.ibm.com>
Closes: https://lore.kernel.org/bpf/20260312080113.843408-1-hbathini@linux.ibm.com/
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Link: https://lore.kernel.org/r/20260313174807.581826-1-iii@linux.ibm.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/net/bpf_jit_comp.c | 39 ++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 5a64d34a37482..491789420d7c0 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -759,25 +759,34 @@ static int bpf_jit_probe_mem(struct bpf_jit *jit, struct bpf_prog *fp,
}
/*
- * Sign-extend the register if necessary
+ * Sign- or zero-extend the register if necessary
*/
-static int sign_extend(struct bpf_jit *jit, int r, u8 size, u8 flags)
+static int sign_zero_extend(struct bpf_jit *jit, int r, u8 size, u8 flags)
{
- if (!(flags & BTF_FMODEL_SIGNED_ARG))
- return 0;
-
switch (size) {
case 1:
- /* lgbr %r,%r */
- EMIT4(0xb9060000, r, r);
+ if (flags & BTF_FMODEL_SIGNED_ARG)
+ /* lgbr %r,%r */
+ EMIT4(0xb9060000, r, r);
+ else
+ /* llgcr %r,%r */
+ EMIT4(0xb9840000, r, r);
return 0;
case 2:
- /* lghr %r,%r */
- EMIT4(0xb9070000, r, r);
+ if (flags & BTF_FMODEL_SIGNED_ARG)
+ /* lghr %r,%r */
+ EMIT4(0xb9070000, r, r);
+ else
+ /* llghr %r,%r */
+ EMIT4(0xb9850000, r, r);
return 0;
case 4:
- /* lgfr %r,%r */
- EMIT4(0xb9140000, r, r);
+ if (flags & BTF_FMODEL_SIGNED_ARG)
+ /* lgfr %r,%r */
+ EMIT4(0xb9140000, r, r);
+ else
+ /* llgfr %r,%r */
+ EMIT4(0xb9160000, r, r);
return 0;
case 8:
return 0;
@@ -1452,9 +1461,9 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
return -1;
for (j = 0; j < m->nr_args; j++) {
- if (sign_extend(jit, BPF_REG_1 + j,
- m->arg_size[j],
- m->arg_flags[j]))
+ if (sign_zero_extend(jit, BPF_REG_1 + j,
+ m->arg_size[j],
+ m->arg_flags[j]))
return -1;
}
}
@@ -2186,7 +2195,7 @@ static int invoke_bpf_prog(struct bpf_tramp_jit *tjit,
call_r1(jit);
/* stg %r2,retval_off(%r15) */
if (save_ret) {
- if (sign_extend(jit, REG_2, m->ret_size, m->ret_flags))
+ if (sign_zero_extend(jit, REG_2, m->ret_size, m->ret_flags))
return -1;
EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
tjit->retval_off);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 030/508] params: Replace __modinit with __init_or_module
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 029/508] s390/bpf: Zero-extend bpf prog return values and kfunc arguments Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 031/508] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
` (479 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Aaron Tomlin,
Daniel Gomez, Sami Tolvanen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit 3cb0c3bdea5388519bc1bf575dca6421b133302b ]
Remove the custom __modinit macro from kernel/params.c and instead use the
common __init_or_module macro from include/linux/module.h. Both provide the
same functionality.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Stable-dep-of: deffe1edba62 ("module: Fix freeing of charp module parameters when CONFIG_SYSFS=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/params.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/kernel/params.c b/kernel/params.c
index e39ac5420cd6d..2cfa12404ed0b 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -593,12 +593,6 @@ static ssize_t param_attr_store(struct module_attribute *mattr,
}
#endif
-#ifdef CONFIG_MODULES
-#define __modinit
-#else
-#define __modinit __init
-#endif
-
#ifdef CONFIG_SYSFS
void kernel_param_lock(struct module *mod)
{
@@ -623,9 +617,9 @@ EXPORT_SYMBOL(kernel_param_unlock);
* create file in sysfs. Returns an error on out of memory. Always cleans up
* if there's an error.
*/
-static __modinit int add_sysfs_param(struct module_kobject *mk,
- const struct kernel_param *kp,
- const char *name)
+static __init_or_module int add_sysfs_param(struct module_kobject *mk,
+ const struct kernel_param *kp,
+ const char *name)
{
struct module_param_attrs *new_mp;
struct attribute **new_attrs;
@@ -759,7 +753,8 @@ void destroy_params(const struct kernel_param *params, unsigned num)
params[i].ops->free(params[i].arg);
}
-struct module_kobject __modinit * lookup_or_create_module_kobject(const char *name)
+struct module_kobject * __init_or_module
+lookup_or_create_module_kobject(const char *name)
{
struct module_kobject *mk;
struct kobject *kobj;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 031/508] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 030/508] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 032/508] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() Greg Kroah-Hartman
` (478 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Sami Tolvanen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit deffe1edba626d474fef38007c03646ca5876a0e ]
When setting a charp module parameter, the param_set_charp() function
allocates memory to store a copy of the input value. Later, when the module
is potentially unloaded, the destroy_params() function is called to free
this allocated memory.
However, destroy_params() is available only when CONFIG_SYSFS=y, otherwise
only a dummy variant is present. In the unlikely case that the kernel is
configured with CONFIG_MODULES=y and CONFIG_SYSFS=n, this results in
a memory leak of charp values when a module is unloaded.
Fix this issue by making destroy_params() always available when
CONFIG_MODULES=y. Rename the function to module_destroy_params() to clarify
that it is intended for use by the module loader.
Fixes: e180a6b7759a ("param: fix charp parameters set via sysfs")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/moduleparam.h | 11 +++--------
kernel/module/main.c | 4 ++--
kernel/params.c | 27 ++++++++++++++++++---------
3 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
index 061e19c94a6bc..f73ca4d62683b 100644
--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -392,14 +392,9 @@ extern char *parse_args(const char *name,
const char *doing, void *arg));
/* Called by module remove. */
-#ifdef CONFIG_SYSFS
-extern void destroy_params(const struct kernel_param *params, unsigned num);
-#else
-static inline void destroy_params(const struct kernel_param *params,
- unsigned num)
-{
-}
-#endif /* !CONFIG_SYSFS */
+#ifdef CONFIG_MODULES
+void module_destroy_params(const struct kernel_param *params, unsigned int num);
+#endif
/* All the helper functions */
/* The macros to do compile-time type checking stolen from Jakub
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 76d90c20de674..ac528fbb62824 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1261,7 +1261,7 @@ static void free_module(struct module *mod)
module_unload_free(mod);
/* Free any allocated parameters. */
- destroy_params(mod->kp, mod->num_kp);
+ module_destroy_params(mod->kp, mod->num_kp);
if (is_livepatch_module(mod))
free_module_elf(mod);
@@ -2998,7 +2998,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod_sysfs_teardown(mod);
coming_cleanup:
mod->state = MODULE_STATE_GOING;
- destroy_params(mod->kp, mod->num_kp);
+ module_destroy_params(mod->kp, mod->num_kp);
blocking_notifier_call_chain(&module_notify_list,
MODULE_STATE_GOING, mod);
klp_module_going(mod);
diff --git a/kernel/params.c b/kernel/params.c
index 2cfa12404ed0b..9d09ea99363fc 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -744,15 +744,6 @@ void module_param_sysfs_remove(struct module *mod)
}
#endif
-void destroy_params(const struct kernel_param *params, unsigned num)
-{
- unsigned int i;
-
- for (i = 0; i < num; i++)
- if (params[i].ops->free)
- params[i].ops->free(params[i].arg);
-}
-
struct module_kobject * __init_or_module
lookup_or_create_module_kobject(const char *name)
{
@@ -987,3 +978,21 @@ static int __init param_sysfs_builtin_init(void)
late_initcall(param_sysfs_builtin_init);
#endif /* CONFIG_SYSFS */
+
+#ifdef CONFIG_MODULES
+
+/*
+ * module_destroy_params - free all parameters for one module
+ * @params: module parameters (array)
+ * @num: number of module parameters
+ */
+void module_destroy_params(const struct kernel_param *params, unsigned int num)
+{
+ unsigned int i;
+
+ for (i = 0; i < num; i++)
+ if (params[i].ops->free)
+ params[i].ops->free(params[i].arg);
+}
+
+#endif /* CONFIG_MODULES */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 032/508] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 031/508] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 033/508] wifi: mt76: mt7615: fix use_cts_prot support Greg Kroah-Hartman
` (477 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Wang, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Wang <sean.wang@mediatek.com>
[ Upstream commit 53ffffeb9624ffab6d9a3b1da8635a23f1172b5e ]
Reset ampdu_state if ieee80211_start_tx_ba_session() fails in
mt76_connac2_tx_check_aggr(), otherwise the driver may incorrectly
assume aggregation is active and skip future BA setup attempts.
Fixes: 163f4d22c118 ("mt76: mt7921: add MAC support")
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20251216005930.9412-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
index 6a637d4f42360..a24b2fd3c7b82 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -1121,8 +1121,10 @@ void mt76_connac2_tx_check_aggr(struct ieee80211_sta *sta, __le32 *txwi)
return;
wcid = (struct mt76_wcid *)sta->drv_priv;
- if (!test_and_set_bit(tid, &wcid->ampdu_state))
- ieee80211_start_tx_ba_session(sta, tid, 0);
+ if (!test_and_set_bit(tid, &wcid->ampdu_state)) {
+ if (ieee80211_start_tx_ba_session(sta, tid, 0))
+ clear_bit(tid, &wcid->ampdu_state);
+ }
}
EXPORT_SYMBOL_GPL(mt76_connac2_tx_check_aggr);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 033/508] wifi: mt76: mt7615: fix use_cts_prot support
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 032/508] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 034/508] wifi: mt76: mt7915: " Greg Kroah-Hartman
` (476 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryder Lee, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryder Lee <ryder.lee@mediatek.com>
[ Upstream commit 1974a67d9b65c29a0a9426e32e8cd8c056de48b7 ]
Driver should not directly write WTBL to prevent overwritten issues.
With this fix, when driver needs to adjust its behavior for compatibility,
especially concerning older 11g/n devices, by enabling or disabling CTS
protection frames, often for hidden SSIDs or to manage legacy clients.
Fixes: e34235ccc5e3 ("wifi: mt76: mt7615: enable use_cts_prot support")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Link: https://patch.msgid.link/edb87088b0111b32fafc6c4179f54a5286dd37d8.1768879119.git.ryder.lee@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7615/mac.c | 15 ------
.../net/wireless/mediatek/mt76/mt7615/main.c | 7 +--
.../net/wireless/mediatek/mt76/mt7615/mcu.c | 47 +++++++++++++++++++
.../wireless/mediatek/mt76/mt7615/mt7615.h | 5 +-
.../net/wireless/mediatek/mt76/mt7615/regs.h | 2 -
5 files changed, 53 insertions(+), 23 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index 7ba789834e8df..1e473f490b4bd 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -1174,21 +1174,6 @@ void mt7615_mac_set_rates(struct mt7615_phy *phy, struct mt7615_sta *sta,
}
EXPORT_SYMBOL_GPL(mt7615_mac_set_rates);
-void mt7615_mac_enable_rtscts(struct mt7615_dev *dev,
- struct ieee80211_vif *vif, bool enable)
-{
- struct mt7615_vif *mvif = (struct mt7615_vif *)vif->drv_priv;
- u32 addr;
-
- addr = mt7615_mac_wtbl_addr(dev, mvif->sta.wcid.idx) + 3 * 4;
-
- if (enable)
- mt76_set(dev, addr, MT_WTBL_W3_RTS);
- else
- mt76_clear(dev, addr, MT_WTBL_W3_RTS);
-}
-EXPORT_SYMBOL_GPL(mt7615_mac_enable_rtscts);
-
static int
mt7615_mac_wtbl_update_key(struct mt7615_dev *dev, struct mt76_wcid *wcid,
struct ieee80211_key_conf *key,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
index dab16b5fc3861..b908ccfa48778 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
@@ -597,9 +597,6 @@ static void mt7615_bss_info_changed(struct ieee80211_hw *hw,
}
}
- if (changed & BSS_CHANGED_ERP_CTS_PROT)
- mt7615_mac_enable_rtscts(dev, vif, info->use_cts_prot);
-
if (changed & BSS_CHANGED_BEACON_ENABLED && info->enable_beacon) {
mt7615_mcu_add_bss_info(phy, vif, NULL, true);
mt7615_mcu_sta_add(phy, vif, NULL, true);
@@ -612,6 +609,10 @@ static void mt7615_bss_info_changed(struct ieee80211_hw *hw,
BSS_CHANGED_BEACON_ENABLED))
mt7615_mcu_add_beacon(dev, hw, vif, info->enable_beacon);
+ if (changed & BSS_CHANGED_HT || changed & BSS_CHANGED_ERP_CTS_PROT)
+ mt7615_mcu_set_protection(phy, vif, info->ht_operation_mode,
+ info->use_cts_prot);
+
if (changed & BSS_CHANGED_PS)
mt76_connac_mcu_set_vif_ps(&dev->mt76, vif);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
index 94adb22f8570f..d5071981014ee 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -2560,3 +2560,50 @@ int mt7615_mcu_set_roc(struct mt7615_phy *phy, struct ieee80211_vif *vif,
return mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(SET_ROC),
&req, sizeof(req), false);
}
+
+int mt7615_mcu_set_protection(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot)
+{
+ struct mt7615_dev *dev = phy->dev;
+ struct {
+ u8 prot_idx;
+ u8 band;
+ u8 rsv[2];
+
+ bool long_nav;
+ bool prot_mm;
+ bool prot_gf;
+ bool prot_bw40;
+ bool prot_rifs;
+ bool prot_bw80;
+ bool prot_bw160;
+ u8 prot_erp_mask;
+ } __packed req = {
+ .prot_idx = 0x2,
+ .band = phy != &dev->phy,
+ };
+
+ switch (ht_mode & IEEE80211_HT_OP_MODE_PROTECTION) {
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER:
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED:
+ req.prot_mm = true;
+ req.prot_gf = true;
+ fallthrough;
+ case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ:
+ req.prot_bw40 = true;
+ break;
+ }
+
+ if (ht_mode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT)
+ req.prot_gf = true;
+
+ if (use_cts_prot) {
+ struct mt7615_vif *mvif = (struct mt7615_vif *)vif->drv_priv;
+ u8 i = mvif->mt76.omac_idx > HW_BSSID_MAX ? HW_BSSID_0 : mvif->mt76.omac_idx;
+
+ req.prot_erp_mask = BIT(i);
+ }
+
+ return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(PROTECT_CTRL), &req,
+ sizeof(req), true);
+}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h b/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h
index fa83b255e180c..39388acfb94ba 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h
@@ -466,8 +466,6 @@ void mt7615_mac_reset_counters(struct mt7615_phy *phy);
void mt7615_mac_cca_stats_reset(struct mt7615_phy *phy);
void mt7615_mac_set_scs(struct mt7615_phy *phy, bool enable);
void mt7615_mac_enable_nf(struct mt7615_dev *dev, bool ext_phy);
-void mt7615_mac_enable_rtscts(struct mt7615_dev *dev,
- struct ieee80211_vif *vif, bool enable);
void mt7615_mac_sta_poll(struct mt7615_dev *dev);
int mt7615_mac_write_txwi(struct mt7615_dev *dev, __le32 *txwi,
struct sk_buff *skb, struct mt76_wcid *wcid,
@@ -522,7 +520,8 @@ int mt7615_mcu_set_sku_en(struct mt7615_phy *phy, bool enable);
int mt7615_mcu_apply_rx_dcoc(struct mt7615_phy *phy);
int mt7615_mcu_apply_tx_dpd(struct mt7615_phy *phy);
int mt7615_dfs_init_radar_detector(struct mt7615_phy *phy);
-
+int mt7615_mcu_set_protection(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot);
int mt7615_mcu_set_roc(struct mt7615_phy *phy, struct ieee80211_vif *vif,
struct ieee80211_channel *chan, int duration);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
index 806b3887c541c..9e6d55c91b269 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
@@ -455,8 +455,6 @@ enum mt7615_reg_base {
#define MT_WTBL_RIUCR3_RATE6 GENMASK(19, 8)
#define MT_WTBL_RIUCR3_RATE7 GENMASK(31, 20)
-#define MT_WTBL_W3_RTS BIT(22)
-
#define MT_WTBL_W5_CHANGE_BW_RATE GENMASK(7, 5)
#define MT_WTBL_W5_SHORT_GI_20 BIT(8)
#define MT_WTBL_W5_SHORT_GI_40 BIT(9)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 034/508] wifi: mt76: mt7915: fix use_cts_prot support
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 033/508] wifi: mt76: mt7615: fix use_cts_prot support Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 035/508] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor Greg Kroah-Hartman
` (475 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryder Lee, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryder Lee <ryder.lee@mediatek.com>
[ Upstream commit 8b2c26562b95c6397e132d21f2bd3d73aaee0c0a ]
With this fix, when driver needs to adjust its behavior for compatibility,
especially concerning older 11g/n devices, by enabling or disabling CTS
protection frames, often for hidden SSIDs or to manage legacy clients.
Fixes: 150b91419d3d ("wifi: mt76: mt7915: enable use_cts_prot support")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Link: https://patch.msgid.link/eb8db4d0bf1c89b7486e89facb788ae3e510dd8b.1768879119.git.ryder.lee@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7915/mac.c | 13 ----
.../net/wireless/mediatek/mt76/mt7915/main.c | 7 ++-
.../net/wireless/mediatek/mt76/mt7915/mcu.c | 62 +++++++++++++++++++
.../net/wireless/mediatek/mt76/mt7915/mcu.h | 11 ++++
.../wireless/mediatek/mt76/mt7915/mt7915.h | 4 ++
5 files changed, 81 insertions(+), 16 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 92d7dc8e3cc55..e2983dbf05a90 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -228,19 +228,6 @@ static void mt7915_mac_sta_poll(struct mt7915_dev *dev)
rcu_read_unlock();
}
-void mt7915_mac_enable_rtscts(struct mt7915_dev *dev,
- struct ieee80211_vif *vif, bool enable)
-{
- struct mt7915_vif *mvif = (struct mt7915_vif *)vif->drv_priv;
- u32 addr;
-
- addr = mt7915_mac_wtbl_lmac_addr(dev, mvif->sta.wcid.idx, 5);
- if (enable)
- mt76_set(dev, addr, BIT(5));
- else
- mt76_clear(dev, addr, BIT(5));
-}
-
static void
mt7915_wed_check_ppe(struct mt7915_dev *dev, struct mt76_queue *q,
struct mt7915_sta *msta, struct sk_buff *skb,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index c312a0fa199ae..bad92fa4c8fc6 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -68,7 +68,7 @@ int mt7915_run(struct ieee80211_hw *hw)
if (ret)
goto out;
- ret = mt76_connac_mcu_set_rts_thresh(&dev->mt76, 0x92b,
+ ret = mt76_connac_mcu_set_rts_thresh(&dev->mt76, MT7915_RTS_LEN_THRES,
phy->mt76->band_idx);
if (ret)
goto out;
@@ -623,8 +623,9 @@ static void mt7915_bss_info_changed(struct ieee80211_hw *hw,
if (set_sta == 1)
mt7915_mcu_add_sta(dev, vif, NULL, true);
- if (changed & BSS_CHANGED_ERP_CTS_PROT)
- mt7915_mac_enable_rtscts(dev, vif, info->use_cts_prot);
+ if (changed & BSS_CHANGED_HT || changed & BSS_CHANGED_ERP_CTS_PROT)
+ mt7915_mcu_set_protection(phy, vif, info->ht_operation_mode,
+ info->use_cts_prot);
if (changed & BSS_CHANGED_ERP_SLOT) {
int slottime = info->use_short_slot ? 9 : 20;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index fae9ec98da3b9..f826089396e48 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -3730,6 +3730,68 @@ int mt7915_mcu_get_rx_rate(struct mt7915_phy *phy, struct ieee80211_vif *vif,
return ret;
}
+int mt7915_mcu_set_protection(struct mt7915_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot)
+{
+ struct mt7915_dev *dev = phy->dev;
+ int len = sizeof(struct sta_req_hdr) + sizeof(struct bss_info_prot);
+ struct mt7915_vif *mvif = (struct mt7915_vif *)vif->drv_priv;
+ struct bss_info_prot *prot;
+ struct sk_buff *skb;
+ struct tlv *tlv;
+ enum {
+ PROT_NONMEMBER = BIT(1),
+ PROT_20MHZ = BIT(2),
+ PROT_NONHT_MIXED = BIT(3),
+ PROT_LEGACY_ERP = BIT(5),
+ PROT_NONGF_STA = BIT(7),
+ };
+ u32 rts_threshold;
+
+ skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
+ NULL, len);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+
+ tlv = mt76_connac_mcu_add_tlv(skb, BSS_INFO_PROTECT_INFO,
+ sizeof(*prot));
+ prot = (struct bss_info_prot *)tlv;
+
+ switch (ht_mode & IEEE80211_HT_OP_MODE_PROTECTION) {
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER:
+ prot->prot_mode = cpu_to_le32(PROT_NONMEMBER);
+ break;
+ case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ:
+ prot->prot_mode = cpu_to_le32(PROT_20MHZ);
+ break;
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED:
+ prot->prot_mode = cpu_to_le32(PROT_NONHT_MIXED);
+ break;
+ }
+
+ if (ht_mode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT)
+ prot->prot_mode |= cpu_to_le32(PROT_NONGF_STA);
+
+ if (use_cts_prot)
+ prot->prot_mode |= cpu_to_le32(PROT_LEGACY_ERP);
+
+ /* reuse current RTS setting */
+ rts_threshold = phy->mt76->hw->wiphy->rts_threshold;
+ if (rts_threshold == (u32)-1)
+ prot->rts_len_thres = cpu_to_le32(MT7915_RTS_LEN_THRES);
+ else
+ prot->rts_len_thres = cpu_to_le32(rts_threshold);
+
+ prot->rts_pkt_thres = 0x2;
+
+ prot->he_rts_thres = cpu_to_le16(vif->bss_conf.frame_time_rts_th);
+ if (!prot->he_rts_thres)
+ prot->he_rts_thres = cpu_to_le16(DEFAULT_HE_DURATION_RTS_THRES);
+
+ return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+ MCU_EXT_CMD(BSS_INFO_UPDATE), true);
+}
+
int mt7915_mcu_update_bss_color(struct mt7915_dev *dev, struct ieee80211_vif *vif,
struct cfg80211_he_bss_color *he_bss_color)
{
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
index 1592b5d6751a0..acc1371a94b10 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
@@ -399,6 +399,17 @@ struct bss_info_inband_discovery {
__le16 prob_rsp_len;
} __packed __aligned(4);
+struct bss_info_prot {
+ __le16 tag;
+ __le16 len;
+ __le32 prot_type;
+ __le32 prot_mode;
+ __le32 rts_len_thres;
+ __le16 he_rts_thres;
+ u8 rts_pkt_thres;
+ u8 rsv[5];
+} __packed;
+
enum {
BSS_INFO_BCN_CSA,
BSS_INFO_BCN_BCC,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h b/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h
index 14d4bbeae9d63..b16c798ec2824 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h
@@ -83,6 +83,8 @@
#define MT7915_CRIT_TEMP 110
#define MT7915_MAX_TEMP 120
+#define MT7915_RTS_LEN_THRES 0x92b
+
struct mt7915_vif;
struct mt7915_sta;
struct mt7915_dfs_pulse;
@@ -453,6 +455,8 @@ int mt7915_mcu_add_inband_discov(struct mt7915_dev *dev, struct ieee80211_vif *v
u32 changed);
int mt7915_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
int enable, u32 changed);
+int mt7915_mcu_set_protection(struct mt7915_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot);
int mt7915_mcu_add_obss_spr(struct mt7915_phy *phy, struct ieee80211_vif *vif,
struct ieee80211_he_obss_pd *he_obss_pd);
int mt7915_mcu_add_rate_ctrl(struct mt7915_dev *dev, struct ieee80211_vif *vif,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 035/508] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 034/508] wifi: mt76: mt7915: " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 036/508] arm64: cpufeature: Make PMUVer and PerfMon unsigned Greg Kroah-Hartman
` (474 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari,
AngeloGioacchino Del Regno, Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit d8db56142e531f060c938fa0b5175ed6c8cabb11 ]
The mt7996 driver currently checks the MT_RXD3_NORMAL_FCS_ERR bit in
rxd1 whereas other Connac3-based drivers(mt7925) correctly check this
bit in rxd3.
Since the MT_RXD3_NORMAL_FCS_ERR bit is defined in the fourth RX
descriptor word (rxd3), update mt7996 to use the proper descriptor
field. This change aligns mt7996 with mt7925 and the rest of the
Connac3 family.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20251013090826.753992-1-alok.a.tiwari@oracle.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 3dd503b363ce0..9270a68e6a38d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -528,7 +528,7 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, struct sk_buff *skb)
!(csum_status & (BIT(0) | BIT(2) | BIT(3))))
skb->ip_summed = CHECKSUM_UNNECESSARY;
- if (rxd1 & MT_RXD3_NORMAL_FCS_ERR)
+ if (rxd3 & MT_RXD3_NORMAL_FCS_ERR)
status->flag |= RX_FLAG_FAILED_FCS_CRC;
if (rxd1 & MT_RXD1_NORMAL_TKIP_MIC_ERR)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 036/508] arm64: cpufeature: Make PMUVer and PerfMon unsigned
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 035/508] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 037/508] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event Greg Kroah-Hartman
` (473 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Marc Zyngier,
Colton Lewis, Will Deacon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Clark <james.clark@linaro.org>
[ Upstream commit d1dcc20bcc40efe1f1c71639376c91dafa489222 ]
On the host, this change doesn't make a difference because the fields
are defined as FTR_EXACT. However, KVM allows userspace to set these
fields for a guest and overrides the type to be FTR_LOWER_SAFE. And
while KVM used to do an unsigned comparison to validate that the new
value is lower than what the hardware provides, since the linked commit
it uses the generic sanitization framework which does a signed
comparison.
Fix it by defining these fields as unsigned. In theory, without this
fix, userspace could set a higher PMU version than the hardware supports
by providing any value with the top bit set.
Fixes: c118cead07a7 ("KVM: arm64: Use generic sanitisation for ID_(AA64)DFR0_EL1")
Signed-off-by: James Clark <james.clark@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Colton Lewis <coltonlewis@google.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/cpufeature.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 4561c4a670afb..5db25bfb854ff 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -453,7 +453,7 @@ static const struct arm64_ftr_bits ftr_id_aa64dfr0[] = {
* We can instantiate multiple PMU instances with different levels
* of support.
*/
- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_AA64DFR0_EL1_PMUVer_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_AA64DFR0_EL1_PMUVer_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_EXACT, ID_AA64DFR0_EL1_DebugVer_SHIFT, 4, 0x6),
ARM64_FTR_END,
};
@@ -597,7 +597,7 @@ static const struct arm64_ftr_bits ftr_id_pfr2[] = {
static const struct arm64_ftr_bits ftr_id_dfr0[] = {
/* [31:28] TraceFilt */
- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_DFR0_EL1_PerfMon_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_DFR0_EL1_PerfMon_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_DFR0_EL1_MProfDbg_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_DFR0_EL1_MMapTrc_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_DFR0_EL1_CopTrc_SHIFT, 4, 0),
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 037/508] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 036/508] arm64: cpufeature: Make PMUVer and PerfMon unsigned Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 038/508] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() Greg Kroah-Hartman
` (472 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, StanleyYP Wang, Shayne Chen,
Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
[ Upstream commit efbd5bf395f4e6b45a87f3835d4c2e28170c77c5 ]
The cid field is defined as a two-byte value in the firmware.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20260203155532.1098290-2-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index 8ab55fc705f07..9f8c312b64d75 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -204,7 +204,7 @@ mt7996_mcu_parse_response(struct mt76_dev *mdev, int cmd,
event = (struct mt7996_mcu_uni_event *)skb->data;
ret = le32_to_cpu(event->status);
/* skip invalid event */
- if (mcu_cmd != event->cid)
+ if (mcu_cmd != le16_to_cpu(event->cid))
ret = -EAGAIN;
} else {
skb_pull(skb, sizeof(struct mt7996_mcu_rxd));
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
index 58504b80eae8b..fee79666fe162 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
@@ -25,8 +25,8 @@ struct mt7996_mcu_rxd {
};
struct mt7996_mcu_uni_event {
- u8 cid;
- u8 __rsv[3];
+ __le16 cid;
+ u8 __rsv[2];
__le32 status; /* 0: success, others: fail */
} __packed;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 038/508] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 037/508] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 039/508] bpf, devmap: Remove unnecessary if check in for loop Greg Kroah-Hartman
` (471 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 1146d0946b5358fad24812bd39d68f31cd40cc34 ]
When the mt7915 pci chip is detaching, the mt7915_crash_data is
released in mt7915_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7915_mac_dump_work().
The race condition can occur as follows:
CPU 0 (removal path) | CPU 1 (workqueue)
mt7915_pci_remove() | mt7915_sys_recovery_set()
mt7915_unregister_device() | mt7915_reset()
mt7915_coredump_unregister() | queue_work()
vfree(dev->coredump.crash_data) | mt7915_mac_dump_work()
| crash_data-> // UAF
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7915_unregister_device() to synchronize with any pending
or executing dump work.
Fixes: 4dbcb9125cc3 ("wifi: mt76: mt7915: enable coredump support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20260130145759.84272-1-duoming@zju.edu.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index e9068718b3d1f..529a3640944b5 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -1254,6 +1254,7 @@ int mt7915_register_device(struct mt7915_dev *dev)
void mt7915_unregister_device(struct mt7915_dev *dev)
{
+ cancel_work_sync(&dev->dump_work);
mt7915_unregister_ext_phy(dev);
mt7915_coredump_unregister(dev);
mt7915_unregister_thermal(&dev->phy);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 039/508] bpf, devmap: Remove unnecessary if check in for loop
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 038/508] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 040/508] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
` (470 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Daniel Borkmann,
Toke Høiland-Jørgensen, Jiri Olsa, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@toblux.com>
[ Upstream commit 2317dc2c22cc353b699c7d1db47b2fe91f54055c ]
The iterator variable dst cannot be NULL and the if check can be removed.
Remove it and fix the following Coccinelle/coccicheck warning reported
by itnull.cocci:
ERROR: iterator variable bound on line 762 cannot be NULL
Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/bpf/20240529101900.103913-2-thorsten.blum@toblux.com
Stable-dep-of: 8ed82f807bb0 ("bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 3bdec239be610..3939221bd6098 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -765,9 +765,6 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
hlist_for_each_entry_safe(dst, next, head, index_hlist) {
- if (!dst)
- continue;
-
if (is_ifindex_excluded(excluded_devices, num_excluded,
dst->dev->ifindex))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 040/508] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 039/508] bpf, devmap: Remove unnecessary if check in for loop Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 041/508] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
` (469 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Martin KaFai Lau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19 ]
The DEVMAP_HASH branch in dev_map_redirect_multi() uses
hlist_for_each_entry_safe() to iterate hash buckets, but this function
runs under RCU protection (called from xdp_do_generic_redirect_map()
in softirq context). Concurrent writers (__dev_map_hash_update_elem,
dev_map_hash_delete_elem) modify the list using RCU primitives
(hlist_add_head_rcu, hlist_del_rcu).
hlist_for_each_entry_safe() performs plain pointer dereferences without
rcu_dereference(), missing the acquire barrier needed to pair with
writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,
POWER), a reader can observe a partially-constructed node. It also
defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race
detection.
Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()
as the lockdep condition, consistent with the rcu_dereference_check()
used in the DEVMAP (non-hash) branch of the same functions. Also fix
the same incorrect lockdep_is_held(&dtab->index_lock) condition in
dev_map_enqueue_multi(), where the lock is not held either.
Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20260320072645.16731-1-devnexen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 3939221bd6098..c169f0624e100 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -642,7 +642,7 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
hlist_for_each_entry_rcu(dst, head, index_hlist,
- lockdep_is_held(&dtab->index_lock)) {
+ rcu_read_lock_bh_held()) {
if (!is_valid_dst(dst, xdpf))
continue;
@@ -724,7 +724,6 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
struct bpf_dtab_netdev *dst, *last_dst = NULL;
int excluded_devices[1+MAX_NEST_DEV];
struct hlist_head *head;
- struct hlist_node *next;
int num_excluded = 0;
unsigned int i;
int err;
@@ -764,7 +763,7 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
} else { /* BPF_MAP_TYPE_DEVMAP_HASH */
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
- hlist_for_each_entry_safe(dst, next, head, index_hlist) {
+ hlist_for_each_entry_rcu(dst, head, index_hlist, rcu_read_lock_bh_held()) {
if (is_ifindex_excluded(excluded_devices, num_excluded,
dst->dev->ifindex))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 041/508] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 040/508] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 042/508] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
` (468 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Velichayshiy, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
[ Upstream commit 047cddf88c611e616d49a00311d4722e46286234 ]
In the rtw89_phy_cfo_set_crystal_cap() function, for chips other than
RTL8852A/RTL8851B, the values read by rtw89_mac_read_xtal_si() are
stored into the local variables sc_xi_val and sc_xo_val. If either
read fails, these variables remain uninitialized, they are later
used to update cfo->crystal_cap and in debug print statements. This
can lead to undefined behavior.
Fix the issue by initializing sc_xi_val and sc_xo_val to zero,
like is implemented in vendor driver.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8379fa611536 ("rtw89: 8852c: add write/read crystal function in CFO tracking")
Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260323140613.1615574-1-a.velichayshiy@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
index 457c1dd31bf9d..3da2f623c01c6 100644
--- a/drivers/net/wireless/realtek/rtw89/phy.c
+++ b/drivers/net/wireless/realtek/rtw89/phy.c
@@ -2434,7 +2434,7 @@ static void rtw89_phy_cfo_set_crystal_cap(struct rtw89_dev *rtwdev,
{
struct rtw89_cfo_tracking_info *cfo = &rtwdev->cfo_tracking;
const struct rtw89_chip_info *chip = rtwdev->chip;
- u8 sc_xi_val, sc_xo_val;
+ u8 sc_xi_val = 0, sc_xo_val = 0;
if (!force && cfo->crystal_cap == crystal_cap)
return;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 042/508] r8152: fix incorrect register write to USB_UPHY_XTAL
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 041/508] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 043/508] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
` (467 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chih Kai Hsu, Hayes Wang,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chih Kai Hsu <hsu.chih.kai@realtek.com>
[ Upstream commit 48afd5124fd6129c46fd12cb06155384b1c4a0c4 ]
The old code used ocp_write_byte() to clear the OOBS_POLLING bit
(BIT(8)) in the USB_UPHY_XTAL register, but this doesn't correctly
clear a bit in the upper byte of the 16-bit register.
Fix this by using ocp_write_word() instead.
Fixes: 195aae321c82 ("r8152: support new chips")
Signed-off-by: Chih Kai Hsu <hsu.chih.kai@realtek.com>
Reviewed-by: Hayes Wang <hayeswang@realtek.com>
Link: https://patch.msgid.link/20260326073925.32976-454-nic_swsd@realtek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/r8152.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 91cf24fb5531f..d39d66e25b01b 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3859,7 +3859,7 @@ static void r8156_ups_en(struct r8152 *tp, bool enable)
case RTL_VER_15:
ocp_data = ocp_read_word(tp, MCU_TYPE_USB, USB_UPHY_XTAL);
ocp_data &= ~OOBS_POLLING;
- ocp_write_byte(tp, MCU_TYPE_USB, USB_UPHY_XTAL, ocp_data);
+ ocp_write_word(tp, MCU_TYPE_USB, USB_UPHY_XTAL, ocp_data);
break;
default:
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 043/508] powerpc/crash: fix backup region offset update to elfcorehdr
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 042/508] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 044/508] selftests/powerpc: Re-order *FLAGS to follow lib.mk Greg Kroah-Hartman
` (466 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Gupta, Sourabh Jain,
Hari Bathini, Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 789335cacdf37da93bb7c70322dff8c7e82881df ]
update_backup_region_phdr() in file_load_64.c iterates over all the
program headers in the kdump kernel’s elfcorehdr and updates the
p_offset of the program header whose physical address starts at 0.
However, the loop logic is incorrect because the program header pointer
is not updated during iteration. Since elfcorehdr typically contains
PT_NOTE entries first, the PT_LOAD program header with physical address
0 is never reached. As a result, its p_offset is not updated to point to
the backup region.
Because of this behavior, the capture kernel exports the first 64 KB of
the crashed kernel’s memory at offset 0, even though that memory
actually lives in the backup region. When a crash happens, purgatory
copies the first 64 KB of the crashed kernel’s memory into the backup
region so the capture kernel can safely use it.
This has not caused problems so far because the first 64 KB is usually
identical in both the crashed and capture kernels. However, this is
just an assumption and is not guaranteed to always hold true.
Fix update_backup_region_phdr() to correctly update the p_offset of the
program header with a starting physical address of 0 by correcting the
logic used to iterate over the program headers.
Fixes: cb350c1f1f86 ("powerpc/kexec_file: Prepare elfcore header for crashing kernel")
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260312083051.1935737-2-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/file_load_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index 7b71737ae24cc..12cbfc9fce451 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -773,7 +773,7 @@ static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
unsigned int i;
phdr = (Elf64_Phdr *)(ehdr + 1);
- for (i = 0; i < ehdr->e_phnum; i++) {
+ for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
if (phdr->p_paddr == BACKUP_SRC_START) {
phdr->p_offset = image->arch.backup_start;
pr_debug("Backup region offset updated to 0x%lx\n",
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 044/508] selftests/powerpc: Re-order *FLAGS to follow lib.mk
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 043/508] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 045/508] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 Greg Kroah-Hartman
` (465 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Madhavan Srinivasan,
Michael Ellerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Madhavan Srinivasan <maddy@linux.ibm.com>
[ Upstream commit 37496845c812db2a470d51088a59ee38156e8058 ]
In some powerpc/ sub-folder Makefiles, CFLAGS are defined before lib.mk
include. Clean it up by re-ordering the flags to follow after the mk
include. This is needed to support sub-folders in powerpc/ buildable on
its own.
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240229093711.581230-1-maddy@linux.ibm.com
Stable-dep-of: 6e65886fceb2 ("selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/powerpc/benchmarks/Makefile | 4 ++--
.../selftests/powerpc/copyloops/Makefile | 20 +++++++++----------
.../selftests/powerpc/nx-gzip/Makefile | 4 ++--
.../selftests/powerpc/pmu/ebb/Makefile | 20 +++++++++----------
.../powerpc/pmu/event_code_tests/Makefile | 4 ++--
.../powerpc/pmu/sampling_tests/Makefile | 4 ++--
.../selftests/powerpc/primitives/Makefile | 4 ++--
.../selftests/powerpc/security/Makefile | 4 ++--
.../testing/selftests/powerpc/signal/Makefile | 3 ++-
.../selftests/powerpc/stringloops/Makefile | 10 +++++-----
.../selftests/powerpc/switch_endian/Makefile | 4 ++--
.../selftests/powerpc/syscalls/Makefile | 4 ++--
tools/testing/selftests/powerpc/vphn/Makefile | 4 ++--
13 files changed, 45 insertions(+), 44 deletions(-)
diff --git a/tools/testing/selftests/powerpc/benchmarks/Makefile b/tools/testing/selftests/powerpc/benchmarks/Makefile
index a32a6ab899144..75f5232c3aeca 100644
--- a/tools/testing/selftests/powerpc/benchmarks/Makefile
+++ b/tools/testing/selftests/powerpc/benchmarks/Makefile
@@ -4,11 +4,11 @@ TEST_GEN_FILES := exec_target
TEST_FILES := settings
-CFLAGS += -O2
-
top_srcdir = ../../../../..
include ../../lib.mk
+CFLAGS += -O2
+
$(TEST_GEN_PROGS): ../harness.c
$(OUTPUT)/context_switch: ../utils.c
diff --git a/tools/testing/selftests/powerpc/copyloops/Makefile b/tools/testing/selftests/powerpc/copyloops/Makefile
index 77594e697f2fa..72684ed589c0a 100644
--- a/tools/testing/selftests/powerpc/copyloops/Makefile
+++ b/tools/testing/selftests/powerpc/copyloops/Makefile
@@ -1,14 +1,4 @@
# SPDX-License-Identifier: GPL-2.0
-# The loops are all 64-bit code
-CFLAGS += -m64
-CFLAGS += -I$(CURDIR)
-CFLAGS += -D SELFTEST
-CFLAGS += -maltivec
-CFLAGS += -mcpu=power4
-
-# Use our CFLAGS for the implicit .S rule & set the asm machine type
-ASFLAGS = $(CFLAGS) -Wa,-mpower4
-
TEST_GEN_PROGS := copyuser_64_t0 copyuser_64_t1 copyuser_64_t2 \
copyuser_p7_t0 copyuser_p7_t1 \
memcpy_64_t0 memcpy_64_t1 memcpy_64_t2 \
@@ -21,6 +11,16 @@ EXTRA_SOURCES := validate.c ../harness.c stubs.S
top_srcdir = ../../../../..
include ../../lib.mk
+# The loops are all 64-bit code
+CFLAGS += -m64
+CFLAGS += -I$(CURDIR)
+CFLAGS += -D SELFTEST
+CFLAGS += -maltivec
+CFLAGS += -mcpu=power4
+
+# Use our CFLAGS for the implicit .S rule & set the asm machine type
+ASFLAGS = $(CFLAGS) -Wa,-mpower4
+
$(OUTPUT)/copyuser_64_t%: copyuser_64.S $(EXTRA_SOURCES)
$(CC) $(CPPFLAGS) $(CFLAGS) \
-D COPY_LOOP=test___copy_tofrom_user_base \
diff --git a/tools/testing/selftests/powerpc/nx-gzip/Makefile b/tools/testing/selftests/powerpc/nx-gzip/Makefile
index 0785c2e99d407..b40991f902b2c 100644
--- a/tools/testing/selftests/powerpc/nx-gzip/Makefile
+++ b/tools/testing/selftests/powerpc/nx-gzip/Makefile
@@ -1,8 +1,8 @@
-CFLAGS = -O3 -m64 -I./include -I../include
-
TEST_GEN_FILES := gzfht_test gunz_test
TEST_PROGS := nx-gzip-test.sh
include ../../lib.mk
+CFLAGS = -O3 -m64 -I./include -I../include
+
$(TEST_GEN_FILES): gzip_vas.c ../utils.c
diff --git a/tools/testing/selftests/powerpc/pmu/ebb/Makefile b/tools/testing/selftests/powerpc/pmu/ebb/Makefile
index 0101606902272..b3946ce17e0c1 100644
--- a/tools/testing/selftests/powerpc/pmu/ebb/Makefile
+++ b/tools/testing/selftests/powerpc/pmu/ebb/Makefile
@@ -4,16 +4,6 @@ include ../../../../../build/Build.include
noarg:
$(MAKE) -C ../../
-# The EBB handler is 64-bit code and everything links against it
-CFLAGS += -m64
-
-TMPOUT = $(OUTPUT)/TMPDIR/
-# Toolchains may build PIE by default which breaks the assembly
-no-pie-option := $(call try-run, echo 'int main() { return 0; }' | \
- $(CC) -Werror $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -no-pie -x c - -o "$$TMP", -no-pie)
-
-LDFLAGS += $(no-pie-option)
-
TEST_GEN_PROGS := reg_access_test event_attributes_test cycles_test \
cycles_with_freeze_test pmc56_overflow_test \
ebb_vs_cpu_event_test cpu_event_vs_ebb_test \
@@ -29,6 +19,16 @@ TEST_GEN_PROGS := reg_access_test event_attributes_test cycles_test \
top_srcdir = ../../../../../..
include ../../../lib.mk
+# The EBB handler is 64-bit code and everything links against it
+CFLAGS += -m64
+
+TMPOUT = $(OUTPUT)/TMPDIR/
+# Toolchains may build PIE by default which breaks the assembly
+no-pie-option := $(call try-run, echo 'int main() { return 0; }' | \
+ $(CC) -Werror $(KBUILD_CPPFLAGS) $(CC_OPTION_CFLAGS) -no-pie -x c - -o "$$TMP", -no-pie)
+
+LDFLAGS += $(no-pie-option)
+
$(TEST_GEN_PROGS): ../../harness.c ../../utils.c ../event.c ../lib.c \
ebb.c ebb_handler.S trace.c busy_loop.S
diff --git a/tools/testing/selftests/powerpc/pmu/event_code_tests/Makefile b/tools/testing/selftests/powerpc/pmu/event_code_tests/Makefile
index 4e07d70464574..509d4b235b9e5 100644
--- a/tools/testing/selftests/powerpc/pmu/event_code_tests/Makefile
+++ b/tools/testing/selftests/powerpc/pmu/event_code_tests/Makefile
@@ -1,6 +1,4 @@
# SPDX-License-Identifier: GPL-2.0
-CFLAGS += -m64
-
TEST_GEN_PROGS := group_constraint_pmc56_test group_pmc56_exclude_constraints_test group_constraint_pmc_count_test \
group_constraint_repeat_test group_constraint_radix_scope_qual_test reserved_bits_mmcra_sample_elig_mode_test \
group_constraint_mmcra_sample_test invalid_event_code_test reserved_bits_mmcra_thresh_ctl_test \
@@ -12,4 +10,6 @@ TEST_GEN_PROGS := group_constraint_pmc56_test group_pmc56_exclude_constraints_te
top_srcdir = ../../../../../..
include ../../../lib.mk
+CFLAGS += -m64
+
$(TEST_GEN_PROGS): ../../harness.c ../../utils.c ../event.c ../lib.c ../sampling_tests/misc.h ../sampling_tests/misc.c
diff --git a/tools/testing/selftests/powerpc/pmu/sampling_tests/Makefile b/tools/testing/selftests/powerpc/pmu/sampling_tests/Makefile
index 9e67351fb252b..d45892151e05d 100644
--- a/tools/testing/selftests/powerpc/pmu/sampling_tests/Makefile
+++ b/tools/testing/selftests/powerpc/pmu/sampling_tests/Makefile
@@ -1,6 +1,4 @@
# SPDX-License-Identifier: GPL-2.0
-CFLAGS += -m64
-
TEST_GEN_PROGS := mmcr0_exceptionbits_test mmcr0_cc56run_test mmcr0_pmccext_test \
mmcr0_pmcjce_test mmcr0_fc56_pmc1ce_test mmcr0_fc56_pmc56_test \
mmcr1_comb_test mmcr2_l2l3_test mmcr2_fcs_fch_test \
@@ -12,4 +10,6 @@ TEST_GEN_PROGS := mmcr0_exceptionbits_test mmcr0_cc56run_test mmcr0_pmccext_test
top_srcdir = ../../../../../..
include ../../../lib.mk
+CFLAGS += -m64
+
$(TEST_GEN_PROGS): ../../harness.c ../../utils.c ../event.c ../lib.c misc.c misc.h ../loop.S ../branch_loops.S
diff --git a/tools/testing/selftests/powerpc/primitives/Makefile b/tools/testing/selftests/powerpc/primitives/Makefile
index 9b9491a632136..6dc5c5a42ca95 100644
--- a/tools/testing/selftests/powerpc/primitives/Makefile
+++ b/tools/testing/selftests/powerpc/primitives/Makefile
@@ -1,9 +1,9 @@
# SPDX-License-Identifier: GPL-2.0-only
-CFLAGS += -I$(CURDIR)
-
TEST_GEN_PROGS := load_unaligned_zeropad
top_srcdir = ../../../../..
include ../../lib.mk
+CFLAGS += -I$(CURDIR)
+
$(TEST_GEN_PROGS): ../harness.c
diff --git a/tools/testing/selftests/powerpc/security/Makefile b/tools/testing/selftests/powerpc/security/Makefile
index e0d979ab02040..0a08386be9696 100644
--- a/tools/testing/selftests/powerpc/security/Makefile
+++ b/tools/testing/selftests/powerpc/security/Makefile
@@ -5,10 +5,10 @@ TEST_PROGS := mitigation-patching.sh
top_srcdir = ../../../../..
-CFLAGS += $(KHDR_INCLUDES)
-
include ../../lib.mk
+CFLAGS += $(KHDR_INCLUDES)
+
$(TEST_GEN_PROGS): ../harness.c ../utils.c
$(OUTPUT)/spectre_v2: CFLAGS += -m64
diff --git a/tools/testing/selftests/powerpc/signal/Makefile b/tools/testing/selftests/powerpc/signal/Makefile
index f679d260afc87..b15d5dbccc24b 100644
--- a/tools/testing/selftests/powerpc/signal/Makefile
+++ b/tools/testing/selftests/powerpc/signal/Makefile
@@ -3,7 +3,6 @@ TEST_GEN_PROGS := signal signal_tm sigfuz sigreturn_vdso sig_sc_double_restart
TEST_GEN_PROGS += sigreturn_kernel
TEST_GEN_PROGS += sigreturn_unaligned
-CFLAGS += -maltivec
$(OUTPUT)/signal_tm: CFLAGS += -mhtm
$(OUTPUT)/sigfuz: CFLAGS += -pthread -m64
@@ -12,4 +11,6 @@ TEST_FILES := settings
top_srcdir = ../../../../..
include ../../lib.mk
+CFLAGS += -maltivec
+
$(TEST_GEN_PROGS): ../harness.c ../utils.c signal.S
diff --git a/tools/testing/selftests/powerpc/stringloops/Makefile b/tools/testing/selftests/powerpc/stringloops/Makefile
index 9c39f55a58ff3..87c8c8f238daa 100644
--- a/tools/testing/selftests/powerpc/stringloops/Makefile
+++ b/tools/testing/selftests/powerpc/stringloops/Makefile
@@ -1,7 +1,4 @@
# SPDX-License-Identifier: GPL-2.0
-# The loops are all 64-bit code
-CFLAGS += -I$(CURDIR)
-
EXTRA_SOURCES := ../harness.c
build_32bit = $(shell if ($(CC) $(CFLAGS) -m32 -o /dev/null memcmp.c >/dev/null 2>&1) then echo "1"; fi)
@@ -27,9 +24,12 @@ $(OUTPUT)/strlen_32: CFLAGS += -m32
TEST_GEN_PROGS += strlen_32
endif
-ASFLAGS = $(CFLAGS)
-
top_srcdir = ../../../../..
include ../../lib.mk
+# The loops are all 64-bit code
+CFLAGS += -I$(CURDIR)
+
+ASFLAGS = $(CFLAGS)
+
$(TEST_GEN_PROGS): $(EXTRA_SOURCES)
diff --git a/tools/testing/selftests/powerpc/switch_endian/Makefile b/tools/testing/selftests/powerpc/switch_endian/Makefile
index bdc081afedb0f..8f0c2a1d3333b 100644
--- a/tools/testing/selftests/powerpc/switch_endian/Makefile
+++ b/tools/testing/selftests/powerpc/switch_endian/Makefile
@@ -1,13 +1,13 @@
# SPDX-License-Identifier: GPL-2.0
TEST_GEN_PROGS := switch_endian_test
-ASFLAGS += -O2 -Wall -g -nostdlib -m64
-
EXTRA_CLEAN = $(OUTPUT)/*.o $(OUTPUT)/check-reversed.S
top_srcdir = ../../../../..
include ../../lib.mk
+ASFLAGS += -O2 -Wall -g -nostdlib -m64
+
$(OUTPUT)/switch_endian_test: ASFLAGS += -I $(OUTPUT)
$(OUTPUT)/switch_endian_test: $(OUTPUT)/check-reversed.S
diff --git a/tools/testing/selftests/powerpc/syscalls/Makefile b/tools/testing/selftests/powerpc/syscalls/Makefile
index ee1740ddfb0c2..83dc335007732 100644
--- a/tools/testing/selftests/powerpc/syscalls/Makefile
+++ b/tools/testing/selftests/powerpc/syscalls/Makefile
@@ -1,9 +1,9 @@
# SPDX-License-Identifier: GPL-2.0-only
TEST_GEN_PROGS := ipc_unmuxed rtas_filter
-CFLAGS += $(KHDR_INCLUDES)
-
top_srcdir = ../../../../..
include ../../lib.mk
+CFLAGS += $(KHDR_INCLUDES)
+
$(TEST_GEN_PROGS): ../harness.c ../utils.c
diff --git a/tools/testing/selftests/powerpc/vphn/Makefile b/tools/testing/selftests/powerpc/vphn/Makefile
index cf65cbf33085a..ddc09a20b80fb 100644
--- a/tools/testing/selftests/powerpc/vphn/Makefile
+++ b/tools/testing/selftests/powerpc/vphn/Makefile
@@ -1,10 +1,10 @@
# SPDX-License-Identifier: GPL-2.0-only
TEST_GEN_PROGS := test-vphn
-CFLAGS += -m64 -I$(CURDIR)
-
top_srcdir = ../../../../..
include ../../lib.mk
+CFLAGS += -m64 -I$(CURDIR)
+
$(TEST_GEN_PROGS): ../harness.c
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 045/508] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 044/508] selftests/powerpc: Re-order *FLAGS to follow lib.mk Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 046/508] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
` (464 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vaibhav Jain, Amit Machhiwal,
Venkat Rao Bagalkote, Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Machhiwal <amachhiw@linux.ibm.com>
[ Upstream commit 6e65886fceb23605eff952d6b1975737b4c4b154 ]
GCC 15 reports the below false positive '-Wmaybe-uninitialized' warning
in vphn_unpack_associativity() when building the powerpc selftests.
# make -C tools/testing/selftests TARGETS="powerpc"
[...]
CC test-vphn
In file included from test-vphn.c:3:
In function ‘vphn_unpack_associativity’,
inlined from ‘test_one’ at test-vphn.c:371:2,
inlined from ‘test_vphn’ at test-vphn.c:399:9:
test-vphn.c:10:33: error: ‘be_packed’ may be used uninitialized [-Werror=maybe-uninitialized]
10 | #define be16_to_cpup(x) bswap_16(*x)
| ^~~~~~~~
vphn.c:42:27: note: in expansion of macro ‘be16_to_cpup’
42 | u16 new = be16_to_cpup(field++);
| ^~~~~~~~~~~~
In file included from test-vphn.c:19:
vphn.c: In function ‘test_vphn’:
vphn.c:27:16: note: ‘be_packed’ declared here
27 | __be64 be_packed[VPHN_REGISTER_COUNT];
| ^~~~~~~~~
cc1: all warnings being treated as errors
When vphn_unpack_associativity() is called from hcall_vphn() in kernel
the error is not seen while building vphn.c during kernel compilation.
This is because the top level Makefile includes '-fno-strict-aliasing'
flag always.
The issue here is that GCC 15 emits '-Wmaybe-uninitialized' due to type
punning between __be64[] and __b16* when accessing the buffer via
be16_to_cpup(). The underlying object is fully initialized but GCC 15
fails to track the aliasing due to the strict aliasing violation here.
Please refer [1] and [2]. This results in a false positive warning which
is promoted to an error under '-Werror'. This problem is not seen when
the compilation is performed with GCC 13 and 14. An issue [1] has also
been created on GCC bugzilla.
The selftest compiles fine with '-fno-strict-aliasing'. Since this GCC
flag is used to compile vphn.c in kernel too, the same flag should be
used to build vphn tests when compiling vphn.c in the selftest as well.
Fix this by including '-fno-strict-aliasing' during vphn.c compilation
in the selftest. This keeps the build working while limiting the scope
of the suppression to building vphn tests.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=124427
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99768
Fixes: 58dae82843f5 ("selftests/powerpc: Add test for VPHN")
Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Signed-off-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260313165426.43259-1-amachhiw@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/powerpc/vphn/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/powerpc/vphn/Makefile b/tools/testing/selftests/powerpc/vphn/Makefile
index ddc09a20b80fb..873bc6b3739a6 100644
--- a/tools/testing/selftests/powerpc/vphn/Makefile
+++ b/tools/testing/selftests/powerpc/vphn/Makefile
@@ -4,7 +4,7 @@ TEST_GEN_PROGS := test-vphn
top_srcdir = ../../../../..
include ../../lib.mk
-CFLAGS += -m64 -I$(CURDIR)
+CFLAGS += -m64 -I$(CURDIR) -fno-strict-aliasing
$(TEST_GEN_PROGS): ../harness.c
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 046/508] macvlan: annotate data-races around port->bc_queue_len_used
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 045/508] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 047/508] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
` (463 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ef5789d9906df3771c99b7f413caaf2bf473ca5 ]
port->bc_queue_len_used is read and written locklessly,
add READ_ONCE()/WRITE_ONCE() annotations.
While WRITE_ONCE() in macvlan_fill_info() is not yet needed,
it is a prereq for future RTNL avoidance.
Fixes: d4bff72c8401 ("macvlan: Support for high multicast packet rate")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260401103809.3038139-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macvlan.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 4e28fcbf13c74..1035a95beee6f 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -351,6 +351,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
const struct macvlan_dev *src,
struct sk_buff *skb)
{
+ u32 bc_queue_len_used = READ_ONCE(port->bc_queue_len_used);
struct sk_buff *nskb;
int err = -ENOMEM;
@@ -361,7 +362,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
MACVLAN_SKB_CB(nskb)->src = src;
spin_lock(&port->bc_queue.lock);
- if (skb_queue_len(&port->bc_queue) < port->bc_queue_len_used) {
+ if (skb_queue_len(&port->bc_queue) < bc_queue_len_used) {
if (src)
dev_hold(src->dev);
__skb_queue_tail(&port->bc_queue, nskb);
@@ -1732,7 +1733,8 @@ static int macvlan_fill_info(struct sk_buff *skb,
}
if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN, vlan->bc_queue_len_req))
goto nla_put_failure;
- if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN_USED, port->bc_queue_len_used))
+ if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN_USED,
+ READ_ONCE(port->bc_queue_len_used)))
goto nla_put_failure;
if (port->bc_cutoff != 1 &&
nla_put_s32(skb, IFLA_MACVLAN_BC_CUTOFF, port->bc_cutoff))
@@ -1792,7 +1794,7 @@ static void update_port_bc_queue_len(struct macvlan_port *port)
if (vlan->bc_queue_len_req > max_bc_queue_len_req)
max_bc_queue_len_req = vlan->bc_queue_len_req;
}
- port->bc_queue_len_used = max_bc_queue_len_req;
+ WRITE_ONCE(port->bc_queue_len_used, max_bc_queue_len_req);
}
static int macvlan_device_event(struct notifier_block *unused,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 047/508] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 046/508] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 048/508] bpf: Fix stale offload->prog pointer after constant blinding Greg Kroah-Hartman
` (462 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Sun Jian,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 5828b9e5b272ecff7cf5d345128d3de7324117f7 ]
list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.
Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.
Fixes: de9cbbaadba5 ("bpf: introduce cgroup storage maps")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260403132951.43533-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/local_storage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index a04f505aefe9b..c8b8dcc37ed4a 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -259,7 +259,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
goto enoent;
storage = list_next_entry(storage, list_map);
- if (!storage)
+ if (list_entry_is_head(storage, &map->list, list_map))
goto enoent;
} else {
storage = list_first_entry(&map->list,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 048/508] bpf: Fix stale offload->prog pointer after constant blinding
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 047/508] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 049/508] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
` (461 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, MingTao Huang, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: MingTao Huang <mintaohuang@tencent.com>
[ Upstream commit a1aa9ef47c299c5bbc30594d3c2f0589edf908e6 ]
When a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes
JIT compilation with constant blinding enabled (bpf_jit_harden >= 2),
bpf_jit_blind_constants() clones the program. The original prog is then
freed in bpf_jit_prog_release_other(), which updates aux->prog to point
to the surviving clone, but fails to update offload->prog.
This leaves offload->prog pointing to the freed original program. When
the network namespace is subsequently destroyed, cleanup_net() triggers
bpf_dev_bound_netdev_unregister(), which iterates ondev->progs and calls
__bpf_prog_offload_destroy(offload->prog). Accessing the freed prog
causes a page fault:
BUG: unable to handle page fault for address: ffffc900085f1038
Workqueue: netns cleanup_net
RIP: 0010:__bpf_prog_offload_destroy+0xc/0x80
Call Trace:
__bpf_offload_dev_netdev_unregister+0x257/0x350
bpf_dev_bound_netdev_unregister+0x4a/0x90
unregister_netdevice_many_notify+0x2a2/0x660
...
cleanup_net+0x21a/0x320
The test sequence that triggers this reliably is:
1. Set net.core.bpf_jit_harden=2 (echo 2 > /proc/sys/net/core/bpf_jit_harden)
2. Run xdp_metadata selftest, which creates a dev-bound-only XDP
program on a veth inside a netns (./test_progs -t xdp_metadata)
3. cleanup_net -> page fault in __bpf_prog_offload_destroy
Dev-bound-only programs are unique in that they have an offload structure
but go through the normal JIT path instead of bpf_prog_offload_compile().
This means they are subject to constant blinding's prog clone-and-replace,
while also having offload->prog that must stay in sync.
Fix this by updating offload->prog in bpf_jit_prog_release_other(),
alongside the existing aux->prog update. Both are back-pointers to
the prog that must be kept in sync when the prog is replaced.
Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
Signed-off-by: MingTao Huang <mintaohuang@tencent.com>
Link: https://lore.kernel.org/r/tencent_BCF692F45859CCE6C22B7B0B64827947D406@qq.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 3011add7c4a88..d708cf3e6207f 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1422,6 +1422,8 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
* know whether fp here is the clone or the original.
*/
fp->aux->prog = fp;
+ if (fp->aux->offload)
+ fp->aux->offload->prog = fp;
bpf_prog_clone_free(fp_other);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 049/508] wifi: brcmfmac: Fix error pointer dereference
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 048/508] bpf: Fix stale offload->prog pointer after constant blinding Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 050/508] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
` (460 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Arend van Spriel,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit dd8592fc6007a451c3e4b9025de365e39de8178a ]
The function brcmf_chip_add_core() can return an error pointer and is
not checked. Add checks for error pointer.
Detected by Smatch:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1010 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1013 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1016 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1019 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1022 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
Fixes: cb7cf7be9eba7 ("brcmfmac: make chip related functions host interface independent")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260217023043.73631-1-ethantidmore06@gmail.com
[add missing wifi: prefix]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/broadcom/brcm80211/brcmfmac/chip.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
index 2ef92ef25517e..4dbb1898f3065 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
@@ -1006,18 +1006,33 @@ static int brcmf_chip_recognition(struct brcmf_chip_priv *ci)
core = brcmf_chip_add_core(ci, BCMA_CORE_CHIPCOMMON,
SI_ENUM_BASE_DEFAULT, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_SDIO_DEV,
BCM4329_CORE_BUS_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_INTERNAL_MEM,
BCM4329_CORE_SOCRAM_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_ARM_CM3,
BCM4329_CORE_ARM_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_80211, 0x18001000, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
} else if (socitype == SOCI_AI) {
ci->iscoreup = brcmf_chip_ai_iscoreup;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 050/508] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 049/508] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 051/508] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
` (459 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quan Sun, Yinhao Hu, Kaiyan Mei,
Dongliang Mu, Jiayuan Chen, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit beaf0e96b1da74549a6cabd040f9667d83b2e97e ]
bpf_lsm_task_to_inode() is called under rcu_read_lock() and
bpf_lsm_inet_conn_established() is called from softirq context, so
neither hook can be used by sleepable LSM programs.
Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/3ab69731-24d1-431a-a351-452aafaaf2a5@std.uestc.edu.cn/T/#u
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20260407122334.344072-1-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/bpf_lsm.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index e14c822f8911c..92486a7b916e3 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -340,7 +340,6 @@ BTF_ID(func, bpf_lsm_current_getsecid_subj)
BTF_ID(func, bpf_lsm_task_getsecid_obj)
BTF_ID(func, bpf_lsm_task_prctl)
BTF_ID(func, bpf_lsm_task_setscheduler)
-BTF_ID(func, bpf_lsm_task_to_inode)
BTF_ID(func, bpf_lsm_userns_create)
BTF_SET_END(sleepable_lsm_hooks)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 051/508] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 050/508] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 052/508] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
` (458 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Emil Tsalapatis, Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 1c22483a2c4bbf747787f328392ca3e68619c4dc ]
CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted. The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.
When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array. A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions). The bug is reachable with CAP_BPF:
BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
<TASK>
bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
bpf_core_apply (kernel/bpf/btf.c:9507)
check_core_relo (kernel/bpf/verifier.c:19475)
bpf_check (kernel/bpf/verifier.c:26031)
bpf_prog_load (kernel/bpf/syscall.c:3089)
__sys_bpf (kernel/bpf/syscall.c:6228)
</TASK>
CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.
Fixes: ddc7c3042614 ("libbpf: implement BPF CO-RE offset relocation algorithm")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260404161221.961828-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/relo_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
index 63a4d5ad12d1a..04c8febfc0aa7 100644
--- a/tools/lib/bpf/relo_core.c
+++ b/tools/lib/bpf/relo_core.c
@@ -293,6 +293,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
++spec_str;
if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
return -EINVAL;
+ if (access_idx < 0)
+ return -EINVAL;
if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
return -E2BIG;
spec_str += parsed_len;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 052/508] ACPI: AGDI: fix missing newline in error message
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 051/508] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 053/508] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
` (457 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilkka Koskinen, Haoyu Lu, Hanjun Guo,
Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoyu Lu <hechushiguitu666@gmail.com>
[ Upstream commit b178330b67abb7293b6de28b2a49d49c83962db5 ]
Add the missing trailing newline to the dev_err() message
printed when SDEI event registration fails.
This keeps the error output as a properly terminated log line.
Fixes: a2a591fb76e6 ("ACPI: AGDI: Add driver for Arm Generic Diagnostic Dump and Reset device")
Reviewed-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
Signed-off-by: Haoyu Lu <hechushiguitu666@gmail.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/arm64/agdi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/arm64/agdi.c b/drivers/acpi/arm64/agdi.c
index 8b3c7d42b41bc..419a9f6c0a827 100644
--- a/drivers/acpi/arm64/agdi.c
+++ b/drivers/acpi/arm64/agdi.c
@@ -32,7 +32,7 @@ static int agdi_sdei_probe(struct platform_device *pdev,
err = sdei_event_register(adata->sdei_event, agdi_sdei_handler, pdev);
if (err) {
- dev_err(&pdev->dev, "Failed to register for SDEI event %d",
+ dev_err(&pdev->dev, "Failed to register for SDEI event %d\n",
adata->sdei_event);
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 053/508] arm64: kexec: Remove duplicate allocation for trans_pgd
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 052/508] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 054/508] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
` (456 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Wensheng, Pasha Tatashin,
Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Wensheng <wsw9603@163.com>
[ Upstream commit ee020bf6f14094c9ae434bb37e6957a1fdad513c ]
trans_pgd would be allocated in trans_pgd_create_copy(), so remove the
duplicate allocation before calling trans_pgd_create_copy().
Fixes: 3744b5280e67 ("arm64: kexec: install a copy of the linear-map")
Signed-off-by: Wang Wensheng <wsw9603@163.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/machine_kexec.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/kernel/machine_kexec.c b/arch/arm64/kernel/machine_kexec.c
index 078910db77a41..9307a1421d67e 100644
--- a/arch/arm64/kernel/machine_kexec.c
+++ b/arch/arm64/kernel/machine_kexec.c
@@ -143,9 +143,6 @@ int machine_kexec_post_load(struct kimage *kimage)
}
/* Create a copy of the linear map */
- trans_pgd = kexec_page_alloc(kimage);
- if (!trans_pgd)
- return -ENOMEM;
rc = trans_pgd_create_copy(&info, &trans_pgd, PAGE_OFFSET, PAGE_END);
if (rc)
return rc;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 054/508] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 053/508] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 055/508] net: bcmgenet: Remove custom ndo_poll_controller() Greg Kroah-Hartman
` (455 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Nicolai Buchwitz,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 57f3f53d2c9c5a9e133596e2f7bc1c50688a6d38 ]
The write_ptr points to the next open tx_cb. We want to return the
tx_cb that gets rewinded, so we must rewind the pointer first then
return the tx_cb that it points to. That way the txcb can be correctly
cleaned up.
Fixes: 876dbadd53a7 ("net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit()")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-2-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 79d096a371ae7..cdbe47c7ba280 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1749,15 +1749,15 @@ static struct enet_cb *bcmgenet_put_txcb(struct bcmgenet_priv *priv,
{
struct enet_cb *tx_cb_ptr;
- tx_cb_ptr = ring->cbs;
- tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
-
/* Rewinding local write pointer */
if (ring->write_ptr == ring->cb_ptr)
ring->write_ptr = ring->end_ptr;
else
ring->write_ptr--;
+ tx_cb_ptr = ring->cbs;
+ tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
+
return tx_cb_ptr;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 055/508] net: bcmgenet: Remove custom ndo_poll_controller()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 054/508] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 056/508] net: bcmgenet: add bcmgenet_has_* helpers Greg Kroah-Hartman
` (454 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Eric Dumazet,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <florian.fainelli@broadcom.com>
[ Upstream commit 19537e125cc7cf2da43a606f5bcebbe0c9aea4cc ]
The driver gained a .ndo_poll_controller() at a time where the TX
cleaning process was always done from NAPI which makes this unnecessary.
See commit ac3d9dd034e5 ("netpoll: make ndo_poll_controller() optional")
for more background.
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 20 -------------------
1 file changed, 20 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index cdbe47c7ba280..6ba26feed4588 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3255,23 +3255,6 @@ static irqreturn_t bcmgenet_wol_isr(int irq, void *dev_id)
return IRQ_HANDLED;
}
-#ifdef CONFIG_NET_POLL_CONTROLLER
-static void bcmgenet_poll_controller(struct net_device *dev)
-{
- struct bcmgenet_priv *priv = netdev_priv(dev);
-
- /* Invoke the main RX/TX interrupt handler */
- disable_irq(priv->irq0);
- bcmgenet_isr0(priv->irq0, priv);
- enable_irq(priv->irq0);
-
- /* And the interrupt handler for RX/TX priority queues */
- disable_irq(priv->irq1);
- bcmgenet_isr1(priv->irq1, priv);
- enable_irq(priv->irq1);
-}
-#endif
-
static void bcmgenet_umac_reset(struct bcmgenet_priv *priv)
{
u32 reg;
@@ -3741,9 +3724,6 @@ static const struct net_device_ops bcmgenet_netdev_ops = {
.ndo_set_mac_address = bcmgenet_set_mac_addr,
.ndo_eth_ioctl = phy_do_ioctl_running,
.ndo_set_features = bcmgenet_set_features,
-#ifdef CONFIG_NET_POLL_CONTROLLER
- .ndo_poll_controller = bcmgenet_poll_controller,
-#endif
.ndo_get_stats = bcmgenet_get_stats,
.ndo_change_carrier = bcmgenet_change_carrier,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 056/508] net: bcmgenet: add bcmgenet_has_* helpers
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 055/508] net: bcmgenet: Remove custom ndo_poll_controller() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 057/508] net: bcmgenet: move DESC_INDEX flow to ring 0 Greg Kroah-Hartman
` (453 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 07c1a756a50b1180a085ab61819a388bbb906a95 ]
Introduce helper functions to indicate whether the driver should
make use of a particular feature that it supports. These helpers
abstract the implementation of how the feature availability is
encoded.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250306192643.2383632-3-opendmb@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 20 +++++++-------
.../net/ethernet/broadcom/genet/bcmgenet.h | 27 ++++++++++++++++++-
drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 ++---
3 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 6ba26feed4588..1046b4f8544c9 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -104,7 +104,7 @@ static inline void dmadesc_set_addr(struct bcmgenet_priv *priv,
* the platform is explicitly configured for 64-bits/LPAE.
*/
#ifdef CONFIG_PHYS_ADDR_T_64BIT
- if (priv->hw_params->flags & GENET_HAS_40BITS)
+ if (bcmgenet_has_40bits(priv))
bcmgenet_writel(upper_32_bits(addr), d + DMA_DESC_ADDRESS_HI);
#endif
}
@@ -1653,9 +1653,9 @@ static int bcmgenet_power_down(struct bcmgenet_priv *priv,
case GENET_POWER_PASSIVE:
/* Power down LED */
- if (priv->hw_params->flags & GENET_HAS_EXT) {
+ if (bcmgenet_has_ext(priv)) {
reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
- if (GENET_IS_V5(priv) && !priv->ephy_16nm)
+ if (GENET_IS_V5(priv) && !bcmgenet_has_ephy_16nm(priv))
reg |= EXT_PWR_DOWN_PHY_EN |
EXT_PWR_DOWN_PHY_RD |
EXT_PWR_DOWN_PHY_SD |
@@ -1683,7 +1683,7 @@ static void bcmgenet_power_up(struct bcmgenet_priv *priv,
{
u32 reg;
- if (!(priv->hw_params->flags & GENET_HAS_EXT))
+ if (!bcmgenet_has_ext(priv))
return;
reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
@@ -1692,7 +1692,7 @@ static void bcmgenet_power_up(struct bcmgenet_priv *priv,
case GENET_POWER_PASSIVE:
reg &= ~(EXT_PWR_DOWN_DLL | EXT_PWR_DOWN_BIAS |
EXT_ENERGY_DET_MASK);
- if (GENET_IS_V5(priv) && !priv->ephy_16nm) {
+ if (GENET_IS_V5(priv) && !bcmgenet_has_ephy_16nm(priv)) {
reg &= ~(EXT_PWR_DOWN_PHY_EN |
EXT_PWR_DOWN_PHY_RD |
EXT_PWR_DOWN_PHY_SD |
@@ -2525,7 +2525,7 @@ static void bcmgenet_link_intr_enable(struct bcmgenet_priv *priv)
} else if (priv->ext_phy) {
int0_enable |= UMAC_IRQ_LINK_EVENT;
} else if (priv->phy_interface == PHY_INTERFACE_MODE_MOCA) {
- if (priv->hw_params->flags & GENET_HAS_MOCA_LINK_DET)
+ if (bcmgenet_has_moca_link_det(priv))
int0_enable |= UMAC_IRQ_LINK_EVENT;
}
bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
@@ -2590,7 +2590,7 @@ static void init_umac(struct bcmgenet_priv *priv)
}
/* Enable MDIO interrupts on GENET v3+ */
- if (priv->hw_params->flags & GENET_HAS_MDIO_INTR)
+ if (bcmgenet_has_mdio_intr(priv))
int0_enable |= (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR);
bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
@@ -3230,7 +3230,7 @@ static irqreturn_t bcmgenet_isr0(int irq, void *dev_id)
}
}
- if ((priv->hw_params->flags & GENET_HAS_MDIO_INTR) &&
+ if (bcmgenet_has_mdio_intr(priv) &&
status & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) {
wake_up(&priv->wq);
}
@@ -3900,7 +3900,7 @@ static void bcmgenet_set_hw_params(struct bcmgenet_priv *priv)
}
#ifdef CONFIG_PHYS_ADDR_T_64BIT
- if (!(params->flags & GENET_HAS_40BITS))
+ if (!bcmgenet_has_40bits(priv))
pr_warn("GENET does not support 40-bits PA\n");
#endif
@@ -4079,7 +4079,7 @@ static int bcmgenet_probe(struct platform_device *pdev)
bcmgenet_set_hw_params(priv);
err = -EIO;
- if (priv->hw_params->flags & GENET_HAS_40BITS)
+ if (bcmgenet_has_40bits(priv))
err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(40));
if (err)
err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index 28e2c94ef835c..ba83819210aa8 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
/*
- * Copyright (c) 2014-2024 Broadcom
+ * Copyright (c) 2014-2025 Broadcom
*/
#ifndef __BCMGENET_H__
@@ -650,6 +650,31 @@ struct bcmgenet_priv {
struct ethtool_eee eee;
};
+static inline bool bcmgenet_has_40bits(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_40BITS);
+}
+
+static inline bool bcmgenet_has_ext(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_EXT);
+}
+
+static inline bool bcmgenet_has_mdio_intr(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_MDIO_INTR);
+}
+
+static inline bool bcmgenet_has_moca_link_det(struct bcmgenet_priv *priv)
+{
+ return !!(priv->hw_params->flags & GENET_HAS_MOCA_LINK_DET);
+}
+
+static inline bool bcmgenet_has_ephy_16nm(struct bcmgenet_priv *priv)
+{
+ return priv->ephy_16nm;
+}
+
#define GENET_IO_MACRO(name, offset) \
static inline u32 bcmgenet_##name##_readl(struct bcmgenet_priv *priv, \
u32 off) \
diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
index e7c659cd39746..e4b498d6bd914 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -2,7 +2,7 @@
/*
* Broadcom GENET MDIO routines
*
- * Copyright (c) 2014-2024 Broadcom
+ * Copyright (c) 2014-2025 Broadcom
*/
#include <linux/acpi.h>
@@ -153,7 +153,7 @@ void bcmgenet_phy_power_set(struct net_device *dev, bool enable)
u32 reg = 0;
/* EXT_GPHY_CTRL is only valid for GENETv4 and onward */
- if (GENET_IS_V4(priv) || priv->ephy_16nm) {
+ if (GENET_IS_V4(priv) || bcmgenet_has_ephy_16nm(priv)) {
reg = bcmgenet_ext_readl(priv, EXT_GPHY_CTRL);
if (enable) {
reg &= ~EXT_CK25_DIS;
@@ -183,7 +183,7 @@ void bcmgenet_phy_power_set(struct net_device *dev, bool enable)
static void bcmgenet_moca_phy_setup(struct bcmgenet_priv *priv)
{
- if (priv->hw_params->flags & GENET_HAS_MOCA_LINK_DET)
+ if (bcmgenet_has_moca_link_det(priv))
fixed_phy_set_link_update(priv->dev->phydev,
bcmgenet_fixed_phy_link_update);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 057/508] net: bcmgenet: move DESC_INDEX flow to ring 0
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.6 056/508] net: bcmgenet: add bcmgenet_has_* helpers Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 058/508] net: bcmgenet: support reclaiming unsent Tx packets Greg Kroah-Hartman
` (452 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 3b5d4f5a820d362dd46472542b2e961fb1f93515 ]
The default transmit and receive packet handling is moved from
the DESC_INDEX (i.e. 16) descriptor rings to the Ring 0 queues.
This saves a fair amount of special case code by unifying the
handling.
A default dummy filter is enabled in the Hardware Filter Block
to route default receive packets to Ring 0.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250306192643.2383632-7-opendmb@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 369 +++++-------------
.../net/ethernet/broadcom/genet/bcmgenet.h | 12 +-
.../ethernet/broadcom/genet/bcmgenet_wol.c | 4 +-
3 files changed, 110 insertions(+), 275 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 1046b4f8544c9..ed66ae393100e 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -41,15 +41,13 @@
#include "bcmgenet.h"
-/* Maximum number of hardware queues, downsized if needed */
-#define GENET_MAX_MQ_CNT 4
-
/* Default highest priority queue for multi queue support */
-#define GENET_Q0_PRIORITY 0
+#define GENET_Q1_PRIORITY 0
+#define GENET_Q0_PRIORITY 1
-#define GENET_Q16_RX_BD_CNT \
+#define GENET_Q0_RX_BD_CNT \
(TOTAL_DESC - priv->hw_params->rx_queues * priv->hw_params->rx_bds_per_q)
-#define GENET_Q16_TX_BD_CNT \
+#define GENET_Q0_TX_BD_CNT \
(TOTAL_DESC - priv->hw_params->tx_queues * priv->hw_params->tx_bds_per_q)
#define RX_BUF_LENGTH 2048
@@ -585,7 +583,7 @@ static void bcmgenet_hfb_create_rxnfc_filter(struct bcmgenet_priv *priv,
u16 mask_16;
size_t size;
- f = fs->location;
+ f = fs->location + 1;
if (fs->flow_type & FLOW_MAC_EXT) {
bcmgenet_hfb_insert_data(priv, f, 0,
&fs->h_ext.h_dest, &fs->m_ext.h_dest,
@@ -667,19 +665,14 @@ static void bcmgenet_hfb_create_rxnfc_filter(struct bcmgenet_priv *priv,
}
bcmgenet_hfb_set_filter_length(priv, f, 2 * f_length);
- if (!fs->ring_cookie || fs->ring_cookie == RX_CLS_FLOW_WAKE) {
- /* Ring 0 flows can be handled by the default Descriptor Ring
- * We'll map them to ring 0, but don't enable the filter
- */
+ if (fs->ring_cookie == RX_CLS_FLOW_WAKE)
bcmgenet_hfb_set_filter_rx_queue_mapping(priv, f, 0);
- rule->state = BCMGENET_RXNFC_STATE_DISABLED;
- } else {
+ else
/* Other Rx rings are direct mapped here */
bcmgenet_hfb_set_filter_rx_queue_mapping(priv, f,
fs->ring_cookie);
- bcmgenet_hfb_enable_filter(priv, f);
- rule->state = BCMGENET_RXNFC_STATE_ENABLED;
- }
+ bcmgenet_hfb_enable_filter(priv, f);
+ rule->state = BCMGENET_RXNFC_STATE_ENABLED;
}
/* bcmgenet_hfb_clear
@@ -715,6 +708,10 @@ static void bcmgenet_hfb_clear(struct bcmgenet_priv *priv)
for (i = 0; i < priv->hw_params->hfb_filter_cnt; i++)
bcmgenet_hfb_clear_filter(priv, i);
+
+ /* Enable filter 0 to send default flow to ring 0 */
+ bcmgenet_hfb_set_filter_length(priv, 0, 4);
+ bcmgenet_hfb_enable_filter(priv, 0);
}
static void bcmgenet_hfb_init(struct bcmgenet_priv *priv)
@@ -819,20 +816,16 @@ static int bcmgenet_get_coalesce(struct net_device *dev,
unsigned int i;
ec->tx_max_coalesced_frames =
- bcmgenet_tdma_ring_readl(priv, DESC_INDEX,
- DMA_MBUF_DONE_THRESH);
+ bcmgenet_tdma_ring_readl(priv, 0, DMA_MBUF_DONE_THRESH);
ec->rx_max_coalesced_frames =
- bcmgenet_rdma_ring_readl(priv, DESC_INDEX,
- DMA_MBUF_DONE_THRESH);
+ bcmgenet_rdma_ring_readl(priv, 0, DMA_MBUF_DONE_THRESH);
ec->rx_coalesce_usecs =
- bcmgenet_rdma_readl(priv, DMA_RING16_TIMEOUT) * 8192 / 1000;
+ bcmgenet_rdma_readl(priv, DMA_RING0_TIMEOUT) * 8192 / 1000;
- for (i = 0; i < priv->hw_params->rx_queues; i++) {
+ for (i = 0; i <= priv->hw_params->rx_queues; i++) {
ring = &priv->rx_rings[i];
ec->use_adaptive_rx_coalesce |= ring->dim.use_dim;
}
- ring = &priv->rx_rings[DESC_INDEX];
- ec->use_adaptive_rx_coalesce |= ring->dim.use_dim;
return 0;
}
@@ -902,17 +895,13 @@ static int bcmgenet_set_coalesce(struct net_device *dev,
/* Program all TX queues with the same values, as there is no
* ethtool knob to do coalescing on a per-queue basis
*/
- for (i = 0; i < priv->hw_params->tx_queues; i++)
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
bcmgenet_tdma_ring_writel(priv, i,
ec->tx_max_coalesced_frames,
DMA_MBUF_DONE_THRESH);
- bcmgenet_tdma_ring_writel(priv, DESC_INDEX,
- ec->tx_max_coalesced_frames,
- DMA_MBUF_DONE_THRESH);
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
bcmgenet_set_ring_rx_coalesce(&priv->rx_rings[i], ec);
- bcmgenet_set_ring_rx_coalesce(&priv->rx_rings[DESC_INDEX], ec);
return 0;
}
@@ -1120,7 +1109,7 @@ static const struct bcmgenet_stats bcmgenet_gstrings_stats[] = {
STAT_GENET_Q(1),
STAT_GENET_Q(2),
STAT_GENET_Q(3),
- STAT_GENET_Q(16),
+ STAT_GENET_Q(4),
};
#define BCMGENET_STATS_LEN ARRAY_SIZE(bcmgenet_gstrings_stats)
@@ -1474,10 +1463,10 @@ static int bcmgenet_insert_flow(struct net_device *dev,
loc_rule = &priv->rxnfc_rules[cmd->fs.location];
}
if (loc_rule->state == BCMGENET_RXNFC_STATE_ENABLED)
- bcmgenet_hfb_disable_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_disable_filter(priv, cmd->fs.location + 1);
if (loc_rule->state != BCMGENET_RXNFC_STATE_UNUSED) {
list_del(&loc_rule->list);
- bcmgenet_hfb_clear_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_clear_filter(priv, cmd->fs.location + 1);
}
loc_rule->state = BCMGENET_RXNFC_STATE_UNUSED;
memcpy(&loc_rule->fs, &cmd->fs,
@@ -1507,10 +1496,10 @@ static int bcmgenet_delete_flow(struct net_device *dev,
}
if (rule->state == BCMGENET_RXNFC_STATE_ENABLED)
- bcmgenet_hfb_disable_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_disable_filter(priv, cmd->fs.location + 1);
if (rule->state != BCMGENET_RXNFC_STATE_UNUSED) {
list_del(&rule->list);
- bcmgenet_hfb_clear_filter(priv, cmd->fs.location);
+ bcmgenet_hfb_clear_filter(priv, cmd->fs.location + 1);
}
rule->state = BCMGENET_RXNFC_STATE_UNUSED;
memset(&rule->fs, 0, sizeof(struct ethtool_rx_flow_spec));
@@ -1761,18 +1750,6 @@ static struct enet_cb *bcmgenet_put_txcb(struct bcmgenet_priv *priv,
return tx_cb_ptr;
}
-static inline void bcmgenet_rx_ring16_int_disable(struct bcmgenet_rx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_RXDMA_DONE,
- INTRL2_CPU_MASK_SET);
-}
-
-static inline void bcmgenet_rx_ring16_int_enable(struct bcmgenet_rx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_RXDMA_DONE,
- INTRL2_CPU_MASK_CLEAR);
-}
-
static inline void bcmgenet_rx_ring_int_disable(struct bcmgenet_rx_ring *ring)
{
bcmgenet_intrl2_1_writel(ring->priv,
@@ -1787,18 +1764,6 @@ static inline void bcmgenet_rx_ring_int_enable(struct bcmgenet_rx_ring *ring)
INTRL2_CPU_MASK_CLEAR);
}
-static inline void bcmgenet_tx_ring16_int_disable(struct bcmgenet_tx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_TXDMA_DONE,
- INTRL2_CPU_MASK_SET);
-}
-
-static inline void bcmgenet_tx_ring16_int_enable(struct bcmgenet_tx_ring *ring)
-{
- bcmgenet_intrl2_0_writel(ring->priv, UMAC_IRQ_TXDMA_DONE,
- INTRL2_CPU_MASK_CLEAR);
-}
-
static inline void bcmgenet_tx_ring_int_enable(struct bcmgenet_tx_ring *ring)
{
bcmgenet_intrl2_1_writel(ring->priv, 1 << ring->index,
@@ -1879,12 +1844,7 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
struct sk_buff *skb;
/* Clear status before servicing to reduce spurious interrupts */
- if (ring->index == DESC_INDEX)
- bcmgenet_intrl2_0_writel(priv, UMAC_IRQ_TXDMA_DONE,
- INTRL2_CPU_CLEAR);
- else
- bcmgenet_intrl2_1_writel(priv, (1 << ring->index),
- INTRL2_CPU_CLEAR);
+ bcmgenet_intrl2_1_writel(priv, (1 << ring->index), INTRL2_CPU_CLEAR);
/* Compute how many buffers are transmitted since last xmit call */
c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX)
@@ -1918,7 +1878,7 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
ring->packets += pkts_compl;
ring->bytes += bytes_compl;
- netdev_tx_completed_queue(netdev_get_tx_queue(dev, ring->queue),
+ netdev_tx_completed_queue(netdev_get_tx_queue(dev, ring->index),
pkts_compl, bytes_compl);
return txbds_processed;
@@ -1946,14 +1906,14 @@ static int bcmgenet_tx_poll(struct napi_struct *napi, int budget)
spin_lock(&ring->lock);
work_done = __bcmgenet_tx_reclaim(ring->priv->dev, ring);
if (ring->free_bds > (MAX_SKB_FRAGS + 1)) {
- txq = netdev_get_tx_queue(ring->priv->dev, ring->queue);
+ txq = netdev_get_tx_queue(ring->priv->dev, ring->index);
netif_tx_wake_queue(txq);
}
spin_unlock(&ring->lock);
if (work_done == 0) {
napi_complete(napi);
- ring->int_enable(ring);
+ bcmgenet_tx_ring_int_enable(ring);
return 0;
}
@@ -1964,14 +1924,11 @@ static int bcmgenet_tx_poll(struct napi_struct *napi, int budget)
static void bcmgenet_tx_reclaim_all(struct net_device *dev)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- int i;
-
- if (netif_is_multiqueue(dev)) {
- for (i = 0; i < priv->hw_params->tx_queues; i++)
- bcmgenet_tx_reclaim(dev, &priv->tx_rings[i]);
- }
+ int i = 0;
- bcmgenet_tx_reclaim(dev, &priv->tx_rings[DESC_INDEX]);
+ do {
+ bcmgenet_tx_reclaim(dev, &priv->tx_rings[i++]);
+ } while (i <= priv->hw_params->tx_queues && netif_is_multiqueue(dev));
}
/* Reallocate the SKB to put enough headroom in front of it and insert
@@ -2059,19 +2016,14 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
index = skb_get_queue_mapping(skb);
/* Mapping strategy:
- * queue_mapping = 0, unclassified, packet xmited through ring16
- * queue_mapping = 1, goes to ring 0. (highest priority queue
- * queue_mapping = 2, goes to ring 1.
- * queue_mapping = 3, goes to ring 2.
- * queue_mapping = 4, goes to ring 3.
+ * queue_mapping = 0, unclassified, packet xmited through ring 0
+ * queue_mapping = 1, goes to ring 1. (highest priority queue)
+ * queue_mapping = 2, goes to ring 2.
+ * queue_mapping = 3, goes to ring 3.
+ * queue_mapping = 4, goes to ring 4.
*/
- if (index == 0)
- index = DESC_INDEX;
- else
- index -= 1;
-
ring = &priv->tx_rings[index];
- txq = netdev_get_tx_queue(dev, ring->queue);
+ txq = netdev_get_tx_queue(dev, index);
nr_frags = skb_shinfo(skb)->nr_frags;
@@ -2244,15 +2196,8 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
unsigned int discards;
/* Clear status before servicing to reduce spurious interrupts */
- if (ring->index == DESC_INDEX) {
- bcmgenet_intrl2_0_writel(priv, UMAC_IRQ_RXDMA_DONE,
- INTRL2_CPU_CLEAR);
- } else {
- mask = 1 << (UMAC_IRQ1_RX_INTR_SHIFT + ring->index);
- bcmgenet_intrl2_1_writel(priv,
- mask,
- INTRL2_CPU_CLEAR);
- }
+ mask = 1 << (UMAC_IRQ1_RX_INTR_SHIFT + ring->index);
+ bcmgenet_intrl2_1_writel(priv, mask, INTRL2_CPU_CLEAR);
p_index = bcmgenet_rdma_ring_readl(priv, ring->index, RDMA_PROD_INDEX);
@@ -2401,7 +2346,7 @@ static int bcmgenet_rx_poll(struct napi_struct *napi, int budget)
if (work_done < budget) {
napi_complete_done(napi, work_done);
- ring->int_enable(ring);
+ bcmgenet_rx_ring_int_enable(ring);
}
if (ring->dim.use_dim) {
@@ -2641,15 +2586,6 @@ static void bcmgenet_init_tx_ring(struct bcmgenet_priv *priv,
spin_lock_init(&ring->lock);
ring->priv = priv;
ring->index = index;
- if (index == DESC_INDEX) {
- ring->queue = 0;
- ring->int_enable = bcmgenet_tx_ring16_int_enable;
- ring->int_disable = bcmgenet_tx_ring16_int_disable;
- } else {
- ring->queue = index + 1;
- ring->int_enable = bcmgenet_tx_ring_int_enable;
- ring->int_disable = bcmgenet_tx_ring_int_disable;
- }
ring->cbs = priv->tx_cbs + start_ptr;
ring->size = size;
ring->clean_ptr = start_ptr;
@@ -2660,8 +2596,8 @@ static void bcmgenet_init_tx_ring(struct bcmgenet_priv *priv,
ring->end_ptr = end_ptr - 1;
ring->prod_index = 0;
- /* Set flow period for ring != 16 */
- if (index != DESC_INDEX)
+ /* Set flow period for ring != 0 */
+ if (index)
flow_period_val = ENET_MAX_MTU_SIZE << 16;
bcmgenet_tdma_ring_writel(priv, index, 0, TDMA_PROD_INDEX);
@@ -2699,13 +2635,6 @@ static int bcmgenet_init_rx_ring(struct bcmgenet_priv *priv,
ring->priv = priv;
ring->index = index;
- if (index == DESC_INDEX) {
- ring->int_enable = bcmgenet_rx_ring16_int_enable;
- ring->int_disable = bcmgenet_rx_ring16_int_disable;
- } else {
- ring->int_enable = bcmgenet_rx_ring_int_enable;
- ring->int_disable = bcmgenet_rx_ring_int_disable;
- }
ring->cbs = priv->rx_cbs + start_ptr;
ring->size = size;
ring->c_index = 0;
@@ -2751,15 +2680,11 @@ static void bcmgenet_enable_tx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_tx_ring *ring;
- for (i = 0; i < priv->hw_params->tx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->tx_queues; ++i) {
ring = &priv->tx_rings[i];
napi_enable(&ring->napi);
- ring->int_enable(ring);
+ bcmgenet_tx_ring_int_enable(ring);
}
-
- ring = &priv->tx_rings[DESC_INDEX];
- napi_enable(&ring->napi);
- ring->int_enable(ring);
}
static void bcmgenet_disable_tx_napi(struct bcmgenet_priv *priv)
@@ -2767,13 +2692,10 @@ static void bcmgenet_disable_tx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_tx_ring *ring;
- for (i = 0; i < priv->hw_params->tx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->tx_queues; ++i) {
ring = &priv->tx_rings[i];
napi_disable(&ring->napi);
}
-
- ring = &priv->tx_rings[DESC_INDEX];
- napi_disable(&ring->napi);
}
static void bcmgenet_fini_tx_napi(struct bcmgenet_priv *priv)
@@ -2781,33 +2703,31 @@ static void bcmgenet_fini_tx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_tx_ring *ring;
- for (i = 0; i < priv->hw_params->tx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->tx_queues; ++i) {
ring = &priv->tx_rings[i];
netif_napi_del(&ring->napi);
}
-
- ring = &priv->tx_rings[DESC_INDEX];
- netif_napi_del(&ring->napi);
}
/* Initialize Tx queues
*
- * Queues 0-3 are priority-based, each one has 32 descriptors,
- * with queue 0 being the highest priority queue.
+ * Queues 1-4 are priority-based, each one has 32 descriptors,
+ * with queue 1 being the highest priority queue.
*
- * Queue 16 is the default Tx queue with
- * GENET_Q16_TX_BD_CNT = 256 - 4 * 32 = 128 descriptors.
+ * Queue 0 is the default Tx queue with
+ * GENET_Q0_TX_BD_CNT = 256 - 4 * 32 = 128 descriptors.
*
* The transmit control block pool is then partitioned as follows:
- * - Tx queue 0 uses tx_cbs[0..31]
- * - Tx queue 1 uses tx_cbs[32..63]
- * - Tx queue 2 uses tx_cbs[64..95]
- * - Tx queue 3 uses tx_cbs[96..127]
- * - Tx queue 16 uses tx_cbs[128..255]
+ * - Tx queue 0 uses tx_cbs[0..127]
+ * - Tx queue 1 uses tx_cbs[128..159]
+ * - Tx queue 2 uses tx_cbs[160..191]
+ * - Tx queue 3 uses tx_cbs[192..223]
+ * - Tx queue 4 uses tx_cbs[224..255]
*/
static void bcmgenet_init_tx_queues(struct net_device *dev)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
+ unsigned int start = 0, end = GENET_Q0_TX_BD_CNT;
u32 i, dma_enable;
u32 dma_ctrl, ring_cfg;
u32 dma_priority[3] = {0, 0, 0};
@@ -2824,27 +2744,17 @@ static void bcmgenet_init_tx_queues(struct net_device *dev)
bcmgenet_tdma_writel(priv, DMA_ARBITER_SP, DMA_ARB_CTRL);
/* Initialize Tx priority queues */
- for (i = 0; i < priv->hw_params->tx_queues; i++) {
- bcmgenet_init_tx_ring(priv, i, priv->hw_params->tx_bds_per_q,
- i * priv->hw_params->tx_bds_per_q,
- (i + 1) * priv->hw_params->tx_bds_per_q);
+ for (i = 0; i <= priv->hw_params->tx_queues; i++) {
+ bcmgenet_init_tx_ring(priv, i, end - start, start, end);
+ start = end;
+ end += priv->hw_params->tx_bds_per_q;
ring_cfg |= (1 << i);
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
dma_priority[DMA_PRIO_REG_INDEX(i)] |=
- ((GENET_Q0_PRIORITY + i) << DMA_PRIO_REG_SHIFT(i));
+ (i ? GENET_Q1_PRIORITY : GENET_Q0_PRIORITY)
+ << DMA_PRIO_REG_SHIFT(i);
}
- /* Initialize Tx default queue 16 */
- bcmgenet_init_tx_ring(priv, DESC_INDEX, GENET_Q16_TX_BD_CNT,
- priv->hw_params->tx_queues *
- priv->hw_params->tx_bds_per_q,
- TOTAL_DESC);
- ring_cfg |= (1 << DESC_INDEX);
- dma_ctrl |= (1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT));
- dma_priority[DMA_PRIO_REG_INDEX(DESC_INDEX)] |=
- ((GENET_Q0_PRIORITY + priv->hw_params->tx_queues) <<
- DMA_PRIO_REG_SHIFT(DESC_INDEX));
-
/* Set Tx queue priorities */
bcmgenet_tdma_writel(priv, dma_priority[0], DMA_PRIORITY_0);
bcmgenet_tdma_writel(priv, dma_priority[1], DMA_PRIORITY_1);
@@ -2864,15 +2774,11 @@ static void bcmgenet_enable_rx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_rx_ring *ring;
- for (i = 0; i < priv->hw_params->rx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->rx_queues; ++i) {
ring = &priv->rx_rings[i];
napi_enable(&ring->napi);
- ring->int_enable(ring);
+ bcmgenet_rx_ring_int_enable(ring);
}
-
- ring = &priv->rx_rings[DESC_INDEX];
- napi_enable(&ring->napi);
- ring->int_enable(ring);
}
static void bcmgenet_disable_rx_napi(struct bcmgenet_priv *priv)
@@ -2880,15 +2786,11 @@ static void bcmgenet_disable_rx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_rx_ring *ring;
- for (i = 0; i < priv->hw_params->rx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->rx_queues; ++i) {
ring = &priv->rx_rings[i];
napi_disable(&ring->napi);
cancel_work_sync(&ring->dim.dim.work);
}
-
- ring = &priv->rx_rings[DESC_INDEX];
- napi_disable(&ring->napi);
- cancel_work_sync(&ring->dim.dim.work);
}
static void bcmgenet_fini_rx_napi(struct bcmgenet_priv *priv)
@@ -2896,13 +2798,10 @@ static void bcmgenet_fini_rx_napi(struct bcmgenet_priv *priv)
unsigned int i;
struct bcmgenet_rx_ring *ring;
- for (i = 0; i < priv->hw_params->rx_queues; ++i) {
+ for (i = 0; i <= priv->hw_params->rx_queues; ++i) {
ring = &priv->rx_rings[i];
netif_napi_del(&ring->napi);
}
-
- ring = &priv->rx_rings[DESC_INDEX];
- netif_napi_del(&ring->napi);
}
/* Initialize Rx queues
@@ -2910,15 +2809,13 @@ static void bcmgenet_fini_rx_napi(struct bcmgenet_priv *priv)
* Queues 0-15 are priority queues. Hardware Filtering Block (HFB) can be
* used to direct traffic to these queues.
*
- * Queue 16 is the default Rx queue with GENET_Q16_RX_BD_CNT descriptors.
+ * Queue 0 is also the default Rx queue with GENET_Q0_RX_BD_CNT descriptors.
*/
static int bcmgenet_init_rx_queues(struct net_device *dev)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 i;
- u32 dma_enable;
- u32 dma_ctrl;
- u32 ring_cfg;
+ unsigned int start = 0, end = GENET_Q0_RX_BD_CNT;
+ u32 i, dma_enable, dma_ctrl = 0, ring_cfg = 0;
int ret;
dma_ctrl = bcmgenet_rdma_readl(priv, DMA_CTRL);
@@ -2930,34 +2827,21 @@ static int bcmgenet_init_rx_queues(struct net_device *dev)
ring_cfg = 0;
/* Initialize Rx priority queues */
- for (i = 0; i < priv->hw_params->rx_queues; i++) {
- ret = bcmgenet_init_rx_ring(priv, i,
- priv->hw_params->rx_bds_per_q,
- i * priv->hw_params->rx_bds_per_q,
- (i + 1) *
- priv->hw_params->rx_bds_per_q);
+ for (i = 0; i <= priv->hw_params->rx_queues; i++) {
+ ret = bcmgenet_init_rx_ring(priv, i, end - start, start, end);
if (ret)
return ret;
+ start = end;
+ end += priv->hw_params->rx_bds_per_q;
ring_cfg |= (1 << i);
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
}
- /* Initialize Rx default queue 16 */
- ret = bcmgenet_init_rx_ring(priv, DESC_INDEX, GENET_Q16_RX_BD_CNT,
- priv->hw_params->rx_queues *
- priv->hw_params->rx_bds_per_q,
- TOTAL_DESC);
- if (ret)
- return ret;
-
- ring_cfg |= (1 << DESC_INDEX);
- dma_ctrl |= (1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT));
-
- /* Enable rings */
+ /* Configure Rx queues as descriptor rings */
bcmgenet_rdma_writel(priv, ring_cfg, DMA_RING_CFG);
- /* Configure ring as descriptor ring and re-enable DMA if enabled */
+ /* Enable Rx rings */
if (dma_enable)
dma_ctrl |= DMA_EN;
bcmgenet_rdma_writel(priv, dma_ctrl, DMA_CTRL);
@@ -3016,14 +2900,14 @@ static int bcmgenet_dma_teardown(struct bcmgenet_priv *priv)
}
dma_ctrl = 0;
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
bcmgenet_rdma_writel(priv, reg, DMA_CTRL);
dma_ctrl = 0;
- for (i = 0; i < priv->hw_params->tx_queues; i++)
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
@@ -3044,14 +2928,11 @@ static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
dev_kfree_skb(bcmgenet_free_tx_cb(&priv->pdev->dev,
priv->tx_cbs + i));
- for (i = 0; i < priv->hw_params->tx_queues; i++) {
- txq = netdev_get_tx_queue(priv->dev, priv->tx_rings[i].queue);
+ for (i = 0; i <= priv->hw_params->tx_queues; i++) {
+ txq = netdev_get_tx_queue(priv->dev, i);
netdev_tx_reset_queue(txq);
}
- txq = netdev_get_tx_queue(priv->dev, priv->tx_rings[DESC_INDEX].queue);
- netdev_tx_reset_queue(txq);
-
bcmgenet_free_rx_buffers(priv);
kfree(priv->rx_cbs);
kfree(priv->tx_cbs);
@@ -3144,7 +3025,7 @@ static void bcmgenet_irq_task(struct work_struct *work)
}
-/* bcmgenet_isr1: handle Rx and Tx priority queues */
+/* bcmgenet_isr1: handle Rx and Tx queues */
static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
{
struct bcmgenet_priv *priv = dev_id;
@@ -3163,7 +3044,7 @@ static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
"%s: IRQ=0x%x\n", __func__, status);
/* Check Rx priority queue interrupts */
- for (index = 0; index < priv->hw_params->rx_queues; index++) {
+ for (index = 0; index <= priv->hw_params->rx_queues; index++) {
if (!(status & BIT(UMAC_IRQ1_RX_INTR_SHIFT + index)))
continue;
@@ -3171,20 +3052,20 @@ static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
rx_ring->dim.event_ctr++;
if (likely(napi_schedule_prep(&rx_ring->napi))) {
- rx_ring->int_disable(rx_ring);
+ bcmgenet_rx_ring_int_disable(rx_ring);
__napi_schedule_irqoff(&rx_ring->napi);
}
}
/* Check Tx priority queue interrupts */
- for (index = 0; index < priv->hw_params->tx_queues; index++) {
+ for (index = 0; index <= priv->hw_params->tx_queues; index++) {
if (!(status & BIT(index)))
continue;
tx_ring = &priv->tx_rings[index];
if (likely(napi_schedule_prep(&tx_ring->napi))) {
- tx_ring->int_disable(tx_ring);
+ bcmgenet_tx_ring_int_disable(tx_ring);
__napi_schedule_irqoff(&tx_ring->napi);
}
}
@@ -3192,12 +3073,10 @@ static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
return IRQ_HANDLED;
}
-/* bcmgenet_isr0: handle Rx and Tx default queues + other stuff */
+/* bcmgenet_isr0: handle other stuff */
static irqreturn_t bcmgenet_isr0(int irq, void *dev_id)
{
struct bcmgenet_priv *priv = dev_id;
- struct bcmgenet_rx_ring *rx_ring;
- struct bcmgenet_tx_ring *tx_ring;
unsigned int status;
unsigned long flags;
@@ -3211,25 +3090,6 @@ static irqreturn_t bcmgenet_isr0(int irq, void *dev_id)
netif_dbg(priv, intr, priv->dev,
"IRQ=0x%x\n", status);
- if (status & UMAC_IRQ_RXDMA_DONE) {
- rx_ring = &priv->rx_rings[DESC_INDEX];
- rx_ring->dim.event_ctr++;
-
- if (likely(napi_schedule_prep(&rx_ring->napi))) {
- rx_ring->int_disable(rx_ring);
- __napi_schedule_irqoff(&rx_ring->napi);
- }
- }
-
- if (status & UMAC_IRQ_TXDMA_DONE) {
- tx_ring = &priv->tx_rings[DESC_INDEX];
-
- if (likely(napi_schedule_prep(&tx_ring->napi))) {
- tx_ring->int_disable(tx_ring);
- __napi_schedule_irqoff(&tx_ring->napi);
- }
- }
-
if (bcmgenet_has_mdio_intr(priv) &&
status & (UMAC_IRQ_MDIO_DONE | UMAC_IRQ_MDIO_ERROR)) {
wake_up(&priv->wq);
@@ -3295,15 +3155,15 @@ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv, bool flush_rx)
u32 dma_ctrl;
/* disable DMA */
- dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
- for (i = 0; i < priv->hw_params->tx_queues; i++)
+ dma_ctrl = DMA_EN;
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
bcmgenet_tdma_writel(priv, reg, DMA_CTRL);
- dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ dma_ctrl = DMA_EN;
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
reg &= ~dma_ctrl;
@@ -3386,6 +3246,9 @@ static int bcmgenet_open(struct net_device *dev)
bcmgenet_set_hw_addr(priv, dev->dev_addr);
+ /* HFB init */
+ bcmgenet_hfb_init(priv);
+
/* Disable RX/TX DMA and flush TX and RX queues */
dma_ctrl = bcmgenet_dma_disable(priv, true);
@@ -3396,12 +3259,8 @@ static int bcmgenet_open(struct net_device *dev)
goto err_clk_disable;
}
- /* Always enable ring 16 - descriptor ring */
bcmgenet_enable_dma(priv, dma_ctrl);
- /* HFB init */
- bcmgenet_hfb_init(priv);
-
ret = request_irq(priv->irq0, bcmgenet_isr0, IRQF_SHARED,
dev->name, priv);
if (ret < 0) {
@@ -3508,16 +3367,11 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
if (!netif_msg_tx_err(priv))
return;
- txq = netdev_get_tx_queue(priv->dev, ring->queue);
+ txq = netdev_get_tx_queue(priv->dev, ring->index);
spin_lock(&ring->lock);
- if (ring->index == DESC_INDEX) {
- intsts = ~bcmgenet_intrl2_0_readl(priv, INTRL2_CPU_MASK_STATUS);
- intmsk = UMAC_IRQ_TXDMA_DONE | UMAC_IRQ_TXDMA_MBDONE;
- } else {
- intsts = ~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS);
- intmsk = 1 << ring->index;
- }
+ intsts = ~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS);
+ intmsk = 1 << ring->index;
c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX);
p_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_PROD_INDEX);
txq_stopped = netif_tx_queue_stopped(txq);
@@ -3531,7 +3385,7 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
"(sw)c_index: %d (hw)c_index: %d\n"
"(sw)clean_p: %d (sw)write_p: %d\n"
"(sw)cb_ptr: %d (sw)end_ptr: %d\n",
- ring->index, ring->queue,
+ ring->index, ring->index,
txq_stopped ? "stopped" : "active",
intsts & intmsk ? "enabled" : "disabled",
free_bds, ring->size,
@@ -3544,25 +3398,20 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 int0_enable = 0;
u32 int1_enable = 0;
unsigned int q;
netif_dbg(priv, tx_err, dev, "bcmgenet_timeout\n");
- for (q = 0; q < priv->hw_params->tx_queues; q++)
+ for (q = 0; q <= priv->hw_params->tx_queues; q++)
bcmgenet_dump_tx_queue(&priv->tx_rings[q]);
- bcmgenet_dump_tx_queue(&priv->tx_rings[DESC_INDEX]);
bcmgenet_tx_reclaim_all(dev);
- for (q = 0; q < priv->hw_params->tx_queues; q++)
+ for (q = 0; q <= priv->hw_params->tx_queues; q++)
int1_enable |= (1 << q);
- int0_enable = UMAC_IRQ_TXDMA_DONE;
-
/* Re-enable TX interrupts if disabled */
- bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR);
netif_trans_update(dev);
@@ -3666,16 +3515,13 @@ static struct net_device_stats *bcmgenet_get_stats(struct net_device *dev)
struct bcmgenet_rx_ring *rx_ring;
unsigned int q;
- for (q = 0; q < priv->hw_params->tx_queues; q++) {
+ for (q = 0; q <= priv->hw_params->tx_queues; q++) {
tx_ring = &priv->tx_rings[q];
tx_bytes += tx_ring->bytes;
tx_packets += tx_ring->packets;
}
- tx_ring = &priv->tx_rings[DESC_INDEX];
- tx_bytes += tx_ring->bytes;
- tx_packets += tx_ring->packets;
- for (q = 0; q < priv->hw_params->rx_queues; q++) {
+ for (q = 0; q <= priv->hw_params->rx_queues; q++) {
rx_ring = &priv->rx_rings[q];
rx_bytes += rx_ring->bytes;
@@ -3683,11 +3529,6 @@ static struct net_device_stats *bcmgenet_get_stats(struct net_device *dev)
rx_errors += rx_ring->errors;
rx_dropped += rx_ring->dropped;
}
- rx_ring = &priv->rx_rings[DESC_INDEX];
- rx_bytes += rx_ring->bytes;
- rx_packets += rx_ring->packets;
- rx_errors += rx_ring->errors;
- rx_dropped += rx_ring->dropped;
dev->stats.tx_bytes = tx_bytes;
dev->stats.tx_packets = tx_packets;
@@ -4134,16 +3975,13 @@ static int bcmgenet_probe(struct platform_device *pdev)
if (err)
goto err_clk_disable;
- /* setup number of real queues + 1 (GENET_V1 has 0 hardware queues
- * just the ring 16 descriptor based TX
- */
+ /* setup number of real queues + 1 */
netif_set_real_num_tx_queues(priv->dev, priv->hw_params->tx_queues + 1);
netif_set_real_num_rx_queues(priv->dev, priv->hw_params->rx_queues + 1);
/* Set default coalescing parameters */
- for (i = 0; i < priv->hw_params->rx_queues; i++)
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
priv->rx_rings[i].rx_max_coalesced_frames = 1;
- priv->rx_rings[DESC_INDEX].rx_max_coalesced_frames = 1;
/* libphy will determine the link state */
netif_carrier_off(dev);
@@ -4268,7 +4106,6 @@ static int bcmgenet_resume(struct device *d)
goto out_clk_disable;
}
- /* Always enable ring 16 - descriptor ring */
bcmgenet_enable_dma(priv, dma_ctrl);
if (!device_may_wakeup(d))
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index ba83819210aa8..f3a1139cb7108 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -18,6 +18,9 @@
#include "../unimac.h"
+/* Maximum number of hardware queues, downsized if needed */
+#define GENET_MAX_MQ_CNT 4
+
/* total number of Buffer Descriptors, same for Rx/Tx */
#define TOTAL_DESC 256
@@ -513,7 +516,6 @@ struct bcmgenet_tx_ring {
unsigned long packets;
unsigned long bytes;
unsigned int index; /* ring index */
- unsigned int queue; /* queue index */
struct enet_cb *cbs; /* tx ring buffer control block*/
unsigned int size; /* size of each tx ring */
unsigned int clean_ptr; /* Tx ring clean pointer */
@@ -523,8 +525,6 @@ struct bcmgenet_tx_ring {
unsigned int prod_index; /* Tx ring producer index SW copy */
unsigned int cb_ptr; /* Tx ring initial CB ptr */
unsigned int end_ptr; /* Tx ring end CB ptr */
- void (*int_enable)(struct bcmgenet_tx_ring *);
- void (*int_disable)(struct bcmgenet_tx_ring *);
struct bcmgenet_priv *priv;
};
@@ -553,8 +553,6 @@ struct bcmgenet_rx_ring {
struct bcmgenet_net_dim dim;
u32 rx_max_coalesced_frames;
u32 rx_coalesce_usecs;
- void (*int_enable)(struct bcmgenet_rx_ring *);
- void (*int_disable)(struct bcmgenet_rx_ring *);
struct bcmgenet_priv *priv;
};
@@ -583,7 +581,7 @@ struct bcmgenet_priv {
struct enet_cb *tx_cbs;
unsigned int num_tx_bds;
- struct bcmgenet_tx_ring tx_rings[DESC_INDEX + 1];
+ struct bcmgenet_tx_ring tx_rings[GENET_MAX_MQ_CNT + 1];
/* receive variables */
void __iomem *rx_bds;
@@ -593,7 +591,7 @@ struct bcmgenet_priv {
struct bcmgenet_rxnfc_rule rxnfc_rules[MAX_NUM_OF_FS_RULES];
struct list_head rxnfc_list;
- struct bcmgenet_rx_ring rx_rings[DESC_INDEX + 1];
+ struct bcmgenet_rx_ring rx_rings[GENET_MAX_MQ_CNT + 1];
/* other misc variables */
struct bcmgenet_hw_params *hw_params;
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
index 2033fb9d893e0..98358b71cef5c 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
@@ -2,7 +2,7 @@
/*
* Broadcom GENET (Gigabit Ethernet) Wake-on-LAN support
*
- * Copyright (c) 2014-2024 Broadcom
+ * Copyright (c) 2014-2025 Broadcom
*/
#define pr_fmt(fmt) "bcmgenet_wol: " fmt
@@ -180,7 +180,7 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv,
if (priv->wolopts & WAKE_FILTER) {
list_for_each_entry(rule, &priv->rxnfc_list, list)
if (rule->fs.ring_cookie == RX_CLS_FLOW_WAKE)
- hfb_enable |= (1 << rule->fs.location);
+ hfb_enable |= (1 << (rule->fs.location + 1));
reg = (hfb_ctrl_reg & ~RBUF_HFB_EN) | RBUF_ACPI_EN;
bcmgenet_hfb_reg_writel(priv, reg, HFB_CTRL);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 058/508] net: bcmgenet: support reclaiming unsent Tx packets
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 057/508] net: bcmgenet: move DESC_INDEX flow to ring 0 Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 059/508] net: bcmgenet: switch to use 64bit statistics Greg Kroah-Hartman
` (451 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit f1bacae8b655163dcbc3c54b9e714ef1a8986d7b ]
When disabling the transmitter any outstanding packets can now
be reclaimed by bcmgenet_tx_reclaim_all() rather than by the
bcmgenet_fini_dma() function.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250306192643.2383632-12-opendmb@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 37 +++++++++++++++----
1 file changed, 30 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index ed66ae393100e..de15243c52a62 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1885,12 +1885,39 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
}
static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
- struct bcmgenet_tx_ring *ring)
+ struct bcmgenet_tx_ring *ring,
+ bool all)
{
- unsigned int released;
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct device *kdev = &priv->pdev->dev;
+ unsigned int released, drop, wr_ptr;
+ struct enet_cb *cb_ptr;
+ struct sk_buff *skb;
spin_lock_bh(&ring->lock);
released = __bcmgenet_tx_reclaim(dev, ring);
+ if (all) {
+ skb = NULL;
+ drop = (ring->prod_index - ring->c_index) & DMA_C_INDEX_MASK;
+ released += drop;
+ ring->prod_index = ring->c_index & DMA_C_INDEX_MASK;
+ while (drop--) {
+ cb_ptr = bcmgenet_put_txcb(priv, ring);
+ skb = cb_ptr->skb;
+ bcmgenet_free_tx_cb(kdev, cb_ptr);
+ if (skb && cb_ptr == GENET_CB(skb)->first_cb) {
+ dev_consume_skb_any(skb);
+ skb = NULL;
+ }
+ }
+ if (skb)
+ dev_consume_skb_any(skb);
+ bcmgenet_tdma_ring_writel(priv, ring->index,
+ ring->prod_index, TDMA_PROD_INDEX);
+ wr_ptr = ring->write_ptr * WORDS_PER_BD(priv);
+ bcmgenet_tdma_ring_writel(priv, ring->index, wr_ptr,
+ TDMA_WRITE_PTR);
+ }
spin_unlock_bh(&ring->lock);
return released;
@@ -1927,7 +1954,7 @@ static void bcmgenet_tx_reclaim_all(struct net_device *dev)
int i = 0;
do {
- bcmgenet_tx_reclaim(dev, &priv->tx_rings[i++]);
+ bcmgenet_tx_reclaim(dev, &priv->tx_rings[i++], true);
} while (i <= priv->hw_params->tx_queues && netif_is_multiqueue(dev));
}
@@ -2924,10 +2951,6 @@ static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
bcmgenet_fini_rx_napi(priv);
bcmgenet_fini_tx_napi(priv);
- for (i = 0; i < priv->num_tx_bds; i++)
- dev_kfree_skb(bcmgenet_free_tx_cb(&priv->pdev->dev,
- priv->tx_cbs + i));
-
for (i = 0; i <= priv->hw_params->tx_queues; i++) {
txq = netdev_get_tx_queue(priv->dev, i);
netdev_tx_reset_queue(txq);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 059/508] net: bcmgenet: switch to use 64bit statistics
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 058/508] net: bcmgenet: support reclaiming unsent Tx packets Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 060/508] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
` (450 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zak Kemble, Florian Fainelli,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zak Kemble <zakkemble@gmail.com>
[ Upstream commit 59aa6e3072aa7e51e9040e8c342d0c0825c5f48f ]
Update the driver to use ndo_get_stats64, rtnl_link_stats64 and
u64_stats_t counters for statistics.
Signed-off-by: Zak Kemble <zakkemble@gmail.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250519113257.1031-2-zakkemble@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 5393b2b5bee2 ("net: bcmgenet: fix racing timeout handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 246 ++++++++++++------
.../net/ethernet/broadcom/genet/bcmgenet.h | 29 ++-
2 files changed, 187 insertions(+), 88 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index de15243c52a62..a5166582e0ab7 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -950,12 +950,13 @@ static int bcmgenet_set_pauseparam(struct net_device *dev,
/* standard ethtool support functions. */
enum bcmgenet_stat_type {
- BCMGENET_STAT_NETDEV = -1,
+ BCMGENET_STAT_RTNL = -1,
BCMGENET_STAT_MIB_RX,
BCMGENET_STAT_MIB_TX,
BCMGENET_STAT_RUNT,
BCMGENET_STAT_MISC,
BCMGENET_STAT_SOFT,
+ BCMGENET_STAT_SOFT64,
};
struct bcmgenet_stats {
@@ -965,13 +966,15 @@ struct bcmgenet_stats {
enum bcmgenet_stat_type type;
/* reg offset from UMAC base for misc counters */
u16 reg_offset;
+ /* sync for u64 stats counters */
+ int syncp_offset;
};
-#define STAT_NETDEV(m) { \
+#define STAT_RTNL(m) { \
.stat_string = __stringify(m), \
- .stat_sizeof = sizeof(((struct net_device_stats *)0)->m), \
- .stat_offset = offsetof(struct net_device_stats, m), \
- .type = BCMGENET_STAT_NETDEV, \
+ .stat_sizeof = sizeof(((struct rtnl_link_stats64 *)0)->m), \
+ .stat_offset = offsetof(struct rtnl_link_stats64, m), \
+ .type = BCMGENET_STAT_RTNL, \
}
#define STAT_GENET_MIB(str, m, _type) { \
@@ -981,6 +984,14 @@ struct bcmgenet_stats {
.type = _type, \
}
+#define STAT_GENET_SOFT_MIB64(str, s, m) { \
+ .stat_string = str, \
+ .stat_sizeof = sizeof(((struct bcmgenet_priv *)0)->s.m), \
+ .stat_offset = offsetof(struct bcmgenet_priv, s.m), \
+ .type = BCMGENET_STAT_SOFT64, \
+ .syncp_offset = offsetof(struct bcmgenet_priv, s.syncp), \
+}
+
#define STAT_GENET_MIB_RX(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_MIB_RX)
#define STAT_GENET_MIB_TX(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_MIB_TX)
#define STAT_GENET_RUNT(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_RUNT)
@@ -995,18 +1006,18 @@ struct bcmgenet_stats {
}
#define STAT_GENET_Q(num) \
- STAT_GENET_SOFT_MIB("txq" __stringify(num) "_packets", \
- tx_rings[num].packets), \
- STAT_GENET_SOFT_MIB("txq" __stringify(num) "_bytes", \
- tx_rings[num].bytes), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_bytes", \
- rx_rings[num].bytes), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_packets", \
- rx_rings[num].packets), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_errors", \
- rx_rings[num].errors), \
- STAT_GENET_SOFT_MIB("rxq" __stringify(num) "_dropped", \
- rx_rings[num].dropped)
+ STAT_GENET_SOFT_MIB64("txq" __stringify(num) "_packets", \
+ tx_rings[num].stats64, packets), \
+ STAT_GENET_SOFT_MIB64("txq" __stringify(num) "_bytes", \
+ tx_rings[num].stats64, bytes), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_bytes", \
+ rx_rings[num].stats64, bytes), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_packets", \
+ rx_rings[num].stats64, packets), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_errors", \
+ rx_rings[num].stats64, errors), \
+ STAT_GENET_SOFT_MIB64("rxq" __stringify(num) "_dropped", \
+ rx_rings[num].stats64, dropped)
/* There is a 0xC gap between the end of RX and beginning of TX stats and then
* between the end of TX stats and the beginning of the RX RUNT
@@ -1018,15 +1029,15 @@ struct bcmgenet_stats {
*/
static const struct bcmgenet_stats bcmgenet_gstrings_stats[] = {
/* general stats */
- STAT_NETDEV(rx_packets),
- STAT_NETDEV(tx_packets),
- STAT_NETDEV(rx_bytes),
- STAT_NETDEV(tx_bytes),
- STAT_NETDEV(rx_errors),
- STAT_NETDEV(tx_errors),
- STAT_NETDEV(rx_dropped),
- STAT_NETDEV(tx_dropped),
- STAT_NETDEV(multicast),
+ STAT_RTNL(rx_packets),
+ STAT_RTNL(tx_packets),
+ STAT_RTNL(rx_bytes),
+ STAT_RTNL(tx_bytes),
+ STAT_RTNL(rx_errors),
+ STAT_RTNL(tx_errors),
+ STAT_RTNL(rx_dropped),
+ STAT_RTNL(tx_dropped),
+ STAT_RTNL(multicast),
/* UniMAC RSV counters */
STAT_GENET_MIB_RX("rx_64_octets", mib.rx.pkt_cnt.cnt_64),
STAT_GENET_MIB_RX("rx_65_127_oct", mib.rx.pkt_cnt.cnt_127),
@@ -1114,6 +1125,20 @@ static const struct bcmgenet_stats bcmgenet_gstrings_stats[] = {
#define BCMGENET_STATS_LEN ARRAY_SIZE(bcmgenet_gstrings_stats)
+#define BCMGENET_STATS64_ADD(stats, m, v) \
+ do { \
+ u64_stats_update_begin(&stats->syncp); \
+ u64_stats_add(&stats->m, v); \
+ u64_stats_update_end(&stats->syncp); \
+ } while (0)
+
+#define BCMGENET_STATS64_INC(stats, m) \
+ do { \
+ u64_stats_update_begin(&stats->syncp); \
+ u64_stats_inc(&stats->m); \
+ u64_stats_update_end(&stats->syncp); \
+ } while (0)
+
static void bcmgenet_get_drvinfo(struct net_device *dev,
struct ethtool_drvinfo *info)
{
@@ -1197,8 +1222,9 @@ static void bcmgenet_update_mib_counters(struct bcmgenet_priv *priv)
s = &bcmgenet_gstrings_stats[i];
switch (s->type) {
- case BCMGENET_STAT_NETDEV:
+ case BCMGENET_STAT_RTNL:
case BCMGENET_STAT_SOFT:
+ case BCMGENET_STAT_SOFT64:
continue;
case BCMGENET_STAT_RUNT:
offset += BCMGENET_STAT_OFFSET;
@@ -1236,28 +1262,40 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev,
u64 *data)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct rtnl_link_stats64 stats64;
+ struct u64_stats_sync *syncp;
+ unsigned int start;
int i;
if (netif_running(dev))
bcmgenet_update_mib_counters(priv);
- dev->netdev_ops->ndo_get_stats(dev);
+ dev_get_stats(dev, &stats64);
for (i = 0; i < BCMGENET_STATS_LEN; i++) {
const struct bcmgenet_stats *s;
char *p;
s = &bcmgenet_gstrings_stats[i];
- if (s->type == BCMGENET_STAT_NETDEV)
- p = (char *)&dev->stats;
- else
- p = (char *)priv;
- p += s->stat_offset;
- if (sizeof(unsigned long) != sizeof(u32) &&
- s->stat_sizeof == sizeof(unsigned long))
- data[i] = *(unsigned long *)p;
- else
- data[i] = *(u32 *)p;
+ p = (char *)priv;
+
+ if (s->type == BCMGENET_STAT_SOFT64) {
+ syncp = (struct u64_stats_sync *)(p + s->syncp_offset);
+ do {
+ start = u64_stats_fetch_begin(syncp);
+ data[i] = u64_stats_read((u64_stats_t *)(p + s->stat_offset));
+ } while (u64_stats_fetch_retry(syncp, start));
+ } else {
+ if (s->type == BCMGENET_STAT_RTNL)
+ p = (char *)&stats64;
+
+ p += s->stat_offset;
+ if (sizeof(unsigned long) != sizeof(u32) &&
+ s->stat_sizeof == sizeof(unsigned long))
+ data[i] = *(unsigned long *)p;
+ else
+ data[i] = *(u32 *)p;
+ }
}
}
@@ -1835,6 +1873,7 @@ static struct sk_buff *bcmgenet_free_rx_cb(struct device *dev,
static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
struct bcmgenet_tx_ring *ring)
{
+ struct bcmgenet_tx_stats64 *stats = &ring->stats64;
struct bcmgenet_priv *priv = netdev_priv(dev);
unsigned int txbds_processed = 0;
unsigned int bytes_compl = 0;
@@ -1875,8 +1914,10 @@ static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
ring->free_bds += txbds_processed;
ring->c_index = c_index;
- ring->packets += pkts_compl;
- ring->bytes += bytes_compl;
+ u64_stats_update_begin(&stats->syncp);
+ u64_stats_add(&stats->packets, pkts_compl);
+ u64_stats_add(&stats->bytes, bytes_compl);
+ u64_stats_update_end(&stats->syncp);
netdev_tx_completed_queue(netdev_get_tx_queue(dev, ring->index),
pkts_compl, bytes_compl);
@@ -1962,8 +2003,10 @@ static void bcmgenet_tx_reclaim_all(struct net_device *dev)
* the transmit checksum offsets in the descriptors
*/
static struct sk_buff *bcmgenet_add_tsb(struct net_device *dev,
- struct sk_buff *skb)
+ struct sk_buff *skb,
+ struct bcmgenet_tx_ring *ring)
{
+ struct bcmgenet_tx_stats64 *stats = &ring->stats64;
struct bcmgenet_priv *priv = netdev_priv(dev);
struct status_64 *status = NULL;
struct sk_buff *new_skb;
@@ -1980,7 +2023,7 @@ static struct sk_buff *bcmgenet_add_tsb(struct net_device *dev,
if (!new_skb) {
dev_kfree_skb_any(skb);
priv->mib.tx_realloc_tsb_failed++;
- dev->stats.tx_dropped++;
+ BCMGENET_STATS64_INC(stats, dropped);
return NULL;
}
dev_consume_skb_any(skb);
@@ -2068,7 +2111,7 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
GENET_CB(skb)->bytes_sent = skb->len;
/* add the Transmit Status Block */
- skb = bcmgenet_add_tsb(dev, skb);
+ skb = bcmgenet_add_tsb(dev, skb, ring);
if (!skb) {
ret = NETDEV_TX_OK;
goto out;
@@ -2210,6 +2253,7 @@ static struct sk_buff *bcmgenet_rx_refill(struct bcmgenet_priv *priv,
static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
unsigned int budget)
{
+ struct bcmgenet_rx_stats64 *stats = &ring->stats64;
struct bcmgenet_priv *priv = ring->priv;
struct net_device *dev = priv->dev;
struct enet_cb *cb;
@@ -2232,7 +2276,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
DMA_P_INDEX_DISCARD_CNT_MASK;
if (discards > ring->old_discards) {
discards = discards - ring->old_discards;
- ring->errors += discards;
+ BCMGENET_STATS64_ADD(stats, errors, discards);
ring->old_discards += discards;
/* Clear HW register when we reach 75% of maximum 0xFFFF */
@@ -2258,7 +2302,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
skb = bcmgenet_rx_refill(priv, cb);
if (unlikely(!skb)) {
- ring->dropped++;
+ BCMGENET_STATS64_INC(stats, dropped);
goto next;
}
@@ -2285,8 +2329,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
if (unlikely(len > RX_BUF_LENGTH)) {
netif_err(priv, rx_status, dev, "oversized packet\n");
- dev->stats.rx_length_errors++;
- dev->stats.rx_errors++;
+ BCMGENET_STATS64_INC(stats, length_errors);
dev_kfree_skb_any(skb);
goto next;
}
@@ -2294,7 +2337,7 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) {
netif_err(priv, rx_status, dev,
"dropping fragmented packet!\n");
- ring->errors++;
+ BCMGENET_STATS64_INC(stats, errors);
dev_kfree_skb_any(skb);
goto next;
}
@@ -2307,15 +2350,22 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
DMA_RX_RXER))) {
netif_err(priv, rx_status, dev, "dma_flag=0x%x\n",
(unsigned int)dma_flag);
+ u64_stats_update_begin(&stats->syncp);
if (dma_flag & DMA_RX_CRC_ERROR)
- dev->stats.rx_crc_errors++;
+ u64_stats_inc(&stats->crc_errors);
if (dma_flag & DMA_RX_OV)
- dev->stats.rx_over_errors++;
+ u64_stats_inc(&stats->over_errors);
if (dma_flag & DMA_RX_NO)
- dev->stats.rx_frame_errors++;
+ u64_stats_inc(&stats->frame_errors);
if (dma_flag & DMA_RX_LG)
- dev->stats.rx_length_errors++;
- dev->stats.rx_errors++;
+ u64_stats_inc(&stats->length_errors);
+ if ((dma_flag & (DMA_RX_CRC_ERROR |
+ DMA_RX_OV |
+ DMA_RX_NO |
+ DMA_RX_LG |
+ DMA_RX_RXER)) == DMA_RX_RXER)
+ u64_stats_inc(&stats->errors);
+ u64_stats_update_end(&stats->syncp);
dev_kfree_skb_any(skb);
goto next;
} /* error packet */
@@ -2335,10 +2385,13 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
/*Finish setting up the received SKB and send it to the kernel*/
skb->protocol = eth_type_trans(skb, priv->dev);
- ring->packets++;
- ring->bytes += len;
+
+ u64_stats_update_begin(&stats->syncp);
+ u64_stats_inc(&stats->packets);
+ u64_stats_add(&stats->bytes, len);
if (dma_flag & DMA_RX_MULT)
- dev->stats.multicast++;
+ u64_stats_inc(&stats->multicast);
+ u64_stats_update_end(&stats->syncp);
/* Notify kernel */
napi_gro_receive(&ring->napi, skb);
@@ -3439,7 +3492,7 @@ static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
netif_trans_update(dev);
- dev->stats.tx_errors++;
+ BCMGENET_STATS64_INC((&priv->tx_rings[txqueue].stats64), errors);
netif_tx_wake_all_queues(dev);
}
@@ -3528,39 +3581,68 @@ static int bcmgenet_set_mac_addr(struct net_device *dev, void *p)
return 0;
}
-static struct net_device_stats *bcmgenet_get_stats(struct net_device *dev)
+static void bcmgenet_get_stats64(struct net_device *dev,
+ struct rtnl_link_stats64 *stats)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- unsigned long tx_bytes = 0, tx_packets = 0;
- unsigned long rx_bytes = 0, rx_packets = 0;
- unsigned long rx_errors = 0, rx_dropped = 0;
- struct bcmgenet_tx_ring *tx_ring;
- struct bcmgenet_rx_ring *rx_ring;
+ struct bcmgenet_tx_stats64 *tx_stats;
+ struct bcmgenet_rx_stats64 *rx_stats;
+ u64 rx_length_errors, rx_over_errors;
+ u64 rx_crc_errors, rx_frame_errors;
+ u64 tx_errors, tx_dropped;
+ u64 rx_errors, rx_dropped;
+ u64 tx_bytes, tx_packets;
+ u64 rx_bytes, rx_packets;
+ unsigned int start;
unsigned int q;
+ u64 multicast;
for (q = 0; q <= priv->hw_params->tx_queues; q++) {
- tx_ring = &priv->tx_rings[q];
- tx_bytes += tx_ring->bytes;
- tx_packets += tx_ring->packets;
+ tx_stats = &priv->tx_rings[q].stats64;
+ do {
+ start = u64_stats_fetch_begin(&tx_stats->syncp);
+ tx_bytes = u64_stats_read(&tx_stats->bytes);
+ tx_packets = u64_stats_read(&tx_stats->packets);
+ tx_errors = u64_stats_read(&tx_stats->errors);
+ tx_dropped = u64_stats_read(&tx_stats->dropped);
+ } while (u64_stats_fetch_retry(&tx_stats->syncp, start));
+
+ stats->tx_bytes += tx_bytes;
+ stats->tx_packets += tx_packets;
+ stats->tx_errors += tx_errors;
+ stats->tx_dropped += tx_dropped;
}
for (q = 0; q <= priv->hw_params->rx_queues; q++) {
- rx_ring = &priv->rx_rings[q];
-
- rx_bytes += rx_ring->bytes;
- rx_packets += rx_ring->packets;
- rx_errors += rx_ring->errors;
- rx_dropped += rx_ring->dropped;
+ rx_stats = &priv->rx_rings[q].stats64;
+ do {
+ start = u64_stats_fetch_begin(&rx_stats->syncp);
+ rx_bytes = u64_stats_read(&rx_stats->bytes);
+ rx_packets = u64_stats_read(&rx_stats->packets);
+ rx_errors = u64_stats_read(&rx_stats->errors);
+ rx_dropped = u64_stats_read(&rx_stats->dropped);
+ rx_length_errors = u64_stats_read(&rx_stats->length_errors);
+ rx_over_errors = u64_stats_read(&rx_stats->over_errors);
+ rx_crc_errors = u64_stats_read(&rx_stats->crc_errors);
+ rx_frame_errors = u64_stats_read(&rx_stats->frame_errors);
+ multicast = u64_stats_read(&rx_stats->multicast);
+ } while (u64_stats_fetch_retry(&rx_stats->syncp, start));
+
+ rx_errors += rx_length_errors;
+ rx_errors += rx_crc_errors;
+ rx_errors += rx_frame_errors;
+
+ stats->rx_bytes += rx_bytes;
+ stats->rx_packets += rx_packets;
+ stats->rx_errors += rx_errors;
+ stats->rx_dropped += rx_dropped;
+ stats->rx_missed_errors += rx_errors;
+ stats->rx_length_errors += rx_length_errors;
+ stats->rx_over_errors += rx_over_errors;
+ stats->rx_crc_errors += rx_crc_errors;
+ stats->rx_frame_errors += rx_frame_errors;
+ stats->multicast += multicast;
}
-
- dev->stats.tx_bytes = tx_bytes;
- dev->stats.tx_packets = tx_packets;
- dev->stats.rx_bytes = rx_bytes;
- dev->stats.rx_packets = rx_packets;
- dev->stats.rx_errors = rx_errors;
- dev->stats.rx_missed_errors = rx_errors;
- dev->stats.rx_dropped = rx_dropped;
- return &dev->stats;
}
static int bcmgenet_change_carrier(struct net_device *dev, bool new_carrier)
@@ -3588,7 +3670,7 @@ static const struct net_device_ops bcmgenet_netdev_ops = {
.ndo_set_mac_address = bcmgenet_set_mac_addr,
.ndo_eth_ioctl = phy_do_ioctl_running,
.ndo_set_features = bcmgenet_set_features,
- .ndo_get_stats = bcmgenet_get_stats,
+ .ndo_get_stats64 = bcmgenet_get_stats64,
.ndo_change_carrier = bcmgenet_change_carrier,
};
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
index f3a1139cb7108..94957dfa55b6f 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -155,6 +155,27 @@ struct bcmgenet_mib_counters {
u32 tx_realloc_tsb_failed;
};
+struct bcmgenet_tx_stats64 {
+ struct u64_stats_sync syncp;
+ u64_stats_t packets;
+ u64_stats_t bytes;
+ u64_stats_t errors;
+ u64_stats_t dropped;
+};
+
+struct bcmgenet_rx_stats64 {
+ struct u64_stats_sync syncp;
+ u64_stats_t bytes;
+ u64_stats_t packets;
+ u64_stats_t errors;
+ u64_stats_t dropped;
+ u64_stats_t multicast;
+ u64_stats_t length_errors;
+ u64_stats_t over_errors;
+ u64_stats_t crc_errors;
+ u64_stats_t frame_errors;
+};
+
#define UMAC_MIB_START 0x400
#define UMAC_MDIO_CMD 0x614
@@ -513,8 +534,7 @@ struct bcmgenet_skb_cb {
struct bcmgenet_tx_ring {
spinlock_t lock; /* ring lock */
struct napi_struct napi; /* NAPI per tx queue */
- unsigned long packets;
- unsigned long bytes;
+ struct bcmgenet_tx_stats64 stats64;
unsigned int index; /* ring index */
struct enet_cb *cbs; /* tx ring buffer control block*/
unsigned int size; /* size of each tx ring */
@@ -538,10 +558,7 @@ struct bcmgenet_net_dim {
struct bcmgenet_rx_ring {
struct napi_struct napi; /* Rx NAPI struct */
- unsigned long bytes;
- unsigned long packets;
- unsigned long errors;
- unsigned long dropped;
+ struct bcmgenet_rx_stats64 stats64;
unsigned int index; /* Rx ring index */
struct enet_cb *cbs; /* Rx ring buffer control block */
unsigned int size; /* Rx ring size */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 060/508] net: bcmgenet: fix racing timeout handler
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 059/508] net: bcmgenet: switch to use 64bit statistics Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 061/508] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
` (449 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 5393b2b5bee2ac51a0043dc7f4ac3475f053d08d ]
The bcmgenet_timeout handler tries to take down all tx queues when
a single queue times out. This is over zealous and causes many race
conditions with queues that are still chugging along. Instead lets
only restart the timed out queue.
Fixes: 13ea657806cf ("net: bcmgenet: improve TX timeout")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-4-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++-----------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index a5166582e0ab7..e08abde4685ac 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3474,27 +3474,23 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 int1_enable = 0;
- unsigned int q;
+ struct bcmgenet_tx_ring *ring = &priv->tx_rings[txqueue];
+ struct netdev_queue *txq = netdev_get_tx_queue(dev, txqueue);
netif_dbg(priv, tx_err, dev, "bcmgenet_timeout\n");
- for (q = 0; q <= priv->hw_params->tx_queues; q++)
- bcmgenet_dump_tx_queue(&priv->tx_rings[q]);
-
- bcmgenet_tx_reclaim_all(dev);
+ bcmgenet_dump_tx_queue(ring);
- for (q = 0; q <= priv->hw_params->tx_queues; q++)
- int1_enable |= (1 << q);
+ bcmgenet_tx_reclaim(dev, ring, true);
- /* Re-enable TX interrupts if disabled */
- bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR);
+ /* Re-enable the TX interrupt for this ring */
+ bcmgenet_intrl2_1_writel(priv, 1 << txqueue, INTRL2_CPU_MASK_CLEAR);
- netif_trans_update(dev);
+ txq_trans_cond_update(txq);
- BCMGENET_STATS64_INC((&priv->tx_rings[txqueue].stats64), errors);
+ BCMGENET_STATS64_INC((&ring->stats64), errors);
- netif_tx_wake_all_queues(dev);
+ netif_tx_wake_queue(txq);
}
#define MAX_MDF_FILTER 17
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 061/508] netfilter: xt_socket: enable defrag after all other checks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 060/508] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 062/508] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
` (448 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 542be3fa5aff54210a02954c38f07e53ea9bdafd ]
Originally this did not matter because defrag was enabled once per netns
and only disabled again on netns dismantle. When this got changed I should
have adjusted checkentry to not leave defrag enabled on error.
Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_socket.c | 23 ++++++-----------------
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 76e01f292aaff..811e53bee4085 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -168,52 +168,41 @@ static int socket_mt_enable_defrag(struct net *net, int family)
static int socket_mt_v1_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
- int err;
-
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V1) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V1);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static int socket_mt_v2_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo;
- int err;
-
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V2) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V2);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static int socket_mt_v3_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo3 *info =
(struct xt_socket_mtinfo3 *)par->matchinfo;
- int err;
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V3) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V3);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static void socket_mt_destroy(const struct xt_mtdtor_param *par)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 062/508] netfilter: nft_fwd_netdev: check ttl/hl before forwarding
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 061/508] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 063/508] bpf: Fix RCU stall in bpf_fd_array_map_clear() Greg Kroah-Hartman
` (447 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 1dfd95bdf4d18d263aa8fad06bfb9f4d9c992b18 ]
Drop packets if their ttl/hl is too small for forwarding.
Fixes: d32de98ea70f ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_fwd_netdev.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 42ba31dfc0359..1223bdea1f00d 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -116,6 +116,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
iph = ip_hdr(skb);
+ if (iph->ttl <= 1) {
+ verdict = NF_DROP;
+ goto out;
+ }
+
ip_decrease_ttl(iph);
neigh_table = NEIGH_ARP_TABLE;
break;
@@ -132,6 +137,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
ip6h = ipv6_hdr(skb);
+ if (ip6h->hop_limit <= 1) {
+ verdict = NF_DROP;
+ goto out;
+ }
+
ip6h->hop_limit--;
neigh_table = NEIGH_ND_TABLE;
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 063/508] bpf: Fix RCU stall in bpf_fd_array_map_clear()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 062/508] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 064/508] 6pack: propagage new tty types Greg Kroah-Hartman
` (446 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sun Jian, Sechang Lim,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sechang Lim <rhkrqnwk98@gmail.com>
[ Upstream commit 4406942e65ca128c56c67443832988873c21d2e9 ]
Add a missing cond_resched() in bpf_fd_array_map_clear() loop.
For PROG_ARRAY maps with many entries this loop calls
prog_array_map_poke_run() per entry which can be expensive, and
without yielding this can cause RCU stalls under load:
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 30932 Comm: kworker/0:2 Not tainted 6.14.0-13195-g967e8def1100 #2 PREEMPT(undef)
Workqueue: events prog_array_map_clear_deferred
RIP: 0010:write_comp_data+0x38/0x90 kernel/kcov.c:246
Call Trace:
<TASK>
prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096
__fd_array_map_delete_elem+0x197/0x310 kernel/bpf/arraymap.c:925
bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline]
prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141
process_one_work+0x898/0x19d0 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x770/0x10b0 kernel/workqueue.c:3400
kthread+0x465/0x880 kernel/kthread.c:464
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x19/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Fixes: da765a2f5993 ("bpf: Add poke dependency tracking for prog array maps")
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
Link: https://lore.kernel.org/r/20260407103823.3942156-1-rhkrqnwk98@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/arraymap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 1811efcfbd6e3..ec5c489ed3131 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -938,8 +938,10 @@ static void bpf_fd_array_map_clear(struct bpf_map *map, bool need_defer)
struct bpf_array *array = container_of(map, struct bpf_array, map);
int i;
- for (i = 0; i < array->map.max_entries; i++)
+ for (i = 0; i < array->map.max_entries; i++) {
__fd_array_map_delete_elem(map, &i, need_defer);
+ cond_resched();
+ }
}
static void prog_array_map_seq_show_elem(struct bpf_map *map, void *key,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 064/508] 6pack: propagage new tty types
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 063/508] bpf: Fix RCU stall in bpf_fd_array_map_clear() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 065/508] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
` (445 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Andreas Koensgen,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-hams, netdev, Jeremy Kerr, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
[ Upstream commit 1241b384efa53f4b7a95fe2b34d69359bb3ae1b5 ]
In tty, u8 is now used for data, ssize_t for sizes (with possible
negative error codes). Propagate these types to 6pack.
Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Andreas Koensgen <ajk@comnets.uni-bremen.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-hams@vger.kernel.org
Cc: netdev@vger.kernel.org
Reviewed-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://lore.kernel.org/r/20240808103549.429349-12-jirislaby@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: bf9a38803b26 ("net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/6pack.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 6cecdfa8631d7..3145dadf99290 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -94,8 +94,8 @@ struct sixpack {
unsigned char *xhead; /* next byte to XMIT */
int xleft; /* bytes left in XMIT queue */
- unsigned char raw_buf[4];
- unsigned char cooked_buf[400];
+ u8 raw_buf[4];
+ u8 cooked_buf[400];
unsigned int rx_count;
unsigned int rx_count_cooked;
@@ -113,8 +113,8 @@ struct sixpack {
unsigned char slottime;
unsigned char duplex;
unsigned char led_state;
- unsigned char status;
- unsigned char status1;
+ u8 status;
+ u8 status1;
unsigned char status2;
unsigned char tx_enable;
unsigned char tnc_state;
@@ -126,7 +126,7 @@ struct sixpack {
#define AX25_6PACK_HEADER_LEN 0
-static void sixpack_decode(struct sixpack *, const unsigned char[], int);
+static void sixpack_decode(struct sixpack *, const u8 *, size_t);
static int encode_sixpack(unsigned char *, unsigned char *, int, unsigned char);
/*
@@ -331,7 +331,7 @@ static void sp_bump(struct sixpack *sp, char cmd)
{
struct sk_buff *skb;
int count;
- unsigned char *ptr;
+ u8 *ptr;
count = sp->rcount + 1;
@@ -397,7 +397,7 @@ static void sixpack_receive_buf(struct tty_struct *tty, const u8 *cp,
const u8 *fp, size_t count)
{
struct sixpack *sp;
- int count1;
+ size_t count1;
if (!count)
return;
@@ -773,9 +773,9 @@ static int encode_sixpack(unsigned char *tx_buf, unsigned char *tx_buf_raw,
/* decode 4 sixpack-encoded bytes into 3 data bytes */
-static void decode_data(struct sixpack *sp, unsigned char inbyte)
+static void decode_data(struct sixpack *sp, u8 inbyte)
{
- unsigned char *buf;
+ u8 *buf;
if (sp->rx_count != 3) {
sp->raw_buf[sp->rx_count++] = inbyte;
@@ -801,9 +801,9 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
/* identify and execute a 6pack priority command byte */
-static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
+static void decode_prio_command(struct sixpack *sp, u8 cmd)
{
- int actual;
+ ssize_t actual;
if ((cmd & SIXP_PRIO_DATA_MASK) != 0) { /* idle ? */
@@ -851,9 +851,9 @@ static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
/* identify and execute a standard 6pack command byte */
-static void decode_std_command(struct sixpack *sp, unsigned char cmd)
+static void decode_std_command(struct sixpack *sp, u8 cmd)
{
- unsigned char checksum = 0, rest = 0;
+ u8 checksum = 0, rest = 0;
short i;
switch (cmd & SIXP_CMD_MASK) { /* normal command */
@@ -901,10 +901,10 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd)
/* decode a 6pack packet */
static void
-sixpack_decode(struct sixpack *sp, const unsigned char *pre_rbuff, int count)
+sixpack_decode(struct sixpack *sp, const u8 *pre_rbuff, size_t count)
{
- unsigned char inbyte;
- int count1;
+ size_t count1;
+ u8 inbyte;
for (count1 = 0; count1 < count; count1++) {
inbyte = pre_rbuff[count1];
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 065/508] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 064/508] 6pack: propagage new tty types Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 066/508] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
` (444 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ecdb8c9878a81eb21e54,
Mashiro Chen, Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mashiro Chen <mashiro.chen@mailbox.org>
[ Upstream commit bf9a38803b2626b01cc769aaf13485d8650f576f ]
sixpack_receive_buf() does not properly skip bytes with TTY error flags.
The while loop iterates through the flags buffer but never advances the
data pointer (cp), and passes the original count (including error bytes)
to sixpack_decode(). This causes sixpack_decode() to process bytes that
should have been skipped due to TTY errors. The TTY layer does not
guarantee that cp[i] holds a meaningful value when fp[i] is set, so
passing those positions to sixpack_decode() results in KMSAN reporting
an uninit-value read.
Fix this by processing bytes one at a time, advancing cp on each
iteration, and only passing valid (non-error) bytes to sixpack_decode().
This matches the pattern used by slip_receive_buf() and
mkiss_receive_buf() for the same purpose.
Reported-by: syzbot+ecdb8c9878a81eb21e54@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ecdb8c9878a81eb21e54
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260407173101.107352-1-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/6pack.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 3145dadf99290..1b8680923919d 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -397,7 +397,6 @@ static void sixpack_receive_buf(struct tty_struct *tty, const u8 *cp,
const u8 *fp, size_t count)
{
struct sixpack *sp;
- size_t count1;
if (!count)
return;
@@ -407,16 +406,16 @@ static void sixpack_receive_buf(struct tty_struct *tty, const u8 *cp,
return;
/* Read the characters out of the buffer */
- count1 = count;
- while (count) {
- count--;
+ while (count--) {
if (fp && *fp++) {
if (!test_and_set_bit(SIXPF_ERROR, &sp->flags))
sp->dev->stats.rx_errors++;
+ cp++;
continue;
}
+ sixpack_decode(sp, cp, 1);
+ cp++;
}
- sixpack_decode(sp, cp, count1);
tty_unthrottle(tty);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 066/508] net/sched: act_ct: Only release RCU read lock after ct_ft
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 065/508] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 067/508] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
` (443 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zdi-disclosures, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit f462dca0c8415bf0058d0ffa476354c4476d0f09 ]
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().
static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
struct zones_ht_key key = { .net = net, .zone = params->zone };
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
mutex_lock(&zones_mutex);
ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
goto out_unlock;
...
}
static __always_inline void *rhashtable_lookup_fast(
struct rhashtable *ht, const void *key,
const struct rhashtable_params params)
{
void *obj;
rcu_read_lock();
obj = rhashtable_lookup(ht, key, params);
rcu_read_unlock();
return obj;
}
At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht . The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.
Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()
tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
if (refcount_dec_and_test(&ct_ft->ref)) {
rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
queue_rcu_work(act_ct_wq, &ct_ft->rwork);
}
}
At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
struct tcf_ct_flow_table *ct_ft;
struct flow_block *block;
ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
rwork);
nf_flow_table_free(&ct_ft->nf_ft);
block = &ct_ft->nf_ft.flow_block;
down_write(&ct_ft->nf_ft.flow_block_lock);
WARN_ON(!list_empty(&block->cb_list));
up_write(&ct_ft->nf_ft.flow_block_lock);
kfree(ct_ft); // [4]
module_put(THIS_MODULE);
}
tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after[1]
Fixes: 138470a9b2cc2 ("net/sched: act_ct: fix lockdep splat in tcf_ct_flow_table_get")
Reported-by: zdi-disclosures@trendmicro.com
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260410111627.46611-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_ct.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index a5f4a27c8dd31..7810c9d64ff3a 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -328,9 +328,13 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
int err = -ENOMEM;
mutex_lock(&zones_mutex);
- ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params);
- if (ct_ft && refcount_inc_not_zero(&ct_ft->ref))
+ rcu_read_lock();
+ ct_ft = rhashtable_lookup(&zones_ht, &key, zones_params);
+ if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) {
+ rcu_read_unlock();
goto out_unlock;
+ }
+ rcu_read_unlock();
ct_ft = kzalloc(sizeof(*ct_ft), GFP_KERNEL);
if (!ct_ft)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 067/508] net/rds: Optimize rds_ib_laddr_check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 066/508] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 068/508] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
` (442 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Håkon Bugge,
Somasundaram Krishnasamy, Gerd Rausch, Allison Henderson,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Håkon Bugge <haakon.bugge@oracle.com>
[ Upstream commit 236f718ac885965fa886440b9898dfae185c9733 ]
rds_ib_laddr_check() creates a CM_ID and attempts to bind the address
in question to it. This in order to qualify the allegedly local
address as a usable IB/RoCE address.
In the field, ExaWatcher runs rds-ping to all ports in the fabric from
all local ports. This using all active ToS'es. In a full rack system,
we have 14 cell servers and eight db servers. Typically, 6 ToS'es are
used. This implies 528 rds-ping invocations per ExaWatcher's "RDSinfo"
interval.
Adding to this, each rds-ping invocation creates eight sockets and
binds the local address to them:
socket(AF_RDS, SOCK_SEQPACKET, 0) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 7
bind(7, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 8
bind(8, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 9
bind(9, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 10
bind(10, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
So, at every interval ExaWatcher executes rds-ping's, 4224 CM_IDs are
allocated, considering this full-rack system. After the a CM_ID has
been allocated, rdma_bind_addr() is called, with the port number being
zero. This implies that the CMA will attempt to search for an un-used
ephemeral port. Simplified, the algorithm is to start at a random
position in the available port space, and then if needed, iterate
until an un-used port is found.
The book-keeping of used ports uses the idr system, which again uses
slab to allocate new struct idr_layer's. The size is 2092 bytes and
slab tries to reduce the wasted space. Hence, it chooses an order:3
allocation, for which 15 idr_layer structs will fit and only 1388
bytes are wasted per the 32KiB order:3 chunk.
Although this order:3 allocation seems like a good space/speed
trade-off, it does not resonate well with how it used by the CMA. The
combination of the randomized starting point in the port space (which
has close to zero spatial locality) and the close proximity in time of
the 4224 invocations of the rds-ping's, creates a memory hog for
order:3 allocations.
These costly allocations may need reclaims and/or compaction. At
worst, they may fail and produce a stack trace such as (from uek4):
[<ffffffff811a72d5>] __inc_zone_page_state+0x35/0x40
[<ffffffff811c2e97>] page_add_file_rmap+0x57/0x60
[<ffffffffa37ca1df>] remove_migration_pte+0x3f/0x3c0 [ksplice_6cn872bt_vmlinux_new]
[<ffffffff811c3de8>] rmap_walk+0xd8/0x340
[<ffffffff811e8860>] remove_migration_ptes+0x40/0x50
[<ffffffff811ea83c>] migrate_pages+0x3ec/0x890
[<ffffffff811afa0d>] compact_zone+0x32d/0x9a0
[<ffffffff811b00ed>] compact_zone_order+0x6d/0x90
[<ffffffff811b03b2>] try_to_compact_pages+0x102/0x270
[<ffffffff81190e56>] __alloc_pages_direct_compact+0x46/0x100
[<ffffffff8119165b>] __alloc_pages_nodemask+0x74b/0xaa0
[<ffffffff811d8411>] alloc_pages_current+0x91/0x110
[<ffffffff811e3b0b>] new_slab+0x38b/0x480
[<ffffffffa41323c7>] __slab_alloc+0x3b7/0x4a0 [ksplice_s0dk66a8_vmlinux_new]
[<ffffffff811e42ab>] kmem_cache_alloc+0x1fb/0x250
[<ffffffff8131fdd6>] idr_layer_alloc+0x36/0x90
[<ffffffff8132029c>] idr_get_empty_slot+0x28c/0x3d0
[<ffffffff813204ad>] idr_alloc+0x4d/0xf0
[<ffffffffa051727d>] cma_alloc_port+0x4d/0xa0 [rdma_cm]
[<ffffffffa0517cbe>] rdma_bind_addr+0x2ae/0x5b0 [rdma_cm]
[<ffffffffa09d8083>] rds_ib_laddr_check+0x83/0x2c0 [ksplice_6l2xst5i_rds_rdma_new]
[<ffffffffa05f892b>] rds_trans_get_preferred+0x5b/0xa0 [rds]
[<ffffffffa05f09f2>] rds_bind+0x212/0x280 [rds]
[<ffffffff815b4016>] SYSC_bind+0xe6/0x120
[<ffffffff815b4d3e>] SyS_bind+0xe/0x10
[<ffffffff816b031a>] system_call_fastpath+0x18/0xd4
To avoid these excessive calls to rdma_bind_addr(), we optimize
rds_ib_laddr_check() by simply checking if the address in question has
been used before. The rds_rdma module keeps track of addresses
associated with IB devices, and the function rds_ib_get_device() is
used to determine if the address already has been qualified as a valid
local address. If not found, we call the legacy rds_ib_laddr_check(),
now renamed to rds_ib_laddr_check_cm().
Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260408080420.540032-2-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: ebf71dd4aff4 ("net/rds: Restrict use of RDS/IB to the initial network namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/ib.c | 20 ++++++++++++++++++--
net/rds/ib.h | 1 +
net/rds/ib_rdma.c | 2 +-
3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 9826fe7f9d008..996f007cd516b 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -403,8 +403,8 @@ static void rds6_ib_ic_info(struct socket *sock, unsigned int len,
* allowed to influence which paths have priority. We could call userspace
* asserting this policy "routing".
*/
-static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
- __u32 scope_id)
+static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
+ __u32 scope_id)
{
int ret;
struct rdma_cm_id *cm_id;
@@ -489,6 +489,22 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
return ret;
}
+static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
+ __u32 scope_id)
+{
+ struct rds_ib_device *rds_ibdev = NULL;
+
+ if (ipv6_addr_v4mapped(addr)) {
+ rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
+ if (rds_ibdev) {
+ rds_ib_dev_put(rds_ibdev);
+ return 0;
+ }
+ }
+
+ return rds_ib_laddr_check_cm(net, addr, scope_id);
+}
+
static void rds_ib_unregister_client(void)
{
ib_unregister_client(&rds_ib_client);
diff --git a/net/rds/ib.h b/net/rds/ib.h
index 2ba71102b1f1f..d6c1197731c1c 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -384,6 +384,7 @@ void rds_ib_cm_connect_complete(struct rds_connection *conn,
__rds_ib_conn_error(conn, KERN_WARNING "RDS/IB: " fmt)
/* ib_rdma.c */
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr);
int rds_ib_update_ipaddr(struct rds_ib_device *rds_ibdev,
struct in6_addr *ipaddr);
void rds_ib_add_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *conn);
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 30fca2169aa7a..468fd60d818ff 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -47,7 +47,7 @@ struct rds_ib_dereg_odp_mr {
static void rds_ib_odp_mr_worker(struct work_struct *work);
-static struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
{
struct rds_ib_device *rds_ibdev;
struct rds_ib_ipaddr *i_ipaddr;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 068/508] net/rds: Restrict use of RDS/IB to the initial network namespace
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 067/508] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 069/508] bpf: Fix OOB in pcpu_init_value Greg Kroah-Hartman
` (441 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+da8e060735ae02c8f3d1,
Greg Jumper, Allison Henderson, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Jumper <greg.jumper@oracle.com>
[ Upstream commit ebf71dd4aff46e8e421d455db3e231ba43d2fa8a ]
Prevent using RDS/IB in network namespaces other than the initial one.
The existing RDS/IB code will not work properly in non-initial network
namespaces.
Fixes: d5a8ac28a7ff ("RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net")
Reported-by: syzbot+da8e060735ae02c8f3d1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1
Signed-off-by: Greg Jumper <greg.jumper@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260408080420.540032-3-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/af_rds.c | 10 ++++++++--
net/rds/ib.c | 4 ++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index 8435a20968ef5..f0840169d5e31 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -357,7 +357,8 @@ static int rds_cong_monitor(struct rds_sock *rs, sockptr_t optval, int optlen)
return ret;
}
-static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
+static int rds_set_transport(struct net *net, struct rds_sock *rs,
+ sockptr_t optval, int optlen)
{
int t_type;
@@ -373,6 +374,10 @@ static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
if (t_type < 0 || t_type >= RDS_TRANS_COUNT)
return -EINVAL;
+ /* RDS/IB is restricted to the initial network namespace */
+ if (t_type != RDS_TRANS_TCP && !net_eq(net, &init_net))
+ return -EPROTOTYPE;
+
rs->rs_transport = rds_trans_get(t_type);
return rs->rs_transport ? 0 : -ENOPROTOOPT;
@@ -433,6 +438,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
sockptr_t optval, unsigned int optlen)
{
struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+ struct net *net = sock_net(sock->sk);
int ret;
if (level != SOL_RDS) {
@@ -461,7 +467,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
break;
case SO_RDS_TRANSPORT:
lock_sock(sock->sk);
- ret = rds_set_transport(rs, optval, optlen);
+ ret = rds_set_transport(net, rs, optval, optlen);
release_sock(sock->sk);
break;
case SO_TIMESTAMP_OLD:
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 996f007cd516b..ce5be43c5fbac 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -494,6 +494,10 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
{
struct rds_ib_device *rds_ibdev = NULL;
+ /* RDS/IB is restricted to the initial network namespace */
+ if (!net_eq(net, &init_net))
+ return -EPROTOTYPE;
+
if (ipv6_addr_v4mapped(addr)) {
rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
if (rds_ibdev) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 069/508] bpf: Fix OOB in pcpu_init_value
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 068/508] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 070/508] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
` (440 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaiyan Mei, Lang Xu,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lang Xu <xulang@uniontech.com>
[ Upstream commit 576afddfee8d1108ee299bf10f581593540d1a36 ]
An out-of-bounds read occurs when copying element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.
The issue happens when:
1. A CGROUP_STORAGE map is created with value_size not aligned to
8 bytes (e.g., 4 bytes)
2. A pcpu map is created with the same value_size (e.g., 4 bytes)
3. Update element in 2 with data in 1
pcpu_init_value assumes that all sources are rounded up to 8 bytes,
and invokes copy_map_value_long to make a data copy, However, the
assumption doesn't stand since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
the verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by kernel, an OOB happens when the
source has only 4 bytes while the copy size(4) is rounded up to 8.
Fixes: d3bec0138bfb ("bpf: Zero-fill re-used per-cpu map element")
Reported-by: Kaiyan Mei <kaiyanm@hust.edu.cn>
Closes: https://lore.kernel.org/all/14e6c70c.6c121.19c0399d948.Coremail.kaiyanm@hust.edu.cn/
Link: https://lore.kernel.org/r/420FEEDDC768A4BE+20260402074236.2187154-1-xulang@uniontech.com
Signed-off-by: Lang Xu <xulang@uniontech.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/hashtab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 8bac6ae1204dc..934fdc688d7c1 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -991,7 +991,7 @@ static void pcpu_init_value(struct bpf_htab *htab, void __percpu *pptr,
for_each_possible_cpu(cpu) {
if (cpu == current_cpu)
- copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value);
+ copy_map_value(&htab->map, per_cpu_ptr(pptr, cpu), value);
else /* Since elem is preallocated, we cannot touch special fields */
zero_map_value(&htab->map, per_cpu_ptr(pptr, cpu));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 070/508] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 069/508] bpf: Fix OOB in pcpu_init_value Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 071/508] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG Greg Kroah-Hartman
` (439 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Taegu Ha, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taegu Ha <hataegu0826@gmail.com>
[ Upstream commit 2bb6379416fd19f44c3423a00bfd8626259f6067 ]
/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.
As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.
Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.
This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.
Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Signed-off-by: Taegu Ha <hataegu0826@gmail.com>
Link: https://patch.msgid.link/20260409071117.4354-1-hataegu0826@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 46ac51217114b..7c863cb99383b 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1062,6 +1062,9 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
struct ppp_net *pn;
int __user *p = (int __user *)arg;
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
switch (cmd) {
case PPPIOCNEWUNIT:
/* Create a new ppp unit */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 071/508] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 070/508] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 072/508] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ Greg Kroah-Hartman
` (438 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Konrad Dybcio,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit de08f9585692813bd41ee654fca0487664c4de30 ]
The 'val' variable gets overwritten multiple times, discarding previous
values. Looking at the git log shows these should be combined with |=
instead.
Fixes: 9265a4f0f0b4 ("net: ipa: define even more IPA register fields")
Link: https://sashiko.dev/#/patchset/20260403-milos-ipa-v1-0-01e9e4e03d3e%40fairphone.com?part=4
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-ipa-fixes-v1-1-a817c30678ac@fairphone.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipa/ipa_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ipa/ipa_main.c b/drivers/net/ipa/ipa_main.c
index da853353a5c72..f5924142021d2 100644
--- a/drivers/net/ipa/ipa_main.c
+++ b/drivers/net/ipa/ipa_main.c
@@ -369,7 +369,7 @@ static void ipa_qtime_config(struct ipa *ipa)
{
const struct reg *reg;
u32 offset;
- u32 val;
+ u32 val = 0;
/* Timer clock divider must be disabled when we change the rate */
reg = ipa_reg(ipa, TIMERS_XO_CLK_DIV_CFG);
@@ -380,8 +380,8 @@ static void ipa_qtime_config(struct ipa *ipa)
val = reg_encode(reg, DPL_TIMESTAMP_LSB, DPL_TIMESTAMP_SHIFT);
val |= reg_bit(reg, DPL_TIMESTAMP_SEL);
/* Configure tag and NAT Qtime timestamp resolution as well */
- val = reg_encode(reg, TAG_TIMESTAMP_LSB, TAG_TIMESTAMP_SHIFT);
- val = reg_encode(reg, NAT_TIMESTAMP_LSB, NAT_TIMESTAMP_SHIFT);
+ val |= reg_encode(reg, TAG_TIMESTAMP_LSB, TAG_TIMESTAMP_SHIFT);
+ val |= reg_encode(reg, NAT_TIMESTAMP_LSB, NAT_TIMESTAMP_SHIFT);
iowrite32(val, ipa->reg_virt + reg_offset(reg));
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 072/508] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 071/508] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 073/508] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 Greg Kroah-Hartman
` (437 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Konrad Dybcio,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 1335b903cf2e8aeaca87fd665683384c731ec941 ]
Initially 'reg' and 'val' are assigned from HW_PARAM_2.
But since IPA v5.0+ takes EV_PER_EE from HW_PARAM_4 (instead of
NUM_EV_PER_EE from HW_PARAM_2), we not only need to re-assign 'reg' but
also read the register value of that register into 'val' so that
reg_decode() works on the correct value.
Fixes: f651334e1ef5 ("net: ipa: add HW_PARAM_4 GSI register")
Link: https://sashiko.dev/#/patchset/20260403-milos-ipa-v1-0-01e9e4e03d3e%40fairphone.com?part=2
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-ipa-fixes-v1-2-a817c30678ac@fairphone.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipa/gsi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ipa/gsi.c b/drivers/net/ipa/gsi.c
index 9a0b1fe4a93a8..05157492f99b4 100644
--- a/drivers/net/ipa/gsi.c
+++ b/drivers/net/ipa/gsi.c
@@ -2046,6 +2046,7 @@ static int gsi_ring_setup(struct gsi *gsi)
count = reg_decode(reg, NUM_EV_PER_EE, val);
} else {
reg = gsi_reg(gsi, HW_PARAM_4);
+ val = ioread32(gsi->virt + reg_offset(reg));
count = reg_decode(reg, EV_PER_EE, val);
}
if (!count) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 073/508] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 072/508] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 074/508] net/mlx5e: Fix features not applied during netdev registration Greg Kroah-Hartman
` (436 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josua Mayer, Conor Dooley,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 600f01dc4bd0c736b3ffea9f7976136d8bf1b136 ]
Currently, the binding requires 'spi-cpha' for SJA1105 and 'spi-cpol'
for SJA1110.
However, the SJA1110 supports both SPI modes 0 and 2. Mode 2
(cpha=0, cpol=1) is used by the NXP LX2160 Bluebox 3.
On the SolidRun i.MX8DXL HummingBoard Telematics, mode 0 is stable,
while forcing mode 2 introduces CRC errors especially during bursts.
Drop the requirement on spi-cpol for SJA1110.
Fixes: af2eab1a8243 ("dt-bindings: net: nxp,sja1105: document spi-cpol/cpha")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260409-imx8dxl-sr-som-v2-1-83ff20629ba0@solid-run.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml b/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml
index 4d5f5cc6d031e..155719453b704 100644
--- a/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml
+++ b/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml
@@ -129,8 +129,6 @@ allOf:
else:
properties:
spi-cpha: false
- required:
- - spi-cpol
unevaluatedProperties: false
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 074/508] net/mlx5e: Fix features not applied during netdev registration
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 073/508] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 075/508] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() Greg Kroah-Hartman
` (435 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 9994ad4df82d64e57135c0f0906897685f5a9e87 ]
mlx5e_fix_features() returns early when the netdevice is not present.
This is correct during profile transitions where priv is cleared, but it
also incorrectly blocks feature fixups during register_netdev(), when
the device is also not yet present.
It is not trivial to distinguish between both cases as we cannot use
priv to carry state, and in both cases reg_state == NETREG_REGISTERED.
Force a netdev features update after register_netdev() completes, where
the device is present and fix_features() can actually work.
This is not a pretty solution, as it results in an additional features
update call (register_netdevice() already calls
__netdev_update_features() internally), but it is the simplest,
cleanest, and most robust way I found to fix this issue after multiple
attempts.
This fixes an issue on systems where CQE compression is enabled by
default, RXHASH remains enabled after registration despite the two
features being mutually exclusive.
Fixes: ab4b01bfdaa6 ("net/mlx5e: Verify dev is present for fix features ndo")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260409202852.158059-2-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 71749497ec27a..97fa2095498cc 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -6093,6 +6093,14 @@ static int mlx5e_probe(struct auxiliary_device *adev,
goto err_resume;
}
+ /* mlx5e_fix_features() returns early when the device is not present
+ * to avoid dereferencing cleared priv during profile changes.
+ * This also causes it to be a no-op during register_netdev(), where
+ * the device is not yet present.
+ * Trigger an additional features update that will actually work.
+ */
+ mlx5e_update_features(netdev);
+
mlx5e_dcbnl_init_app(priv);
mlx5_core_uplink_netdev_set(mdev, netdev);
mlx5e_params_print_info(mdev, &priv->channels.params);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 075/508] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 074/508] net/mlx5e: Fix features not applied during netdev registration Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 076/508] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
` (434 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Jianbo Liu,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit edccdd1eb94712da97a6ce71123ec27890add754 ]
The do-while poll loop uses jiffies for its timeout:
expires = jiffies + msecs_to_jiffies(10);
jiffies is sampled at an arbitrary point within the current tick, so the
first partial tick contributes anywhere from a full tick down to nearly
zero real time. For small msecs_to_jiffies() results this is
significant, the effective poll window can be much shorter than the
requested 10ms, and in the worst case the loop exits after a single
iteration (e.g., when HZ=100), well before the device has delivered the
CQE.
Replace the loop with read_poll_timeout_atomic(), which counts elapsed
time via udelay() accounting rather than jiffies, guaranteeing the full
poll window regardless of HZ.
Additionally, read_poll_timeout_atomic() executes the poll operation one
more time after the timeout has expired, giving the CQE a final chance
to be detected. The old do-while loop could exit without a final poll if
the timeout expired during the udelay() between iterations.
Fixes: 76e463f6508b ("net/mlx5e: Overcome slow response for first IPsec ASO WQE")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260409202852.158059-3-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/en_accel/ipsec_offload.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
index fd03aa4f47b5a..004cf295eb249 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
@@ -1,6 +1,8 @@
// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
/* Copyright (c) 2017, Mellanox Technologies inc. All rights reserved. */
+#include <linux/iopoll.h>
+
#include "mlx5_core.h"
#include "en.h"
#include "ipsec.h"
@@ -591,7 +593,6 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
struct mlx5_wqe_aso_ctrl_seg *ctrl;
struct mlx5e_hw_objs *res;
struct mlx5_aso_wqe *wqe;
- unsigned long expires;
u8 ds_cnt;
int ret;
@@ -613,13 +614,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
mlx5e_ipsec_aso_copy(ctrl, data);
mlx5_aso_post_wqe(aso->aso, false, &wqe->ctrl);
- expires = jiffies + msecs_to_jiffies(10);
- do {
- ret = mlx5_aso_poll_cq(aso->aso, false);
- if (ret)
- /* We are in atomic context */
- udelay(10);
- } while (ret && time_is_after_jiffies(expires));
+ read_poll_timeout_atomic(mlx5_aso_poll_cq, ret, !ret, 10,
+ 10 * USEC_PER_MSEC, false, aso->aso, false);
if (!ret)
memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
spin_unlock_bh(&aso->lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 076/508] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 075/508] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 077/508] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
` (433 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+619b9ef527f510a57cfc,
Sun Jian, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sun Jian <sun.jian.kdev@gmail.com>
[ Upstream commit 12bec2bd4b76d81c5d3996bd14ec1b7f4d983747 ]
bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.
For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.
Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.
Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.
Fixes: fa5cb548ced6 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Link: https://lore.kernel.org/r/20260408034623.180320-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index c9c6f675d8e21..8e665cee22503 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1031,19 +1031,23 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
switch (skb->protocol) {
case htons(ETH_P_IP):
- sk->sk_family = AF_INET;
- if (sizeof(struct iphdr) <= skb_headlen(skb)) {
- sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
- sk->sk_daddr = ip_hdr(skb)->daddr;
+ if (skb_headlen(skb) < sizeof(struct iphdr)) {
+ ret = -EINVAL;
+ goto out;
}
+ sk->sk_family = AF_INET;
+ sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
+ sk->sk_daddr = ip_hdr(skb)->daddr;
break;
#if IS_ENABLED(CONFIG_IPV6)
case htons(ETH_P_IPV6):
- sk->sk_family = AF_INET6;
- if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
- sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
- sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
+ if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {
+ ret = -EINVAL;
+ goto out;
}
+ sk->sk_family = AF_INET6;
+ sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
+ sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
break;
#endif
default:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 077/508] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 076/508] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 078/508] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
` (432 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Paul Menzel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 15bf35a660eb82a49f8397fc3d3acada8dae13db ]
The code was printing skb->len and sdu_len in the places where it should
be sdu_len and chan->imtu respectively to match the if conditions.
Link: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06
Fixes: e1d9a6688986 ("Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 3da3e9fddd049..2a15863a882d6 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6658,7 +6658,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (sdu_len > chan->imtu) {
BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
- skb->len, sdu_len);
+ sdu_len, chan->imtu);
l2cap_send_disconn_req(chan, ECONNRESET);
err = -EMSGSIZE;
goto failed;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 078/508] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 077/508] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 079/508] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
` (431 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Rissanen,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Rissanen <jonathan.rissanen@axis.com>
[ Upstream commit 68d39ea5e0adc9ecaea1ce8abd842ec972eb8718 ]
When hci_register_dev() fails in hci_uart_register_dev()
HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu)
and setting hu->hdev to NULL. This means incoming UART data will reach
the protocol-specific recv handler in hci_uart_tty_receive() after
resources are freed.
Clear HCI_UART_PROTO_INIT with a write lock before calling
hu->proto->close() and setting hu->hdev to NULL. The write lock ensures
all active readers have completed and no new reader can enter the
protocol recv path before resources are freed.
This allows the protocol-specific recv functions to remove the
"HCI_UART_REGISTERED" guard without risking a null pointer dereference
if hci_register_dev() fails.
Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
Signed-off-by: Jonathan Rissanen <jonathan.rissanen@axis.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ldisc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index e38f3c4458c90..85baba91aaa97 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -689,6 +689,9 @@ static int hci_uart_register_dev(struct hci_uart *hu)
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+ percpu_down_write(&hu->proto_lock);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 079/508] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 078/508] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 080/508] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
` (430 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 5c7209a341ff2ac338b2b0375c34a307b37c9ac2 ]
When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.
Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.
Fix by holding the lock.
Fixes: 70c464256310 ("Bluetooth: Refactor connection request handling")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index f6285c4325d63..4607db3037bd9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3282,8 +3282,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
memcpy(conn->dev_class, ev->dev_class, 3);
- hci_dev_unlock(hdev);
-
if (ev->link_type == ACL_LINK ||
(!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
struct hci_cp_accept_conn_req cp;
@@ -3317,7 +3315,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
hci_connect_cfm(conn, 0);
}
- return;
unlock:
hci_dev_unlock(hdev);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 080/508] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 079/508] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 081/508] net: phy: aquantia: move to separate directory Greg Kroah-Hartman
` (429 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit 42776497cdbc9a665b384a6dcb85f0d4bd927eab ]
l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.
Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2a15863a882d6..bbaf0070ca617 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5400,7 +5400,13 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
if (chan->ident != cmd->ident)
continue;
+ l2cap_chan_hold(chan);
+ l2cap_chan_lock(chan);
+
l2cap_chan_del(chan, ECONNRESET);
+
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
}
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 081/508] net: phy: aquantia: move to separate directory
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 080/508] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 082/508] net: phy: add Rust Asix PHY driver Greg Kroah-Hartman
` (428 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Marangi, Andrew Lunn,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Marangi <ansuelsmth@gmail.com>
[ Upstream commit d2213db3f49bce8e7a87c8de05b9a091f78f654e ]
Move aquantia PHY driver to separate driectory in preparation for
firmware loading support to keep things tidy.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: e7a62edd34b1 ("net: phy: qcom: at803x: Use the correct bit to disable extended next page")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/Kconfig | 5 +----
drivers/net/phy/Makefile | 6 +-----
drivers/net/phy/aquantia/Kconfig | 5 +++++
drivers/net/phy/aquantia/Makefile | 6 ++++++
drivers/net/phy/{ => aquantia}/aquantia.h | 0
drivers/net/phy/{ => aquantia}/aquantia_hwmon.c | 0
drivers/net/phy/{ => aquantia}/aquantia_main.c | 0
7 files changed, 13 insertions(+), 9 deletions(-)
create mode 100644 drivers/net/phy/aquantia/Kconfig
create mode 100644 drivers/net/phy/aquantia/Makefile
rename drivers/net/phy/{ => aquantia}/aquantia.h (100%)
rename drivers/net/phy/{ => aquantia}/aquantia_hwmon.c (100%)
rename drivers/net/phy/{ => aquantia}/aquantia_main.c (100%)
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index 107880d13d219..aa5491aaaab40 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -96,10 +96,7 @@ config ADIN1100_PHY
Currently supports the:
- ADIN1100 - Robust,Industrial, Low Power 10BASE-T1L Ethernet PHY
-config AQUANTIA_PHY
- tristate "Aquantia PHYs"
- help
- Currently supports the Aquantia AQ1202, AQ2104, AQR105, AQR405
+source "drivers/net/phy/aquantia/Kconfig"
config AX88796B_PHY
tristate "Asix PHYs"
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index c945ed9bd14b3..f65e85c91fc10 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -35,11 +35,7 @@ obj-y += $(sfp-obj-y) $(sfp-obj-m)
obj-$(CONFIG_ADIN_PHY) += adin.o
obj-$(CONFIG_ADIN1100_PHY) += adin1100.o
obj-$(CONFIG_AMD_PHY) += amd.o
-aquantia-objs += aquantia_main.o
-ifdef CONFIG_HWMON
-aquantia-objs += aquantia_hwmon.o
-endif
-obj-$(CONFIG_AQUANTIA_PHY) += aquantia.o
+obj-$(CONFIG_AQUANTIA_PHY) += aquantia/
obj-$(CONFIG_AT803X_PHY) += at803x.o
obj-$(CONFIG_AX88796B_PHY) += ax88796b.o
obj-$(CONFIG_BCM54140_PHY) += bcm54140.o
diff --git a/drivers/net/phy/aquantia/Kconfig b/drivers/net/phy/aquantia/Kconfig
new file mode 100644
index 0000000000000..226146417a6a7
--- /dev/null
+++ b/drivers/net/phy/aquantia/Kconfig
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: GPL-2.0-only
+config AQUANTIA_PHY
+ tristate "Aquantia PHYs"
+ help
+ Currently supports the Aquantia AQ1202, AQ2104, AQR105, AQR405
diff --git a/drivers/net/phy/aquantia/Makefile b/drivers/net/phy/aquantia/Makefile
new file mode 100644
index 0000000000000..346f350bc0846
--- /dev/null
+++ b/drivers/net/phy/aquantia/Makefile
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: GPL-2.0
+aquantia-objs += aquantia_main.o
+ifdef CONFIG_HWMON
+aquantia-objs += aquantia_hwmon.o
+endif
+obj-$(CONFIG_AQUANTIA_PHY) += aquantia.o
diff --git a/drivers/net/phy/aquantia.h b/drivers/net/phy/aquantia/aquantia.h
similarity index 100%
rename from drivers/net/phy/aquantia.h
rename to drivers/net/phy/aquantia/aquantia.h
diff --git a/drivers/net/phy/aquantia_hwmon.c b/drivers/net/phy/aquantia/aquantia_hwmon.c
similarity index 100%
rename from drivers/net/phy/aquantia_hwmon.c
rename to drivers/net/phy/aquantia/aquantia_hwmon.c
diff --git a/drivers/net/phy/aquantia_main.c b/drivers/net/phy/aquantia/aquantia_main.c
similarity index 100%
rename from drivers/net/phy/aquantia_main.c
rename to drivers/net/phy/aquantia/aquantia_main.c
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 082/508] net: phy: add Rust Asix PHY driver
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 081/508] net: phy: aquantia: move to separate directory Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 083/508] net: phy: move at803x PHY driver to dedicated directory Greg Kroah-Hartman
` (427 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, FUJITA Tomonori, Trevor Gross,
Benno Lossin, Andrew Lunn, Alice Ryhl, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: FUJITA Tomonori <fujita.tomonori@gmail.com>
[ Upstream commit cbe0e415089636170aa6eb540ca4af5dc9842a60 ]
This is the Rust implementation of drivers/net/phy/ax88796b.c. The
features are equivalent. You can choose C or Rust version kernel
configuration.
Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: e7a62edd34b1 ("net: phy: qcom: at803x: Use the correct bit to disable extended next page")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
MAINTAINERS | 8 ++
drivers/net/phy/Kconfig | 8 ++
drivers/net/phy/Makefile | 6 +-
drivers/net/phy/ax88796b_rust.rs | 135 +++++++++++++++++++++++++++++++
rust/uapi/uapi_helper.h | 2 +
5 files changed, 158 insertions(+), 1 deletion(-)
create mode 100644 drivers/net/phy/ax88796b_rust.rs
diff --git a/MAINTAINERS b/MAINTAINERS
index e700dca4974b3..8b1ee5b11eca2 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3060,6 +3060,14 @@ S: Maintained
F: Documentation/devicetree/bindings/net/asix,ax88796c.yaml
F: drivers/net/ethernet/asix/ax88796c_*
+ASIX PHY DRIVER [RUST]
+M: FUJITA Tomonori <fujita.tomonori@gmail.com>
+R: Trevor Gross <tmgross@umich.edu>
+L: netdev@vger.kernel.org
+L: rust-for-linux@vger.kernel.org
+S: Maintained
+F: drivers/net/phy/ax88796b_rust.rs
+
ASPEED CRYPTO DRIVER
M: Neal Liu <neal_liu@aspeedtech.com>
L: linux-aspeed@lists.ozlabs.org (moderated for non-subscribers)
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index aa5491aaaab40..466d3dff60744 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -104,6 +104,14 @@ config AX88796B_PHY
Currently supports the Asix Electronics PHY found in the X-Surf 100
AX88796B package.
+config AX88796B_RUST_PHY
+ bool "Rust reference driver for Asix PHYs"
+ depends on RUST_PHYLIB_ABSTRACTIONS && AX88796B_PHY
+ help
+ Uses the Rust reference driver for Asix PHYs (ax88796b_rust.ko).
+ The features are equivalent. It supports the Asix Electronics PHY
+ found in the X-Surf 100 AX88796B package.
+
config BROADCOM_PHY
tristate "Broadcom 54XX PHYs"
select BCM_NET_PHYLIB
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index f65e85c91fc10..ab450a46b8550 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -37,7 +37,11 @@ obj-$(CONFIG_ADIN1100_PHY) += adin1100.o
obj-$(CONFIG_AMD_PHY) += amd.o
obj-$(CONFIG_AQUANTIA_PHY) += aquantia/
obj-$(CONFIG_AT803X_PHY) += at803x.o
-obj-$(CONFIG_AX88796B_PHY) += ax88796b.o
+ifdef CONFIG_AX88796B_RUST_PHY
+ obj-$(CONFIG_AX88796B_PHY) += ax88796b_rust.o
+else
+ obj-$(CONFIG_AX88796B_PHY) += ax88796b.o
+endif
obj-$(CONFIG_BCM54140_PHY) += bcm54140.o
obj-$(CONFIG_BCM63XX_PHY) += bcm63xx.o
obj-$(CONFIG_BCM7XXX_PHY) += bcm7xxx.o
diff --git a/drivers/net/phy/ax88796b_rust.rs b/drivers/net/phy/ax88796b_rust.rs
new file mode 100644
index 0000000000000..5c92572962dce
--- /dev/null
+++ b/drivers/net/phy/ax88796b_rust.rs
@@ -0,0 +1,135 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (C) 2023 FUJITA Tomonori <fujita.tomonori@gmail.com>
+
+//! Rust Asix PHYs driver
+//!
+//! C version of this driver: [`drivers/net/phy/ax88796b.c`](./ax88796b.c)
+use kernel::{
+ c_str,
+ net::phy::{self, DeviceId, Driver},
+ prelude::*,
+ uapi,
+};
+
+kernel::module_phy_driver! {
+ drivers: [PhyAX88772A, PhyAX88772C, PhyAX88796B],
+ device_table: [
+ DeviceId::new_with_driver::<PhyAX88772A>(),
+ DeviceId::new_with_driver::<PhyAX88772C>(),
+ DeviceId::new_with_driver::<PhyAX88796B>()
+ ],
+ name: "rust_asix_phy",
+ author: "FUJITA Tomonori <fujita.tomonori@gmail.com>",
+ description: "Rust Asix PHYs driver",
+ license: "GPL",
+}
+
+const MII_BMCR: u16 = uapi::MII_BMCR as u16;
+const BMCR_SPEED100: u16 = uapi::BMCR_SPEED100 as u16;
+const BMCR_FULLDPLX: u16 = uapi::BMCR_FULLDPLX as u16;
+
+// Performs a software PHY reset using the standard
+// BMCR_RESET bit and poll for the reset bit to be cleared.
+// Toggle BMCR_RESET bit off to accommodate broken AX8796B PHY implementation
+// such as used on the Individual Computers' X-Surf 100 Zorro card.
+fn asix_soft_reset(dev: &mut phy::Device) -> Result {
+ dev.write(uapi::MII_BMCR as u16, 0)?;
+ dev.genphy_soft_reset()
+}
+
+struct PhyAX88772A;
+
+#[vtable]
+impl Driver for PhyAX88772A {
+ const FLAGS: u32 = phy::flags::IS_INTERNAL;
+ const NAME: &'static CStr = c_str!("Asix Electronics AX88772A");
+ const PHY_DEVICE_ID: DeviceId = DeviceId::new_with_exact_mask(0x003b1861);
+
+ // AX88772A is not working properly with some old switches (NETGEAR EN 108TP):
+ // after autoneg is done and the link status is reported as active, the MII_LPA
+ // register is 0. This issue is not reproducible on AX88772C.
+ fn read_status(dev: &mut phy::Device) -> Result<u16> {
+ dev.genphy_update_link()?;
+ if !dev.is_link_up() {
+ return Ok(0);
+ }
+ // If MII_LPA is 0, phy_resolve_aneg_linkmode() will fail to resolve
+ // linkmode so use MII_BMCR as default values.
+ let ret = dev.read(MII_BMCR)?;
+
+ if ret & BMCR_SPEED100 != 0 {
+ dev.set_speed(uapi::SPEED_100);
+ } else {
+ dev.set_speed(uapi::SPEED_10);
+ }
+
+ let duplex = if ret & BMCR_FULLDPLX != 0 {
+ phy::DuplexMode::Full
+ } else {
+ phy::DuplexMode::Half
+ };
+ dev.set_duplex(duplex);
+
+ dev.genphy_read_lpa()?;
+
+ if dev.is_autoneg_enabled() && dev.is_autoneg_completed() {
+ dev.resolve_aneg_linkmode();
+ }
+
+ Ok(0)
+ }
+
+ fn suspend(dev: &mut phy::Device) -> Result {
+ dev.genphy_suspend()
+ }
+
+ fn resume(dev: &mut phy::Device) -> Result {
+ dev.genphy_resume()
+ }
+
+ fn soft_reset(dev: &mut phy::Device) -> Result {
+ asix_soft_reset(dev)
+ }
+
+ fn link_change_notify(dev: &mut phy::Device) {
+ // Reset PHY, otherwise MII_LPA will provide outdated information.
+ // This issue is reproducible only with some link partner PHYs.
+ if dev.state() == phy::DeviceState::NoLink {
+ let _ = dev.init_hw();
+ let _ = dev.start_aneg();
+ }
+ }
+}
+
+struct PhyAX88772C;
+
+#[vtable]
+impl Driver for PhyAX88772C {
+ const FLAGS: u32 = phy::flags::IS_INTERNAL;
+ const NAME: &'static CStr = c_str!("Asix Electronics AX88772C");
+ const PHY_DEVICE_ID: DeviceId = DeviceId::new_with_exact_mask(0x003b1881);
+
+ fn suspend(dev: &mut phy::Device) -> Result {
+ dev.genphy_suspend()
+ }
+
+ fn resume(dev: &mut phy::Device) -> Result {
+ dev.genphy_resume()
+ }
+
+ fn soft_reset(dev: &mut phy::Device) -> Result {
+ asix_soft_reset(dev)
+ }
+}
+
+struct PhyAX88796B;
+
+#[vtable]
+impl Driver for PhyAX88796B {
+ const NAME: &'static CStr = c_str!("Asix Electronics AX88796B");
+ const PHY_DEVICE_ID: DeviceId = DeviceId::new_with_model_mask(0x003b1841);
+
+ fn soft_reset(dev: &mut phy::Device) -> Result {
+ asix_soft_reset(dev)
+ }
+}
diff --git a/rust/uapi/uapi_helper.h b/rust/uapi/uapi_helper.h
index 301f5207f0238..08f5e9334c9e8 100644
--- a/rust/uapi/uapi_helper.h
+++ b/rust/uapi/uapi_helper.h
@@ -7,3 +7,5 @@
*/
#include <uapi/asm-generic/ioctl.h>
+#include <uapi/linux/mii.h>
+#include <uapi/linux/ethtool.h>
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 083/508] net: phy: move at803x PHY driver to dedicated directory
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 082/508] net: phy: add Rust Asix PHY driver Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 084/508] net: phy: qcom: at803x: Use the correct bit to disable extended next page Greg Kroah-Hartman
` (426 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Marangi, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Marangi <ansuelsmth@gmail.com>
[ Upstream commit 9e56ff53b4115875667760445b028357848b4748 ]
In preparation for addition of other Qcom PHY and to tidy things up,
move the at803x PHY driver to dedicated directory.
The same order in the Kconfig selection is saved.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20240129141600.2592-2-ansuelsmth@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: e7a62edd34b1 ("net: phy: qcom: at803x: Use the correct bit to disable extended next page")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/Kconfig | 7 +------
drivers/net/phy/Makefile | 2 +-
drivers/net/phy/qcom/Kconfig | 7 +++++++
drivers/net/phy/qcom/Makefile | 2 ++
drivers/net/phy/{ => qcom}/at803x.c | 0
5 files changed, 11 insertions(+), 7 deletions(-)
create mode 100644 drivers/net/phy/qcom/Kconfig
create mode 100644 drivers/net/phy/qcom/Makefile
rename drivers/net/phy/{ => qcom}/at803x.c (100%)
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index 466d3dff60744..e49131cef9570 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -326,12 +326,7 @@ config NCN26000_PHY
Currently supports the NCN26000 10BASE-T1S Industrial PHY
with MII interface.
-config AT803X_PHY
- tristate "Qualcomm Atheros AR803X PHYs and QCA833x PHYs"
- depends on REGULATOR
- help
- Currently supports the AR8030, AR8031, AR8033, AR8035 and internal
- QCA8337(Internal qca8k PHY) model
+source "drivers/net/phy/qcom/Kconfig"
config QSEMI_PHY
tristate "Quality Semiconductor PHYs"
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index ab450a46b8550..6e4493e26816d 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -36,7 +36,6 @@ obj-$(CONFIG_ADIN_PHY) += adin.o
obj-$(CONFIG_ADIN1100_PHY) += adin1100.o
obj-$(CONFIG_AMD_PHY) += amd.o
obj-$(CONFIG_AQUANTIA_PHY) += aquantia/
-obj-$(CONFIG_AT803X_PHY) += at803x.o
ifdef CONFIG_AX88796B_RUST_PHY
obj-$(CONFIG_AX88796B_PHY) += ax88796b_rust.o
else
@@ -86,6 +85,7 @@ obj-$(CONFIG_NCN26000_PHY) += ncn26000.o
obj-$(CONFIG_NXP_C45_TJA11XX_PHY) += nxp-c45-tja11xx.o
obj-$(CONFIG_NXP_CBTX_PHY) += nxp-cbtx.o
obj-$(CONFIG_NXP_TJA11XX_PHY) += nxp-tja11xx.o
+obj-y += qcom/
obj-$(CONFIG_QSEMI_PHY) += qsemi.o
obj-$(CONFIG_REALTEK_PHY) += realtek.o
obj-$(CONFIG_RENESAS_PHY) += uPD60620.o
diff --git a/drivers/net/phy/qcom/Kconfig b/drivers/net/phy/qcom/Kconfig
new file mode 100644
index 0000000000000..2c274fbbe410d
--- /dev/null
+++ b/drivers/net/phy/qcom/Kconfig
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: GPL-2.0-only
+config AT803X_PHY
+ tristate "Qualcomm Atheros AR803X PHYs and QCA833x PHYs"
+ depends on REGULATOR
+ help
+ Currently supports the AR8030, AR8031, AR8033, AR8035 and internal
+ QCA8337(Internal qca8k PHY) model
diff --git a/drivers/net/phy/qcom/Makefile b/drivers/net/phy/qcom/Makefile
new file mode 100644
index 0000000000000..6a68da8aaa7bf
--- /dev/null
+++ b/drivers/net/phy/qcom/Makefile
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0
+obj-$(CONFIG_AT803X_PHY) += at803x.o
diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/qcom/at803x.c
similarity index 100%
rename from drivers/net/phy/at803x.c
rename to drivers/net/phy/qcom/at803x.c
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 084/508] net: phy: qcom: at803x: Use the correct bit to disable extended next page
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 083/508] net: phy: move at803x PHY driver to dedicated directory Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 085/508] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
` (425 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
[ Upstream commit e7a62edd34b1b4bc5f979988efc2f81c075733fd ]
As noted in the blamed commit, the AR8035 and other PHYs from this
family advertise the Extended Next Page support by default, which may be
understood by some partners as this PHY being multi-gig capable.
The fix is to disable XNP advertising, which is done by setting bit 12
of the Auto-Negotiation Advertisement Register (MII_ADVERTISE).
The blamed commit incorrectly uses MDIO_AN_CTRL1_XNP, which is bit 13 as per
802.3 : 45.2.7.1 AN control register (Register 7.0)
BIT 12 in MII_ADVERTISE is wrapped by ADVERTISE_RESV, used by some
drivers such as the aquantia one. 802.3 Clause 28 defines bit 12 as
Extended Next Page ability, at least in recent versions of the standard.
Let's add a define for it and use it in the at803x driver.
Fixes: 3c51fa5d2afe ("net: phy: ar803x: disable extended next page bit")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260410171021.1277138-1-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/qcom/at803x.c | 2 +-
include/uapi/linux/mii.h | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/qcom/at803x.c b/drivers/net/phy/qcom/at803x.c
index ef203b0807e58..0b01b6ff0a4b5 100644
--- a/drivers/net/phy/qcom/at803x.c
+++ b/drivers/net/phy/qcom/at803x.c
@@ -1064,7 +1064,7 @@ static int at803x_config_init(struct phy_device *phydev)
* behaviour but we still need to accommodate it. XNP is only needed
* for 10Gbps support, so disable XNP.
*/
- return phy_modify(phydev, MII_ADVERTISE, MDIO_AN_CTRL1_XNP, 0);
+ return phy_modify(phydev, MII_ADVERTISE, ADVERTISE_XNP, 0);
}
static int at803x_ack_interrupt(struct phy_device *phydev)
diff --git a/include/uapi/linux/mii.h b/include/uapi/linux/mii.h
index 39f7c44baf535..61d6edad4b94a 100644
--- a/include/uapi/linux/mii.h
+++ b/include/uapi/linux/mii.h
@@ -82,7 +82,8 @@
#define ADVERTISE_100BASE4 0x0200 /* Try for 100mbps 4k packets */
#define ADVERTISE_PAUSE_CAP 0x0400 /* Try for pause */
#define ADVERTISE_PAUSE_ASYM 0x0800 /* Try for asymetric pause */
-#define ADVERTISE_RESV 0x1000 /* Unused... */
+#define ADVERTISE_XNP 0x1000 /* Extended Next Page */
+#define ADVERTISE_RESV ADVERTISE_XNP /* Used to be reserved */
#define ADVERTISE_RFAULT 0x2000 /* Say we can detect faults */
#define ADVERTISE_LPACK 0x4000 /* Ack link partners response */
#define ADVERTISE_NPAGE 0x8000 /* Next page bit */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 085/508] sctp: fix missing encap_port propagation for GSO fragments
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 084/508] net: phy: qcom: at803x: Use the correct bit to disable extended next page Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 086/508] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
` (424 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit bf6f95ae3b8b2638c0e1d6d802d50983ce5d0f45 ]
encap_port in SCTP_INPUT_CB(skb) is used by sctp_vtag_verify() for
SCTP-over-UDP processing. In the GSO case, it is only set on the head
skb, while fragment skbs leave it 0.
This results in fragment skbs seeing encap_port == 0, breaking
SCTP-over-UDP connections.
Fix it by propagating encap_port from the head skb cb when initializing
fragment skbs in sctp_inq_pop().
Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/ea65ed61b3598d8b4940f0170b9aa1762307e6c3.1776017631.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/inqueue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index f5a7d5a387555..a024c08432471 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -201,6 +201,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
cb->chunk = head_cb->chunk;
cb->af = head_cb->af;
+ cb->encap_port = head_cb->encap_port;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 086/508] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 085/508] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 087/508] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
` (423 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+80e046b8da2820b6ba73,
Daniel Borkmann, Jiayuan Chen, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 1921f91298d1388a0bb9db8f83800c998b649cb3 ]
syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via
xdp_master_redirect(). Full decoded trace:
https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73
bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU
counter that bonding only allocates in bond_open() when the mode is
round-robin. If the bond device was never brought up, rr_tx_counter
stays NULL.
The XDP redirect path can still reach that code on a bond that was
never opened: bpf_master_redirect_enabled_key is a global static key,
so as soon as any bond device has native XDP attached, the
XDP_TX -> xdp_master_redirect() interception is enabled for every
slave system-wide. The path xdp_master_redirect() ->
bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() ->
bond_rr_gen_slave_id() then runs against a bond that has no
rr_tx_counter and crashes.
Fix this in the generic xdp_master_redirect() by refusing to call into
the master's ->ndo_xdp_get_xmit_slave() when the master device is not
up. IFF_UP is only set after ->ndo_open() has successfully returned,
so this reliably excludes masters whose XDP state has not been fully
initialized. Drop the frame with XDP_ABORTED so the exception is
visible via trace_xdp_exception() rather than silently falling through.
This is not specific to bonding: any current or future master that
defers XDP state allocation to ->ndo_open() is protected.
Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
Reported-by: syzbot+80e046b8da2820b6ba73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698f84c6.a70a0220.2c38d7.00cc.GAE@google.com/T/
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260411005524.201200-2-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 2cd58d1d4a7aa..c24510037334c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4354,6 +4354,8 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
+ if (unlikely(!(master->flags & IFF_UP)))
+ return XDP_ABORTED;
slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
if (slave && slave != xdp->rxq->dev) {
/* The target device is different from the receiving device, so
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 087/508] drm/komeda: fix integer overflow in AFBC framebuffer size check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 086/508] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 088/508] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
` (422 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Konyukhov, Liviu Dudau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
[ Upstream commit 779ec12c85c9e4547519e3903a371a3b26a289de ]
The AFBC framebuffer size validation calculates the minimum required
buffer size by adding the AFBC payload size to the framebuffer offset.
This addition is performed without checking for integer overflow.
If the addition oveflows, the size check may incorrectly succed and
allow userspace to provide an undersized drm_gem_object, potentially
leading to out-of-bounds memory access.
Add usage of check_add_overflow() to safely compute the minimum
required size and reject the framebuffer if an overflow is detected.
This makes the AFBC size validation more robust against malformed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://lore.kernel.org/r/20260203134907.1587067-1-Alexander.Konyukhov@kaspersky.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
index df5da5a447555..b4f2b89651ff2 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
@@ -4,6 +4,8 @@
* Author: James.Qian.Wang <james.qian.wang@arm.com>
*
*/
+#include <linux/overflow.h>
+
#include <drm/drm_device.h>
#include <drm/drm_fb_dma_helper.h>
#include <drm/drm_gem.h>
@@ -92,7 +94,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
kfb->afbc_size = kfb->offset_payload + n_blocks *
ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
AFBC_SUPERBLK_ALIGNMENT);
- min_size = kfb->afbc_size + fb->offsets[0];
+ if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
+ goto check_failed;
+ }
if (min_size > obj->size) {
DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
obj->size, min_size);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 088/508] drm/sun4i: backend: fix error pointer dereference
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 087/508] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 089/508] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
` (421 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Chen-Yu Tsai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 06277983eca4a31d3c2114fa33d99a6e82484b11 ]
The function drm_atomic_get_plane_state() can return an error pointer
and is not checked for it. Add error pointer check.
Detected by Smatch:
drivers/gpu/drm/sun4i/sun4i_backend.c:496 sun4i_backend_atomic_check() error:
'plane_state' dereferencing possible ERR_PTR()
Fixes: 96180dde23b79 ("drm/sun4i: backend: Add a custom atomic_check for the frontend")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
Link: https://patch.msgid.link/20260217014801.60760-1-ethantidmore06@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun4i_backend.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c
index 335fd0edb904c..6a2ffaa477ab8 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -488,6 +488,9 @@ static int sun4i_backend_atomic_check(struct sunxi_engine *engine,
drm_for_each_plane_mask(plane, drm, crtc_state->plane_mask) {
struct drm_plane_state *plane_state =
drm_atomic_get_plane_state(state, plane);
+ if (IS_ERR(plane_state))
+ return PTR_ERR(plane_state);
+
struct sun4i_layer_state *layer_state =
state_to_sun4i_layer_state(plane_state);
struct drm_framebuffer *fb = plane_state->fb;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 089/508] ASoC: sti: Return errors from regmap_field_alloc()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 088/508] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 090/508] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
` (420 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sander Vanheule, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sander Vanheule <sander@svanheule.net>
[ Upstream commit 272aabef50bc3fe58edd26de000f4cdd41bdbe60 ]
When regmap_field_alloc() fails, it can return an error. Specifically,
it will return PTR_ERR(-ENOMEM) when the allocation returns a NULL
pointer. The code then uses these allocations with a simple NULL check:
if (player->clk_sel) {
// May dereference invalid pointer (-ENOMEM)
err = regmap_field_write(player->clk_sel, ...);
}
Ensure initialization fails by forwarding the errors from
regmap_field_alloc(), thus avoiding the use of the invalid pointers.
Fixes: 76c2145ded6b ("ASoC: sti: Add CPU DAI driver for playback")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Link: https://patch.msgid.link/20260220152634.480766-2-sander@svanheule.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sti/uniperif_player.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/soc/sti/uniperif_player.c b/sound/soc/sti/uniperif_player.c
index 6d1ce030963c6..f1b7e76f97b58 100644
--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -1029,7 +1029,12 @@ static int uni_player_parse_dt_audio_glue(struct platform_device *pdev,
}
player->clk_sel = regmap_field_alloc(regmap, regfield[0]);
+ if (IS_ERR(player->clk_sel))
+ return PTR_ERR(player->clk_sel);
+
player->valid_sel = regmap_field_alloc(regmap, regfield[1]);
+ if (IS_ERR(player->valid_sel))
+ return PTR_ERR(player->valid_sel);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 090/508] ASoC: sti: use managed regmap_field allocations
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 089/508] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 091/508] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
` (419 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sander Vanheule, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sander Vanheule <sander@svanheule.net>
[ Upstream commit 1696fad8b259a2d46e51cd6e17e4bcdbe02279fa ]
The regmap_field objects allocated at player init are never freed and
may leak resources if the driver is removed.
Switch to devm_regmap_field_alloc() to automatically limit the lifetime
of the allocations the lifetime of the device.
Fixes: 76c2145ded6b ("ASoC: sti: Add CPU DAI driver for playback")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Link: https://patch.msgid.link/20260220152634.480766-3-sander@svanheule.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sti/uniperif_player.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sti/uniperif_player.c b/sound/soc/sti/uniperif_player.c
index f1b7e76f97b58..45d35b887e4eb 100644
--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -1028,11 +1028,11 @@ static int uni_player_parse_dt_audio_glue(struct platform_device *pdev,
return PTR_ERR(regmap);
}
- player->clk_sel = regmap_field_alloc(regmap, regfield[0]);
+ player->clk_sel = devm_regmap_field_alloc(&pdev->dev, regmap, regfield[0]);
if (IS_ERR(player->clk_sel))
return PTR_ERR(player->clk_sel);
- player->valid_sel = regmap_field_alloc(regmap, regfield[1]);
+ player->valid_sel = devm_regmap_field_alloc(&pdev->dev, regmap, regfield[1]);
if (IS_ERR(player->valid_sel))
return PTR_ERR(player->valid_sel);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 091/508] dm cache: fix null-deref with concurrent writes in passthrough mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 090/508] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 092/508] dm cache: fix write path cache coherency " Greg Kroah-Hartman
` (418 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 7d1f98d668ee34c1d15bdc0420fdd062f24a27c0 ]
In passthrough mode, when dm-cache starts to invalidate a cache
entry and bio prison cell lock fails due to concurrent write to
the same cached block, mg->cell remains NULL. The error path in
invalidate_complete() attempts to unlock and free the cell
unconditionally, causing a NULL pointer dereference:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT
RIP: 0010:dm_cell_unlock_v2+0x3f/0x210
<snip>
Call Trace:
invalidate_complete+0xef/0x430
map_bio+0x130f/0x1a10
cache_map+0x320/0x6b0
__map_bio+0x458/0x510
dm_submit_bio+0x40e/0x16d0
__submit_bio+0x419/0x870
<snip>
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first cached block concurrently
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k
Fix by checking if mg->cell is valid before attempting to unlock it.
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 0d002d50329da..9c4aa5180a70e 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1458,8 +1458,10 @@ static void invalidate_complete(struct dm_cache_migration *mg, bool success)
struct cache *cache = mg->cache;
bio_list_init(&bios);
- if (dm_cell_unlock_v2(cache->prison, mg->cell, &bios))
- free_prison_cell(cache, mg->cell);
+ if (mg->cell) {
+ if (dm_cell_unlock_v2(cache->prison, mg->cell, &bios))
+ free_prison_cell(cache, mg->cell);
+ }
if (!success && mg->overwrite_bio)
bio_io_error(mg->overwrite_bio);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 092/508] dm cache: fix write path cache coherency in passthrough mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 091/508] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 093/508] dm cache: fix write hang " Greg Kroah-Hartman
` (417 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 0c5eef0aad508231d8e43ff8392692925e131b68 ]
In passthrough mode, dm-cache defers write bio submission until cache
invalidation completes to maintain existing coherency, requiring the
target map function to return DM_MAPIO_SUBMITTED. The current map_bio()
returns DM_MAPIO_REMAPPED, violating the required ordering constraint.
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into the cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first data block, and check io ordering using ftrace
echo 1 > /sys/kernel/debug/tracing/events/block/block_bio_queue/enable
echo 1 > /sys/kernel/debug/tracing/events/block/block_bio_complete/enable
echo 1 > /sys/kernel/debug/tracing/events/block/block_rq_complete/enable
fio --filename=/dev/mapper/cache --name=test --rw=write --bs=64k \
--direct=1 --size 64k
5. ftrace logs show that write operations to the cache origin (252:2)
and metadata operations (252:0) are unsynchronized: the origin write
occurs before metadata commit.
<snip>
fio-146 [000] ..... 420.139562: block_bio_queue: 252,3 WS 0 + 128 [fio]
fio-146 [000] ..... 420.149395: block_bio_queue: 252,2 WS 0 + 128 [fio]
fio-146 [000] ..... 420.149763: block_bio_queue: 8,32 WS 262144 + 128 [fio]
fio-146 [000] dNh1. 420.151446: block_rq_complete: 8,32 WS () 262144 + 128 be,0,4 [0]
fio-146 [000] dNh1. 420.152731: block_bio_complete: 252,2 WS 0 + 128 [0]
fio-146 [000] dNh1. 420.154229: block_bio_complete: 252,3 WS 0 + 128 [0]
kworker/0:0-9 [000] ..... 420.160530: block_bio_queue: 252,0 W 408 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.161641: block_bio_queue: 8,32 W 408 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.162533: block_bio_queue: 252,0 W 416 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.162821: block_bio_queue: 8,32 W 416 + 8 [kworker/0:0]
<snip>
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 9c4aa5180a70e..a2fba4ce40d7d 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1699,6 +1699,7 @@ static int map_bio(struct cache *cache, struct bio *bio, dm_oblock_t block,
bio_drop_shared_lock(cache, bio);
atomic_inc(&cache->stats.demotion);
invalidate_start(cache, cblock, block, bio);
+ return DM_MAPIO_SUBMITTED;
} else
remap_to_origin_clear_discard(cache, bio, block);
} else {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 093/508] dm cache: fix write hang in passthrough mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 092/508] dm cache: fix write path cache coherency " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 094/508] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
` (416 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 4ca8b8bd952df7c3ccdc68af9bd3419d0839a04b ]
The invalidate_remove() function has incomplete logic for handling write
hit bios after cache invalidation. It sets up the remapping for the
overwrite_bio but then drops it immediately without submission, causing
write operations to hang.
Fix by adding a new invalidate_committed() continuation that submits
the remapped writes to the cache origin after metadata commit completes,
while using the overwrite_endio hook to ensure proper completion
sequencing. This maintains existing coherency. Also improve error
handling in invalidate_complete() to preserve the original error status
instead of using bio_io_error() unconditionally.
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index a2fba4ce40d7d..a3a8623eff297 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1463,8 +1463,14 @@ static void invalidate_complete(struct dm_cache_migration *mg, bool success)
free_prison_cell(cache, mg->cell);
}
- if (!success && mg->overwrite_bio)
- bio_io_error(mg->overwrite_bio);
+ if (mg->overwrite_bio) {
+ // Set generic error if the bio hasn't been issued yet,
+ // e.g., invalidation or metadata commit failed before bio
+ // submission. Otherwise preserve the bio's own error status.
+ if (!success && !mg->overwrite_bio->bi_status)
+ mg->overwrite_bio->bi_status = BLK_STS_IOERR;
+ bio_endio(mg->overwrite_bio);
+ }
free_migration(mg);
defer_bios(cache, &bios);
@@ -1504,6 +1510,22 @@ static int invalidate_cblock(struct cache *cache, dm_cblock_t cblock)
return r;
}
+static void invalidate_committed(struct work_struct *ws)
+{
+ struct dm_cache_migration *mg = ws_to_mg(ws);
+ struct cache *cache = mg->cache;
+ struct bio *bio = mg->overwrite_bio;
+ struct per_bio_data *pb = get_per_bio_data(bio);
+
+ if (mg->k.input)
+ invalidate_complete(mg, false);
+
+ init_continuation(&mg->k, invalidate_completed);
+ remap_to_origin_clear_discard(cache, bio, mg->invalidate_oblock);
+ dm_hook_bio(&pb->hook_info, bio, overwrite_endio, mg);
+ dm_submit_bio_remap(bio, NULL);
+}
+
static void invalidate_remove(struct work_struct *ws)
{
int r;
@@ -1516,10 +1538,8 @@ static void invalidate_remove(struct work_struct *ws)
return;
}
- init_continuation(&mg->k, invalidate_completed);
+ init_continuation(&mg->k, invalidate_committed);
continue_after_commit(&cache->committer, &mg->k);
- remap_to_origin_clear_discard(cache, mg->overwrite_bio, mg->invalidate_oblock);
- mg->overwrite_bio = NULL;
schedule_commit(&cache->committer);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 094/508] dm cache policy smq: fix missing locks in invalidating cache blocks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 093/508] dm cache: fix write hang " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 095/508] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
` (415 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45 ]
In passthrough mode, the policy invalidate_mapping operation is called
simultaneously from multiple workers, thus it should be protected by a
lock. Otherwise, we might end up with data races on the allocated blocks
counter, or even use-after-free issues with internal data structures
when doing concurrent writes.
Note that the existing FIXME in smq_invalidate_mapping() doesn't affect
passthrough mode since migration tasks don't exist there, but would need
attention if supporting fast device shrinking via suspend/resume without
target reloading.
Reproduce steps:
1. Create a cache device consisting of 1024 cache entries
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Populate the cache, and record the number of cached blocks
fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \
--size=64m --direct=1
nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the passthrough cache. By setting multiple jobs with I/O
size equal to the cache block size, cache blocks are invalidated
concurrently from different workers.
fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \
--direct=1 --numjobs=2 --randrepeat=0 --size=64m
5. Check if demoted matches cached block count. These numbers should
match but may differ due to the data race.
nr_demoted=$(dmsetup status cache | awk '{print $12}')
echo "$nr_cached, $nr_demoted"
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-policy-smq.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/md/dm-cache-policy-smq.c b/drivers/md/dm-cache-policy-smq.c
index 8bd2ad743d9ae..1566e040f7aac 100644
--- a/drivers/md/dm-cache-policy-smq.c
+++ b/drivers/md/dm-cache-policy-smq.c
@@ -1589,14 +1589,18 @@ static int smq_invalidate_mapping(struct dm_cache_policy *p, dm_cblock_t cblock)
{
struct smq_policy *mq = to_smq_policy(p);
struct entry *e = get_entry(&mq->cache_alloc, from_cblock(cblock));
+ unsigned long flags;
if (!e->allocated)
return -ENODATA;
+ spin_lock_irqsave(&mq->lock, flags);
// FIXME: what if this block has pending background work?
del_queue(mq, e);
h_remove(&mq->table, e);
free_entry(&mq->cache_alloc, e);
+ spin_unlock_irqrestore(&mq->lock, flags);
+
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 095/508] dm cache: fix concurrent write failure in passthrough mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 094/508] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 096/508] dm cache: support shrinking the origin device Greg Kroah-Hartman
` (414 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit e4f66341779d0cf4c83c74793753a84094286d9e ]
When bio prison cell lock acquisition fails due to concurrent writes to
the same block in passthrough mode, dm-cache incorrectly returns an I/O
error instead of properly handling the concurrency. This can occur in
both process and workqueue contexts when invalidate_lock() is called for
exclusive access to a data block. Fix this by deferring the write bios
to ensure proper block device behavior.
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first cached block concurrently. Sometimes one of the
processes will receive I/O errors.
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k
<snip>
fio-3.41
fio: io_u error on file /dev/mapper/cache: Input/output error: write offset=4096, buflen=4096
fio: pid=106, err=5/file:io_u.c:2008, func=io_u error, error=Input/output error
test: (groupid=0, jobs=1): err= 0: pid=105
test: (groupid=0, jobs=1): err= 5 (file:io_u.c:2008, func=io_u error, error=Input/output error): pid=106
<snip>
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index a3a8623eff297..65ae94f64c11b 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1557,6 +1557,15 @@ static int invalidate_lock(struct dm_cache_migration *mg)
READ_WRITE_LOCK_LEVEL, prealloc, &mg->cell);
if (r < 0) {
free_prison_cell(cache, prealloc);
+
+ /* Defer the bio for retrying the cell lock */
+ if (mg->overwrite_bio) {
+ struct bio *bio = mg->overwrite_bio;
+
+ mg->overwrite_bio = NULL;
+ defer_bio(cache, bio);
+ }
+
invalidate_complete(mg, false);
return r;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 096/508] dm cache: support shrinking the origin device
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 095/508] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 097/508] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
` (413 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit c2662b1544cbd8ea3181381bb899b8e681dfedc7 ]
This patch introduces formal support for shrinking the cache origin by
reducing the cache target length via table reloads. Cache blocks mapped
beyond the new target length must be clean and are invalidated during
preresume. If any dirty blocks exist in the area being removed, the
preresume operation fails without setting the NEEDS_CHECK flag in
superblock, and the resume ioctl returns EFBIG. The cache device remains
suspended until a table reload with target length that fits existing
mappings is performed.
Without this patch, reducing the cache target length could result in
io errors (RHBZ: 2134334), out-of-bounds memory access to the discard
bitset, and security concerns regarding data leakage.
Verification steps:
1. create a cache metadata with some cached blocks mapped to the tail
of the origin device. Here we use cache_restore v1.0 to build a
metadata with one clean block mapped to the last origin block.
cat <<EOF >> cmeta.xml
<superblock uuid="" block_size="128" nr_cache_blocks="512" \
policy="smq" hint_width="4">
<mappings>
<mapping cache_block="0" origin_block="4095" dirty="false"/>
</mappings>
</superblock>
EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta
2. bring up the cache whilst shrinking the cache origin by one block:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524160 linear /dev/sdc 262144"
dmsetup create cache --table "0 524160 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
3. check the number of cached data blocks via dmsetup status. It is
expected to be zero.
dmsetup status cache | cut -d ' ' -f 7
In addition to the script above, this patch can be verified using the
"cache/resize" tests in dmtest-python:
./dmtest run --rx cache/resize/shrink_origin --result-set default
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Stable-dep-of: 322586745bd1 ("dm cache: fix dirty mapping checking in passthrough mode switching")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 72 ++++++++++++++++++++++++++++++++++--
1 file changed, 69 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 65ae94f64c11b..77953a171860e 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -407,6 +407,12 @@ struct cache {
mempool_t migration_pool;
struct bio_set bs;
+
+ /*
+ * Cache_size entries. Set bits indicate blocks mapped beyond the
+ * target length, which are marked for invalidation.
+ */
+ unsigned long *invalid_bitset;
};
struct per_bio_data {
@@ -1958,6 +1964,9 @@ static void __destroy(struct cache *cache)
if (cache->discard_bitset)
free_bitset(cache->discard_bitset);
+ if (cache->invalid_bitset)
+ free_bitset(cache->invalid_bitset);
+
if (cache->copier)
dm_kcopyd_client_destroy(cache->copier);
@@ -2546,6 +2555,13 @@ static int cache_create(struct cache_args *ca, struct cache **result)
}
clear_bitset(cache->discard_bitset, from_dblock(cache->discard_nr_blocks));
+ cache->invalid_bitset = alloc_bitset(from_cblock(cache->cache_size));
+ if (!cache->invalid_bitset) {
+ *error = "could not allocate bitset for invalid blocks";
+ goto bad;
+ }
+ clear_bitset(cache->invalid_bitset, from_cblock(cache->cache_size));
+
cache->copier = dm_kcopyd_client_create(&dm_kcopyd_throttle);
if (IS_ERR(cache->copier)) {
*error = "could not create kcopyd client";
@@ -2844,6 +2860,24 @@ static int load_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
return policy_load_mapping(cache->policy, oblock, cblock, dirty, hint, hint_valid);
}
+static int load_filtered_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
+ bool dirty, uint32_t hint, bool hint_valid)
+{
+ struct cache *cache = context;
+
+ if (from_oblock(oblock) >= from_oblock(cache->origin_blocks)) {
+ if (dirty) {
+ DMERR("%s: unable to shrink origin; cache block %u is dirty",
+ cache_device_name(cache), from_cblock(cblock));
+ return -EFBIG;
+ }
+ set_bit(from_cblock(cblock), cache->invalid_bitset);
+ return 0;
+ }
+
+ return load_mapping(context, oblock, cblock, dirty, hint, hint_valid);
+}
+
/*
* The discard block size in the on disk metadata is not
* necessarily the same as we're currently using. So we have to
@@ -2998,6 +3032,24 @@ static int resize_cache_dev(struct cache *cache, dm_cblock_t new_size)
return 0;
}
+static int truncate_oblocks(struct cache *cache)
+{
+ uint32_t nr_blocks = from_cblock(cache->cache_size);
+ uint32_t i;
+ int r;
+
+ for_each_set_bit(i, cache->invalid_bitset, nr_blocks) {
+ r = dm_cache_remove_mapping(cache->cmd, to_cblock(i));
+ if (r) {
+ DMERR_LIMIT("%s: invalidation failed; couldn't update on disk metadata",
+ cache_device_name(cache));
+ return r;
+ }
+ }
+
+ return 0;
+}
+
static int cache_preresume(struct dm_target *ti)
{
int r = 0;
@@ -3022,11 +3074,25 @@ static int cache_preresume(struct dm_target *ti)
}
if (!cache->loaded_mappings) {
+ /*
+ * The fast device could have been resized since the last
+ * failed preresume attempt. To be safe we start by a blank
+ * bitset for cache blocks.
+ */
+ clear_bitset(cache->invalid_bitset, from_cblock(cache->cache_size));
+
r = dm_cache_load_mappings(cache->cmd, cache->policy,
- load_mapping, cache);
+ load_filtered_mapping, cache);
if (r) {
DMERR("%s: could not load cache mappings", cache_device_name(cache));
- metadata_operation_failed(cache, "dm_cache_load_mappings", r);
+ if (r != -EFBIG)
+ metadata_operation_failed(cache, "dm_cache_load_mappings", r);
+ return r;
+ }
+
+ r = truncate_oblocks(cache);
+ if (r) {
+ metadata_operation_failed(cache, "dm_cache_remove_mapping", r);
return r;
}
@@ -3492,7 +3558,7 @@ static void cache_io_hints(struct dm_target *ti, struct queue_limits *limits)
static struct target_type cache_target = {
.name = "cache",
- .version = {2, 2, 0},
+ .version = {2, 3, 0},
.module = THIS_MODULE,
.ctr = cache_ctr,
.dtr = cache_dtr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 097/508] dm cache: fix dirty mapping checking in passthrough mode switching
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 096/508] dm cache: support shrinking the origin device Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 098/508] platform/chrome: chromeos_tbmc: Drop wakeup source on remove Greg Kroah-Hartman
` (412 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8 ]
As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata
object across inactive and active DM tables"), dm-cache assumed table
reload occurs after suspension, while LVM's table preload breaks this
assumption. The dirty mapping check for passthrough mode was designed
around this assumption and is performed during table creation, causing
the check to fail with preload while metadata updates are ongoing. This
risks loading dirty mappings into passthrough mode, resulting in data
loss.
Reproduce steps:
1. Create a writeback cache with zero migration_threshold to produce
dirty mappings
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \
2 migration_threshold 0"
2. Preload a table in passthrough mode
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
3. Write to the first cache block to make it dirty
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
4. Resume the inactive table. Now it's possible to load the dirty block
into passthrough mode.
dmsetup resume cache
Fix by moving the checks to the preresume phase to support table
preloading. Also remove the unused function dm_cache_metadata_all_clean.
Fixes: 2ee57d587357 ("dm cache: add passthrough mode")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-metadata.c | 11 -----------
drivers/md/dm-cache-metadata.h | 5 -----
drivers/md/dm-cache-target.c | 25 ++++++++-----------------
3 files changed, 8 insertions(+), 33 deletions(-)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index acffed750e3ed..c9d13a30ce86d 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1756,17 +1756,6 @@ int dm_cache_write_hints(struct dm_cache_metadata *cmd, struct dm_cache_policy *
return r;
}
-int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result)
-{
- int r;
-
- READ_LOCK(cmd);
- r = blocks_are_unmapped_or_clean(cmd, 0, cmd->cache_blocks, result);
- READ_UNLOCK(cmd);
-
- return r;
-}
-
void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd)
{
WRITE_LOCK_VOID(cmd);
diff --git a/drivers/md/dm-cache-metadata.h b/drivers/md/dm-cache-metadata.h
index 57afc70479472..24e4af14fcca4 100644
--- a/drivers/md/dm-cache-metadata.h
+++ b/drivers/md/dm-cache-metadata.h
@@ -138,11 +138,6 @@ void dm_cache_dump(struct dm_cache_metadata *cmd);
*/
int dm_cache_write_hints(struct dm_cache_metadata *cmd, struct dm_cache_policy *p);
-/*
- * Query method. Are all the blocks in the cache clean?
- */
-int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result);
-
int dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd, bool *result);
int dm_cache_metadata_set_needs_check(struct dm_cache_metadata *cmd);
void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd);
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 77953a171860e..8db906ea3bef0 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2510,23 +2510,8 @@ static int cache_create(struct cache_args *ca, struct cache **result)
goto bad;
}
- if (passthrough_mode(cache)) {
- bool all_clean;
-
- r = dm_cache_metadata_all_clean(cache->cmd, &all_clean);
- if (r) {
- *error = "dm_cache_metadata_all_clean() failed";
- goto bad;
- }
-
- if (!all_clean) {
- *error = "Cannot enter passthrough mode unless all blocks are clean";
- r = -EINVAL;
- goto bad;
- }
-
+ if (passthrough_mode(cache))
policy_allow_migrations(cache->policy, false);
- }
spin_lock_init(&cache->lock);
bio_list_init(&cache->deferred_bios);
@@ -2852,6 +2837,12 @@ static int load_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
struct cache *cache = context;
if (dirty) {
+ if (passthrough_mode(cache)) {
+ DMERR("%s: cannot enter passthrough mode unless all blocks are clean",
+ cache_device_name(cache));
+ return -EBUSY;
+ }
+
set_bit(from_cblock(cblock), cache->dirty_bitset);
atomic_inc(&cache->nr_dirty);
} else
@@ -3085,7 +3076,7 @@ static int cache_preresume(struct dm_target *ti)
load_filtered_mapping, cache);
if (r) {
DMERR("%s: could not load cache mappings", cache_device_name(cache));
- if (r != -EFBIG)
+ if (r != -EFBIG && r != -EBUSY)
metadata_operation_failed(cache, "dm_cache_load_mappings", r);
return r;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 098/508] platform/chrome: chromeos_tbmc: Drop wakeup source on remove
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 097/508] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 099/508] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
` (411 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Tzung-Bi Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 5d441a4bc93642ed6f41da87327a39946b4e1455 ]
The wakeup source added by device_init_wakeup() in chromeos_tbmc_add()
needs to be dropped during driver removal, so add a .remove() callback
to the driver for this purpose.
Fixes: 0144c00ed86b ("platform/chrome: chromeos_tbmc: Report wake events")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/6151957.MhkbZ0Pkbq@rafael.j.wysocki
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/chrome/chromeos_tbmc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/platform/chrome/chromeos_tbmc.c b/drivers/platform/chrome/chromeos_tbmc.c
index d1cf8f3463ce3..e248567c0a182 100644
--- a/drivers/platform/chrome/chromeos_tbmc.c
+++ b/drivers/platform/chrome/chromeos_tbmc.c
@@ -95,6 +95,11 @@ static int chromeos_tbmc_add(struct acpi_device *adev)
return 0;
}
+static void chromeos_tbmc_remove(struct acpi_device *adev)
+{
+ device_init_wakeup(&adev->dev, false);
+}
+
static const struct acpi_device_id chromeos_tbmc_acpi_device_ids[] = {
{ ACPI_DRV_NAME, 0 },
{ }
@@ -110,6 +115,7 @@ static struct acpi_driver chromeos_tbmc_driver = {
.ids = chromeos_tbmc_acpi_device_ids,
.ops = {
.add = chromeos_tbmc_add,
+ .remove = chromeos_tbmc_remove,
.notify = chromeos_tbmc_notify,
},
.drv.pm = &chromeos_tbmc_pm_ops,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 099/508] dm cache metadata: fix memory leak on metadata abort retry
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 098/508] platform/chrome: chromeos_tbmc: Drop wakeup source on remove Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 100/508] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
` (410 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 044ca491d4086dc5bf233e9fcb71db52df32f633 ]
When failing to acquire the root_lock in dm_cache_metadata_abort because
the block_manager is read-only, the temporary block_manager created
outside the root_lock is not properly released, causing a memory leak.
Reproduce steps:
This can be reproduced by reloading a new table while the metadata
is read-only. While the second call to dm_cache_metadata_abort is
caused by lack of support for table preload in dm-cache, mentioned
in commit 9b1cc9f251af ("dm cache: share cache-metadata object across
inactive and active DM tables"), it exposes the memory leak in
dm_cache_metadata_abort when the function is called multiple times.
Specifically, dm-cache fails to sync the new cache object's mode during
preresume, creating the reproducer condition.
This issue could also occur through concurrent metadata_operation_failed
calls due to races in cache mode updates, but the table preload scenario
below provides a reliable reproducer.
1. Create a cache device with some faulty trailing metadata blocks
dmsetup create cmeta <<EOF
0 200 linear /dev/sdc 0
200 7992 error
EOF
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"
2. Suspend and resume the cache to start a new metadata transaction and
trigger metadata io errors on the next metadata commit.
dmsetup suspend cache
dmsetup resume cache
3. Write to the cache device to update metadata
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --size 64k
4. Preload the same table
dmsetup reload cache --table "$(dmsetup table cache)"
5. Resume the new table. This triggers the memory leak.
dmsetup suspend cache
dmsetup resume cache
kmemleak logs:
<snip>
unreferenced object 0xffff8880080c2010 (size 16):
comm "dmsetup", pid 132, jiffies 4294982580
hex dump (first 16 bytes):
00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...
backtrace (crc 3118f31c):
kmemleak_alloc+0x28/0x40
__kmalloc_cache_noprof+0x3d9/0x510
dm_block_manager_create+0x51/0x140
dm_cache_metadata_abort+0x85/0x320
metadata_operation_failed+0x103/0x1e0
cache_preresume+0xacd/0xe70
dm_table_resume_targets+0xd3/0x320
__dm_resume+0x1b/0xf0
dm_resume+0x127/0x170
<snip>
Fixes: 352b837a5541 ("dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-metadata.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index c9d13a30ce86d..74078b90653f3 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1023,6 +1023,12 @@ static bool cmd_write_lock(struct dm_cache_metadata *cmd)
return; \
} while (0)
+#define WRITE_LOCK_OR_GOTO(cmd, label) \
+ do { \
+ if (!cmd_write_lock((cmd))) \
+ goto label; \
+ } while (0)
+
#define WRITE_UNLOCK(cmd) \
up_write(&(cmd)->root_lock)
@@ -1822,11 +1828,8 @@ int dm_cache_metadata_abort(struct dm_cache_metadata *cmd)
new_bm = dm_block_manager_create(cmd->bdev, DM_CACHE_METADATA_BLOCK_SIZE << SECTOR_SHIFT,
CACHE_MAX_CONCURRENT_LOCKS);
- WRITE_LOCK(cmd);
- if (cmd->fail_io) {
- WRITE_UNLOCK(cmd);
- goto out;
- }
+ /* cmd_write_lock() already checks fail_io with cmd->root_lock held */
+ WRITE_LOCK_OR_GOTO(cmd, out);
__destroy_persistent_data_objects(cmd, false);
old_bm = cmd->bm;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 100/508] dm log: fix out-of-bounds write due to region_count overflow
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 099/508] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 101/508] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() Greg Kroah-Hartman
` (409 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit c20e36b7631d83e7535877f08af8b0af72c44b1a ]
The local variable region_count in create_log_context() is declared as
unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit).
When a device-mapper target has a sufficiently large ti->len with a small
region_size, the division result can exceed UINT_MAX. The truncated
value is then used to calculate bitset_size, causing clean_bits,
sync_bits, and recovering_bits to be allocated far smaller than needed
for the actual number of regions.
Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use
region indices derived from the full untruncated region space, causing
out-of-bounds writes to kernel heap memory allocated by vmalloc.
This can be reproduced by creating a mirror target whose region_count
overflows 32 bits:
dmsetup create bigzero --table '0 8589934594 zero'
dmsetup create mymirror --table '0 8589934594 mirror \
core 2 2 nosync 2 /dev/mapper/bigzero 0 \
/dev/mapper/bigzero 0'
The status output confirms the truncation (sync_count=1 instead of
4294967297, because 0x100000001 was truncated to 1):
$ dmsetup status mymirror
0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...
This leads to a kernel crash in core_in_sync:
BUG: scheduling while atomic: (udev-worker)/9150/0x00000000
RIP: 0010:core_in_sync+0x14/0x30 [dm_log]
CR2: 0000000000000008
Fixing recursive fault but reboot is needed!
Fix by widening the local region_count to sector_t and adding an
explicit overflow check before the value is assigned to lc->region_count.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-log.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c
index e215478bcee04..94d3f13e673e9 100644
--- a/drivers/md/dm-log.c
+++ b/drivers/md/dm-log.c
@@ -373,7 +373,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti,
struct log_c *lc;
uint32_t region_size;
- unsigned int region_count;
+ sector_t region_count;
size_t bitset_size, buf_size;
int r;
char dummy;
@@ -401,6 +401,10 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti,
}
region_count = dm_sector_div_up(ti->len, region_size);
+ if (region_count > UINT_MAX) {
+ DMWARN("region count exceeds limit of %u", UINT_MAX);
+ return -EINVAL;
+ }
lc = kmalloc(sizeof(*lc), GFP_KERNEL);
if (!lc) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 101/508] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 100/508] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 102/508] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs Greg Kroah-Hartman
` (408 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jayesh Choudhary, Harikrishna Shenoy,
Luca Ceresoli, Tomi Valkeinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit 43d6508ddbf9fb974fbc359a033154f78c9d4c8b ]
In case if we get errors in cdns_mhdp_link_up() or cdns_mhdp_reg_read()
in atomic_enable, we will go to cdns_mhdp_modeset_retry_fn() and will hit
NULL pointer while trying to access the mutex. We need the connector to
be set before that. Unlike in legacy cases with flag
!DRM_BRIDGE_ATTACH_NO_CONNECTOR, we do not have connector initialised
in bridge_attach(), so add the mhdp->connector_ptr in device structure
to handle both cases with DRM_BRIDGE_ATTACH_NO_CONNECTOR and
!DRM_BRIDGE_ATTACH_NO_CONNECTOR, set it in atomic_enable() earlier to
avoid possible NULL pointer dereference in recovery paths like
modeset_retry_fn() with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set.
Fixes: c932ced6b585 ("drm/tidss: Update encoder/bridge chain connect model")
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Signed-off-by: Harikrishna Shenoy <h-shenoy@ti.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patch.msgid.link/20251209120332.3559893-2-h-shenoy@ti.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/bridge/cadence/cdns-mhdp8546-core.c | 29 ++++++++++---------
.../drm/bridge/cadence/cdns-mhdp8546-core.h | 1 +
.../drm/bridge/cadence/cdns-mhdp8546-hdcp.c | 18 +++++++++---
3 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index bdb9fc00c776b..8037a41f9afd2 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -810,7 +810,7 @@ static void cdns_mhdp_fw_cb(const struct firmware *fw, void *context)
bridge_attached = mhdp->bridge_attached;
spin_unlock(&mhdp->start_lock);
if (bridge_attached) {
- if (mhdp->connector.dev)
+ if (mhdp->connector_ptr)
drm_kms_helper_hotplug_event(mhdp->bridge.dev);
else
drm_bridge_hpd_notify(&mhdp->bridge, cdns_mhdp_detect(mhdp));
@@ -1709,6 +1709,7 @@ static int cdns_mhdp_connector_init(struct cdns_mhdp_device *mhdp)
return ret;
}
+ mhdp->connector_ptr = conn;
drm_connector_helper_add(conn, &cdns_mhdp_conn_helper_funcs);
ret = drm_display_info_set_bus_formats(&conn->display_info,
@@ -1988,17 +1989,25 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
struct drm_atomic_state *state = bridge_state->base.state;
struct cdns_mhdp_bridge_state *mhdp_state;
struct drm_crtc_state *crtc_state;
- struct drm_connector *connector;
struct drm_connector_state *conn_state;
struct drm_bridge_state *new_state;
const struct drm_display_mode *mode;
u32 resp;
- int ret;
+ int ret = 0;
dev_dbg(mhdp->dev, "bridge enable\n");
mutex_lock(&mhdp->link_mutex);
+ mhdp->connector_ptr = drm_atomic_get_new_connector_for_encoder(state,
+ bridge->encoder);
+ if (WARN_ON(!mhdp->connector_ptr))
+ goto out;
+
+ conn_state = drm_atomic_get_new_connector_state(state, mhdp->connector_ptr);
+ if (WARN_ON(!conn_state))
+ goto out;
+
if (mhdp->plugged && !mhdp->link_up) {
ret = cdns_mhdp_link_up(mhdp);
if (ret < 0)
@@ -2018,15 +2027,6 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
cdns_mhdp_reg_write(mhdp, CDNS_DPTX_CAR,
resp | CDNS_VIF_CLK_EN | CDNS_VIF_CLK_RSTN);
- connector = drm_atomic_get_new_connector_for_encoder(state,
- bridge->encoder);
- if (WARN_ON(!connector))
- goto out;
-
- conn_state = drm_atomic_get_new_connector_state(state, connector);
- if (WARN_ON(!conn_state))
- goto out;
-
if (mhdp->hdcp_supported &&
mhdp->hw_state == MHDP_HW_READY &&
conn_state->content_protection ==
@@ -2103,6 +2103,7 @@ static void cdns_mhdp_atomic_disable(struct drm_bridge *bridge,
if (mhdp->info && mhdp->info->ops && mhdp->info->ops->disable)
mhdp->info->ops->disable(mhdp);
+ mhdp->connector_ptr = NULL;
mutex_unlock(&mhdp->link_mutex);
}
@@ -2368,7 +2369,7 @@ static void cdns_mhdp_modeset_retry_fn(struct work_struct *work)
mhdp = container_of(work, typeof(*mhdp), modeset_retry_work);
- conn = &mhdp->connector;
+ conn = mhdp->connector_ptr;
/* Grab the locks before changing connector property */
mutex_lock(&conn->dev->mode_config.mutex);
@@ -2445,7 +2446,7 @@ static void cdns_mhdp_hpd_work(struct work_struct *work)
int ret;
ret = cdns_mhdp_update_link_status(mhdp);
- if (mhdp->connector.dev) {
+ if (mhdp->connector_ptr) {
if (ret < 0)
schedule_work(&mhdp->modeset_retry_work);
else
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h
index bad2fc0c73066..a76775c768956 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h
@@ -376,6 +376,7 @@ struct cdns_mhdp_device {
struct mutex link_mutex;
struct drm_connector connector;
+ struct drm_connector *connector_ptr;
struct drm_bridge bridge;
struct cdns_mhdp_link link;
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c
index 5e3b8edcf7948..2866069805524 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c
@@ -394,7 +394,7 @@ static int _cdns_mhdp_hdcp_disable(struct cdns_mhdp_device *mhdp)
int ret;
dev_dbg(mhdp->dev, "[%s:%d] HDCP is being disabled...\n",
- mhdp->connector.name, mhdp->connector.base.id);
+ mhdp->connector_ptr->name, mhdp->connector_ptr->base.id);
ret = cdns_mhdp_hdcp_set_config(mhdp, 0, false);
@@ -436,6 +436,10 @@ static int cdns_mhdp_hdcp_check_link(struct cdns_mhdp_device *mhdp)
int ret = 0;
mutex_lock(&mhdp->hdcp.mutex);
+
+ if (!mhdp->connector_ptr)
+ goto out;
+
if (mhdp->hdcp.value == DRM_MODE_CONTENT_PROTECTION_UNDESIRED)
goto out;
@@ -445,7 +449,7 @@ static int cdns_mhdp_hdcp_check_link(struct cdns_mhdp_device *mhdp)
dev_err(mhdp->dev,
"[%s:%d] HDCP link failed, retrying authentication\n",
- mhdp->connector.name, mhdp->connector.base.id);
+ mhdp->connector_ptr->name, mhdp->connector_ptr->base.id);
ret = _cdns_mhdp_hdcp_disable(mhdp);
if (ret) {
@@ -487,13 +491,19 @@ static void cdns_mhdp_hdcp_prop_work(struct work_struct *work)
struct cdns_mhdp_device *mhdp = container_of(hdcp,
struct cdns_mhdp_device,
hdcp);
- struct drm_device *dev = mhdp->connector.dev;
+ struct drm_device *dev = NULL;
struct drm_connector_state *state;
+ if (mhdp->connector_ptr)
+ dev = mhdp->connector_ptr->dev;
+
+ if (!dev)
+ return;
+
drm_modeset_lock(&dev->mode_config.connection_mutex, NULL);
mutex_lock(&mhdp->hdcp.mutex);
if (mhdp->hdcp.value != DRM_MODE_CONTENT_PROTECTION_UNDESIRED) {
- state = mhdp->connector.state;
+ state = mhdp->connector_ptr->state;
state->content_protection = mhdp->hdcp.value;
}
mutex_unlock(&mhdp->hdcp.mutex);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 102/508] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 101/508] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 103/508] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check Greg Kroah-Hartman
` (407 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Jayesh Choudhary,
Harikrishna Shenoy, Luca Ceresoli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit 6dbff34016052b099558b76632e4983e2df13fed ]
Add cdns_mhdp_bridge_mode_valid() to check if specific mode is valid for
this bridge or not. In the legacy usecase with
!DRM_BRIDGE_ATTACH_NO_CONNECTOR we were using the hook from
drm_connector_helper_funcs but with DRM_BRIDGE_ATTACH_NO_CONNECTOR
we need to have mode_valid() in drm_bridge_funcs.
Without this patch, when using DRM_BRIDGE_ATTACH_NO_CONNECTOR
flag, the cdns_mhdp_bandwidth_ok() function would not be called
during mode validation, potentially allowing modes that exceed
the bridge's bandwidth capabilities to be incorrectly marked as
valid.
Fixes: c932ced6b585 ("drm/tidss: Update encoder/bridge chain connect model")
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Signed-off-by: Harikrishna Shenoy <h-shenoy@ti.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20251209120332.3559893-3-h-shenoy@ti.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/bridge/cadence/cdns-mhdp8546-core.c | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 8037a41f9afd2..34a3348375171 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2234,6 +2234,25 @@ static struct edid *cdns_mhdp_bridge_get_edid(struct drm_bridge *bridge,
return cdns_mhdp_get_edid(mhdp, connector);
}
+static enum drm_mode_status
+cdns_mhdp_bridge_mode_valid(struct drm_bridge *bridge,
+ const struct drm_display_info *info,
+ const struct drm_display_mode *mode)
+{
+ struct cdns_mhdp_device *mhdp = bridge_to_mhdp(bridge);
+
+ mutex_lock(&mhdp->link_mutex);
+
+ if (!cdns_mhdp_bandwidth_ok(mhdp, mode, mhdp->link.num_lanes,
+ mhdp->link.rate)) {
+ mutex_unlock(&mhdp->link_mutex);
+ return MODE_CLOCK_HIGH;
+ }
+
+ mutex_unlock(&mhdp->link_mutex);
+ return MODE_OK;
+}
+
static const struct drm_bridge_funcs cdns_mhdp_bridge_funcs = {
.atomic_enable = cdns_mhdp_atomic_enable,
.atomic_disable = cdns_mhdp_atomic_disable,
@@ -2248,6 +2267,7 @@ static const struct drm_bridge_funcs cdns_mhdp_bridge_funcs = {
.get_edid = cdns_mhdp_bridge_get_edid,
.hpd_enable = cdns_mhdp_bridge_hpd_enable,
.hpd_disable = cdns_mhdp_bridge_hpd_disable,
+ .mode_valid = cdns_mhdp_bridge_mode_valid,
};
static bool cdns_mhdp_detect_hpd(struct cdns_mhdp_device *mhdp, bool *hpd_pulse)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 103/508] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 102/508] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 104/508] spi: fsl-qspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
` (406 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harikrishna Shenoy, Luca Ceresoli,
Tomi Valkeinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harikrishna Shenoy <h-shenoy@ti.com>
[ Upstream commit 4a8edd658489ec2a3d7e20482fa9e8d366153d8d ]
Now that we have DRM_BRIDGE_ATTACH_NO_CONNECTOR framework, handle the
HDCP state change in bridge atomic check as well to enable correct
functioning for HDCP in both DRM_BRIDGE_ATTACH_NO_CONNECTOR and
!DRM_BRIDGE_ATTACH_NO_CONNECTOR case.
Without this patch, when using DRM_BRIDGE_ATTACH_NO_CONNECTOR flag, HDCP
state changes would not be properly handled during atomic commits,
potentially leading to HDCP authentication failures or incorrect
protection status for content requiring HDCP encryption.
Fixes: 6a3608eae6d33 ("drm: bridge: cdns-mhdp8546: Enable HDCP")
Signed-off-by: Harikrishna Shenoy <h-shenoy@ti.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patch.msgid.link/20251209120332.3559893-4-h-shenoy@ti.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/bridge/cadence/cdns-mhdp8546-core.c | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 34a3348375171..44955601a9dfc 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2196,6 +2196,10 @@ static int cdns_mhdp_atomic_check(struct drm_bridge *bridge,
{
struct cdns_mhdp_device *mhdp = bridge_to_mhdp(bridge);
const struct drm_display_mode *mode = &crtc_state->adjusted_mode;
+ struct drm_connector_state *old_state, *new_state;
+ struct drm_atomic_state *state = crtc_state->state;
+ struct drm_connector *conn = mhdp->connector_ptr;
+ u64 old_cp, new_cp;
mutex_lock(&mhdp->link_mutex);
@@ -2215,6 +2219,25 @@ static int cdns_mhdp_atomic_check(struct drm_bridge *bridge,
if (mhdp->info)
bridge_state->input_bus_cfg.flags = *mhdp->info->input_bus_flags;
+ if (conn && mhdp->hdcp_supported) {
+ old_state = drm_atomic_get_old_connector_state(state, conn);
+ new_state = drm_atomic_get_new_connector_state(state, conn);
+ old_cp = old_state->content_protection;
+ new_cp = new_state->content_protection;
+
+ if (old_state->hdcp_content_type != new_state->hdcp_content_type &&
+ new_cp != DRM_MODE_CONTENT_PROTECTION_UNDESIRED) {
+ new_state->content_protection = DRM_MODE_CONTENT_PROTECTION_DESIRED;
+ crtc_state = drm_atomic_get_new_crtc_state(state, new_state->crtc);
+ crtc_state->mode_changed = true;
+ }
+
+ if (!new_state->crtc) {
+ if (old_cp == DRM_MODE_CONTENT_PROTECTION_ENABLED)
+ new_state->content_protection = DRM_MODE_CONTENT_PROTECTION_DESIRED;
+ }
+ }
+
mutex_unlock(&mhdp->link_mutex);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 104/508] spi: fsl-qspi: Use reinit_completion() for repeated operations
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 103/508] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 105/508] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
` (405 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Haibo Chen, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 981b080a79724738882b0af1c5bb7ade30d94f24 ]
The driver currently calls init_completion() during every spi_mem_op.
Tchnically it may work, but it's not the recommended pattern.
According to the kernel documentation: Calling init_completion() on
the same completion object twice is most likely a bug as it
re-initializes the queue to an empty queue and enqueued tasks could
get "lost" - use reinit_completion() in that case, but be aware of
other races.
So moves the initial initialization to probe function and uses
reinit_completion() for subsequent operations.
Fixes: 84d043185dbe ("spi: Add a driver for the Freescale/NXP QuadSPI controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20260304-spi-nxp-v2-3-cd7d7726a27e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-qspi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-fsl-qspi.c b/drivers/spi/spi-fsl-qspi.c
index 21e357966d2a2..cb2e5413dd32b 100644
--- a/drivers/spi/spi-fsl-qspi.c
+++ b/drivers/spi/spi-fsl-qspi.c
@@ -606,7 +606,7 @@ static int fsl_qspi_do_op(struct fsl_qspi *q, const struct spi_mem_op *op)
void __iomem *base = q->iobase;
int err = 0;
- init_completion(&q->c);
+ reinit_completion(&q->c);
/*
* Always start the sequence at the same index since we update
@@ -924,6 +924,7 @@ static int fsl_qspi_probe(struct platform_device *pdev)
if (ret < 0)
goto err_disable_clk;
+ init_completion(&q->c);
ret = devm_request_irq(dev, ret,
fsl_qspi_irq_handler, 0, pdev->name, q);
if (ret) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 105/508] drm/sun4i: Fix resource leaks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 104/508] spi: fsl-qspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 106/508] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
` (404 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Jernej Skrabec,
Chen-Yu Tsai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 127367ad2e0f4870de60c6d719ae82ecf68d674c ]
Three clocks are not being released in devm_regmap_init_mmio() error
path.
Add proper goto and set ret to the error code.
Fixes: 8270249fbeaf0 ("drm/sun4i: backend: Create regmap after access is possible")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://patch.msgid.link/20260226163836.10335-1-ethantidmore06@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun4i_backend.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c
index 6a2ffaa477ab8..4943577ec7fb8 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -878,7 +878,8 @@ static int sun4i_backend_bind(struct device *dev, struct device *master,
&sun4i_backend_regmap_config);
if (IS_ERR(backend->engine.regs)) {
dev_err(dev, "Couldn't create the backend regmap\n");
- return PTR_ERR(backend->engine.regs);
+ ret = PTR_ERR(backend->engine.regs);
+ goto err_disable_ram_clk;
}
list_add_tail(&backend->engine.list, &drv->engine_list);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 106/508] drm/amdgpu: Add default case in DVI mode validation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 105/508] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 107/508] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
` (403 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Timur Kristóf,
Alex Deucher, Christian König, Srinivasan Shanmugam,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit e6020a55b8e364d15eac27f9c788e13114eec6b7 ]
amdgpu_connector_dvi_mode_valid() assigns max_digital_pixel_clock_khz
based on connector_object_id using a switch statement that lacks a
default case.
In practice this code path should never be hit because the existing
cases already cover all digital connector types that this function is
used for. This is also legacy display code which is not used for new
hardware.
Add a default case returning MODE_BAD to make the switch exhaustive and
silence the static analyzer smatch error. The new branch is effectively
defensive and should never be reached during normal operation.
Fixes: 585b2f685c56 ("drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)")
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Timur Kristóf <timur.kristof@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 52c093e42531b..5f4fef27177b4 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -1257,6 +1257,8 @@ static enum drm_mode_status amdgpu_connector_dvi_mode_valid(struct drm_connector
case CONNECTOR_OBJECT_ID_HDMI_TYPE_B:
max_digital_pixel_clock_khz = max_dvi_single_link_pixel_clock * 2;
break;
+ default:
+ return MODE_BAD;
}
/* When the display EDID claims that it's an HDMI display,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 107/508] dm init: ensure device probing has finished in dm-mod.waitfor=
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 106/508] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 108/508] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
` (402 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Gonnet, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Gonnet <ggonnet.linux@gmail.com>
[ Upstream commit 99a2312f69805f4ba92d98a757625e0300a747ab ]
The early_lookup_bdev() function returns successfully when the disk
device is present but not necessarily its partitions. In this situation,
dm_early_create() fails as the partition block device does not exist
yet.
In my case, this phenomenon occurs quite often because the device is
an SD card with slow reading times, on which kernel takes time to
enumerate available partitions.
Fortunately, the underlying device is back to "probing" state while
enumerating partitions. Waiting for all probing to end is enough to fix
this issue.
That's also the reason why this problem never occurs with rootwait=
parameter: the while loop inside wait_for_root() explicitly waits for
probing to be done and then the function calls async_synchronize_full().
These lines were omitted in 035641b, even though the commit says it's
based on the rootwait logic...
Anyway, calling wait_for_device_probe() after our while loop does the
job (it both waits for probing and calls async_synchronize_full).
Fixes: 035641b01e72 ("dm init: add dm-mod.waitfor to wait for asynchronously probed block devices")
Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-init.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
index b37bbe7625003..423269cbdd2bb 100644
--- a/drivers/md/dm-init.c
+++ b/drivers/md/dm-init.c
@@ -303,8 +303,10 @@ static int __init dm_init_init(void)
}
}
- if (waitfor[0])
+ if (waitfor[0]) {
+ wait_for_device_probe();
DMINFO("all devices available");
+ }
list_for_each_entry(dev, &devices, list) {
if (dm_early_create(&dev->dmi, dev->table,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 108/508] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 107/508] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 109/508] crypto: atmel - Remove cfb and ofb Greg Kroah-Hartman
` (401 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Jason Yan,
Helge Deller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit caf6144053b4e1c815aa56afb54745a176f999df ]
Clang is not happy about set but unused variable:
drivers/video/fbdev/matrox/g450_pll.c:412:18: error: variable 'mnp' set but not used
412 | unsigned int mnp;
| ^
1 error generated.
Since the commit 7b987887f97b ("video: fbdev: matroxfb: remove dead code
and set but not used variable") the 'mnp' became unused, but eliminating
that code might have side-effects. The question here is what should we do
with 'mnp'? The easiest way out is just mark it with __maybe_unused which
will shut the compiler up and won't change any possible IO flow. So does
this change.
A dive into the history of the driver:
The problem was revealed when the #if 0 guarded code along with unused
pixel_vco variable was removed. That code was introduced in the original
commit 213d22146d1f ("[PATCH] (1/3) matroxfb for 2.5.3"). And then guarded
in the commit 705e41f82988 ("matroxfb DVI updates: Handle DVI output on
G450/G550. Powerdown unused portions of G450/G550 DAC. Split G450/G550 DAC
from older DAC1064 handling. Modify PLL setting when both CRTCs use same
pixel clocks.").
NOTE: The two commits mentioned above pre-date Git era and available in
history.git repository for archaeological purposes.
Even without that guard the modern compilers may see that the pixel_vco
wasn't ever used and seems a leftover after some debug or review made
25 years ago.
The g450_mnp2vco() doesn't have any IO and as Jason said doesn't seem
to have any side effects either than some unneeded CPU processing during
runtime. I agree that's unlikely that timeout (or heating up the CPU) has
any effect on the HW (GPU/display) functionality.
Fixes: 7b987887f97b ("video: fbdev: matroxfb: remove dead code and set but not used variable")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/matrox/g450_pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/matrox/g450_pll.c b/drivers/video/fbdev/matrox/g450_pll.c
index ff8e321a22cef..b2d3f7328ea83 100644
--- a/drivers/video/fbdev/matrox/g450_pll.c
+++ b/drivers/video/fbdev/matrox/g450_pll.c
@@ -407,7 +407,7 @@ static int __g450_setclk(struct matrox_fb_info *minfo, unsigned int fout,
case M_VIDEO_PLL:
{
u_int8_t tmp;
- unsigned int mnp;
+ unsigned int mnp __maybe_unused;
unsigned long flags;
matroxfb_DAC_lock_irqsave(flags);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 109/508] crypto: atmel - Remove cfb and ofb
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 108/508] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 110/508] crypto: atmel - Use unregister_{aeads,ahashes,skciphers} Greg Kroah-Hartman
` (400 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit a16144bda9c332079b6a1db52725e9c22007114d ]
Remove the unused CFB/OFB implementation.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 57a13941c0bb ("crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/atmel-aes.c | 214 +-----------------------------------
drivers/crypto/atmel-tdes.c | 205 +---------------------------------
2 files changed, 8 insertions(+), 411 deletions(-)
diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 97fcde0126766..f023f27468c0d 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -46,11 +46,6 @@
#define ATMEL_AES_BUFFER_ORDER 2
#define ATMEL_AES_BUFFER_SIZE (PAGE_SIZE << ATMEL_AES_BUFFER_ORDER)
-#define CFB8_BLOCK_SIZE 1
-#define CFB16_BLOCK_SIZE 2
-#define CFB32_BLOCK_SIZE 4
-#define CFB64_BLOCK_SIZE 8
-
#define SIZE_IN_WORDS(x) ((x) >> 2)
/* AES flags */
@@ -60,12 +55,6 @@
#define AES_FLAGS_OPMODE_MASK (AES_MR_OPMOD_MASK | AES_MR_CFBS_MASK)
#define AES_FLAGS_ECB AES_MR_OPMOD_ECB
#define AES_FLAGS_CBC AES_MR_OPMOD_CBC
-#define AES_FLAGS_OFB AES_MR_OPMOD_OFB
-#define AES_FLAGS_CFB128 (AES_MR_OPMOD_CFB | AES_MR_CFBS_128b)
-#define AES_FLAGS_CFB64 (AES_MR_OPMOD_CFB | AES_MR_CFBS_64b)
-#define AES_FLAGS_CFB32 (AES_MR_OPMOD_CFB | AES_MR_CFBS_32b)
-#define AES_FLAGS_CFB16 (AES_MR_OPMOD_CFB | AES_MR_CFBS_16b)
-#define AES_FLAGS_CFB8 (AES_MR_OPMOD_CFB | AES_MR_CFBS_8b)
#define AES_FLAGS_CTR AES_MR_OPMOD_CTR
#define AES_FLAGS_GCM AES_MR_OPMOD_GCM
#define AES_FLAGS_XTS AES_MR_OPMOD_XTS
@@ -87,7 +76,6 @@
struct atmel_aes_caps {
bool has_dualbuff;
- bool has_cfb64;
bool has_gcm;
bool has_xts;
bool has_authenc;
@@ -860,22 +848,6 @@ static int atmel_aes_dma_start(struct atmel_aes_dev *dd,
int err;
switch (dd->ctx->block_size) {
- case CFB8_BLOCK_SIZE:
- addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
- maxburst = 1;
- break;
-
- case CFB16_BLOCK_SIZE:
- addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
- maxburst = 1;
- break;
-
- case CFB32_BLOCK_SIZE:
- case CFB64_BLOCK_SIZE:
- addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
- maxburst = 1;
- break;
-
case AES_BLOCK_SIZE:
addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
maxburst = dd->caps.max_burst_size;
@@ -1103,7 +1075,7 @@ static int atmel_aes_crypt(struct skcipher_request *req, unsigned long mode)
}
/*
- * ECB, CBC, CFB, OFB or CTR mode require the plaintext and ciphertext
+ * ECB, CBC or CTR mode require the plaintext and ciphertext
* to have a positve integer length.
*/
if (!req->cryptlen && opmode != AES_FLAGS_XTS)
@@ -1113,27 +1085,7 @@ static int atmel_aes_crypt(struct skcipher_request *req, unsigned long mode)
!IS_ALIGNED(req->cryptlen, crypto_skcipher_blocksize(skcipher)))
return -EINVAL;
- switch (mode & AES_FLAGS_OPMODE_MASK) {
- case AES_FLAGS_CFB8:
- ctx->block_size = CFB8_BLOCK_SIZE;
- break;
-
- case AES_FLAGS_CFB16:
- ctx->block_size = CFB16_BLOCK_SIZE;
- break;
-
- case AES_FLAGS_CFB32:
- ctx->block_size = CFB32_BLOCK_SIZE;
- break;
-
- case AES_FLAGS_CFB64:
- ctx->block_size = CFB64_BLOCK_SIZE;
- break;
-
- default:
- ctx->block_size = AES_BLOCK_SIZE;
- break;
- }
+ ctx->block_size = AES_BLOCK_SIZE;
ctx->is_aead = false;
rctx = skcipher_request_ctx(req);
@@ -1188,66 +1140,6 @@ static int atmel_aes_cbc_decrypt(struct skcipher_request *req)
return atmel_aes_crypt(req, AES_FLAGS_CBC);
}
-static int atmel_aes_ofb_encrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_OFB | AES_FLAGS_ENCRYPT);
-}
-
-static int atmel_aes_ofb_decrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_OFB);
-}
-
-static int atmel_aes_cfb_encrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB128 | AES_FLAGS_ENCRYPT);
-}
-
-static int atmel_aes_cfb_decrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB128);
-}
-
-static int atmel_aes_cfb64_encrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB64 | AES_FLAGS_ENCRYPT);
-}
-
-static int atmel_aes_cfb64_decrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB64);
-}
-
-static int atmel_aes_cfb32_encrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB32 | AES_FLAGS_ENCRYPT);
-}
-
-static int atmel_aes_cfb32_decrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB32);
-}
-
-static int atmel_aes_cfb16_encrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB16 | AES_FLAGS_ENCRYPT);
-}
-
-static int atmel_aes_cfb16_decrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB16);
-}
-
-static int atmel_aes_cfb8_encrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB8 | AES_FLAGS_ENCRYPT);
-}
-
-static int atmel_aes_cfb8_decrypt(struct skcipher_request *req)
-{
- return atmel_aes_crypt(req, AES_FLAGS_CFB8);
-}
-
static int atmel_aes_ctr_encrypt(struct skcipher_request *req)
{
return atmel_aes_crypt(req, AES_FLAGS_CTR | AES_FLAGS_ENCRYPT);
@@ -1318,76 +1210,6 @@ static struct skcipher_alg aes_algs[] = {
.decrypt = atmel_aes_cbc_decrypt,
.ivsize = AES_BLOCK_SIZE,
},
-{
- .base.cra_name = "ofb(aes)",
- .base.cra_driver_name = "atmel-ofb-aes",
- .base.cra_blocksize = 1,
- .base.cra_ctxsize = sizeof(struct atmel_aes_ctx),
-
- .init = atmel_aes_init_tfm,
- .min_keysize = AES_MIN_KEY_SIZE,
- .max_keysize = AES_MAX_KEY_SIZE,
- .setkey = atmel_aes_setkey,
- .encrypt = atmel_aes_ofb_encrypt,
- .decrypt = atmel_aes_ofb_decrypt,
- .ivsize = AES_BLOCK_SIZE,
-},
-{
- .base.cra_name = "cfb(aes)",
- .base.cra_driver_name = "atmel-cfb-aes",
- .base.cra_blocksize = 1,
- .base.cra_ctxsize = sizeof(struct atmel_aes_ctx),
-
- .init = atmel_aes_init_tfm,
- .min_keysize = AES_MIN_KEY_SIZE,
- .max_keysize = AES_MAX_KEY_SIZE,
- .setkey = atmel_aes_setkey,
- .encrypt = atmel_aes_cfb_encrypt,
- .decrypt = atmel_aes_cfb_decrypt,
- .ivsize = AES_BLOCK_SIZE,
-},
-{
- .base.cra_name = "cfb32(aes)",
- .base.cra_driver_name = "atmel-cfb32-aes",
- .base.cra_blocksize = CFB32_BLOCK_SIZE,
- .base.cra_ctxsize = sizeof(struct atmel_aes_ctx),
-
- .init = atmel_aes_init_tfm,
- .min_keysize = AES_MIN_KEY_SIZE,
- .max_keysize = AES_MAX_KEY_SIZE,
- .setkey = atmel_aes_setkey,
- .encrypt = atmel_aes_cfb32_encrypt,
- .decrypt = atmel_aes_cfb32_decrypt,
- .ivsize = AES_BLOCK_SIZE,
-},
-{
- .base.cra_name = "cfb16(aes)",
- .base.cra_driver_name = "atmel-cfb16-aes",
- .base.cra_blocksize = CFB16_BLOCK_SIZE,
- .base.cra_ctxsize = sizeof(struct atmel_aes_ctx),
-
- .init = atmel_aes_init_tfm,
- .min_keysize = AES_MIN_KEY_SIZE,
- .max_keysize = AES_MAX_KEY_SIZE,
- .setkey = atmel_aes_setkey,
- .encrypt = atmel_aes_cfb16_encrypt,
- .decrypt = atmel_aes_cfb16_decrypt,
- .ivsize = AES_BLOCK_SIZE,
-},
-{
- .base.cra_name = "cfb8(aes)",
- .base.cra_driver_name = "atmel-cfb8-aes",
- .base.cra_blocksize = CFB8_BLOCK_SIZE,
- .base.cra_ctxsize = sizeof(struct atmel_aes_ctx),
-
- .init = atmel_aes_init_tfm,
- .min_keysize = AES_MIN_KEY_SIZE,
- .max_keysize = AES_MAX_KEY_SIZE,
- .setkey = atmel_aes_setkey,
- .encrypt = atmel_aes_cfb8_encrypt,
- .decrypt = atmel_aes_cfb8_decrypt,
- .ivsize = AES_BLOCK_SIZE,
-},
{
.base.cra_name = "ctr(aes)",
.base.cra_driver_name = "atmel-ctr-aes",
@@ -1404,21 +1226,6 @@ static struct skcipher_alg aes_algs[] = {
},
};
-static struct skcipher_alg aes_cfb64_alg = {
- .base.cra_name = "cfb64(aes)",
- .base.cra_driver_name = "atmel-cfb64-aes",
- .base.cra_blocksize = CFB64_BLOCK_SIZE,
- .base.cra_ctxsize = sizeof(struct atmel_aes_ctx),
-
- .init = atmel_aes_init_tfm,
- .min_keysize = AES_MIN_KEY_SIZE,
- .max_keysize = AES_MAX_KEY_SIZE,
- .setkey = atmel_aes_setkey,
- .encrypt = atmel_aes_cfb64_encrypt,
- .decrypt = atmel_aes_cfb64_decrypt,
- .ivsize = AES_BLOCK_SIZE,
-};
-
/* gcm aead functions */
@@ -2407,9 +2214,6 @@ static void atmel_aes_unregister_algs(struct atmel_aes_dev *dd)
if (dd->caps.has_gcm)
crypto_unregister_aead(&aes_gcm_alg);
- if (dd->caps.has_cfb64)
- crypto_unregister_skcipher(&aes_cfb64_alg);
-
for (i = 0; i < ARRAY_SIZE(aes_algs); i++)
crypto_unregister_skcipher(&aes_algs[i]);
}
@@ -2434,14 +2238,6 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
goto err_aes_algs;
}
- if (dd->caps.has_cfb64) {
- atmel_aes_crypto_alg_init(&aes_cfb64_alg.base);
-
- err = crypto_register_skcipher(&aes_cfb64_alg);
- if (err)
- goto err_aes_cfb64_alg;
- }
-
if (dd->caps.has_gcm) {
atmel_aes_crypto_alg_init(&aes_gcm_alg.base);
@@ -2482,8 +2278,6 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
err_aes_xts_alg:
crypto_unregister_aead(&aes_gcm_alg);
err_aes_gcm_alg:
- crypto_unregister_skcipher(&aes_cfb64_alg);
-err_aes_cfb64_alg:
i = ARRAY_SIZE(aes_algs);
err_aes_algs:
for (j = 0; j < i; j++)
@@ -2495,7 +2289,6 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
static void atmel_aes_get_cap(struct atmel_aes_dev *dd)
{
dd->caps.has_dualbuff = 0;
- dd->caps.has_cfb64 = 0;
dd->caps.has_gcm = 0;
dd->caps.has_xts = 0;
dd->caps.has_authenc = 0;
@@ -2507,7 +2300,6 @@ static void atmel_aes_get_cap(struct atmel_aes_dev *dd)
case 0x600:
case 0x500:
dd->caps.has_dualbuff = 1;
- dd->caps.has_cfb64 = 1;
dd->caps.has_gcm = 1;
dd->caps.has_xts = 1;
dd->caps.has_authenc = 1;
@@ -2515,13 +2307,11 @@ static void atmel_aes_get_cap(struct atmel_aes_dev *dd)
break;
case 0x200:
dd->caps.has_dualbuff = 1;
- dd->caps.has_cfb64 = 1;
dd->caps.has_gcm = 1;
dd->caps.max_burst_size = 4;
break;
case 0x130:
dd->caps.has_dualbuff = 1;
- dd->caps.has_cfb64 = 1;
dd->caps.max_burst_size = 4;
break;
case 0x120:
diff --git a/drivers/crypto/atmel-tdes.c b/drivers/crypto/atmel-tdes.c
index 6870a13342e22..48888b2ff7936 100644
--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -45,11 +45,6 @@
#define TDES_FLAGS_OPMODE_MASK (TDES_MR_OPMOD_MASK | TDES_MR_CFBS_MASK)
#define TDES_FLAGS_ECB TDES_MR_OPMOD_ECB
#define TDES_FLAGS_CBC TDES_MR_OPMOD_CBC
-#define TDES_FLAGS_OFB TDES_MR_OPMOD_OFB
-#define TDES_FLAGS_CFB64 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_64b)
-#define TDES_FLAGS_CFB32 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_32b)
-#define TDES_FLAGS_CFB16 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_16b)
-#define TDES_FLAGS_CFB8 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_8b)
#define TDES_FLAGS_MODE_MASK (TDES_FLAGS_OPMODE_MASK | TDES_FLAGS_ENCRYPT)
@@ -60,13 +55,8 @@
#define ATMEL_TDES_QUEUE_LENGTH 50
-#define CFB8_BLOCK_SIZE 1
-#define CFB16_BLOCK_SIZE 2
-#define CFB32_BLOCK_SIZE 4
-
struct atmel_tdes_caps {
bool has_dma;
- u32 has_cfb_3keys;
};
struct atmel_tdes_dev;
@@ -376,7 +366,6 @@ static int atmel_tdes_crypt_pdc(struct atmel_tdes_dev *dd,
dma_addr_t dma_addr_in,
dma_addr_t dma_addr_out, int length)
{
- struct atmel_tdes_reqctx *rctx = skcipher_request_ctx(dd->req);
int len32;
dd->dma_size = length;
@@ -386,19 +375,7 @@ static int atmel_tdes_crypt_pdc(struct atmel_tdes_dev *dd,
DMA_TO_DEVICE);
}
- switch (rctx->mode & TDES_FLAGS_OPMODE_MASK) {
- case TDES_FLAGS_CFB8:
- len32 = DIV_ROUND_UP(length, sizeof(u8));
- break;
-
- case TDES_FLAGS_CFB16:
- len32 = DIV_ROUND_UP(length, sizeof(u16));
- break;
-
- default:
- len32 = DIV_ROUND_UP(length, sizeof(u32));
- break;
- }
+ len32 = DIV_ROUND_UP(length, sizeof(u32));
atmel_tdes_write(dd, TDES_PTCR, TDES_PTCR_TXTDIS|TDES_PTCR_RXTDIS);
atmel_tdes_write(dd, TDES_TPR, dma_addr_in);
@@ -419,7 +396,6 @@ static int atmel_tdes_crypt_dma(struct atmel_tdes_dev *dd,
dma_addr_t dma_addr_in,
dma_addr_t dma_addr_out, int length)
{
- struct atmel_tdes_reqctx *rctx = skcipher_request_ctx(dd->req);
struct scatterlist sg[2];
struct dma_async_tx_descriptor *in_desc, *out_desc;
enum dma_slave_buswidth addr_width;
@@ -431,19 +407,7 @@ static int atmel_tdes_crypt_dma(struct atmel_tdes_dev *dd,
DMA_TO_DEVICE);
}
- switch (rctx->mode & TDES_FLAGS_OPMODE_MASK) {
- case TDES_FLAGS_CFB8:
- addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
- break;
-
- case TDES_FLAGS_CFB16:
- addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
- break;
-
- default:
- addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
- break;
- }
+ addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
dd->dma_lch_in.dma_conf.dst_addr_width = addr_width;
dd->dma_lch_out.dma_conf.src_addr_width = addr_width;
@@ -680,39 +644,11 @@ static int atmel_tdes_crypt(struct skcipher_request *req, unsigned long mode)
if (!req->cryptlen)
return 0;
- switch (mode & TDES_FLAGS_OPMODE_MASK) {
- case TDES_FLAGS_CFB8:
- if (!IS_ALIGNED(req->cryptlen, CFB8_BLOCK_SIZE)) {
- dev_dbg(dev, "request size is not exact amount of CFB8 blocks\n");
- return -EINVAL;
- }
- ctx->block_size = CFB8_BLOCK_SIZE;
- break;
-
- case TDES_FLAGS_CFB16:
- if (!IS_ALIGNED(req->cryptlen, CFB16_BLOCK_SIZE)) {
- dev_dbg(dev, "request size is not exact amount of CFB16 blocks\n");
- return -EINVAL;
- }
- ctx->block_size = CFB16_BLOCK_SIZE;
- break;
-
- case TDES_FLAGS_CFB32:
- if (!IS_ALIGNED(req->cryptlen, CFB32_BLOCK_SIZE)) {
- dev_dbg(dev, "request size is not exact amount of CFB32 blocks\n");
- return -EINVAL;
- }
- ctx->block_size = CFB32_BLOCK_SIZE;
- break;
-
- default:
- if (!IS_ALIGNED(req->cryptlen, DES_BLOCK_SIZE)) {
- dev_dbg(dev, "request size is not exact amount of DES blocks\n");
- return -EINVAL;
- }
- ctx->block_size = DES_BLOCK_SIZE;
- break;
+ if (!IS_ALIGNED(req->cryptlen, DES_BLOCK_SIZE)) {
+ dev_dbg(dev, "request size is not exact amount of DES blocks\n");
+ return -EINVAL;
}
+ ctx->block_size = DES_BLOCK_SIZE;
rctx->mode = mode;
@@ -832,55 +768,6 @@ static int atmel_tdes_cbc_decrypt(struct skcipher_request *req)
{
return atmel_tdes_crypt(req, TDES_FLAGS_CBC);
}
-static int atmel_tdes_cfb_encrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB64 | TDES_FLAGS_ENCRYPT);
-}
-
-static int atmel_tdes_cfb_decrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB64);
-}
-
-static int atmel_tdes_cfb8_encrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB8 | TDES_FLAGS_ENCRYPT);
-}
-
-static int atmel_tdes_cfb8_decrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB8);
-}
-
-static int atmel_tdes_cfb16_encrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB16 | TDES_FLAGS_ENCRYPT);
-}
-
-static int atmel_tdes_cfb16_decrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB16);
-}
-
-static int atmel_tdes_cfb32_encrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB32 | TDES_FLAGS_ENCRYPT);
-}
-
-static int atmel_tdes_cfb32_decrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_CFB32);
-}
-
-static int atmel_tdes_ofb_encrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_OFB | TDES_FLAGS_ENCRYPT);
-}
-
-static int atmel_tdes_ofb_decrypt(struct skcipher_request *req)
-{
- return atmel_tdes_crypt(req, TDES_FLAGS_OFB);
-}
static int atmel_tdes_init_tfm(struct crypto_skcipher *tfm)
{
@@ -931,71 +818,6 @@ static struct skcipher_alg tdes_algs[] = {
.encrypt = atmel_tdes_cbc_encrypt,
.decrypt = atmel_tdes_cbc_decrypt,
},
-{
- .base.cra_name = "cfb(des)",
- .base.cra_driver_name = "atmel-cfb-des",
- .base.cra_blocksize = DES_BLOCK_SIZE,
- .base.cra_alignmask = 0x7,
-
- .min_keysize = DES_KEY_SIZE,
- .max_keysize = DES_KEY_SIZE,
- .ivsize = DES_BLOCK_SIZE,
- .setkey = atmel_des_setkey,
- .encrypt = atmel_tdes_cfb_encrypt,
- .decrypt = atmel_tdes_cfb_decrypt,
-},
-{
- .base.cra_name = "cfb8(des)",
- .base.cra_driver_name = "atmel-cfb8-des",
- .base.cra_blocksize = CFB8_BLOCK_SIZE,
- .base.cra_alignmask = 0,
-
- .min_keysize = DES_KEY_SIZE,
- .max_keysize = DES_KEY_SIZE,
- .ivsize = DES_BLOCK_SIZE,
- .setkey = atmel_des_setkey,
- .encrypt = atmel_tdes_cfb8_encrypt,
- .decrypt = atmel_tdes_cfb8_decrypt,
-},
-{
- .base.cra_name = "cfb16(des)",
- .base.cra_driver_name = "atmel-cfb16-des",
- .base.cra_blocksize = CFB16_BLOCK_SIZE,
- .base.cra_alignmask = 0x1,
-
- .min_keysize = DES_KEY_SIZE,
- .max_keysize = DES_KEY_SIZE,
- .ivsize = DES_BLOCK_SIZE,
- .setkey = atmel_des_setkey,
- .encrypt = atmel_tdes_cfb16_encrypt,
- .decrypt = atmel_tdes_cfb16_decrypt,
-},
-{
- .base.cra_name = "cfb32(des)",
- .base.cra_driver_name = "atmel-cfb32-des",
- .base.cra_blocksize = CFB32_BLOCK_SIZE,
- .base.cra_alignmask = 0x3,
-
- .min_keysize = DES_KEY_SIZE,
- .max_keysize = DES_KEY_SIZE,
- .ivsize = DES_BLOCK_SIZE,
- .setkey = atmel_des_setkey,
- .encrypt = atmel_tdes_cfb32_encrypt,
- .decrypt = atmel_tdes_cfb32_decrypt,
-},
-{
- .base.cra_name = "ofb(des)",
- .base.cra_driver_name = "atmel-ofb-des",
- .base.cra_blocksize = 1,
- .base.cra_alignmask = 0x7,
-
- .min_keysize = DES_KEY_SIZE,
- .max_keysize = DES_KEY_SIZE,
- .ivsize = DES_BLOCK_SIZE,
- .setkey = atmel_des_setkey,
- .encrypt = atmel_tdes_ofb_encrypt,
- .decrypt = atmel_tdes_ofb_decrypt,
-},
{
.base.cra_name = "ecb(des3_ede)",
.base.cra_driver_name = "atmel-ecb-tdes",
@@ -1021,19 +843,6 @@ static struct skcipher_alg tdes_algs[] = {
.decrypt = atmel_tdes_cbc_decrypt,
.ivsize = DES_BLOCK_SIZE,
},
-{
- .base.cra_name = "ofb(des3_ede)",
- .base.cra_driver_name = "atmel-ofb-tdes",
- .base.cra_blocksize = DES_BLOCK_SIZE,
- .base.cra_alignmask = 0x7,
-
- .min_keysize = DES3_EDE_KEY_SIZE,
- .max_keysize = DES3_EDE_KEY_SIZE,
- .setkey = atmel_tdes_setkey,
- .encrypt = atmel_tdes_ofb_encrypt,
- .decrypt = atmel_tdes_ofb_decrypt,
- .ivsize = DES_BLOCK_SIZE,
-},
};
static void atmel_tdes_queue_task(unsigned long data)
@@ -1121,14 +930,12 @@ static void atmel_tdes_get_cap(struct atmel_tdes_dev *dd)
{
dd->caps.has_dma = 0;
- dd->caps.has_cfb_3keys = 0;
/* keep only major version number */
switch (dd->hw_version & 0xf00) {
case 0x800:
case 0x700:
dd->caps.has_dma = 1;
- dd->caps.has_cfb_3keys = 1;
break;
case 0x600:
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 110/508] crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 109/508] crypto: atmel - Remove cfb and ofb Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 111/508] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs Greg Kroah-Hartman
` (399 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 2ffc1ef4e826f0c3274f9ff5eb42bc70a5571afd ]
Replace multiple for loops with calls to crypto_unregister_aeads(),
crypto_unregister_ahashes(), and crypto_unregister_skciphers().
Remove the definition of atmel_tdes_unregister_algs() because it is
equivalent to calling crypto_unregister_skciphers() directly, and the
function parameter 'struct atmel_tdes_dev *' is unused anyway.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 57a13941c0bb ("crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/atmel-aes.c | 17 ++++++-----------
drivers/crypto/atmel-sha.c | 27 ++++++++++-----------------
drivers/crypto/atmel-tdes.c | 25 ++++++-------------------
3 files changed, 22 insertions(+), 47 deletions(-)
diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index f023f27468c0d..9bd18825e1bf2 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2200,12 +2200,10 @@ static irqreturn_t atmel_aes_irq(int irq, void *dev_id)
static void atmel_aes_unregister_algs(struct atmel_aes_dev *dd)
{
- int i;
-
#if IS_ENABLED(CONFIG_CRYPTO_DEV_ATMEL_AUTHENC)
if (dd->caps.has_authenc)
- for (i = 0; i < ARRAY_SIZE(aes_authenc_algs); i++)
- crypto_unregister_aead(&aes_authenc_algs[i]);
+ crypto_unregister_aeads(aes_authenc_algs,
+ ARRAY_SIZE(aes_authenc_algs));
#endif
if (dd->caps.has_xts)
@@ -2214,8 +2212,7 @@ static void atmel_aes_unregister_algs(struct atmel_aes_dev *dd)
if (dd->caps.has_gcm)
crypto_unregister_aead(&aes_gcm_alg);
- for (i = 0; i < ARRAY_SIZE(aes_algs); i++)
- crypto_unregister_skcipher(&aes_algs[i]);
+ crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
}
static void atmel_aes_crypto_alg_init(struct crypto_alg *alg)
@@ -2228,7 +2225,7 @@ static void atmel_aes_crypto_alg_init(struct crypto_alg *alg)
static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
{
- int err, i, j;
+ int err, i;
for (i = 0; i < ARRAY_SIZE(aes_algs); i++) {
atmel_aes_crypto_alg_init(&aes_algs[i].base);
@@ -2271,8 +2268,7 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
#if IS_ENABLED(CONFIG_CRYPTO_DEV_ATMEL_AUTHENC)
/* i = ARRAY_SIZE(aes_authenc_algs); */
err_aes_authenc_alg:
- for (j = 0; j < i; j++)
- crypto_unregister_aead(&aes_authenc_algs[j]);
+ crypto_unregister_aeads(aes_authenc_algs, i);
crypto_unregister_skcipher(&aes_xts_alg);
#endif
err_aes_xts_alg:
@@ -2280,8 +2276,7 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
err_aes_gcm_alg:
i = ARRAY_SIZE(aes_algs);
err_aes_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_skcipher(&aes_algs[j]);
+ crypto_unregister_skciphers(aes_algs, i);
return err;
}
diff --git a/drivers/crypto/atmel-sha.c b/drivers/crypto/atmel-sha.c
index 3622120add625..d32fb4e770119 100644
--- a/drivers/crypto/atmel-sha.c
+++ b/drivers/crypto/atmel-sha.c
@@ -2418,27 +2418,23 @@ EXPORT_SYMBOL_GPL(atmel_sha_authenc_abort);
static void atmel_sha_unregister_algs(struct atmel_sha_dev *dd)
{
- int i;
-
if (dd->caps.has_hmac)
- for (i = 0; i < ARRAY_SIZE(sha_hmac_algs); i++)
- crypto_unregister_ahash(&sha_hmac_algs[i]);
+ crypto_unregister_ahashes(sha_hmac_algs,
+ ARRAY_SIZE(sha_hmac_algs));
- for (i = 0; i < ARRAY_SIZE(sha_1_256_algs); i++)
- crypto_unregister_ahash(&sha_1_256_algs[i]);
+ crypto_unregister_ahashes(sha_1_256_algs, ARRAY_SIZE(sha_1_256_algs));
if (dd->caps.has_sha224)
crypto_unregister_ahash(&sha_224_alg);
- if (dd->caps.has_sha_384_512) {
- for (i = 0; i < ARRAY_SIZE(sha_384_512_algs); i++)
- crypto_unregister_ahash(&sha_384_512_algs[i]);
- }
+ if (dd->caps.has_sha_384_512)
+ crypto_unregister_ahashes(sha_384_512_algs,
+ ARRAY_SIZE(sha_384_512_algs));
}
static int atmel_sha_register_algs(struct atmel_sha_dev *dd)
{
- int err, i, j;
+ int err, i;
for (i = 0; i < ARRAY_SIZE(sha_1_256_algs); i++) {
atmel_sha_alg_init(&sha_1_256_algs[i]);
@@ -2480,18 +2476,15 @@ static int atmel_sha_register_algs(struct atmel_sha_dev *dd)
/*i = ARRAY_SIZE(sha_hmac_algs);*/
err_sha_hmac_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_ahash(&sha_hmac_algs[j]);
+ crypto_unregister_ahashes(sha_hmac_algs, i);
i = ARRAY_SIZE(sha_384_512_algs);
err_sha_384_512_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_ahash(&sha_384_512_algs[j]);
+ crypto_unregister_ahashes(sha_384_512_algs, i);
crypto_unregister_ahash(&sha_224_alg);
err_sha_224_algs:
i = ARRAY_SIZE(sha_1_256_algs);
err_sha_1_256_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_ahash(&sha_1_256_algs[j]);
+ crypto_unregister_ahashes(sha_1_256_algs, i);
return err;
}
diff --git a/drivers/crypto/atmel-tdes.c b/drivers/crypto/atmel-tdes.c
index 48888b2ff7936..0bf485f350c8f 100644
--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -897,38 +897,25 @@ static irqreturn_t atmel_tdes_irq(int irq, void *dev_id)
return IRQ_NONE;
}
-static void atmel_tdes_unregister_algs(struct atmel_tdes_dev *dd)
-{
- int i;
-
- for (i = 0; i < ARRAY_SIZE(tdes_algs); i++)
- crypto_unregister_skcipher(&tdes_algs[i]);
-}
-
static int atmel_tdes_register_algs(struct atmel_tdes_dev *dd)
{
- int err, i, j;
+ int err, i;
for (i = 0; i < ARRAY_SIZE(tdes_algs); i++) {
atmel_tdes_skcipher_alg_init(&tdes_algs[i]);
err = crypto_register_skcipher(&tdes_algs[i]);
- if (err)
- goto err_tdes_algs;
+ if (err) {
+ crypto_unregister_skciphers(tdes_algs, i);
+ return err;
+ }
}
return 0;
-
-err_tdes_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_skcipher(&tdes_algs[j]);
-
- return err;
}
static void atmel_tdes_get_cap(struct atmel_tdes_dev *dd)
{
-
dd->caps.has_dma = 0;
/* keep only major version number */
@@ -1061,7 +1048,7 @@ static int atmel_tdes_remove(struct platform_device *pdev)
list_del(&tdes_dd->list);
spin_unlock(&atmel_tdes.lock);
- atmel_tdes_unregister_algs(tdes_dd);
+ crypto_unregister_skciphers(tdes_algs, ARRAY_SIZE(tdes_algs));
tasklet_kill(&tdes_dd->done_task);
tasklet_kill(&tdes_dd->queue_task);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 111/508] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 110/508] crypto: atmel - Use unregister_{aeads,ahashes,skciphers} Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 112/508] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
` (398 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 57a13941c0bb06ae24e3b34672d7b6f2172b253f ]
Ensure the device supports XTS and GCM with 'has_xts' and 'has_gcm'
before unregistering algorithms when XTS or authenc registration fails,
which would trigger a WARN in crypto_unregister_alg().
Currently, with the capabilities defined in atmel_aes_get_cap(), this
bug cannot happen because all devices that support XTS and authenc also
support GCM, but the error handling should still be correct regardless
of hardware capabilities.
Fixes: d52db5188a87 ("crypto: atmel-aes - add support to the XTS mode")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/atmel-aes.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 9bd18825e1bf2..3402cf3f017f1 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2269,10 +2269,12 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
/* i = ARRAY_SIZE(aes_authenc_algs); */
err_aes_authenc_alg:
crypto_unregister_aeads(aes_authenc_algs, i);
- crypto_unregister_skcipher(&aes_xts_alg);
+ if (dd->caps.has_xts)
+ crypto_unregister_skcipher(&aes_xts_alg);
#endif
err_aes_xts_alg:
- crypto_unregister_aead(&aes_gcm_alg);
+ if (dd->caps.has_gcm)
+ crypto_unregister_aead(&aes_gcm_alg);
err_aes_gcm_alg:
i = ARRAY_SIZE(aes_algs);
err_aes_algs:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 112/508] padata: Remove cpu online check from cpu add and removal
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 111/508] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 113/508] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
` (397 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuyi Zhou, Daniel Jordan,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuyi Zhou <zhouchuyi@bytedance.com>
[ Upstream commit 73117ea6470dca787f70f33c001f9faf437a1c0b ]
During the CPU offline process, the dying CPU is cleared from the
cpu_online_mask in takedown_cpu(). After this step, various CPUHP_*_DEAD
callbacks are executed to perform cleanup jobs for the dead CPU, so this
cpu online check in padata_cpu_dead() is unnecessary.
Similarly, when executing padata_cpu_online() during the
CPUHP_AP_ONLINE_DYN phase, the CPU has already been set in the
cpu_online_mask, the action even occurs earlier than the
CPUHP_AP_ONLINE_IDLE stage.
Remove this unnecessary cpu online check in __padata_add_cpu() and
__padata_remove_cpu().
Signed-off-by: Chuyi Zhou <zhouchuyi@bytedance.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: c8c4a2972f83 ("padata: Put CPU offline callback in ONLINE section to allow failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 26 ++++++++------------------
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 44ea75bfd8681..4fd48905c60df 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -745,32 +745,22 @@ EXPORT_SYMBOL(padata_set_cpumask);
static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
{
- int err = 0;
-
- if (cpumask_test_cpu(cpu, cpu_online_mask)) {
- err = padata_replace(pinst);
+ int err = padata_replace(pinst);
- if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
- padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_start(pinst);
- }
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_start(pinst);
return err;
}
static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
{
- int err = 0;
-
- if (!cpumask_test_cpu(cpu, cpu_online_mask)) {
- if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
- !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_stop(pinst);
-
- err = padata_replace(pinst);
- }
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_stop(pinst);
- return err;
+ return padata_replace(pinst);
}
static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 113/508] padata: Put CPU offline callback in ONLINE section to allow failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 112/508] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 114/508] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
` (396 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+123e1b70473ce213f3af,
Daniel Jordan, Herbert Xu, Sasha Levin, Thomas Gleixner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jordan <daniel.m.jordan@oracle.com>
[ Upstream commit c8c4a2972f83c8b68ff03b43cecdb898939ff851 ]
syzbot reported the following warning:
DEAD callback error for CPU1
WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614
at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux")
which tglx traced to padata_cpu_dead() given it's the only
sub-CPUHP_TEARDOWN_CPU callback that returns an error.
Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU
so move the CPU offline callback to the ONLINE section where failure is
possible.
Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline")
Reported-by: syzbot+123e1b70473ce213f3af@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69af0a05.050a0220.310d8.002f.GAE@google.com/
Debugged-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/cpuhotplug.h | 1 -
include/linux/padata.h | 8 +--
kernel/padata.c | 120 +++++++++++++++++++------------------
3 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index 624d4a38c358a..72070333026b9 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -98,7 +98,6 @@ enum cpuhp_state {
CPUHP_IOMMU_IOVA_DEAD,
CPUHP_LUSTRE_CFS_DEAD,
CPUHP_AP_ARM_CACHE_B15_RAC_DEAD,
- CPUHP_PADATA_DEAD,
CPUHP_AP_DTPM_CPU_DEAD,
CPUHP_RANDOM_PREPARE,
CPUHP_WORKQUEUE_PREP,
diff --git a/include/linux/padata.h b/include/linux/padata.h
index 6f07e12a43819..72f5899cc7a95 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -147,23 +147,23 @@ struct padata_mt_job {
/**
* struct padata_instance - The overall control structure.
*
- * @cpu_online_node: Linkage for CPU online callback.
- * @cpu_dead_node: Linkage for CPU offline callback.
+ * @cpuhp_node: Linkage for CPU hotplug callbacks.
* @parallel_wq: The workqueue used for parallel work.
* @serial_wq: The workqueue used for serial work.
* @pslist: List of padata_shell objects attached to this instance.
* @cpumask: User supplied cpumasks for parallel and serial works.
+ * @validate_cpumask: Internal cpumask used to validate @cpumask during hotplug.
* @kobj: padata instance kernel object.
* @lock: padata instance lock.
* @flags: padata flags.
*/
struct padata_instance {
- struct hlist_node cpu_online_node;
- struct hlist_node cpu_dead_node;
+ struct hlist_node cpuhp_node;
struct workqueue_struct *parallel_wq;
struct workqueue_struct *serial_wq;
struct list_head pslist;
struct padata_cpumask cpumask;
+ cpumask_var_t validate_cpumask;
struct kobject kobj;
struct mutex lock;
u8 flags;
diff --git a/kernel/padata.c b/kernel/padata.c
index 4fd48905c60df..9e4037a0fd334 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -548,7 +548,8 @@ static void padata_init_reorder_list(struct parallel_data *pd)
}
/* Allocate and initialize the internal cpumask dependend resources. */
-static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
+static struct parallel_data *padata_alloc_pd(struct padata_shell *ps,
+ int offlining_cpu)
{
struct padata_instance *pinst = ps->pinst;
struct parallel_data *pd;
@@ -574,6 +575,10 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
cpumask_and(pd->cpumask.pcpu, pinst->cpumask.pcpu, cpu_online_mask);
cpumask_and(pd->cpumask.cbcpu, pinst->cpumask.cbcpu, cpu_online_mask);
+ if (offlining_cpu >= 0) {
+ __cpumask_clear_cpu(offlining_cpu, pd->cpumask.pcpu);
+ __cpumask_clear_cpu(offlining_cpu, pd->cpumask.cbcpu);
+ }
padata_init_reorder_list(pd);
padata_init_squeues(pd);
@@ -620,11 +625,11 @@ static void __padata_stop(struct padata_instance *pinst)
}
/* Replace the internal control structure with a new one. */
-static int padata_replace_one(struct padata_shell *ps)
+static int padata_replace_one(struct padata_shell *ps, int offlining_cpu)
{
struct parallel_data *pd_new;
- pd_new = padata_alloc_pd(ps);
+ pd_new = padata_alloc_pd(ps, offlining_cpu);
if (!pd_new)
return -ENOMEM;
@@ -634,7 +639,7 @@ static int padata_replace_one(struct padata_shell *ps)
return 0;
}
-static int padata_replace(struct padata_instance *pinst)
+static int padata_replace(struct padata_instance *pinst, int offlining_cpu)
{
struct padata_shell *ps;
int err = 0;
@@ -642,7 +647,7 @@ static int padata_replace(struct padata_instance *pinst)
pinst->flags |= PADATA_RESET;
list_for_each_entry(ps, &pinst->pslist, list) {
- err = padata_replace_one(ps);
+ err = padata_replace_one(ps, offlining_cpu);
if (err)
break;
}
@@ -659,9 +664,21 @@ static int padata_replace(struct padata_instance *pinst)
/* If cpumask contains no active cpu, we mark the instance as invalid. */
static bool padata_validate_cpumask(struct padata_instance *pinst,
- const struct cpumask *cpumask)
+ const struct cpumask *cpumask,
+ int offlining_cpu)
{
- if (!cpumask_intersects(cpumask, cpu_online_mask)) {
+ cpumask_copy(pinst->validate_cpumask, cpu_online_mask);
+
+ /*
+ * @offlining_cpu is still in cpu_online_mask, so remove it here for
+ * validation. Using a sub-CPUHP_TEARDOWN_CPU hotplug state where
+ * @offlining_cpu wouldn't be in the online mask doesn't work because
+ * padata_cpu_offline() can fail but such a state doesn't allow failure.
+ */
+ if (offlining_cpu >= 0)
+ __cpumask_clear_cpu(offlining_cpu, pinst->validate_cpumask);
+
+ if (!cpumask_intersects(cpumask, pinst->validate_cpumask)) {
pinst->flags |= PADATA_INVALID;
return false;
}
@@ -677,13 +694,13 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
int valid;
int err;
- valid = padata_validate_cpumask(pinst, pcpumask);
+ valid = padata_validate_cpumask(pinst, pcpumask, -1);
if (!valid) {
__padata_stop(pinst);
goto out_replace;
}
- valid = padata_validate_cpumask(pinst, cbcpumask);
+ valid = padata_validate_cpumask(pinst, cbcpumask, -1);
if (!valid)
__padata_stop(pinst);
@@ -691,7 +708,7 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
cpumask_copy(pinst->cpumask.pcpu, pcpumask);
cpumask_copy(pinst->cpumask.cbcpu, cbcpumask);
- err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst);
+ err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst, -1);
if (valid)
__padata_start(pinst);
@@ -743,26 +760,6 @@ EXPORT_SYMBOL(padata_set_cpumask);
#ifdef CONFIG_HOTPLUG_CPU
-static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
-{
- int err = padata_replace(pinst);
-
- if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
- padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_start(pinst);
-
- return err;
-}
-
-static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
-{
- if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
- !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_stop(pinst);
-
- return padata_replace(pinst);
-}
-
static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
{
return cpumask_test_cpu(cpu, pinst->cpumask.pcpu) ||
@@ -774,27 +771,39 @@ static int padata_cpu_online(unsigned int cpu, struct hlist_node *node)
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpuhp_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
mutex_lock(&pinst->lock);
- ret = __padata_add_cpu(pinst, cpu);
+
+ ret = padata_replace(pinst, -1);
+
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu, -1) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu, -1))
+ __padata_start(pinst);
+
mutex_unlock(&pinst->lock);
return ret;
}
-static int padata_cpu_dead(unsigned int cpu, struct hlist_node *node)
+static int padata_cpu_offline(unsigned int cpu, struct hlist_node *node)
{
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpuhp_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
mutex_lock(&pinst->lock);
- ret = __padata_remove_cpu(pinst, cpu);
+
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu, cpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu, cpu))
+ __padata_stop(pinst);
+
+ ret = padata_replace(pinst, cpu);
+
mutex_unlock(&pinst->lock);
return ret;
}
@@ -805,15 +814,14 @@ static enum cpuhp_state hp_online;
static void __padata_free(struct padata_instance *pinst)
{
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD,
- &pinst->cpu_dead_node);
- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node);
+ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpuhp_node);
#endif
WARN_ON(!list_empty(&pinst->pslist));
free_cpumask_var(pinst->cpumask.pcpu);
free_cpumask_var(pinst->cpumask.cbcpu);
+ free_cpumask_var(pinst->validate_cpumask);
destroy_workqueue(pinst->serial_wq);
destroy_workqueue(pinst->parallel_wq);
kfree(pinst);
@@ -973,10 +981,10 @@ struct padata_instance *padata_alloc(const char *name)
if (!alloc_cpumask_var(&pinst->cpumask.pcpu, GFP_KERNEL))
goto err_free_serial_wq;
- if (!alloc_cpumask_var(&pinst->cpumask.cbcpu, GFP_KERNEL)) {
- free_cpumask_var(pinst->cpumask.pcpu);
- goto err_free_serial_wq;
- }
+ if (!alloc_cpumask_var(&pinst->cpumask.cbcpu, GFP_KERNEL))
+ goto err_free_p_mask;
+ if (!alloc_cpumask_var(&pinst->validate_cpumask, GFP_KERNEL))
+ goto err_free_cb_mask;
INIT_LIST_HEAD(&pinst->pslist);
@@ -984,7 +992,7 @@ struct padata_instance *padata_alloc(const char *name)
cpumask_copy(pinst->cpumask.cbcpu, cpu_possible_mask);
if (padata_setup_cpumasks(pinst))
- goto err_free_masks;
+ goto err_free_v_mask;
__padata_start(pinst);
@@ -993,18 +1001,19 @@ struct padata_instance *padata_alloc(const char *name)
#ifdef CONFIG_HOTPLUG_CPU
cpuhp_state_add_instance_nocalls_cpuslocked(hp_online,
- &pinst->cpu_online_node);
- cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD,
- &pinst->cpu_dead_node);
+ &pinst->cpuhp_node);
#endif
cpus_read_unlock();
return pinst;
-err_free_masks:
- free_cpumask_var(pinst->cpumask.pcpu);
+err_free_v_mask:
+ free_cpumask_var(pinst->validate_cpumask);
+err_free_cb_mask:
free_cpumask_var(pinst->cpumask.cbcpu);
+err_free_p_mask:
+ free_cpumask_var(pinst->cpumask.pcpu);
err_free_serial_wq:
destroy_workqueue(pinst->serial_wq);
err_put_cpus:
@@ -1047,7 +1056,7 @@ struct padata_shell *padata_alloc_shell(struct padata_instance *pinst)
ps->pinst = pinst;
cpus_read_lock();
- pd = padata_alloc_pd(ps);
+ pd = padata_alloc_pd(ps, -1);
cpus_read_unlock();
if (!pd)
@@ -1096,32 +1105,25 @@ void __init padata_init(void)
int ret;
ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN, "padata:online",
- padata_cpu_online, NULL);
+ padata_cpu_online, padata_cpu_offline);
if (ret < 0)
goto err;
hp_online = ret;
-
- ret = cpuhp_setup_state_multi(CPUHP_PADATA_DEAD, "padata:dead",
- NULL, padata_cpu_dead);
- if (ret < 0)
- goto remove_online_state;
#endif
possible_cpus = num_possible_cpus();
padata_works = kmalloc_array(possible_cpus, sizeof(struct padata_work),
GFP_KERNEL);
if (!padata_works)
- goto remove_dead_state;
+ goto remove_online_state;
for (i = 0; i < possible_cpus; ++i)
list_add(&padata_works[i].pw_list, &padata_free_works);
return;
-remove_dead_state:
-#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_remove_multi_state(CPUHP_PADATA_DEAD);
remove_online_state:
+#ifdef CONFIG_HOTPLUG_CPU
cpuhp_remove_multi_state(hp_online);
err:
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 114/508] drm/amdgpu/gfx10: look at the right prop for gfx queue priority
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 113/508] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 115/508] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
` (395 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 355d96cdec5c61fd83f7eb54f1a28e38809645d6 ]
Look at hqd_queue_priority rather than hqd_pipe_priority.
In practice, it didn't matter as both were always set for
kernel queues, but that will change in the future.
Fixes: b07d1d73b09e ("drm/amd/amdgpu: Enable high priority gfx queue")
Reviewed-by:Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
index 1c29b4d04a2ca..afa9eb7050751 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
@@ -6338,7 +6338,7 @@ static void gfx_v10_0_gfx_mqd_set_priority(struct amdgpu_device *adev,
/* set up default queue priority level
* 0x0 = low priority, 0x1 = high priority
*/
- if (prop->hqd_pipe_priority == AMDGPU_GFX_PIPE_PRIO_HIGH)
+ if (prop->hqd_queue_priority == AMDGPU_GFX_QUEUE_PRIORITY_MAXIMUM)
priority = 1;
tmp = RREG32_SOC15(GC, 0, mmCP_GFX_HQD_QUEUE_PRIORITY);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 115/508] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 114/508] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 116/508] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
` (394 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit 9f61daf2c2debe9f5cf4e1a4471e56a89a6fe45a ]
The hisi_spi_flush_fifo()'s inner while loop that lacks any timeout
mechanism. Maybe the hardware never becomes empty, the loop will spin
forever, causing the CPU to hang.
Fix this by adding a inner_limit based on loops_per_jiffy. The inner loop
now exits after approximately one jiffy if the FIFO remains non-empty, logs
a ratelimited warning, and breaks out of the outer loop. Additionally, add
a cpu_relax() inside the busy loop to improve power efficiency.
Fixes: c770d8631e18 ("spi: Add HiSilicon SPI Controller Driver for Kunpeng SoCs")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/d834ce28172886bfaeb9c8ca00cfd9bf1c65d5a1.1773889292.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-hisi-kunpeng.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c
index f0a50f40a3ba1..77526f7940688 100644
--- a/drivers/spi/spi-hisi-kunpeng.c
+++ b/drivers/spi/spi-hisi-kunpeng.c
@@ -196,8 +196,18 @@ static void hisi_spi_flush_fifo(struct hisi_spi *hs)
unsigned long limit = loops_per_jiffy << 1;
do {
- while (hisi_spi_rx_not_empty(hs))
+ unsigned long inner_limit = loops_per_jiffy;
+
+ while (hisi_spi_rx_not_empty(hs) && --inner_limit) {
readl(hs->regs + HISI_SPI_DOUT);
+ cpu_relax();
+ }
+
+ if (!inner_limit) {
+ dev_warn_ratelimited(hs->dev, "RX FIFO flush timeout\n");
+ break;
+ }
+
} while (hisi_spi_busy(hs) && limit--);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 116/508] drm/msm/dpu: fix mismatch between power and frequency
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 115/508] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 117/508] drm/msm/dsi: add the missing parameter description Greg Kroah-Hartman
` (393 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuanjie Yang, Konrad Dybcio,
Dmitry Baryshkov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
[ Upstream commit bc1dccc518cc5ab5140fba06c27e7188e0ed342b ]
During DPU runtime suspend, calling dev_pm_opp_set_rate(dev, 0) drops
the MMCX rail to MIN_SVS while the core clock frequency remains at its
original (highest) rate. When runtime resume re-enables the clock, this
may result in a mismatch between the rail voltage and the clock rate.
For example, in the DPU bind path, the sequence could be:
cpu0: dev_sync_state -> rpmhpd_sync_state
cpu1: dpu_kms_hw_init
timeline 0 ------------------------------------------------> t
After rpmhpd_sync_state, the voltage performance is no longer guaranteed
to stay at the highest level. During dpu_kms_hw_init, calling
dev_pm_opp_set_rate(dev, 0) drops the voltage, causing the MMCX rail to
fall to MIN_SVS while the core clock is still at its maximum frequency.
When the power is re-enabled, only the clock is enabled, leading to a
situation where the MMCX rail is at MIN_SVS but the core clock is at its
highest rate. In this state, the rail cannot sustain the clock rate,
which may cause instability or system crash.
Remove the call to dev_pm_opp_set_rate(dev, 0) from dpu_runtime_suspend
to ensure the correct vote is restored when DPU resumes.
Fixes: b0530eb11913 ("drm/msm/dpu: Use OPP API to set clk/perf state")
Signed-off-by: Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/710077/
Link: https://lore.kernel.org/r/20260309063720.13572-1-yuanjie.yang@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
index 6ba289e04b3b2..4d93b5f78893e 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
@@ -1316,8 +1316,6 @@ static int __maybe_unused dpu_runtime_suspend(struct device *dev)
struct msm_drm_private *priv = platform_get_drvdata(pdev);
struct dpu_kms *dpu_kms = to_dpu_kms(priv->kms);
- /* Drop the performance state vote */
- dev_pm_opp_set_rate(dev, 0);
clk_bulk_disable_unprepare(dpu_kms->num_clocks, dpu_kms->clocks);
for (i = 0; i < dpu_kms->num_paths; i++)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 117/508] drm/msm/dsi: add the missing parameter description
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.6 116/508] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 118/508] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
` (392 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Pengyu Luo,
Dmitry Baryshkov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit 958adefc4c0fddee3b12269da5dd7cb49bac953f ]
Add a description for is_bonded_dsi in dsi_adjust_pclk_for_compression
to match the existing kernel-doc comment.
Fixes: e4eb11b34d6c ("drm/msm/dsi: fix pclk rate calculation for bonded dsi")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603080314.XeqyRZ7A-lkp@intel.com/
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/710112/
Link: https://lore.kernel.org/r/20260309100254.877801-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 6077331deba97..771ac34561037 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -533,6 +533,7 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host)
* dsi_adjust_pclk_for_compression() - Adjust the pclk rate for compression case
* @mode: The selected mode for the DSI output
* @dsc: DRM DSC configuration for this DSI output
+ * @is_bonded_dsi: True if two DSI controllers are bonded
*
* Adjust the pclk rate by calculating a new hdisplay proportional to
* the compression ratio such that:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 118/508] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 117/508] drm/msm/dsi: add the missing parameter description Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 119/508] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first Greg Kroah-Hartman
` (391 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Alexander Koskovich, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <akoskovich@pm.me>
[ Upstream commit 913a709dea0eff9c7b2e9470f8c8594b9a0114ab ]
The MSM8998 DSI controller is v2.0.0 as stated in commit 7b8c9e203039
("drm/msm/dsi: Add support for MSM8998 DSI controller"). The value was
always correct just the name was wrong.
Rename and reorder to maintain version sorting.
Fixes: 7b8c9e203039 ("drm/msm/dsi: Add support for MSM8998 DSI controller")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Patchwork: https://patchwork.freedesktop.org/patch/713717/
Link: https://lore.kernel.org/r/20260324-dsi-rgb101010-support-v5-3-ff6afc904115@pm.me
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_cfg.c | 4 ++--
drivers/gpu/drm/msm/dsi/dsi_cfg.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
index 1f98ff74ceb09..39940685681b9 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
@@ -263,10 +263,10 @@ static const struct msm_dsi_cfg_handler dsi_cfg_handlers[] = {
&msm8996_dsi_cfg, &msm_dsi_6g_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V1_4_2,
&msm8976_dsi_cfg, &msm_dsi_6g_host_ops},
+ {MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_0_0,
+ &msm8998_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_1_0,
&sdm660_dsi_cfg, &msm_dsi_6g_v2_host_ops},
- {MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_2_0,
- &msm8998_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_2_1,
&sdm845_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_3_0,
diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.h b/drivers/gpu/drm/msm/dsi/dsi_cfg.h
index 43f0dd74edb65..32eff45744624 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.h
+++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.h
@@ -19,8 +19,8 @@
#define MSM_DSI_6G_VER_MINOR_V1_3_1 0x10030001
#define MSM_DSI_6G_VER_MINOR_V1_4_1 0x10040001
#define MSM_DSI_6G_VER_MINOR_V1_4_2 0x10040002
+#define MSM_DSI_6G_VER_MINOR_V2_0_0 0x20000000
#define MSM_DSI_6G_VER_MINOR_V2_1_0 0x20010000
-#define MSM_DSI_6G_VER_MINOR_V2_2_0 0x20000000
#define MSM_DSI_6G_VER_MINOR_V2_2_1 0x20020001
#define MSM_DSI_6G_VER_MINOR_V2_3_0 0x20030000
#define MSM_DSI_6G_VER_MINOR_V2_4_0 0x20040000
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 119/508] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 118/508] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 120/508] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
` (390 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Douglas Anderson,
Neil Armstrong, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit c222177d7c7e1b2e0433d9e47ec2da7015345d50 ]
The DSI link must be powered up to let panel driver to talk to the panel
during prepare() callback execution. Set the prepare_prev_first flag to
guarantee this.
Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260323-panel-fix-v1-1-9f12b09161e8@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
index 855e64444daa6..58f201720e699 100644
--- a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
+++ b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
@@ -224,6 +224,7 @@ static int sharp_nt_panel_add(struct sharp_nt_panel *sharp_nt)
drm_panel_init(&sharp_nt->base, &sharp_nt->dsi->dev,
&sharp_nt_panel_funcs, DRM_MODE_CONNECTOR_DSI);
+ sharp_nt->base.prepare_prev_first = true;
ret = drm_panel_of_backlight(&sharp_nt->base);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 120/508] drm/panel: simple: Correct G190EAN01 prepare timing
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 119/508] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 121/508] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
` (389 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Ian Ray,
Neil Armstrong, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit f1080f82570b797598c1ba7e9c800ae9e94aafc6 ]
The prepare timing specified by the G190EAN01 datasheet should be
between 30 and 50 ms. Considering it might take some time for the
LVDS encoder to enable the signal, we should only wait the min.
required time in the panel driver and not the max. allowed time.
Fixes: 2f7b832fc992 ("drm/panel: simple: Add support for AUO G190EAN01 panel")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260217142528.68613-1-ian.ray@gehealthcare.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-simple.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index 8a94eee57d943..7620ac20393b7 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -1157,7 +1157,7 @@ static const struct panel_desc auo_g190ean01 = {
.height = 301,
},
.delay = {
- .prepare = 50,
+ .prepare = 30,
.enable = 200,
.disable = 110,
.unprepare = 1000,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 121/508] ALSA: core: Validate compress device numbers without dynamic minors
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 120/508] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 122/508] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
` (388 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 796e119e9b14763be905ad0d023c71a14bc2e931 ]
Without CONFIG_SND_DYNAMIC_MINORS, ALSA reserves only two fixed minors
for compress devices on each card: comprD0 and comprD1.
snd_find_free_minor() currently computes the compress minor as
type + dev without validating dev first, so device numbers greater than
1 spill into the HWDEP minor range instead of failing registration.
ASoC passes rtd->id to snd_compress_new(), so this can happen on real
non-dynamic-minor builds.
Add a dedicated fixed-minor check for SNDRV_DEVICE_TYPE_COMPRESS in
snd_find_free_minor() and reject out-of-range device numbers with
-EINVAL before constructing the minor.
Also remove the stale TODO in compress_offload.c that still claims
multiple compress nodes are missing.
Fixes: 3eafc959b32f ("ALSA: core: add support for compressed devices")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260325-alsa-compress-static-minors-v1-1-0628573bee1c@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/compress_offload.c | 7 -------
sound/core/sound.c | 7 +++++++
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 619371aa9964d..8545c7bbc58e3 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -40,13 +40,6 @@
#define COMPR_CODEC_CAPS_OVERFLOW
#endif
-/* TODO:
- * - add substream support for multiple devices in case of
- * SND_DYNAMIC_MINORS is not used
- * - Multiple node representation
- * driver should be able to register multiple nodes
- */
-
struct snd_compr_file {
unsigned long caps;
struct snd_compr_stream stream;
diff --git a/sound/core/sound.c b/sound/core/sound.c
index df5571d986295..f3bb0adf37cce 100644
--- a/sound/core/sound.c
+++ b/sound/core/sound.c
@@ -219,9 +219,16 @@ static int snd_find_free_minor(int type, struct snd_card *card, int dev)
case SNDRV_DEVICE_TYPE_RAWMIDI:
case SNDRV_DEVICE_TYPE_PCM_PLAYBACK:
case SNDRV_DEVICE_TYPE_PCM_CAPTURE:
+ if (snd_BUG_ON(!card))
+ return -EINVAL;
+ minor = SNDRV_MINOR(card->number, type + dev);
+ break;
case SNDRV_DEVICE_TYPE_COMPRESS:
if (snd_BUG_ON(!card))
return -EINVAL;
+ if (dev < 0 ||
+ dev >= SNDRV_MINOR_HWDEP - SNDRV_MINOR_COMPRESS)
+ return -EINVAL;
minor = SNDRV_MINOR(card->number, type + dev);
break;
default:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 122/508] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 121/508] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 123/508] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
` (387 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 894f0d34d66cb47fe718fe2ae5c18729d22c5218 ]
When MCLK DPM is disabled for any reason, populate the MCLK
table with the highest MCLK DPM level, so that the ASIC can
use the highest possible memory clock to get good performance
even when MCLK DPM is disabled.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 23f991dd065f3..fa9ab4144d308 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1322,6 +1322,14 @@ static int ci_populate_all_memory_levels(struct pp_hwmgr *hwmgr)
return result;
}
+ if (data->mclk_dpm_key_disabled && dpm_table->mclk_table.count) {
+ /* Populate the table with the highest MCLK level when MCLK DPM is disabled */
+ for (i = 0; i < dpm_table->mclk_table.count - 1; i++) {
+ levels[i] = levels[dpm_table->mclk_table.count - 1];
+ levels[i].DisplayWatermark = PPSMC_DISPLAY_WATERMARK_HIGH;
+ }
+ }
+
smu_data->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
dev_id = adev->pdev->device;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 123/508] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 122/508] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 124/508] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
` (386 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 9851f29cb06c09f7dad3867d8b0feec3fc71b6c8 ]
There are two known cases where MCLK DPM can causes issues:
Radeon R9 M380 found in iMac computers from 2015.
The SMU in this GPU just hangs as soon as we send it the
PPSMC_MSG_MCLKDPM_Enable command, even when MCLK switching is
disabled, and even when we only populate one MCLK DPM level.
Apply workaround to all devices with the same subsystem ID.
Radeon R7 260X due to old memory controller microcode.
We only flash the MC ucode when it isn't set up by the VBIOS,
therefore there is no way to make sure that it has the correct
ucode version.
I verified that this patch fixes the SMU hang on the R9 M380
which would previously fail to boot. This also fixes the UVD
initialization error on that GPU which happened because the
SMU couldn't ungate the UVD after it hung.
Fixes: 86457c3b21cb ("drm/amd/powerplay: Add support for CI asics to hwmgr")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
index 2b5ac21fee399..1d6e30269d567 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
@@ -104,6 +104,21 @@ int hwmgr_early_init(struct pp_hwmgr *hwmgr)
PP_GFXOFF_MASK);
hwmgr->pp_table_version = PP_TABLE_V0;
hwmgr->od_enabled = false;
+ switch (hwmgr->chip_id) {
+ case CHIP_BONAIRE:
+ /* R9 M380 in iMac 2015: SMU hangs when enabling MCLK DPM
+ * R7 260X cards with old MC ucode: MCLK DPM is unstable
+ */
+ if (adev->pdev->subsystem_vendor == 0x106B ||
+ adev->pdev->device == 0x6658) {
+ dev_info(adev->dev, "disabling MCLK DPM on quirky ASIC");
+ adev->pm.pp_feature &= ~PP_MCLK_DPM_MASK;
+ hwmgr->feature_mask &= ~PP_MCLK_DPM_MASK;
+ }
+ break;
+ default:
+ break;
+ }
smu7_init_function_pointers(hwmgr);
break;
case AMDGPU_FAMILY_CZ:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 124/508] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 123/508] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 125/508] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
` (385 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 0138610c14130425be53423b35336561829965e0 ]
The DCE (display controller engine) requires a minimum voltage
in order to function correctly, depending on which clock level
it currently uses.
Add a new table that contains display clock frequency levels
and the corresponding required voltages. The clock frequency
levels are taken from DC (and the old radeon driver's voltage
dependency table for CI in cases where its values were lower).
The voltage levels are taken from the following function:
phm_initializa_dynamic_state_adjustment_rule_settings().
Furthermore, in case of CI, call smu7_patch_vddc() on the new
table to account for leakage voltage (like in radeon).
Use the display clock value from amd_pp_display_configuration
to look up the voltage level needed by the DCE. Send the
voltage to the SMU via the PPSMC_MSG_VddC_Request command.
The previous implementation of this feature was non-functional
because it relied on a "dal_power_level" field which was never
assigned; and it was not at all implemented for CI ASICs.
I verified this on a Radeon R9 M380 which previously booted to
a black screen with DC enabled (default since Linux 6.19), but
now works correctly.
Fixes: 599a7e9fe1b6 ("drm/amd/powerplay: implement smu7 hwmgr to manager asics with smu ip version 7.")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 88 ++++++++++++++++++-
drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h | 1 +
2 files changed, 86 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 965ffcac17f86..9c2a2c46dea02 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -2802,6 +2802,10 @@ static int smu7_patch_dependency_tables_with_leakage(struct pp_hwmgr *hwmgr)
if (tmp)
return -EINVAL;
+ tmp = smu7_patch_vddc(hwmgr, hwmgr->dyn_state.vddc_dependency_on_display_clock);
+ if (tmp)
+ return -EINVAL;
+
tmp = smu7_patch_vce_vddc(hwmgr, hwmgr->dyn_state.vce_clock_voltage_dependency_table);
if (tmp)
return -EINVAL;
@@ -2885,6 +2889,8 @@ static int smu7_hwmgr_backend_fini(struct pp_hwmgr *hwmgr)
{
kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl);
hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;
+ kfree(hwmgr->dyn_state.vddc_dependency_on_display_clock);
+ hwmgr->dyn_state.vddc_dependency_on_display_clock = NULL;
kfree(hwmgr->backend);
hwmgr->backend = NULL;
@@ -2955,6 +2961,51 @@ static int smu7_update_edc_leakage_table(struct pp_hwmgr *hwmgr)
return ret;
}
+static int smu7_init_voltage_dependency_on_display_clock_table(struct pp_hwmgr *hwmgr)
+{
+ struct phm_clock_voltage_dependency_table *table;
+
+ if (!amdgpu_device_ip_get_ip_block(hwmgr->adev, AMD_IP_BLOCK_TYPE_DCE))
+ return 0;
+
+ table = kzalloc(struct_size(table, entries, 4), GFP_KERNEL);
+ if (!table)
+ return -ENOMEM;
+
+ if (hwmgr->chip_id >= CHIP_POLARIS10) {
+ table->entries[0].clk = 38918;
+ table->entries[1].clk = 45900;
+ table->entries[2].clk = 66700;
+ table->entries[3].clk = 113200;
+
+ table->entries[0].v = 700;
+ table->entries[1].v = 740;
+ table->entries[2].v = 800;
+ table->entries[3].v = 900;
+ } else {
+ if (hwmgr->chip_family == AMDGPU_FAMILY_CZ) {
+ table->entries[0].clk = 35200;
+ table->entries[1].clk = 35200;
+ table->entries[2].clk = 46700;
+ table->entries[3].clk = 64300;
+ } else {
+ table->entries[0].clk = 0;
+ table->entries[1].clk = 35200;
+ table->entries[2].clk = 54000;
+ table->entries[3].clk = 62500;
+ }
+
+ table->entries[0].v = 0;
+ table->entries[1].v = 720;
+ table->entries[2].v = 810;
+ table->entries[3].v = 900;
+ }
+
+ table->count = 4;
+ hwmgr->dyn_state.vddc_dependency_on_display_clock = table;
+ return 0;
+}
+
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
struct amdgpu_device *adev = hwmgr->adev;
@@ -2983,6 +3034,10 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
smu7_get_elb_voltages(hwmgr);
}
+ result = smu7_init_voltage_dependency_on_display_clock_table(hwmgr);
+ if (result)
+ goto fail;
+
if (hwmgr->pp_table_version == PP_TABLE_V1) {
smu7_complete_dependency_tables(hwmgr);
smu7_set_private_data_based_on_pptable_v1(hwmgr);
@@ -3079,13 +3134,40 @@ static int smu7_force_dpm_highest(struct pp_hwmgr *hwmgr)
return 0;
}
+static uint32_t smu7_lookup_vddc_from_dispclk(struct pp_hwmgr *hwmgr)
+{
+ const struct amd_pp_display_configuration *cfg = hwmgr->display_config;
+ const struct phm_clock_voltage_dependency_table *vddc_dep_on_dispclk =
+ hwmgr->dyn_state.vddc_dependency_on_display_clock;
+ uint32_t i;
+
+ if (!vddc_dep_on_dispclk || !vddc_dep_on_dispclk->count ||
+ !cfg || !cfg->num_display || !cfg->display_clk)
+ return 0;
+
+ /* Start from 1 because ClocksStateUltraLow should not be used according to DC. */
+ for (i = 1; i < vddc_dep_on_dispclk->count; ++i)
+ if (vddc_dep_on_dispclk->entries[i].clk >= cfg->display_clk)
+ return vddc_dep_on_dispclk->entries[i].v;
+
+ return vddc_dep_on_dispclk->entries[vddc_dep_on_dispclk->count - 1].v;
+}
+
+static void smu7_apply_minimum_dce_voltage_request(struct pp_hwmgr *hwmgr)
+{
+ uint32_t req_vddc = smu7_lookup_vddc_from_dispclk(hwmgr);
+
+ smum_send_msg_to_smc_with_parameter(hwmgr,
+ PPSMC_MSG_VddC_Request,
+ req_vddc * VOLTAGE_SCALE,
+ NULL);
+}
+
static int smu7_upload_dpm_level_enable_mask(struct pp_hwmgr *hwmgr)
{
struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
- if (hwmgr->pp_table_version == PP_TABLE_V1)
- phm_apply_dal_min_voltage_request(hwmgr);
-/* TO DO for v0 iceland and Ci*/
+ smu7_apply_minimum_dce_voltage_request(hwmgr);
if (!data->sclk_dpm_key_disabled) {
if (data->dpm_level_enable_mask.sclk_dpm_enable_mask)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
index 81650727a5def..6e7e6318b9505 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
@@ -632,6 +632,7 @@ struct phm_dynamic_state_info {
struct phm_clock_voltage_dependency_table *vddci_dependency_on_mclk;
struct phm_clock_voltage_dependency_table *vddc_dependency_on_mclk;
struct phm_clock_voltage_dependency_table *mvdd_dependency_on_mclk;
+ struct phm_clock_voltage_dependency_table *vddc_dependency_on_display_clock;
struct phm_clock_voltage_dependency_table *vddc_dep_on_dal_pwrl;
struct phm_clock_array *valid_sclk_values;
struct phm_clock_array *valid_mclk_values;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 125/508] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 124/508] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 126/508] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
` (384 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit d784759c07924280f3c313f205fc48eb62d7cb71 ]
There is no AMD GPU with the ID 0x66B0, this looks like a typo.
It should be 0x67B0 which is actually part of the PCI ID list,
and should use the Hawaii XT powertune defaults according to
the old radeon driver.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index fa9ab4144d308..b600a87fbb005 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -245,7 +245,7 @@ static void ci_initialize_power_tune_defaults(struct pp_hwmgr *hwmgr)
smu_data->power_tune_defaults = &defaults_hawaii_pro;
break;
case 0x67B8:
- case 0x66B0:
+ case 0x67B0:
smu_data->power_tune_defaults = &defaults_hawaii_xt;
break;
case 0x6640:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 126/508] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 125/508] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 127/508] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
` (383 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 5facfd4c4c67e8500116ffec0d9da35d92b9c787 ]
Follow what radeon did and what amdgpu does for other GPUs with SMU7.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index b600a87fbb005..4a0e8887fa74b 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1217,7 +1217,7 @@ static int ci_populate_single_memory_level(
}
memory_level->EnabledForThrottle = 1;
- memory_level->EnabledForActivity = 1;
+ memory_level->EnabledForActivity = 0;
memory_level->UpH = data->current_profile_setting.mclk_up_hyst;
memory_level->DownH = data->current_profile_setting.mclk_down_hyst;
memory_level->VoltageDownH = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 127/508] drm/amd/pm/ci: Fill DW8 fields from SMC
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 126/508] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 128/508] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
` (382 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit baf28ec5795c077406d6f52b8ad39e614153bce6 ]
In ci_populate_dw8() we currently just read a value from the SMU
and then throw it away. Instead of throwing away the value,
we should use it to fill other fields in DW8 (like radeon).
Otherwise the value of the other fiels is just cleared when
we copy this data to the SMU later.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 4a0e8887fa74b..741ebeb276b84 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -543,12 +543,11 @@ static int ci_populate_dw8(struct pp_hwmgr *hwmgr, uint32_t fuse_table_offset)
{
struct ci_smumgr *smu_data = (struct ci_smumgr *)(hwmgr->smu_backend);
const struct ci_pt_defaults *defaults = smu_data->power_tune_defaults;
- uint32_t temp;
if (ci_read_smc_sram_dword(hwmgr,
fuse_table_offset +
offsetof(SMU7_Discrete_PmFuses, TdcWaterfallCtl),
- (uint32_t *)&temp, SMC_RAM_END))
+ (uint32_t *)&smu_data->power_tune_table.TdcWaterfallCtl, SMC_RAM_END))
PP_ASSERT_WITH_CODE(false,
"Attempt to read PmFuses.DW6 (SviLoadLineEn) from SMC Failed!",
return -EINVAL);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 128/508] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 127/508] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 129/508] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
` (381 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 4724bc5b8d78c34b993594f9406135408ccb312a ]
On a specific Radeon R9 390X board, the GPU can "randomly" hang
while gaming. Initially I thought this was a RADV bug and tried
to work around this in Mesa:
commit 8ea08747b86b ("radv: Mitigate GPU hang on Hawaii in Dota 2 and RotTR")
However, I got some feedback from other users who are reporting
that the above mitigation causes a significant performance
regression for them, and they didn't experience the hang on their
GPU in the first place.
After some further investigation, it turns out that the problem
is that the highest SCLK DPM level on this board isn't stable.
Lowering SCLK to 1040 MHz (from 1070 MHz) works around the issue,
and has a negligible impact on performance compared to the Mesa
patch. (Note that increasing the voltage can also work around it,
but we felt that lowering the SCLK is the safer option.)
To solve the above issue, add an "sclk_cap" field to smu7_hwmgr
and set this field for the affected board. The capped SCLK value
correctly appears on the sysfs interface and shows up in GUI
tools such as LACT.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 30 ++++++++++++++++---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h | 1 +
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 9c2a2c46dea02..9dc01de3e7207 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -787,7 +787,7 @@ static int smu7_setup_dpm_tables_v0(struct pp_hwmgr *hwmgr)
hwmgr->dyn_state.vddc_dependency_on_mclk;
struct phm_cac_leakage_table *std_voltage_table =
hwmgr->dyn_state.cac_leakage_table;
- uint32_t i;
+ uint32_t i, clk;
PP_ASSERT_WITH_CODE(allowed_vdd_sclk_table != NULL,
"SCLK dependency table is missing. This table is mandatory", return -EINVAL);
@@ -804,10 +804,12 @@ static int smu7_setup_dpm_tables_v0(struct pp_hwmgr *hwmgr)
data->dpm_table.sclk_table.count = 0;
for (i = 0; i < allowed_vdd_sclk_table->count; i++) {
+ clk = min(allowed_vdd_sclk_table->entries[i].clk, data->sclk_cap);
+
if (i == 0 || data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count-1].value !=
- allowed_vdd_sclk_table->entries[i].clk) {
+ clk) {
data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count].value =
- allowed_vdd_sclk_table->entries[i].clk;
+ clk;
data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count].enabled = (i == 0) ? 1 : 0;
data->dpm_table.sclk_table.count++;
}
@@ -3006,6 +3008,25 @@ static int smu7_init_voltage_dependency_on_display_clock_table(struct pp_hwmgr *
return 0;
}
+static void smu7_set_sclk_cap(struct pp_hwmgr *hwmgr)
+{
+ struct amdgpu_device *adev = hwmgr->adev;
+ struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
+
+ data->sclk_cap = 0xffffffff;
+
+ if (hwmgr->od_enabled)
+ return;
+
+ /* R9 390X board: last sclk dpm level is unstable, use lower sclk */
+ if (adev->pdev->device == 0x67B0 &&
+ adev->pdev->subsystem_vendor == 0x1043)
+ data->sclk_cap = 104000; /* 1040 MHz */
+
+ if (data->sclk_cap != 0xffffffff)
+ dev_info(adev->dev, "sclk cap: %u kHz on quirky ASIC\n", data->sclk_cap * 10);
+}
+
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
struct amdgpu_device *adev = hwmgr->adev;
@@ -3017,6 +3038,7 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
return -ENOMEM;
hwmgr->backend = data;
+ smu7_set_sclk_cap(hwmgr);
smu7_patch_voltage_workaround(hwmgr);
smu7_init_dpm_defaults(hwmgr);
@@ -3903,7 +3925,7 @@ static int smu7_get_pp_table_entry_callback_func_v0(struct pp_hwmgr *hwmgr,
/* Performance levels are arranged from low to high. */
performance_level->memory_clock = memory_clock;
- performance_level->engine_clock = engine_clock;
+ performance_level->engine_clock = min(engine_clock, data->sclk_cap);
pcie_gen_from_bios = visland_clk_info->ucPCIEGen;
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
index d9e8b386bd4d3..66adabeab6a3a 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
@@ -234,6 +234,7 @@ struct smu7_hwmgr {
uint32_t pcie_gen_cap;
uint32_t pcie_lane_cap;
uint32_t pcie_spc_cap;
+ uint32_t sclk_cap;
struct smu7_leakage_voltage vddc_leakage;
struct smu7_leakage_voltage vddci_leakage;
struct smu7_leakage_voltage vddcgfx_leakage;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 129/508] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace })
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 128/508] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 130/508] ASoC: SOF: Intel: hda: Place check before dereference Greg Kroah-Hartman
` (380 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lei Huang, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lei Huang <huanglei@kylinos.cn>
[ Upstream commit d1888bf848ade6a9e71c7ba516fd215aa1bd8d65 ]
Fix checkpatch code style errors:
ERROR: else should follow close brace '}'
#2300: FILE: sound/hda/codecs/realtek/alc269.c:2300:
+ }
+ else
Fixes: 31278997add6 ("ALSA: hda/realtek - Add headset quirk for Dell DT")
Signed-off-by: Lei Huang <huanglei@kylinos.cn>
Link: https://patch.msgid.link/20260331075405.78148-1-huanglei814@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 6ef859f59f8d1..937f3fdbab252 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6043,9 +6043,9 @@ static void alc_fixup_headset_mode_alc255_no_hp_mic(struct hda_codec *codec,
struct alc_spec *spec = codec->spec;
spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
alc255_set_default_jack_type(codec);
- }
- else
+ } else {
alc_fixup_headset_mode(codec, fix, action);
+ }
}
static void alc288_update_headset_jack_cb(struct hda_codec *codec,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 130/508] ASoC: SOF: Intel: hda: Place check before dereference
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 129/508] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 131/508] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
` (379 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 6cbc8360f51a3df2ea16a786b262b9fe44d4c68c ]
The struct hext_stream is dereferenced before it is checked for NULL.
Although it can never be NULL due to a check prior to
hda_dsp_iccmax_stream_hw_params() being called, this change clears any
confusion regarding hext_stream possibly being NULL.
Check hext_stream for NULL and then assign its members.
Detected by Smatch:
sound/soc/sof/intel/hda-stream.c:488 hda_dsp_iccmax_stream_hw_params() warn:
variable dereferenced before check 'hext_stream' (see line 486)
Fixes: aca961f196e5d ("ASoC: SOF: Intel: hda: Add helper function to program ICCMAX stream")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Link: https://patch.msgid.link/20260324173830.17563-1-ethantidmore06@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-stream.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/sof/intel/hda-stream.c b/sound/soc/sof/intel/hda-stream.c
index 3bb743cb167a5..924cef8d96c60 100644
--- a/sound/soc/sof/intel/hda-stream.c
+++ b/sound/soc/sof/intel/hda-stream.c
@@ -415,16 +415,20 @@ int hda_dsp_iccmax_stream_hw_params(struct snd_sof_dev *sdev, struct hdac_ext_st
struct snd_dma_buffer *dmab,
struct snd_pcm_hw_params *params)
{
- struct hdac_stream *hstream = &hext_stream->hstream;
- int sd_offset = SOF_STREAM_SD_OFFSET(hstream);
+ struct hdac_stream *hstream;
+ int sd_offset;
int ret;
- u32 mask = 0x1 << hstream->index;
+ u32 mask;
if (!hext_stream) {
dev_err(sdev->dev, "error: no stream available\n");
return -ENODEV;
}
+ hstream = &hext_stream->hstream;
+ sd_offset = SOF_STREAM_SD_OFFSET(hstream);
+ mask = 0x1 << hstream->index;
+
if (!dmab) {
dev_err(sdev->dev, "error: no dma buffer allocated!\n");
return -ENODEV;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 131/508] drm/msm/a6xx: Fix HLSQ register dumping
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 130/508] ASoC: SOF: Intel: hda: Place check before dereference Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 132/508] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
` (378 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Connor Abbott, Rob Clark,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit c289a6db9ba6cb974f0317da142e4f665d589566 ]
Fix the bitfield offset of HLSQ_READ_SEL state-type bitfield. Otherwise
we are always reading TP state when we wanted SP or HLSQ state.
Reported-by: Connor Abbott <cwabbott0@gmail.com>
Suggested-by: Connor Abbott <cwabbott0@gmail.com>
Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714236/
Message-ID: <20260325184043.1259312-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
index 258de1bfc5700..6ebb7e6254175 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -672,7 +672,7 @@ static void a6xx_get_crashdumper_hlsq_registers(struct msm_gpu *gpu,
u64 out = dumper->iova + A6XX_CD_DATA_OFFSET;
int i, regcount = 0;
- in += CRASHDUMP_WRITE(in, REG_A6XX_HLSQ_DBG_READ_SEL, regs->val1);
+ in += CRASHDUMP_WRITE(in, REG_A6XX_HLSQ_DBG_READ_SEL, (regs->val1 & 0xff) << 8);
for (i = 0; i < regs->count; i += 2) {
u32 count = RANGE(regs->registers, i);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 132/508] drm/msm/shrinker: Fix can_block() logic
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 131/508] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 133/508] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
` (377 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boris Brezillon, Rob Clark,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit df0f439e3926817cf577ca6272aad68468ff7624 ]
The intention here was to allow blocking if DIRECT_RECLAIM or if called
from kswapd and KSWAPD_RECLAIM is set.
Reported by Claude code review: https://lore.gitlab.freedesktop.org/drm-ai-reviews/review-patch9-20260309151119.290217-10-boris.brezillon@collabora.com/ on a panthor patch which had copied similar logic.
Reported-by: Boris Brezillon <boris.brezillon@collabora.com>
Fixes: 7860d720a84c ("drm/msm: Fix build break with recent mm tree")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Patchwork: https://patchwork.freedesktop.org/patch/714238/
Message-ID: <20260325184106.1259528-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem_shrinker.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_shrinker.c b/drivers/gpu/drm/msm/msm_gem_shrinker.c
index 0641f5bb8649a..5d5cf51cde65a 100644
--- a/drivers/gpu/drm/msm/msm_gem_shrinker.c
+++ b/drivers/gpu/drm/msm/msm_gem_shrinker.c
@@ -26,9 +26,8 @@ static bool can_swap(void)
static bool can_block(struct shrink_control *sc)
{
- if (!(sc->gfp_mask & __GFP_DIRECT_RECLAIM))
- return false;
- return current_is_kswapd() || (sc->gfp_mask & __GFP_RECLAIM);
+ return (sc->gfp_mask & __GFP_DIRECT_RECLAIM) ||
+ (current_is_kswapd() && (sc->gfp_mask & __GFP_KSWAPD_RECLAIM));
}
static unsigned long
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 133/508] drm/msm/a6xx: Use barriers while updating HFI Q headers
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 132/508] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 134/508] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
` (376 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Rob Clark,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
[ Upstream commit dc78b35d5ec09d1b0b8a937e6e640d2c5a030915 ]
To avoid harmful compiler optimizations and IO reordering in the HW, use
barriers and READ/WRITE_ONCE helpers as necessary while accessing the HFI
queue index variables.
Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714653/
Message-ID: <20260327-a8xx-gpu-batch2-v2-1-2b53c38d2101@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
index 25b235b49ebc2..14a0ec4a56fda 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
@@ -29,7 +29,7 @@ static int a6xx_hfi_queue_read(struct a6xx_gmu *gmu,
struct a6xx_hfi_queue_header *header = queue->header;
u32 i, hdr, index = header->read_index;
- if (header->read_index == header->write_index) {
+ if (header->read_index == READ_ONCE(header->write_index)) {
header->rx_request = 1;
return 0;
}
@@ -57,7 +57,10 @@ static int a6xx_hfi_queue_read(struct a6xx_gmu *gmu,
if (!gmu->legacy)
index = ALIGN(index, 4) % header->size;
- header->read_index = index;
+ /* Ensure all memory operations are complete before updating the read index */
+ dma_mb();
+
+ WRITE_ONCE(header->read_index, index);
return HFI_HEADER_SIZE(hdr);
}
@@ -69,7 +72,7 @@ static int a6xx_hfi_queue_write(struct a6xx_gmu *gmu,
spin_lock(&queue->lock);
- space = CIRC_SPACE(header->write_index, header->read_index,
+ space = CIRC_SPACE(header->write_index, READ_ONCE(header->read_index),
header->size);
if (space < dwords) {
header->dropped++;
@@ -90,7 +93,10 @@ static int a6xx_hfi_queue_write(struct a6xx_gmu *gmu,
queue->data[index] = 0xfafafafa;
}
- header->write_index = index;
+ /* Ensure all memory operations are complete before updating the write index */
+ dma_mb();
+
+ WRITE_ONCE(header->write_index, index);
spin_unlock(&queue->lock);
gmu_write(gmu, REG_A6XX_GMU_HOST2GMU_INTR_SET, 0x01);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 134/508] pmdomain: ti: omap_prm: Fix a reference leak on device node
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 133/508] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 135/508] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
` (375 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <gu_0233@qq.com>
[ Upstream commit 44c28e1c52764fef6dd1c1ada3a248728812e67f ]
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In omap_prm_domain_attach_dev, it does not release the reference.
Fixes: 58cbff023bfa ("soc: ti: omap-prm: Add basic power domain support")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pmdomain/ti/omap_prm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pmdomain/ti/omap_prm.c b/drivers/pmdomain/ti/omap_prm.c
index b8ceb3c2b81c2..f4e52e92dcbf6 100644
--- a/drivers/pmdomain/ti/omap_prm.c
+++ b/drivers/pmdomain/ti/omap_prm.c
@@ -651,6 +651,7 @@ static int omap_prm_domain_attach_dev(struct generic_pm_domain *domain,
if (pd_args.args_count != 0)
dev_warn(dev, "%s: unusupported #power-domain-cells: %i\n",
prmd->pd.name, pd_args.args_count);
+ of_node_put(pd_args.np);
genpd_data = dev_gpd_data(dev);
genpd_data->data = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 135/508] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 134/508] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 136/508] ASoC: fsl_micfil: Add access property for "VAD Detected" Greg Kroah-Hartman
` (374 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Peng Fan, Ulf Hansson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit c8e9b6a55702be6c6d034e973d519c52c3848415 ]
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In imx_sc_pd_get_console_rsrc(), it does not release the reference.
Fixes: 893cfb99734f ("firmware: imx: scu-pd: do not power off console domain")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pmdomain/imx/scu-pd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pmdomain/imx/scu-pd.c b/drivers/pmdomain/imx/scu-pd.c
index 368918e562f55..606d6bdccf94a 100644
--- a/drivers/pmdomain/imx/scu-pd.c
+++ b/drivers/pmdomain/imx/scu-pd.c
@@ -326,6 +326,7 @@ static void imx_sc_pd_get_console_rsrc(void)
return;
imx_con_rsrc = specs.args[0];
+ of_node_put(specs.np);
}
static int imx_sc_get_pd_power(struct device *dev, u32 rsrc)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 136/508] ASoC: fsl_micfil: Add access property for "VAD Detected"
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 135/508] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 137/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() Greg Kroah-Hartman
` (373 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit c7661bfc7422443df394c01e069ae4e5c3a7f04c ]
Add access property SNDRV_CTL_ELEM_ACCESS_READ for control "VAD
Detected", which doesn't support put operation, otherwise there will be
issue with mixer-test.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-2-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 80ff1d1359f64..56ee7cbf371c1 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -395,7 +395,13 @@ static const struct snd_kcontrol_new fsl_micfil_snd_controls[] = {
SOC_SINGLE("HWVAD ZCD Adjustment", REG_MICFIL_VAD0_ZCD, 8, 15, 0),
SOC_SINGLE("HWVAD ZCD And Behavior Switch",
REG_MICFIL_VAD0_ZCD, 4, 1, 0),
- SOC_SINGLE_BOOL_EXT("VAD Detected", 0, hwvad_detected, NULL),
+ {
+ .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
+ .access = SNDRV_CTL_ELEM_ACCESS_READ | SNDRV_CTL_ELEM_ACCESS_VOLATILE,
+ .name = "VAD Detected",
+ .info = snd_soc_info_bool_ext,
+ .get = hwvad_detected,
+ },
};
static int fsl_micfil_use_verid(struct device *dev)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 137/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 136/508] ASoC: fsl_micfil: Add access property for "VAD Detected" Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 138/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() Greg Kroah-Hartman
` (372 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 59b9061824f2179fe133e2636203548eaba3e528 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation hwvad_put_enable() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the vad_enabled
variable.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-3-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 56ee7cbf371c1..8eb5f553aa209 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -277,10 +277,15 @@ static int hwvad_put_enable(struct snd_kcontrol *kcontrol,
unsigned int *item = ucontrol->value.enumerated.item;
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(comp);
int val = snd_soc_enum_item_to_val(e, item[0]);
+ bool change = false;
+ if (val < 0 || val > 1)
+ return -EINVAL;
+
+ change = (micfil->vad_enabled != val);
micfil->vad_enabled = val;
- return 0;
+ return change;
}
static int hwvad_get_enable(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 138/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 137/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 139/508] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() Greg Kroah-Hartman
` (371 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 7e226209906906421f0d952d7304e48fdb0adabc ]
ALSA controls should return 1 if the value in the control changed but the
control put operation hwvad_put_init_mode() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the vad_init_mode
variable.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-4-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 8eb5f553aa209..88553f0c0de86 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -307,13 +307,18 @@ static int hwvad_put_init_mode(struct snd_kcontrol *kcontrol,
unsigned int *item = ucontrol->value.enumerated.item;
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(comp);
int val = snd_soc_enum_item_to_val(e, item[0]);
+ bool change = false;
+
+ if (val < MICFIL_HWVAD_ENVELOPE_MODE || val > MICFIL_HWVAD_ENERGY_MODE)
+ return -EINVAL;
/* 0 - Envelope-based Mode
* 1 - Energy-based Mode
*/
+ change = (micfil->vad_init_mode != val);
micfil->vad_init_mode = val;
- return 0;
+ return change;
}
static int hwvad_get_init_mode(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 139/508] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 138/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 140/508] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
` (370 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 7d2bd35100de370dc326b250e8f6b66bee06a2f3 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation micfil_put_dc_remover_state() only returns 0 or a
negative error code, causing ALSA to not generate any change events.
return the value of snd_soc_component_update_bits() directly, as it has
the capability of return check status of changed or not.
Also enable pm runtime before calling the function
snd_soc_component_update_bits() to make the regmap cache data align with
the value in hardware.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-6-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 88553f0c0de86..32ee7093c8110 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -243,6 +243,10 @@ static int micfil_put_dc_remover_state(struct snd_kcontrol *kcontrol,
if (val < 0 || val > 3)
return -EINVAL;
+ ret = pm_runtime_resume_and_get(comp->dev);
+ if (ret)
+ return ret;
+
micfil->dc_remover = val;
/* Calculate total value for all channels */
@@ -252,10 +256,10 @@ static int micfil_put_dc_remover_state(struct snd_kcontrol *kcontrol,
/* Update DC Remover mode for all channels */
ret = snd_soc_component_update_bits(comp, REG_MICFIL_DC_CTRL,
MICFIL_DC_CTRL_CONFIG, reg_val);
- if (ret < 0)
- return ret;
- return 0;
+ pm_runtime_put_autosuspend(comp->dev);
+
+ return ret;
}
static int micfil_get_dc_remover_state(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 140/508] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 139/508] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 141/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
` (369 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit e5785093b1b45af7ee57d18619b2854a8aed073a ]
ALSA controls should return 1 if the value in the control changed but the
control put operation micfil_quality_set() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the quality variable.
Also enable pm runtime before calling the function micfil_set_quality()
to make the regmap cache data align with the value in hardware.
Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-7-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 32ee7093c8110..189f65989fcfe 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -181,10 +181,34 @@ static int micfil_quality_set(struct snd_kcontrol *kcontrol,
{
struct snd_soc_component *cmpnt = snd_soc_kcontrol_component(kcontrol);
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(cmpnt);
+ int val = ucontrol->value.integer.value[0];
+ bool change = false;
+ int old_val;
+ int ret;
+
+ if (val < QUALITY_HIGH || val > QUALITY_VLOW2)
+ return -EINVAL;
+
+ if (micfil->quality != val) {
+ ret = pm_runtime_resume_and_get(cmpnt->dev);
+ if (ret)
+ return ret;
+
+ old_val = micfil->quality;
+ micfil->quality = val;
+ ret = micfil_set_quality(micfil);
- micfil->quality = ucontrol->value.integer.value[0];
+ pm_runtime_put_autosuspend(cmpnt->dev);
- return micfil_set_quality(micfil);
+ if (ret) {
+ micfil->quality = old_val;
+ return ret;
+ }
+
+ change = true;
+ }
+
+ return change;
}
static const char * const micfil_hwvad_enable[] = {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 141/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 140/508] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 142/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
` (368 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 1b61c8103c9317a9c37fe544c2d83cee1c281149 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_xcvr_arc_mode_put() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the arc_mode
variable.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-8-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 90a0a24c05d84..87ea3abc4416f 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -98,10 +98,17 @@ static int fsl_xcvr_arc_mode_put(struct snd_kcontrol *kcontrol,
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
unsigned int *item = ucontrol->value.enumerated.item;
+ int val = snd_soc_enum_item_to_val(e, item[0]);
+ int ret;
- xcvr->arc_mode = snd_soc_enum_item_to_val(e, item[0]);
+ if (val < 0 || val > 1)
+ return -EINVAL;
- return 0;
+ ret = (xcvr->arc_mode != val);
+
+ xcvr->arc_mode = val;
+
+ return ret;
}
static int fsl_xcvr_arc_mode_get(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 142/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 141/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 143/508] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
` (367 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 64a496ba976324615b845d60739dfcdae3d57434 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_xcvr_mode_put() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the mode variable.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-9-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 87ea3abc4416f..d6aa9c30978f4 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -208,10 +208,17 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol,
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
unsigned int *item = ucontrol->value.enumerated.item;
+ int val = snd_soc_enum_item_to_val(e, item[0]);
struct snd_soc_card *card = dai->component->card;
struct snd_soc_pcm_runtime *rtd;
+ int ret;
+
+ if (val < FSL_XCVR_MODE_SPDIF || val > FSL_XCVR_MODE_EARC)
+ return -EINVAL;
- xcvr->mode = snd_soc_enum_item_to_val(e, item[0]);
+ ret = (xcvr->mode != val);
+
+ xcvr->mode = val;
fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name,
(xcvr->mode == FSL_XCVR_MODE_ARC));
@@ -221,7 +228,7 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol,
rtd = snd_soc_get_pcm_runtime(card, card->dai_link);
rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count =
(xcvr->mode == FSL_XCVR_MODE_SPDIF ? 1 : 0);
- return 0;
+ return ret;
}
static int fsl_xcvr_mode_get(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 143/508] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 142/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 144/508] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
` (366 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 00541b86fb578d4949cfdd6aff1f82d43fcf07af ]
Add check of input value's range in fsl_easrc_iec958_put_bits(),
otherwise the wrong value may be written from user space.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-10-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index c78abf7698e0f..48d7a3e109129 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -54,6 +54,9 @@ static int fsl_easrc_iec958_put_bits(struct snd_kcontrol *kcontrol,
unsigned int regval = ucontrol->value.integer.value[0];
int ret;
+ if (regval < EASRC_WIDTH_16_BIT || regval > EASRC_WIDTH_24_BIT)
+ return -EINVAL;
+
ret = (easrc_priv->bps_iec958[mc->regbase] != regval);
easrc_priv->bps_iec958[mc->regbase] = regval;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 144/508] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 143/508] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 145/508] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
` (365 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit aa21fe4a81458cf469c2615b08cbde5997dde25a ]
The value type of controls "Context 0 IEC958 Bits Per Sample" should be
integer, not enumerated, the issue is found by the mixer-test.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-11-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 48d7a3e109129..c33cad8f07a3f 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -73,7 +73,7 @@ static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
- ucontrol->value.enumerated.item[0] = easrc_priv->bps_iec958[mc->regbase];
+ ucontrol->value.integer.value[0] = easrc_priv->bps_iec958[mc->regbase];
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 145/508] ASoC: fsl_easrc: Change the type for iec958 channel status controls
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 144/508] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 146/508] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
` (364 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 47f28a5bd154a95d5aa563dde02a801bd32ddb81 ]
Use the type SNDRV_CTL_ELEM_TYPE_IEC958 for iec958 channel status
controls, the original type will cause mixer-test to iterate all 32bit
values, which costs a lot of time. And using IEC958 type can reduce the
control numbers.
Also enable pm runtime before updating registers to make the regmap cache
data align with the value in hardware.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-12-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 118 +++++++++++++++++++++++++++-----------
1 file changed, 84 insertions(+), 34 deletions(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index c33cad8f07a3f..16aa0063aa65c 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -78,17 +78,47 @@ static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
return 0;
}
+static int fsl_easrc_iec958_info(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_info *uinfo)
+{
+ uinfo->type = SNDRV_CTL_ELEM_TYPE_IEC958;
+ uinfo->count = 1;
+ return 0;
+}
+
static int fsl_easrc_get_reg(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct snd_soc_component *component = snd_kcontrol_chip(kcontrol);
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
- unsigned int regval;
+ struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
+ unsigned int *regval = (unsigned int *)ucontrol->value.iec958.status;
+ int ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS0(mc->regbase), ®val[0]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS1(mc->regbase), ®val[1]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS2(mc->regbase), ®val[2]);
+ if (ret)
+ return ret;
- regval = snd_soc_component_read(component, mc->regbase);
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS3(mc->regbase), ®val[3]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS4(mc->regbase), ®val[4]);
+ if (ret)
+ return ret;
- ucontrol->value.integer.value[0] = regval;
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS5(mc->regbase), ®val[5]);
+ if (ret)
+ return ret;
return 0;
}
@@ -100,22 +130,62 @@ static int fsl_easrc_set_reg(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
- unsigned int regval = ucontrol->value.integer.value[0];
- bool changed;
+ unsigned int *regval = (unsigned int *)ucontrol->value.iec958.status;
+ bool changed, changed_all = false;
int ret;
- ret = regmap_update_bits_check(easrc->regmap, mc->regbase,
- GENMASK(31, 0), regval, &changed);
- if (ret != 0)
+ ret = pm_runtime_resume_and_get(component->dev);
+ if (ret)
return ret;
- return changed;
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS0(mc->regbase),
+ GENMASK(31, 0), regval[0], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS1(mc->regbase),
+ GENMASK(31, 0), regval[1], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS2(mc->regbase),
+ GENMASK(31, 0), regval[2], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS3(mc->regbase),
+ GENMASK(31, 0), regval[3], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS4(mc->regbase),
+ GENMASK(31, 0), regval[4], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS5(mc->regbase),
+ GENMASK(31, 0), regval[5], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+err:
+ pm_runtime_put_autosuspend(component->dev);
+
+ if (ret != 0)
+ return ret;
+ else
+ return changed_all;
}
#define SOC_SINGLE_REG_RW(xname, xreg) \
{ .iface = SNDRV_CTL_ELEM_IFACE_PCM, .name = (xname), \
.access = SNDRV_CTL_ELEM_ACCESS_READWRITE, \
- .info = snd_soc_info_xr_sx, .get = fsl_easrc_get_reg, \
+ .info = fsl_easrc_iec958_info, .get = fsl_easrc_get_reg, \
.put = fsl_easrc_set_reg, \
.private_value = (unsigned long)&(struct soc_mreg_control) \
{ .regbase = xreg, .regcount = 1, .nbits = 32, \
@@ -146,30 +216,10 @@ static const struct snd_kcontrol_new fsl_easrc_snd_controls[] = {
SOC_SINGLE_VAL_RW("Context 2 IEC958 Bits Per Sample", 2),
SOC_SINGLE_VAL_RW("Context 3 IEC958 Bits Per Sample", 3),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS0", REG_EASRC_CS0(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS0", REG_EASRC_CS0(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS0", REG_EASRC_CS0(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS0", REG_EASRC_CS0(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS1", REG_EASRC_CS1(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS1", REG_EASRC_CS1(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS1", REG_EASRC_CS1(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS1", REG_EASRC_CS1(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS2", REG_EASRC_CS2(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS2", REG_EASRC_CS2(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS2", REG_EASRC_CS2(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS2", REG_EASRC_CS2(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS3", REG_EASRC_CS3(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS3", REG_EASRC_CS3(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS3", REG_EASRC_CS3(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS3", REG_EASRC_CS3(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS4", REG_EASRC_CS4(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS4", REG_EASRC_CS4(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS4", REG_EASRC_CS4(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS4", REG_EASRC_CS4(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS5", REG_EASRC_CS5(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS5", REG_EASRC_CS5(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS5", REG_EASRC_CS5(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS5", REG_EASRC_CS5(3)),
+ SOC_SINGLE_REG_RW("Context 0 IEC958 CS", 0),
+ SOC_SINGLE_REG_RW("Context 1 IEC958 CS", 1),
+ SOC_SINGLE_REG_RW("Context 2 IEC958 CS", 2),
+ SOC_SINGLE_REG_RW("Context 3 IEC958 CS", 3),
};
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 146/508] ASoC: qcom: qdsp6: topology: check widget type before accessing data
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 145/508] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 147/508] crypto: qat - use swab32 macro Greg Kroah-Hartman
` (363 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
[ Upstream commit d5bfdd28e0cdd45043ae6e0ac168a451d59283dc ]
Check widget type before accessing the private data, as this could a
virtual widget which is no associated with a dsp graph, container and
module. Accessing witout check could lead to incorrect memory access.
Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support")
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/qcom/qdsp6/topology.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sound/soc/qcom/qdsp6/topology.c b/sound/soc/qcom/qdsp6/topology.c
index d4c3bc85fb356..51d1926ea3c2b 100644
--- a/sound/soc/qcom/qdsp6/topology.c
+++ b/sound/soc/qcom/qdsp6/topology.c
@@ -903,9 +903,6 @@ static int audioreach_widget_unload(struct snd_soc_component *scomp,
struct audioreach_container *cont;
struct audioreach_module *mod;
- mod = dobj->private;
- cont = mod->container;
-
if (w->id == snd_soc_dapm_mixer) {
/* virtual widget */
struct snd_ar_control *scontrol = dobj->private;
@@ -914,6 +911,11 @@ static int audioreach_widget_unload(struct snd_soc_component *scomp,
kfree(scontrol);
return 0;
}
+ mod = dobj->private;
+ if (!mod)
+ return 0;
+
+ cont = mod->container;
mutex_lock(&apm->lock);
idr_remove(&apm->modules_idr, mod->instance_id);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 147/508] crypto: qat - use swab32 macro
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 146/508] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 148/508] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Greg Kroah-Hartman
` (362 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Giovanni Cabiddu,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit 35ecb77ae0749a2f1b04872c9978d9d7ddbbeb79 ]
Replace __builtin_bswap32() with swab32 in icp_qat_hw_20_comp.h to fix
the following build errors on architectures without native byte-swap
support:
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.o: in function `adf_gen4_build_decomp_block':
drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:141:(.text+0xeec): undefined reference to `__bswapsi2'
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:141:(.text+0xef8): undefined reference to `__bswapsi2'
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.o: in function `adf_gen4_build_comp_block':
drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:57:(.text+0xf64): undefined reference to `__bswapsi2'
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:57:(.text+0xf7c): undefined reference to `__bswapsi2'
Fixes: 5b14b2b307e4 ("crypto: qat - enable deflate for QAT GEN4")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603290259.Ig9kDOmI-lkp@intel.com/
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h b/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h
index 7ea8962272f2f..d28732225c9e0 100644
--- a/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h
+++ b/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h
@@ -3,6 +3,8 @@
#ifndef _ICP_QAT_HW_20_COMP_H_
#define _ICP_QAT_HW_20_COMP_H_
+#include <linux/swab.h>
+
#include "icp_qat_hw_20_comp_defs.h"
#include "icp_qat_fw.h"
@@ -54,7 +56,7 @@ ICP_QAT_FW_COMP_20_BUILD_CONFIG_LOWER(struct icp_qat_hw_comp_20_config_csr_lower
QAT_FIELD_SET(val32, csr.abd, ICP_QAT_HW_COMP_20_CONFIG_CSR_ABD_BITPOS,
ICP_QAT_HW_COMP_20_CONFIG_CSR_ABD_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
struct icp_qat_hw_comp_20_config_csr_upper {
@@ -106,7 +108,7 @@ ICP_QAT_FW_COMP_20_BUILD_CONFIG_UPPER(struct icp_qat_hw_comp_20_config_csr_upper
ICP_QAT_HW_COMP_20_CONFIG_CSR_NICE_PARAM_BITPOS,
ICP_QAT_HW_COMP_20_CONFIG_CSR_NICE_PARAM_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
struct icp_qat_hw_decomp_20_config_csr_lower {
@@ -138,7 +140,7 @@ ICP_QAT_FW_DECOMP_20_BUILD_CONFIG_LOWER(struct icp_qat_hw_decomp_20_config_csr_l
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_LZ4_BLOCK_CHECKSUM_PRESENT_BITPOS,
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_LZ4_BLOCK_CHECKSUM_PRESENT_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
struct icp_qat_hw_decomp_20_config_csr_upper {
@@ -158,7 +160,7 @@ ICP_QAT_FW_DECOMP_20_BUILD_CONFIG_UPPER(struct icp_qat_hw_decomp_20_config_csr_u
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_MINI_CAM_CONTROL_BITPOS,
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_MINI_CAM_CONTROL_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 148/508] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 147/508] crypto: qat - use swab32 macro Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 149/508] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
` (361 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Rastyogin, Kuninori Morimoto,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Rastyogin <gerben@altlinux.org>
[ Upstream commit f9e437cddf6cf9e603bdaefe148c1f4792aaf39c ]
component_dais[RSND_MAX_COMPONENT] is initially zero-initialized
and later populated in rsnd_dai_of_node(). However, the existing boundary check:
if (i >= RSND_MAX_COMPONENT)
does not guarantee that the last valid element remains zero. As a result,
the loop can rely on component_dais[RSND_MAX_COMPONENT] being zero,
which may lead to an out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 547b02f74e4a ("ASoC: rsnd: enable multi Component support for Audio Graph Card/Card2")
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/20260327103311.459239-1-gerben@altlinux.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sh/rcar/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
index 3cd14fbca28ea..68f91fc543493 100644
--- a/sound/soc/sh/rcar/core.c
+++ b/sound/soc/sh/rcar/core.c
@@ -1995,7 +1995,7 @@ static int rsnd_probe(struct platform_device *pdev)
* asoc register
*/
ci = 0;
- for (i = 0; priv->component_dais[i] > 0; i++) {
+ for (i = 0; i < RSND_MAX_COMPONENT && priv->component_dais[i] > 0; i++) {
int nr = priv->component_dais[i];
ret = devm_snd_soc_register_component(dev, &rsnd_soc_component,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 149/508] PCI: Enable AtomicOps only if Root Port supports them
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 148/508] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 150/508] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
` (360 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Schmidt, Gerd Bayer,
Bjorn Helgaas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gerd Bayer <gbayer@linux.ibm.com>
[ Upstream commit 1ae8c4ce157037e266184064a182af9ef9af278b ]
When inspecting the config space of a Connect-X physical function in an
s390 system after it was initialized by the mlx5_core device driver, we
found the function to be enabled to request AtomicOps despite the Root Port
lacking support for completing them:
00:00.1 Ethernet controller: Mellanox Technologies MT2894 Family [ConnectX-6 Lx]
Subsystem: Mellanox Technologies Device 0002
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-
AtomicOpsCtl: ReqEn+
On s390 and many virtualized guests, the Endpoint is visible but the Root
Port is not. In this case, pci_enable_atomic_ops_to_root() previously
enabled AtomicOps in the Endpoint even though it can't tell whether the
Root Port supports them as a completer.
Change pci_enable_atomic_ops_to_root() to fail if there's no Root Port or
the Root Port doesn't support AtomicOps.
Fixes: 430a23689dea ("PCI: Add pci_enable_atomic_ops_to_root()")
Reported-by: Alexander Schmidt <alexs@linux.ibm.com>
Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
[bhelgaas: commit log, check RP first to simplify flow]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260330-fix_pciatops-v7-2-f601818417e8@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 41 ++++++++++++++++++++---------------------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index a21192ec5689b..e7648a1abfdbf 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3956,8 +3956,7 @@ int pci_rebar_set_size(struct pci_dev *pdev, int bar, int size)
*/
int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask)
{
- struct pci_bus *bus = dev->bus;
- struct pci_dev *bridge;
+ struct pci_dev *root, *bridge;
u32 cap, ctl2;
/*
@@ -3987,35 +3986,35 @@ int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask)
return -EINVAL;
}
- while (bus->parent) {
- bridge = bus->self;
+ root = pcie_find_root_port(dev);
+ if (!root)
+ return -EINVAL;
- pcie_capability_read_dword(bridge, PCI_EXP_DEVCAP2, &cap);
+ pcie_capability_read_dword(root, PCI_EXP_DEVCAP2, &cap);
+ if ((cap & cap_mask) != cap_mask)
+ return -EINVAL;
+ bridge = pci_upstream_bridge(dev);
+ while (bridge != root) {
switch (pci_pcie_type(bridge)) {
- /* Ensure switch ports support AtomicOp routing */
case PCI_EXP_TYPE_UPSTREAM:
- case PCI_EXP_TYPE_DOWNSTREAM:
- if (!(cap & PCI_EXP_DEVCAP2_ATOMIC_ROUTE))
- return -EINVAL;
- break;
-
- /* Ensure root port supports all the sizes we care about */
- case PCI_EXP_TYPE_ROOT_PORT:
- if ((cap & cap_mask) != cap_mask)
- return -EINVAL;
- break;
- }
-
- /* Ensure upstream ports don't block AtomicOps on egress */
- if (pci_pcie_type(bridge) == PCI_EXP_TYPE_UPSTREAM) {
+ /* Upstream ports must not block AtomicOps on egress */
pcie_capability_read_dword(bridge, PCI_EXP_DEVCTL2,
&ctl2);
if (ctl2 & PCI_EXP_DEVCTL2_ATOMIC_EGRESS_BLOCK)
return -EINVAL;
+ fallthrough;
+
+ /* All switch ports need to route AtomicOps */
+ case PCI_EXP_TYPE_DOWNSTREAM:
+ pcie_capability_read_dword(bridge, PCI_EXP_DEVCAP2,
+ &cap);
+ if (!(cap & PCI_EXP_DEVCAP2_ATOMIC_ROUTE))
+ return -EINVAL;
+ break;
}
- bus = bus->parent;
+ bridge = pci_upstream_bridge(bridge);
}
pcie_capability_set_word(dev, PCI_EXP_DEVCTL2,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 150/508] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 149/508] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 151/508] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
` (359 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, Manivannan Sadhasivam,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 5573c44cb3fd01a9f62d569ae9ac870ef5f0e0ba ]
In mtk_pcie_setup_irq(), the IRQ domains are allocated before the
controller's IRQ is fetched. If the latter fails, the function
directly returns an error, without cleaning up the allocated domains.
Hence, reverse the order so that the IRQ domains are allocated after the
controller's IRQ is found.
This was flagged by Sashiko during a review of "[PATCH v6 0/7] PCI:
mediatek-gen3: add power control support".
Fixes: 814cceebba9b ("PCI: mediatek-gen3: Add INTx support")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://sashiko.dev/#/patchset/20260324052002.4072430-1-wenst%40chromium.org
Link: https://patch.msgid.link/20260324093542.18523-1-wenst@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-mediatek-gen3.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/controller/pcie-mediatek-gen3.c b/drivers/pci/controller/pcie-mediatek-gen3.c
index 975b3024fb08c..822d9b8e09f60 100644
--- a/drivers/pci/controller/pcie-mediatek-gen3.c
+++ b/drivers/pci/controller/pcie-mediatek-gen3.c
@@ -760,14 +760,14 @@ static int mtk_pcie_setup_irq(struct mtk_gen3_pcie *pcie)
struct platform_device *pdev = to_platform_device(dev);
int err;
- err = mtk_pcie_init_irq_domains(pcie);
- if (err)
- return err;
-
pcie->irq = platform_get_irq(pdev, 0);
if (pcie->irq < 0)
return pcie->irq;
+ err = mtk_pcie_init_irq_domains(pcie);
+ if (err)
+ return err;
+
irq_set_chained_handler_and_data(pcie->irq, mtk_pcie_irq_handler, pcie);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 151/508] selftests/mm: skip migration tests if NUMA is unavailable
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 150/508] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 152/508] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
` (358 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AnishMulay, SeongJae Park, Dev Jain,
Anshuman Khandual, Sayali Patil, David Hildenbrand (Arm),
Liam Howlett, Lorenzo Stoakes, Michal Hocko, Mike Rapoport,
Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: AnishMulay <anishm7030@gmail.com>
[ Upstream commit 54218f10dfbe88c8e41c744fd45a756cde60b8c4 ]
Currently, the migration test asserts that numa_available() returns 0. On
systems where NUMA is not available (returning -1), such as certain ARM64
configurations or single-node systems, this assertion fails and crashes
the test.
Update the test to check the return value of numa_available(). If it is
less than 0, skip the test gracefully instead of failing.
This aligns the behavior with other MM selftests (like rmap) that skip
when NUMA support is missing.
Link: https://lkml.kernel.org/r/20260218163941.13499-1-anishm7030@gmail.com
Fixes: 0c2d08728470 ("mm: add selftests for migration entries")
Signed-off-by: AnishMulay <anishm7030@gmail.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Tested-by: Sayali Patil <sayalip@linux.ibm.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mm/migration.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/mm/migration.c b/tools/testing/selftests/mm/migration.c
index 6908569ef4065..877ee32d04c82 100644
--- a/tools/testing/selftests/mm/migration.c
+++ b/tools/testing/selftests/mm/migration.c
@@ -33,7 +33,8 @@ FIXTURE_SETUP(migration)
{
int n;
- ASSERT_EQ(numa_available(), 0);
+ if (numa_available() < 0)
+ SKIP(return, "NUMA not available");
self->nthreads = numa_num_task_cpus() - 1;
self->n1 = -1;
self->n2 = -1;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 152/508] Documentation: fix a hugetlbfs reservation statement
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 151/508] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 153/508] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
` (357 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jane Chu, David Hildenbrand,
Hillf Danton, Jonathan Corbet, Liam Howlett, Lorenzo Stoakes,
Michal Hocko, Mike Rapoport, Muchun Song, Oscar Salvador,
Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jane Chu <jane.chu@oracle.com>
[ Upstream commit 7a197d346a44384a1a858a98ef03766840e561d4 ]
Documentation/mm/hugetlbfs_reserv.rst has
if (resv_needed <= (resv_huge_pages - free_huge_pages))
resv_huge_pages += resv_needed;
which describes this code in gather_surplus_pages()
needed = (h->resv_huge_pages + delta) - h->free_huge_pages;
if (needed <= 0) {
h->resv_huge_pages += delta;
return 0;
}
which means if there are enough free hugepages to account for the new
reservation, simply update the global reservation count without
further action.
But the description is backwards, it should be
if (resv_needed <= (free_huge_pages - resv_huge_pages))
instead.
Link: https://lkml.kernel.org/r/20260302201015.1824798-1-jane.chu@oracle.com
Fixes: 70bc0dc578b3 ("Documentation: vm, add hugetlbfs reservation overview")
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/mm/hugetlbfs_reserv.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/mm/hugetlbfs_reserv.rst b/Documentation/mm/hugetlbfs_reserv.rst
index 4914fbf07966c..a49115db18c76 100644
--- a/Documentation/mm/hugetlbfs_reserv.rst
+++ b/Documentation/mm/hugetlbfs_reserv.rst
@@ -155,7 +155,7 @@ are enough free huge pages to accommodate the reservation. If there are,
the global reservation count resv_huge_pages is adjusted something like the
following::
- if (resv_needed <= (resv_huge_pages - free_huge_pages))
+ if (resv_needed <= (free_huge_pages - resv_huge_pages)
resv_huge_pages += resv_needed;
Note that the global lock hugetlb_lock is held when checking and adjusting
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 153/508] selftest: memcg: skip memcg_sock test if address family not supported
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 152/508] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 154/508] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
` (356 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Michal Koutný,
Shakeel Butt, Johannes Weiner, Michal Hocko, Mike Rapoport,
Muchun Song, Roman Gushchin, Shuah Khan, Tejun Heo, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 2d028f3e4bbbfd448928a8d3d2814b0b04c214f4 ]
The test_memcg_sock test in memcontrol.c sets up an IPv6 socket and send
data over it to consume memory and verify that memory.stat.sock and
memory.current values are close.
On systems where IPv6 isn't enabled or not configured to support
SOCK_STREAM, the test_memcg_sock test always fails. When the socket()
call fails, there is no way we can test the memory consumption and verify
the above claim. I believe it is better to just skip the test in this
case instead of reporting a test failure hinting that there may be
something wrong with the memcg code.
Link: https://lkml.kernel.org/r/20260311200526.885899-1-longman@redhat.com
Fixes: 5f8f019380b8 ("selftests: cgroup/memcontrol: add basic test for socket accounting")
Signed-off-by: Waiman Long <longman@redhat.com>
Acked-by: Michal Koutný <mkoutny@suse.com>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Michal Koutný <mkoutny@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/cgroup/test_memcontrol.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c
index b462416b38061..6efa26a8383e1 100644
--- a/tools/testing/selftests/cgroup/test_memcontrol.c
+++ b/tools/testing/selftests/cgroup/test_memcontrol.c
@@ -940,8 +940,11 @@ static int tcp_server(const char *cgroup, void *arg)
saddr.sin6_port = htons(srv_args->port);
sk = socket(AF_INET6, SOCK_STREAM, 0);
- if (sk < 0)
+ if (sk < 0) {
+ /* Pass back errno to the ctl_fd */
+ write(ctl_fd, &errno, sizeof(errno));
return ret;
+ }
if (setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) < 0)
goto cleanup;
@@ -1071,6 +1074,12 @@ static int test_memcg_sock(const char *root)
goto cleanup;
close(args.ctl[0]);
+ /* Skip if address family not supported by protocol */
+ if (err == EAFNOSUPPORT) {
+ ret = KSFT_SKIP;
+ goto cleanup;
+ }
+
if (!err)
break;
if (err != EADDRINUSE)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 154/508] ALSA: scarlett2: Add missing sentinel initializer field
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 153/508] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 155/508] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
` (355 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Panagiotis Petrakopoulos,
Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
[ Upstream commit 2428cd6e8b6fa80c36db4652702ca0acd2ce3f08 ]
A "-Wmissing-field-initializers" warning was emitted when compiling the
module using the W=2 option. There is a sentinel initializer field
missing in the end of scarlett2_devices[]. Tested using a
Scarlett Solo 4th gen.
Fixes: d98cc489029d ("ALSA: scarlett2: Move USB IDs out from device_info struct")
Signed-off-by: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
Link: https://patch.msgid.link/20260405222548.8903-1-npetrakopoulos2003@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_scarlett2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c
index c4b29b3670cd4..8aa7414d0b2fa 100644
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -1011,7 +1011,7 @@ static const struct scarlett2_device_entry scarlett2_devices[] = {
{ USB_ID(0x1235, 0x820c), &clarett_8pre_info, "Clarett+" },
/* End of list */
- { 0, NULL },
+ { 0, NULL, NULL },
};
/* get the starting port index number for a given port type/direction */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 155/508] ASoC: SOF: compress: return the configured codec from get_params
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 154/508] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 156/508] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
` (354 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 2c4fdd055f92a2fc8602dcd88bcea08c374b7e8b ]
The SOF compressed offload path accepts codec parameters in
sof_compr_set_params() and forwards them to firmware as
extended data in the SOF IPC stream params message.
However, sof_compr_get_params() still returns success without
filling the snd_codec structure. Since the compress core allocates
that structure zeroed and copies it back to userspace on success,
SNDRV_COMPRESS_GET_PARAMS returns an all-zero codec description
even after the stream has been configured successfully.
The stale TODO in this callback conflates get_params() with capability
discovery. Supported codec enumeration belongs in get_caps() and
get_codec_caps(). get_params() should report the current codec settings.
Cache the codec accepted by sof_compr_set_params() in the per-stream SOF
compress state and return it from sof_compr_get_params().
Fixes: 6324cf901e14 ("ASoC: SOF: compr: Add compress ops implementation")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260325-sof-compr-get-params-v1-1-0758815f13c7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/compress.c | 8 +++++---
sound/soc/sof/sof-priv.h | 2 ++
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c
index c469bb706e4a4..b64a5d99fe608 100644
--- a/sound/soc/sof/compress.c
+++ b/sound/soc/sof/compress.c
@@ -247,6 +247,7 @@ static int sof_compr_set_params(struct snd_soc_component *component,
sstream->sampling_rate = params->codec.sample_rate;
sstream->channels = params->codec.ch_out;
sstream->sample_container_bytes = pcm->params.sample_container_bytes;
+ sstream->codec_params = params->codec;
spcm->prepared[cstream->direction] = true;
@@ -259,9 +260,10 @@ static int sof_compr_set_params(struct snd_soc_component *component,
static int sof_compr_get_params(struct snd_soc_component *component,
struct snd_compr_stream *cstream, struct snd_codec *params)
{
- /* TODO: we don't query the supported codecs for now, if the
- * application asks for an unsupported codec the set_params() will fail.
- */
+ struct sof_compr_stream *sstream = cstream->runtime->private_data;
+
+ *params = sstream->codec_params;
+
return 0;
}
diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
index d4f6702e93dcb..6bf461506ce37 100644
--- a/sound/soc/sof/sof-priv.h
+++ b/sound/soc/sof/sof-priv.h
@@ -17,6 +17,7 @@
#include <sound/sof/info.h>
#include <sound/sof/pm.h>
#include <sound/sof/trace.h>
+#include <sound/compress_params.h>
#include <uapi/sound/sof/fw.h>
#include <sound/sof/ext_manifest.h>
@@ -119,6 +120,7 @@ struct sof_compr_stream {
u32 sampling_rate;
u16 channels;
u16 sample_container_bytes;
+ struct snd_codec codec_params;
size_t posn_offset;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 156/508] PCI: tegra194: Fix polling delay for L2 state
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 155/508] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 157/508] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
` (353 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit adaffed907f14f954096555665ad6af2ae724d83 ]
As per PCIe r7.0, sec 5.3.3.2.1, after sending PME_Turn_Off message, Root
Port should wait for 1-10 msec for PME_TO_Ack message. Currently, driver is
polling for 10 msec with 1 usec delay which is aggressive. Use existing
macro PCIE_PME_TO_L2_TIMEOUT_US to poll for 10 msec with 1 msec delay.
Since this function is used in non-atomic context only, use non-atomic poll
function.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-2-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index ce2a7a6dab90c..6a4e0dc0d1dce 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -205,8 +205,6 @@
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_MASK GENMASK(11, 8)
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_SHIFT 8
-#define PME_ACK_TIMEOUT 10000
-
#define LTSSM_TIMEOUT 50000 /* 50ms */
#define GEN3_GEN4_EQ_PRESET_INIT 5
@@ -1583,9 +1581,10 @@ static int tegra_pcie_try_link_l2(struct tegra_pcie_dw *pcie)
val |= APPL_PM_XMT_TURNOFF_STATE;
appl_writel(pcie, val, APPL_RADM_STATUS);
- return readl_poll_timeout_atomic(pcie->appl_base + APPL_DEBUG, val,
- val & APPL_DEBUG_PM_LINKST_IN_L2_LAT,
- 1, PME_ACK_TIMEOUT);
+ return readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
+ val & APPL_DEBUG_PM_LINKST_IN_L2_LAT,
+ PCIE_PME_TO_L2_TIMEOUT_US/10,
+ PCIE_PME_TO_L2_TIMEOUT_US);
}
static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 157/508] PCI: tegra194: Increase LTSSM poll time on surprise link down
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 156/508] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 158/508] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
` (352 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 74dd8efe4d6cead433162147333af989a568aac7 ]
On surprise link down, LTSSM state transits from L0 -> Recovery.RcvrLock ->
Recovery.RcvrSpeed -> Gen1 Recovery.RcvrLock -> Detect. Recovery.RcvrLock
and Recovery.RcvrSpeed transit times are 24 ms and 48 ms respectively, so
the total time from L0 to Detect is ~96 ms. Increase the poll timeout to
120 ms to account for this.
While at it, add LTSSM state defines for Detect-related states and use them
in the poll condition. Use readl_poll_timeout() instead of
readl_poll_timeout_atomic() in tegra_pcie_dw_pme_turnoff() since that path
runs in non-atomic context.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-3-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 36 +++++++++++++---------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 6a4e0dc0d1dce..db5af8d32d18a 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -139,7 +139,11 @@
#define APPL_DEBUG_PM_LINKST_IN_L0 0x11
#define APPL_DEBUG_LTSSM_STATE_MASK GENMASK(8, 3)
#define APPL_DEBUG_LTSSM_STATE_SHIFT 3
-#define LTSSM_STATE_PRE_DETECT 5
+#define LTSSM_STATE_DETECT_QUIET 0x00
+#define LTSSM_STATE_DETECT_ACT 0x08
+#define LTSSM_STATE_PRE_DETECT_QUIET 0x28
+#define LTSSM_STATE_DETECT_WAIT 0x30
+#define LTSSM_STATE_L2_IDLE 0xa8
#define APPL_RADM_STATUS 0xE4
#define APPL_PM_XMT_TURNOFF_STATE BIT(0)
@@ -205,7 +209,8 @@
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_MASK GENMASK(11, 8)
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_SHIFT 8
-#define LTSSM_TIMEOUT 50000 /* 50ms */
+#define LTSSM_DELAY_US 10000 /* 10 ms */
+#define LTSSM_TIMEOUT_US 120000 /* 120 ms */
#define GEN3_GEN4_EQ_PRESET_INIT 5
@@ -1627,15 +1632,14 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
data &= ~APPL_CTRL_LTSSM_EN;
writel(data, pcie->appl_base + APPL_CTRL);
- err = readl_poll_timeout_atomic(pcie->appl_base + APPL_DEBUG,
- data,
- ((data &
- APPL_DEBUG_LTSSM_STATE_MASK) >>
- APPL_DEBUG_LTSSM_STATE_SHIFT) ==
- LTSSM_STATE_PRE_DETECT,
- 1, LTSSM_TIMEOUT);
+ err = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, data,
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_PRE_DETECT_QUIET) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_WAIT),
+ LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (err)
- dev_info(pcie->dev, "Link didn't go to detect state\n");
+ dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", data, err);
}
/*
* DBI registers may not be accessible after this as PLL-E would be
@@ -1723,12 +1727,14 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
appl_writel(pcie, val, APPL_CTRL);
ret = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
- ((val & APPL_DEBUG_LTSSM_STATE_MASK) >>
- APPL_DEBUG_LTSSM_STATE_SHIFT) ==
- LTSSM_STATE_PRE_DETECT,
- 1, LTSSM_TIMEOUT);
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_PRE_DETECT_QUIET) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_WAIT) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_L2_IDLE),
+ LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (ret)
- dev_err(pcie->dev, "Failed to go Detect state: %d\n", ret);
+ dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", val, ret);
reset_control_assert(pcie->core_rst);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 158/508] PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 157/508] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 159/508] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0() Greg Kroah-Hartman
` (351 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 9fa0c242f8d7acf1b124d4462d18f4023573ac1c ]
After the link reaches a Detect-related LTSSM state, disable LTSSM so it
does not keep toggling between Polling and Detect. Do this by polling for
the Detect state first, then clearing APPL_CTRL_LTSSM_EN in both
tegra_pcie_dw_pme_turnoff() and pex_ep_event_pex_rst_assert().
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-4-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 29 ++++++++++++----------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index db5af8d32d18a..e79f77c3152da 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1624,14 +1624,6 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
data &= ~APPL_PINMUX_PEX_RST;
appl_writel(pcie, data, APPL_PINMUX);
- /*
- * Some cards do not go to detect state even after de-asserting
- * PERST#. So, de-assert LTSSM to bring link to detect state.
- */
- data = readl(pcie->appl_base + APPL_CTRL);
- data &= ~APPL_CTRL_LTSSM_EN;
- writel(data, pcie->appl_base + APPL_CTRL);
-
err = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, data,
((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
@@ -1640,6 +1632,14 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (err)
dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", data, err);
+
+ /*
+ * Deassert LTSSM state to stop the state toggling between
+ * Polling and Detect.
+ */
+ data = readl(pcie->appl_base + APPL_CTRL);
+ data &= ~APPL_CTRL_LTSSM_EN;
+ writel(data, pcie->appl_base + APPL_CTRL);
}
/*
* DBI registers may not be accessible after this as PLL-E would be
@@ -1721,11 +1721,6 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
if (pcie->ep_state == EP_STATE_DISABLED)
return;
- /* Disable LTSSM */
- val = appl_readl(pcie, APPL_CTRL);
- val &= ~APPL_CTRL_LTSSM_EN;
- appl_writel(pcie, val, APPL_CTRL);
-
ret = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
@@ -1736,6 +1731,14 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
if (ret)
dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", val, ret);
+ /*
+ * Deassert LTSSM state to stop the state toggling between
+ * Polling and Detect.
+ */
+ val = appl_readl(pcie, APPL_CTRL);
+ val &= ~APPL_CTRL_LTSSM_EN;
+ appl_writel(pcie, val, APPL_CTRL);
+
reset_control_assert(pcie->core_rst);
tegra_pcie_disable_phy(pcie);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 159/508] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 158/508] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 160/508] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
` (350 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Manivannan Sadhasivam, Bjorn Helgaas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit e1bd928479fb1fa60e9034b0fdb1ab9f3fa92f33 ]
In tegra_pcie_downstream_dev_to_D0(), PCI devices are transitioned to D0
state. For iterating over the devices, first the downstream bus of the Root
Port is searched from the root bus. But the name of the variable that holds
the Root Port downstream bus is named as 'root_bus', which is wrong.
Rename the variable to 'root_port_bus'. Also, move the comment on 'bringing
the devices to D0' to where the state is set exactly.
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20250922081057.15209-1-mani@kernel.org
Stable-dep-of: 71d9f67701e1 ("PCI: tegra194: Don't force the device into the D0 state before L2")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index e79f77c3152da..47421796cc147 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1291,7 +1291,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
{
struct dw_pcie_rp *pp = &pcie->pci.pp;
- struct pci_bus *child, *root_bus = NULL;
+ struct pci_bus *child, *root_port_bus = NULL;
struct pci_dev *pdev;
/*
@@ -1304,19 +1304,19 @@ static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
*/
list_for_each_entry(child, &pp->bridge->bus->children, node) {
- /* Bring downstream devices to D0 if they are not already in */
if (child->parent == pp->bridge->bus) {
- root_bus = child;
+ root_port_bus = child;
break;
}
}
- if (!root_bus) {
- dev_err(pcie->dev, "Failed to find downstream devices\n");
+ if (!root_port_bus) {
+ dev_err(pcie->dev, "Failed to find downstream bus of Root Port\n");
return;
}
- list_for_each_entry(pdev, &root_bus->devices, bus_list) {
+ /* Bring downstream devices to D0 if they are not already in */
+ list_for_each_entry(pdev, &root_port_bus->devices, bus_list) {
if (PCI_SLOT(pdev->devfn) == 0) {
if (pci_set_power_state(pdev, PCI_D0))
dev_err(pcie->dev,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 160/508] PCI: tegra194: Dont force the device into the D0 state before L2
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 159/508] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 161/508] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
` (349 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 71d9f67701e1affc82d18ca88ae798c5361beddf ]
As per PCIe CEM r6.0, sec 2.3, the PCIe Endpoint device should be in D3cold
to assert WAKE# pin. The previous workaround that forced downstream devices
to D0 before taking the link to L2 cited PCIe r4.0, sec 5.2, "Link State
Power Management"; however, that spec does not explicitly require putting
the device into D0 and only indicates that power removal may be initiated
without transitioning to D3hot.
Remove the D0 workaround so that Endpoint devices can use wake
functionality (WAKE# from D3). With some Endpoints the link may not enter
L2 when they remain in D3, but the Root Port continues with the usual flow
after PME timeout, so there is no functional issue.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-5-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 41 ----------------------
1 file changed, 41 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 47421796cc147..23c7c6e691b26 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1288,44 +1288,6 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
return 0;
}
-static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
-{
- struct dw_pcie_rp *pp = &pcie->pci.pp;
- struct pci_bus *child, *root_port_bus = NULL;
- struct pci_dev *pdev;
-
- /*
- * link doesn't go into L2 state with some of the endpoints with Tegra
- * if they are not in D0 state. So, need to make sure that immediate
- * downstream devices are in D0 state before sending PME_TurnOff to put
- * link into L2 state.
- * This is as per PCI Express Base r4.0 v1.0 September 27-2017,
- * 5.2 Link State Power Management (Page #428).
- */
-
- list_for_each_entry(child, &pp->bridge->bus->children, node) {
- if (child->parent == pp->bridge->bus) {
- root_port_bus = child;
- break;
- }
- }
-
- if (!root_port_bus) {
- dev_err(pcie->dev, "Failed to find downstream bus of Root Port\n");
- return;
- }
-
- /* Bring downstream devices to D0 if they are not already in */
- list_for_each_entry(pdev, &root_port_bus->devices, bus_list) {
- if (PCI_SLOT(pdev->devfn) == 0) {
- if (pci_set_power_state(pdev, PCI_D0))
- dev_err(pcie->dev,
- "Failed to transition %s to D0 state\n",
- dev_name(&pdev->dev));
- }
- }
-}
-
static int tegra_pcie_get_slot_regulators(struct tegra_pcie_dw *pcie)
{
pcie->slot_ctl_3v3 = devm_regulator_get_optional(pcie->dev, "vpcie3v3");
@@ -1655,7 +1617,6 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
static void tegra_pcie_deinit_controller(struct tegra_pcie_dw *pcie)
{
- tegra_pcie_downstream_dev_to_D0(pcie);
dw_pcie_host_deinit(&pcie->pci.pp);
tegra_pcie_dw_pme_turnoff(pcie);
tegra_pcie_unconfig_controller(pcie);
@@ -2373,7 +2334,6 @@ static int tegra_pcie_dw_suspend_noirq(struct device *dev)
if (!pcie->link_state)
return 0;
- tegra_pcie_downstream_dev_to_D0(pcie);
tegra_pcie_dw_pme_turnoff(pcie);
tegra_pcie_unconfig_controller(pcie);
@@ -2447,7 +2407,6 @@ static void tegra_pcie_dw_shutdown(struct platform_device *pdev)
return;
debugfs_remove_recursive(pcie->debugfs);
- tegra_pcie_downstream_dev_to_D0(pcie);
disable_irq(pcie->pci.pp.irq);
if (IS_ENABLED(CONFIG_PCI_MSI))
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 161/508] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 160/508] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 162/508] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
` (348 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 40658a31b6e134169c648041efc84944c4c71dcd ]
The PERST# GPIO interrupt is only registered when the controller is
operating in Endpoint mode. In Root Port mode, the PERST# GPIO is
configured as an output to control downstream devices, and no interrupt is
registered for it.
Currently, tegra_pcie_dw_stop_link() unconditionally calls disable_irq()
on pex_rst_irq, which causes issues in Root Port mode where this IRQ is
not registered.
Fix this by only disabling the PERST# IRQ when operating in Endpoint mode,
where the interrupt is actually registered and used to detect PERST#
assertion/deassertion from the host.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-6-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 23c7c6e691b26..ed0d12ab579d8 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1055,7 +1055,8 @@ static void tegra_pcie_dw_stop_link(struct dw_pcie *pci)
{
struct tegra_pcie_dw *pcie = to_tegra_pcie(pci);
- disable_irq(pcie->pex_rst_irq);
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ disable_irq(pcie->pex_rst_irq);
}
static const struct dw_pcie_ops tegra_dw_pcie_ops = {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 162/508] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 161/508] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 163/508] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
` (347 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit f62bc7917de1374dce86a852ffba8baf9cb7a56a ]
The GPIO DT property "nvidia,refclk-select", to select the PCIe reference
clock is optional. Use devm_gpiod_get_optional() to get it.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-7-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index ed0d12ab579d8..dba73a0ea4210 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1197,9 +1197,9 @@ static int tegra_pcie_dw_parse_dt(struct tegra_pcie_dw *pcie)
return err;
}
- pcie->pex_refclk_sel_gpiod = devm_gpiod_get(pcie->dev,
- "nvidia,refclk-select",
- GPIOD_OUT_HIGH);
+ pcie->pex_refclk_sel_gpiod = devm_gpiod_get_optional(pcie->dev,
+ "nvidia,refclk-select",
+ GPIOD_OUT_HIGH);
if (IS_ERR(pcie->pex_refclk_sel_gpiod)) {
int err = PTR_ERR(pcie->pex_refclk_sel_gpiod);
const char *level = KERN_ERR;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 163/508] PCI: tegra194: Disable direct speed change for Endpoint mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 162/508] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 164/508] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
` (346 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 976f6763f57970388bcd7118931f33f447916927 ]
Pre-silicon simulation showed the controller operating in Endpoint mode
initiating link speed change after completing Secondary Bus Reset. Ideally,
the Root Port or the Switch Downstream Port should initiate the link speed
change post SBR, not the Endpoint.
So, as per the hardware team recommendation, disable direct speed change
for the Endpoint mode to prevent it from initiating speed change after the
physical layer link is up at Gen1, leaving speed change ownership with the
host.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-8-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index dba73a0ea4210..b29d1edd4c9bd 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1839,6 +1839,10 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
reset_control_deassert(pcie->core_rst);
+ val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
+ val &= ~PORT_LOGIC_SPEED_CHANGE;
+ dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, val);
+
if (pcie->update_fc_fixup) {
val = dw_pcie_readl_dbi(pci, CFG_TIMER_CTRL_MAX_FUNC_NUM_OFF);
val |= 0x1 << CFG_TIMER_CTRL_ACK_NAK_SHIFT;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 164/508] PCI: tegra194: Allow system suspend when the Endpoint link is not up
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 163/508] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 165/508] PCI: tegra194: Use DWC IP core version Greg Kroah-Hartman
` (345 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit c76f8eae7d4695b1176c4ea5eb93c17e16a20272 ]
Host software initiates the L2 sequence. PCIe link is kept in L2 state
during suspend. If Endpoint mode is enabled and the link is up, the
software cannot proceed with suspend. However, when the PCIe Endpoint
driver is probed, but the PCIe link is not up, Tegra can go into suspend
state. So, allow system to suspend in this case.
Fixes: de2bbf2b71bb ("PCI: tegra194: Don't allow suspend when Tegra PCIe is in EP mode")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-10-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 31 +++++++++++++++++-----
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index b29d1edd4c9bd..cab6cd5b8f3cd 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -2307,16 +2307,28 @@ static void tegra_pcie_dw_remove(struct platform_device *pdev)
gpiod_set_value(pcie->pex_refclk_sel_gpiod, 0);
}
-static int tegra_pcie_dw_suspend_late(struct device *dev)
+static int tegra_pcie_dw_suspend(struct device *dev)
{
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
- u32 val;
if (pcie->of_data->mode == DW_PCIE_EP_TYPE) {
- dev_err(dev, "Failed to Suspend as Tegra PCIe is in EP mode\n");
- return -EPERM;
+ if (pcie->ep_state == EP_STATE_ENABLED) {
+ dev_err(dev, "Tegra PCIe is in EP mode, suspend not allowed\n");
+ return -EPERM;
+ }
+
+ disable_irq(pcie->pex_rst_irq);
+ return 0;
}
+ return 0;
+}
+
+static int tegra_pcie_dw_suspend_late(struct device *dev)
+{
+ struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
+ u32 val;
+
if (!pcie->link_state)
return 0;
@@ -2336,6 +2348,9 @@ static int tegra_pcie_dw_suspend_noirq(struct device *dev)
{
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ return 0;
+
if (!pcie->link_state)
return 0;
@@ -2350,6 +2365,9 @@ static int tegra_pcie_dw_resume_noirq(struct device *dev)
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
int ret;
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ return 0;
+
if (!pcie->link_state)
return 0;
@@ -2382,8 +2400,8 @@ static int tegra_pcie_dw_resume_early(struct device *dev)
u32 val;
if (pcie->of_data->mode == DW_PCIE_EP_TYPE) {
- dev_err(dev, "Suspend is not supported in EP mode");
- return -ENOTSUPP;
+ enable_irq(pcie->pex_rst_irq);
+ return 0;
}
if (!pcie->link_state)
@@ -2488,6 +2506,7 @@ static const struct of_device_id tegra_pcie_dw_of_match[] = {
};
static const struct dev_pm_ops tegra_pcie_dw_pm_ops = {
+ .suspend = tegra_pcie_dw_suspend,
.suspend_late = tegra_pcie_dw_suspend_late,
.suspend_noirq = tegra_pcie_dw_suspend_noirq,
.resume_noirq = tegra_pcie_dw_resume_noirq,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 165/508] PCI: tegra194: Use DWC IP core version
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 164/508] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 166/508] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well Greg Kroah-Hartman
` (344 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit ea60ca067f0f098043610c96a915d162113c1aac ]
Tegra194 PCIe driver used custom version numbers to detect Tegra194 and
Tegra234 IPs. With version detect logic added, version check results in
mismatch warnings:
tegra194-pcie 14100000.pcie: Versions don't match (0000562a != 3536322a)
Use HW version numbers which match to PORT_LOGIC.PCIE_VERSION_OFF in
Tegra194 driver to avoid these kernel warnings.
Fixes: a54e19073718 ("PCI: tegra194: Add Tegra234 PCIe support")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-12-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.h | 2 ++
drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
index fec9473869bce..1ffa31797a17c 100644
--- a/drivers/pci/controller/dwc/pcie-designware.h
+++ b/drivers/pci/controller/dwc/pcie-designware.h
@@ -31,8 +31,10 @@
#define DW_PCIE_VER_470A 0x3437302a
#define DW_PCIE_VER_480A 0x3438302a
#define DW_PCIE_VER_490A 0x3439302a
+#define DW_PCIE_VER_500A 0x3530302a
#define DW_PCIE_VER_520A 0x3532302a
#define DW_PCIE_VER_540A 0x3534302a
+#define DW_PCIE_VER_562A 0x3536322a
#define __dw_pcie_ver_cmp(_pci, _ver, _op) \
((_pci)->version _op DW_PCIE_VER_ ## _ver)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index cab6cd5b8f3cd..89109e380635c 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -37,8 +37,8 @@
#include <soc/tegra/bpmp-abi.h>
#include "../../pci.h"
-#define TEGRA194_DWC_IP_VER 0x490A
-#define TEGRA234_DWC_IP_VER 0x562A
+#define TEGRA194_DWC_IP_VER DW_PCIE_VER_500A
+#define TEGRA234_DWC_IP_VER DW_PCIE_VER_562A
#define APPL_PINMUX 0x0
#define APPL_PINMUX_PEX_RST BIT(0)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 166/508] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 165/508] PCI: tegra194: Use DWC IP core version Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 167/508] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
` (343 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 40805f32dceadebb7381d911003100bec7b8cd51 ]
The ECRC (TLP digest) workaround was originally added for DesignWare
version 4.90a. Tegra234 SoC has 5.00a DWC HW version, which has the same
ATU TD override behaviour, so apply the workaround for 5.00a too.
Fixes: a54e19073718 ("PCI: tegra194: Add Tegra234 PCIe support")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-13-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
index 46b12e157bebe..504450a8b6a45 100644
--- a/drivers/pci/controller/dwc/pcie-designware.c
+++ b/drivers/pci/controller/dwc/pcie-designware.c
@@ -426,13 +426,13 @@ static inline void dw_pcie_writel_atu_ob(struct dw_pcie *pci, u32 index, u32 reg
static inline u32 dw_pcie_enable_ecrc(u32 val)
{
/*
- * DesignWare core version 4.90A has a design issue where the 'TD'
- * bit in the Control register-1 of the ATU outbound region acts
- * like an override for the ECRC setting, i.e., the presence of TLP
- * Digest (ECRC) in the outgoing TLPs is solely determined by this
- * bit. This is contrary to the PCIe spec which says that the
- * enablement of the ECRC is solely determined by the AER
- * registers.
+ * DWC versions 0x3530302a and 0x3536322a have a design issue where
+ * the 'TD' bit in the Control register-1 of the ATU outbound
+ * region acts like an override for the ECRC setting, i.e., the
+ * presence of TLP Digest (ECRC) in the outgoing TLPs is solely
+ * determined by this bit. This is contrary to the PCIe spec which
+ * says that the enablement of the ECRC is solely determined by the
+ * AER registers.
*
* Because of this, even when the ECRC is enabled through AER
* registers, the transactions going through ATU won't have TLP
@@ -502,7 +502,7 @@ static int __dw_pcie_prog_outbound_atu(struct dw_pcie *pci, u8 func_no,
if (upper_32_bits(limit_addr) > upper_32_bits(cpu_addr) &&
dw_pcie_ver_is_ge(pci, 460A))
val |= PCIE_ATU_INCREASE_REGION_SIZE;
- if (dw_pcie_ver_is(pci, 490A))
+ if (dw_pcie_ver_is(pci, 490A) || dw_pcie_ver_is(pci, 500A))
val = dw_pcie_enable_ecrc(val);
dw_pcie_writel_atu_ob(pci, index, PCIE_ATU_REGION_CTRL1, val);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 167/508] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 166/508] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 168/508] ALSA: sc6000: Use standard print API Greg Kroah-Hartman
` (342 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit ab00febad191d7a4400aa1c3468279fb508258d4 ]
mtk_snand_probe() registers the on-host NAND ECC engine, but teardown was
missing from both probe unwind and remove-time cleanup. Add a devm cleanup
action after successful registration so
nand_ecc_unregister_on_host_hw_engine() runs automatically on probe
failures and during device removal.
Fixes: 764f1b748164 ("spi: add driver for MTK SPI NAND Flash Interface")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/20263f885f1a9c9d559f95275298cd6de4b11ed5.1775546401.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-mtk-snfi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/spi/spi-mtk-snfi.c b/drivers/spi/spi-mtk-snfi.c
index 4433a8a9299f6..22f3b22d77ad8 100644
--- a/drivers/spi/spi-mtk-snfi.c
+++ b/drivers/spi/spi-mtk-snfi.c
@@ -1307,6 +1307,13 @@ static const struct spi_controller_mem_caps mtk_snand_mem_caps = {
.ecc = true,
};
+static void mtk_unregister_ecc_engine(void *data)
+{
+ struct nand_ecc_engine *eng = data;
+
+ nand_ecc_unregister_on_host_hw_engine(eng);
+}
+
static irqreturn_t mtk_snand_irq(int irq, void *id)
{
struct mtk_snand *snf = id;
@@ -1487,6 +1494,13 @@ static int mtk_snand_probe(struct platform_device *pdev)
goto disable_clk;
}
+ ret = devm_add_action_or_reset(&pdev->dev, mtk_unregister_ecc_engine,
+ &ms->ecc_eng);
+ if (ret) {
+ dev_err_probe(&pdev->dev, ret, "failed to add ECC unregister action\n");
+ goto release_ecc;
+ }
+
ctlr->num_chipselect = 1;
ctlr->mem_ops = &mtk_snand_mem_ops;
ctlr->mem_caps = &mtk_snand_mem_caps;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 168/508] ALSA: sc6000: Use standard print API
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 167/508] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 169/508] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
` (341 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaroslav Kysela, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit e7c475b92043c02c3e6cd0c20e308fbb6f03ebde ]
Use the standard print API with dev_*() instead of the old house-baked
one. It gives better information and allows dynamically control of
debug prints.
Some functions are changed to receive a device pointer to be passed to
dev_*() calls.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20240807133452.9424-34-tiwai@suse.de
Stable-dep-of: fb79bf127ac2 ("ALSA: sc6000: Keep the programmed board state in card-private data")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/isa/sc6000.c | 177 +++++++++++++++++++++++----------------------
1 file changed, 90 insertions(+), 87 deletions(-)
diff --git a/sound/isa/sc6000.c b/sound/isa/sc6000.c
index 60398fced046b..3115c32b4061b 100644
--- a/sound/isa/sc6000.c
+++ b/sound/isa/sc6000.c
@@ -204,7 +204,7 @@ static int sc6000_read(char __iomem *vport)
}
-static int sc6000_write(char __iomem *vport, int cmd)
+static int sc6000_write(struct device *devptr, char __iomem *vport, int cmd)
{
unsigned char val;
int loop = 500000;
@@ -221,18 +221,19 @@ static int sc6000_write(char __iomem *vport, int cmd)
cpu_relax();
} while (loop--);
- snd_printk(KERN_ERR "DSP Command (0x%x) timeout.\n", cmd);
+ dev_err(devptr, "DSP Command (0x%x) timeout.\n", cmd);
return -EIO;
}
-static int sc6000_dsp_get_answer(char __iomem *vport, int command,
+static int sc6000_dsp_get_answer(struct device *devptr,
+ char __iomem *vport, int command,
char *data, int data_len)
{
int len = 0;
- if (sc6000_write(vport, command)) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", command);
+ if (sc6000_write(devptr, vport, command)) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", command);
return -EIO;
}
@@ -265,82 +266,86 @@ static int sc6000_dsp_reset(char __iomem *vport)
}
/* detection and initialization */
-static int sc6000_hw_cfg_write(char __iomem *vport, const int *cfg)
+static int sc6000_hw_cfg_write(struct device *devptr,
+ char __iomem *vport, const int *cfg)
{
- if (sc6000_write(vport, COMMAND_6C) < 0) {
- snd_printk(KERN_WARNING "CMD 0x%x: failed!\n", COMMAND_6C);
+ if (sc6000_write(devptr, vport, COMMAND_6C) < 0) {
+ dev_warn(devptr, "CMD 0x%x: failed!\n", COMMAND_6C);
return -EIO;
}
- if (sc6000_write(vport, COMMAND_5C) < 0) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", COMMAND_5C);
+ if (sc6000_write(devptr, vport, COMMAND_5C) < 0) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", COMMAND_5C);
return -EIO;
}
- if (sc6000_write(vport, cfg[0]) < 0) {
- snd_printk(KERN_ERR "DATA 0x%x: failed!\n", cfg[0]);
+ if (sc6000_write(devptr, vport, cfg[0]) < 0) {
+ dev_err(devptr, "DATA 0x%x: failed!\n", cfg[0]);
return -EIO;
}
- if (sc6000_write(vport, cfg[1]) < 0) {
- snd_printk(KERN_ERR "DATA 0x%x: failed!\n", cfg[1]);
+ if (sc6000_write(devptr, vport, cfg[1]) < 0) {
+ dev_err(devptr, "DATA 0x%x: failed!\n", cfg[1]);
return -EIO;
}
- if (sc6000_write(vport, COMMAND_C5) < 0) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", COMMAND_C5);
+ if (sc6000_write(devptr, vport, COMMAND_C5) < 0) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", COMMAND_C5);
return -EIO;
}
return 0;
}
-static int sc6000_cfg_write(char __iomem *vport, unsigned char softcfg)
+static int sc6000_cfg_write(struct device *devptr,
+ char __iomem *vport, unsigned char softcfg)
{
- if (sc6000_write(vport, WRITE_MDIRQ_CFG)) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n", WRITE_MDIRQ_CFG);
+ if (sc6000_write(devptr, vport, WRITE_MDIRQ_CFG)) {
+ dev_err(devptr, "CMD 0x%x: failed!\n", WRITE_MDIRQ_CFG);
return -EIO;
}
- if (sc6000_write(vport, softcfg)) {
- snd_printk(KERN_ERR "sc6000_cfg_write: failed!\n");
+ if (sc6000_write(devptr, vport, softcfg)) {
+ dev_err(devptr, "%s: failed!\n", __func__);
return -EIO;
}
return 0;
}
-static int sc6000_setup_board(char __iomem *vport, int config)
+static int sc6000_setup_board(struct device *devptr,
+ char __iomem *vport, int config)
{
int loop = 10;
do {
- if (sc6000_write(vport, COMMAND_88)) {
- snd_printk(KERN_ERR "CMD 0x%x: failed!\n",
- COMMAND_88);
+ if (sc6000_write(devptr, vport, COMMAND_88)) {
+ dev_err(devptr, "CMD 0x%x: failed!\n",
+ COMMAND_88);
return -EIO;
}
} while ((sc6000_wait_data(vport) < 0) && loop--);
if (sc6000_read(vport) < 0) {
- snd_printk(KERN_ERR "sc6000_read after CMD 0x%x: failed\n",
- COMMAND_88);
+ dev_err(devptr, "sc6000_read after CMD 0x%x: failed\n",
+ COMMAND_88);
return -EIO;
}
- if (sc6000_cfg_write(vport, config))
+ if (sc6000_cfg_write(devptr, vport, config))
return -ENODEV;
return 0;
}
-static int sc6000_init_mss(char __iomem *vport, int config,
+static int sc6000_init_mss(struct device *devptr,
+ char __iomem *vport, int config,
char __iomem *vmss_port, int mss_config)
{
- if (sc6000_write(vport, DSP_INIT_MSS)) {
- snd_printk(KERN_ERR "sc6000_init_mss [0x%x]: failed!\n",
- DSP_INIT_MSS);
+ if (sc6000_write(devptr, vport, DSP_INIT_MSS)) {
+ dev_err(devptr, "%s [0x%x]: failed!\n", __func__,
+ DSP_INIT_MSS);
return -EIO;
}
msleep(10);
- if (sc6000_cfg_write(vport, config))
+ if (sc6000_cfg_write(devptr, vport, config))
return -EIO;
iowrite8(mss_config, vmss_port);
@@ -348,7 +353,8 @@ static int sc6000_init_mss(char __iomem *vport, int config,
return 0;
}
-static void sc6000_hw_cfg_encode(char __iomem *vport, int *cfg,
+static void sc6000_hw_cfg_encode(struct device *devptr,
+ char __iomem *vport, int *cfg,
long xport, long xmpu,
long xmss_port, int joystick)
{
@@ -367,10 +373,11 @@ static void sc6000_hw_cfg_encode(char __iomem *vport, int *cfg,
cfg[0] |= 0x02;
cfg[1] |= 0x80; /* enable WSS system */
cfg[1] &= ~0x40; /* disable IDE */
- snd_printd("hw cfg %x, %x\n", cfg[0], cfg[1]);
+ dev_dbg(devptr, "hw cfg %x, %x\n", cfg[0], cfg[1]);
}
-static int sc6000_init_board(char __iomem *vport,
+static int sc6000_init_board(struct device *devptr,
+ char __iomem *vport,
char __iomem *vmss_port, int dev)
{
char answer[15];
@@ -384,14 +391,14 @@ static int sc6000_init_board(char __iomem *vport,
err = sc6000_dsp_reset(vport);
if (err < 0) {
- snd_printk(KERN_ERR "sc6000_dsp_reset: failed!\n");
+ dev_err(devptr, "sc6000_dsp_reset: failed!\n");
return err;
}
memset(answer, 0, sizeof(answer));
- err = sc6000_dsp_get_answer(vport, GET_DSP_COPYRIGHT, answer, 15);
+ err = sc6000_dsp_get_answer(devptr, vport, GET_DSP_COPYRIGHT, answer, 15);
if (err <= 0) {
- snd_printk(KERN_ERR "sc6000_dsp_copyright: failed!\n");
+ dev_err(devptr, "sc6000_dsp_copyright: failed!\n");
return -ENODEV;
}
/*
@@ -399,52 +406,52 @@ static int sc6000_init_board(char __iomem *vport,
* if we have something different, we have to be warned.
*/
if (strncmp("SC-6000", answer, 7))
- snd_printk(KERN_WARNING "Warning: non SC-6000 audio card!\n");
+ dev_warn(devptr, "Warning: non SC-6000 audio card!\n");
- if (sc6000_dsp_get_answer(vport, GET_DSP_VERSION, version, 2) < 2) {
- snd_printk(KERN_ERR "sc6000_dsp_version: failed!\n");
+ if (sc6000_dsp_get_answer(devptr, vport, GET_DSP_VERSION, version, 2) < 2) {
+ dev_err(devptr, "sc6000_dsp_version: failed!\n");
return -ENODEV;
}
- printk(KERN_INFO PFX "Detected model: %s, DSP version %d.%d\n",
+ dev_info(devptr, "Detected model: %s, DSP version %d.%d\n",
answer, version[0], version[1]);
/* set configuration */
- sc6000_write(vport, COMMAND_5C);
+ sc6000_write(devptr, vport, COMMAND_5C);
if (sc6000_read(vport) < 0)
old = 1;
if (!old) {
int cfg[2];
- sc6000_hw_cfg_encode(vport, &cfg[0], port[dev], mpu_port[dev],
+ sc6000_hw_cfg_encode(devptr,
+ vport, &cfg[0], port[dev], mpu_port[dev],
mss_port[dev], joystick[dev]);
- if (sc6000_hw_cfg_write(vport, cfg) < 0) {
- snd_printk(KERN_ERR "sc6000_hw_cfg_write: failed!\n");
+ if (sc6000_hw_cfg_write(devptr, vport, cfg) < 0) {
+ dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
return -EIO;
}
}
- err = sc6000_setup_board(vport, config);
+ err = sc6000_setup_board(devptr, vport, config);
if (err < 0) {
- snd_printk(KERN_ERR "sc6000_setup_board: failed!\n");
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
return -ENODEV;
}
sc6000_dsp_reset(vport);
if (!old) {
- sc6000_write(vport, COMMAND_60);
- sc6000_write(vport, 0x02);
+ sc6000_write(devptr, vport, COMMAND_60);
+ sc6000_write(devptr, vport, 0x02);
sc6000_dsp_reset(vport);
}
- err = sc6000_setup_board(vport, config);
+ err = sc6000_setup_board(devptr, vport, config);
if (err < 0) {
- snd_printk(KERN_ERR "sc6000_setup_board: failed!\n");
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
return -ENODEV;
}
- err = sc6000_init_mss(vport, config, vmss_port, mss_config);
+ err = sc6000_init_mss(devptr, vport, config, vmss_port, mss_config);
if (err < 0) {
- snd_printk(KERN_ERR "Cannot initialize "
- "Microsoft Sound System mode.\n");
+ dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
return -ENODEV;
}
@@ -491,39 +498,39 @@ static int snd_sc6000_match(struct device *devptr, unsigned int dev)
if (!enable[dev])
return 0;
if (port[dev] == SNDRV_AUTO_PORT) {
- printk(KERN_ERR PFX "specify IO port\n");
+ dev_err(devptr, "specify IO port\n");
return 0;
}
if (mss_port[dev] == SNDRV_AUTO_PORT) {
- printk(KERN_ERR PFX "specify MSS port\n");
+ dev_err(devptr, "specify MSS port\n");
return 0;
}
if (port[dev] != 0x220 && port[dev] != 0x240) {
- printk(KERN_ERR PFX "Port must be 0x220 or 0x240\n");
+ dev_err(devptr, "Port must be 0x220 or 0x240\n");
return 0;
}
if (mss_port[dev] != 0x530 && mss_port[dev] != 0xe80) {
- printk(KERN_ERR PFX "MSS port must be 0x530 or 0xe80\n");
+ dev_err(devptr, "MSS port must be 0x530 or 0xe80\n");
return 0;
}
if (irq[dev] != SNDRV_AUTO_IRQ && !sc6000_irq_to_softcfg(irq[dev])) {
- printk(KERN_ERR PFX "invalid IRQ %d\n", irq[dev]);
+ dev_err(devptr, "invalid IRQ %d\n", irq[dev]);
return 0;
}
if (dma[dev] != SNDRV_AUTO_DMA && !sc6000_dma_to_softcfg(dma[dev])) {
- printk(KERN_ERR PFX "invalid DMA %d\n", dma[dev]);
+ dev_err(devptr, "invalid DMA %d\n", dma[dev]);
return 0;
}
if (mpu_port[dev] != SNDRV_AUTO_PORT &&
(mpu_port[dev] & ~0x30L) != 0x300) {
- printk(KERN_ERR PFX "invalid MPU-401 port %lx\n",
+ dev_err(devptr, "invalid MPU-401 port %lx\n",
mpu_port[dev]);
return 0;
}
if (mpu_port[dev] != SNDRV_AUTO_PORT &&
mpu_irq[dev] != SNDRV_AUTO_IRQ && mpu_irq[dev] != 0 &&
!sc6000_mpu_irq_to_softcfg(mpu_irq[dev])) {
- printk(KERN_ERR PFX "invalid MPU-401 IRQ %d\n", mpu_irq[dev]);
+ dev_err(devptr, "invalid MPU-401 IRQ %d\n", mpu_irq[dev]);
return 0;
}
return 1;
@@ -534,7 +541,7 @@ static void snd_sc6000_free(struct snd_card *card)
char __iomem *vport = (char __force __iomem *)card->private_data;
if (vport)
- sc6000_setup_board(vport, 0);
+ sc6000_setup_board(card->dev, vport, 0);
}
static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
@@ -558,7 +565,7 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
if (xirq == SNDRV_AUTO_IRQ) {
xirq = snd_legacy_find_free_irq(possible_irqs);
if (xirq < 0) {
- snd_printk(KERN_ERR PFX "unable to find a free IRQ\n");
+ dev_err(devptr, "unable to find a free IRQ\n");
return -EBUSY;
}
}
@@ -566,42 +573,39 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
if (xdma == SNDRV_AUTO_DMA) {
xdma = snd_legacy_find_free_dma(possible_dmas);
if (xdma < 0) {
- snd_printk(KERN_ERR PFX "unable to find a free DMA\n");
+ dev_err(devptr, "unable to find a free DMA\n");
return -EBUSY;
}
}
if (!devm_request_region(devptr, port[dev], 0x10, DRV_NAME)) {
- snd_printk(KERN_ERR PFX
- "I/O port region is already in use.\n");
+ dev_err(devptr, "I/O port region is already in use.\n");
return -EBUSY;
}
vport = devm_ioport_map(devptr, port[dev], 0x10);
if (!vport) {
- snd_printk(KERN_ERR PFX
- "I/O port cannot be iomapped.\n");
+ dev_err(devptr, "I/O port cannot be iomapped.\n");
return -EBUSY;
}
card->private_data = (void __force *)vport;
/* to make it marked as used */
if (!devm_request_region(devptr, mss_port[dev], 4, DRV_NAME)) {
- snd_printk(KERN_ERR PFX
- "SC-6000 port I/O port region is already in use.\n");
+ dev_err(devptr,
+ "SC-6000 port I/O port region is already in use.\n");
return -EBUSY;
}
vmss_port = devm_ioport_map(devptr, mss_port[dev], 4);
if (!vmss_port) {
- snd_printk(KERN_ERR PFX
- "MSS port I/O cannot be iomapped.\n");
+ dev_err(devptr, "MSS port I/O cannot be iomapped.\n");
return -EBUSY;
}
- snd_printd("Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
- port[dev], xirq, xdma,
- mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
+ dev_dbg(devptr, "Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
+ port[dev], xirq, xdma,
+ mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
- err = sc6000_init_board(vport, vmss_port, dev);
+ err = sc6000_init_board(devptr, vport, vmss_port, dev);
if (err < 0)
return err;
card->private_free = snd_sc6000_free;
@@ -613,25 +617,24 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
err = snd_wss_pcm(chip, 0);
if (err < 0) {
- snd_printk(KERN_ERR PFX
- "error creating new WSS PCM device\n");
+ dev_err(devptr, "error creating new WSS PCM device\n");
return err;
}
err = snd_wss_mixer(chip);
if (err < 0) {
- snd_printk(KERN_ERR PFX "error creating new WSS mixer\n");
+ dev_err(devptr, "error creating new WSS mixer\n");
return err;
}
err = snd_sc6000_mixer(chip);
if (err < 0) {
- snd_printk(KERN_ERR PFX "the mixer rewrite failed\n");
+ dev_err(devptr, "the mixer rewrite failed\n");
return err;
}
if (snd_opl3_create(card,
0x388, 0x388 + 2,
OPL3_HW_AUTO, 0, &opl3) < 0) {
- snd_printk(KERN_ERR PFX "no OPL device at 0x%x-0x%x ?\n",
- 0x388, 0x388 + 2);
+ dev_err(devptr, "no OPL device at 0x%x-0x%x ?\n",
+ 0x388, 0x388 + 2);
} else {
err = snd_opl3_hwdep_new(opl3, 0, 1, NULL);
if (err < 0)
@@ -645,8 +648,8 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
MPU401_HW_MPU401,
mpu_port[dev], 0,
mpu_irq[dev], NULL) < 0)
- snd_printk(KERN_ERR "no MPU-401 device at 0x%lx ?\n",
- mpu_port[dev]);
+ dev_err(devptr, "no MPU-401 device at 0x%lx ?\n",
+ mpu_port[dev]);
}
strcpy(card->driver, DRV_NAME);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 169/508] ALSA: sc6000: Keep the programmed board state in card-private data
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 168/508] ALSA: sc6000: Use standard print API Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 170/508] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
` (340 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit fb79bf127ac2577b4876132da6dba768018aad4c ]
The driver may auto-select IRQ and DMA resources at probe time, but
sc6000_init_board() still derives the SC-6000 soft configuration from
the module parameter arrays. When irq=auto or dma=auto is used, the
codec is created with the selected resources while the board is
programmed with the unresolved values.
Store the mapped ports and generated SC-6000 board configuration in
card-private data, build that configuration from the live probe
results instead of the raw module parameters, and keep the probe-time
board programming in a shared helper.
This fixes the resource-programming mismatch and leaves the driver
with a stable board-state block that can be reused by suspend/resume.
Fixes: c282866101bf ("ALSA: sc6000: add support for SC-6600 and SC-7000")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260410-alsa-sc6000-pm-v1-1-4d9e95493d26@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/isa/sc6000.c | 152 +++++++++++++++++++++++++++------------------
1 file changed, 92 insertions(+), 60 deletions(-)
diff --git a/sound/isa/sc6000.c b/sound/isa/sc6000.c
index 3115c32b4061b..4066b68a102e2 100644
--- a/sound/isa/sc6000.c
+++ b/sound/isa/sc6000.c
@@ -100,6 +100,15 @@ MODULE_PARM_DESC(joystick, "Enable gameport.");
#define PFX "sc6000: "
#define DRV_NAME "SC-6000"
+struct snd_sc6000 {
+ char __iomem *vport;
+ char __iomem *vmss_port;
+ u8 mss_config;
+ u8 config;
+ u8 hw_cfg[2];
+ bool old_dsp;
+};
+
/* hardware dependent functions */
/*
@@ -267,7 +276,7 @@ static int sc6000_dsp_reset(char __iomem *vport)
/* detection and initialization */
static int sc6000_hw_cfg_write(struct device *devptr,
- char __iomem *vport, const int *cfg)
+ char __iomem *vport, const u8 *cfg)
{
if (sc6000_write(devptr, vport, COMMAND_6C) < 0) {
dev_warn(devptr, "CMD 0x%x: failed!\n", COMMAND_6C);
@@ -353,8 +362,7 @@ static int sc6000_init_mss(struct device *devptr,
return 0;
}
-static void sc6000_hw_cfg_encode(struct device *devptr,
- char __iomem *vport, int *cfg,
+static void sc6000_hw_cfg_encode(struct device *devptr, u8 *cfg,
long xport, long xmpu,
long xmss_port, int joystick)
{
@@ -376,27 +384,83 @@ static void sc6000_hw_cfg_encode(struct device *devptr,
dev_dbg(devptr, "hw cfg %x, %x\n", cfg[0], cfg[1]);
}
-static int sc6000_init_board(struct device *devptr,
- char __iomem *vport,
- char __iomem *vmss_port, int dev)
+static void sc6000_prepare_board(struct device *devptr,
+ struct snd_sc6000 *sc6000,
+ unsigned int dev, int xirq, int xdma)
+{
+ sc6000->mss_config = sc6000_irq_to_softcfg(xirq) |
+ sc6000_dma_to_softcfg(xdma);
+ sc6000->config = sc6000->mss_config |
+ sc6000_mpu_irq_to_softcfg(mpu_irq[dev]);
+ sc6000_hw_cfg_encode(devptr, sc6000->hw_cfg, port[dev], mpu_port[dev],
+ mss_port[dev], joystick[dev]);
+}
+
+static void sc6000_detect_old_dsp(struct device *devptr,
+ struct snd_sc6000 *sc6000)
+{
+ sc6000_write(devptr, sc6000->vport, COMMAND_5C);
+ sc6000->old_dsp = sc6000_read(sc6000->vport) < 0;
+}
+
+static int sc6000_program_board(struct device *devptr,
+ struct snd_sc6000 *sc6000)
+{
+ int err;
+
+ if (!sc6000->old_dsp) {
+ if (sc6000_hw_cfg_write(devptr, sc6000->vport,
+ sc6000->hw_cfg) < 0) {
+ dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
+ return -EIO;
+ }
+ }
+
+ err = sc6000_setup_board(devptr, sc6000->vport, sc6000->config);
+ if (err < 0) {
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
+ return -ENODEV;
+ }
+
+ sc6000_dsp_reset(sc6000->vport);
+
+ if (!sc6000->old_dsp) {
+ sc6000_write(devptr, sc6000->vport, COMMAND_60);
+ sc6000_write(devptr, sc6000->vport, 0x02);
+ sc6000_dsp_reset(sc6000->vport);
+ }
+
+ err = sc6000_setup_board(devptr, sc6000->vport, sc6000->config);
+ if (err < 0) {
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
+ return -ENODEV;
+ }
+
+ err = sc6000_init_mss(devptr, sc6000->vport, sc6000->config,
+ sc6000->vmss_port, sc6000->mss_config);
+ if (err < 0) {
+ dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
+ return -ENODEV;
+ }
+
+ return 0;
+}
+
+static int sc6000_init_board(struct device *devptr, struct snd_sc6000 *sc6000)
{
char answer[15];
char version[2];
- int mss_config = sc6000_irq_to_softcfg(irq[dev]) |
- sc6000_dma_to_softcfg(dma[dev]);
- int config = mss_config |
- sc6000_mpu_irq_to_softcfg(mpu_irq[dev]);
int err;
- int old = 0;
- err = sc6000_dsp_reset(vport);
+ err = sc6000_dsp_reset(sc6000->vport);
if (err < 0) {
dev_err(devptr, "sc6000_dsp_reset: failed!\n");
return err;
}
memset(answer, 0, sizeof(answer));
- err = sc6000_dsp_get_answer(devptr, vport, GET_DSP_COPYRIGHT, answer, 15);
+ err = sc6000_dsp_get_answer(devptr, sc6000->vport, GET_DSP_COPYRIGHT,
+ answer, 15);
if (err <= 0) {
dev_err(devptr, "sc6000_dsp_copyright: failed!\n");
return -ENODEV;
@@ -408,54 +472,17 @@ static int sc6000_init_board(struct device *devptr,
if (strncmp("SC-6000", answer, 7))
dev_warn(devptr, "Warning: non SC-6000 audio card!\n");
- if (sc6000_dsp_get_answer(devptr, vport, GET_DSP_VERSION, version, 2) < 2) {
+ if (sc6000_dsp_get_answer(devptr, sc6000->vport,
+ GET_DSP_VERSION, version, 2) < 2) {
dev_err(devptr, "sc6000_dsp_version: failed!\n");
return -ENODEV;
}
dev_info(devptr, "Detected model: %s, DSP version %d.%d\n",
answer, version[0], version[1]);
- /* set configuration */
- sc6000_write(devptr, vport, COMMAND_5C);
- if (sc6000_read(vport) < 0)
- old = 1;
-
- if (!old) {
- int cfg[2];
- sc6000_hw_cfg_encode(devptr,
- vport, &cfg[0], port[dev], mpu_port[dev],
- mss_port[dev], joystick[dev]);
- if (sc6000_hw_cfg_write(devptr, vport, cfg) < 0) {
- dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
- return -EIO;
- }
- }
- err = sc6000_setup_board(devptr, vport, config);
- if (err < 0) {
- dev_err(devptr, "sc6000_setup_board: failed!\n");
- return -ENODEV;
- }
-
- sc6000_dsp_reset(vport);
-
- if (!old) {
- sc6000_write(devptr, vport, COMMAND_60);
- sc6000_write(devptr, vport, 0x02);
- sc6000_dsp_reset(vport);
- }
+ sc6000_detect_old_dsp(devptr, sc6000);
- err = sc6000_setup_board(devptr, vport, config);
- if (err < 0) {
- dev_err(devptr, "sc6000_setup_board: failed!\n");
- return -ENODEV;
- }
- err = sc6000_init_mss(devptr, vport, config, vmss_port, mss_config);
- if (err < 0) {
- dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
- return -ENODEV;
- }
-
- return 0;
+ return sc6000_program_board(devptr, sc6000);
}
static int snd_sc6000_mixer(struct snd_wss *chip)
@@ -538,10 +565,10 @@ static int snd_sc6000_match(struct device *devptr, unsigned int dev)
static void snd_sc6000_free(struct snd_card *card)
{
- char __iomem *vport = (char __force __iomem *)card->private_data;
+ struct snd_sc6000 *sc6000 = card->private_data;
- if (vport)
- sc6000_setup_board(card->dev, vport, 0);
+ if (sc6000->vport)
+ sc6000_setup_board(card->dev, sc6000->vport, 0);
}
static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
@@ -552,15 +579,17 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
int xirq = irq[dev];
int xdma = dma[dev];
struct snd_card *card;
+ struct snd_sc6000 *sc6000;
struct snd_wss *chip;
struct snd_opl3 *opl3;
char __iomem *vport;
char __iomem *vmss_port;
err = snd_devm_card_new(devptr, index[dev], id[dev], THIS_MODULE,
- 0, &card);
+ sizeof(*sc6000), &card);
if (err < 0)
return err;
+ sc6000 = card->private_data;
if (xirq == SNDRV_AUTO_IRQ) {
xirq = snd_legacy_find_free_irq(possible_irqs);
@@ -587,7 +616,7 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
dev_err(devptr, "I/O port cannot be iomapped.\n");
return -EBUSY;
}
- card->private_data = (void __force *)vport;
+ sc6000->vport = vport;
/* to make it marked as used */
if (!devm_request_region(devptr, mss_port[dev], 4, DRV_NAME)) {
@@ -600,12 +629,15 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
dev_err(devptr, "MSS port I/O cannot be iomapped.\n");
return -EBUSY;
}
+ sc6000->vmss_port = vmss_port;
dev_dbg(devptr, "Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
port[dev], xirq, xdma,
mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
- err = sc6000_init_board(devptr, vport, vmss_port, dev);
+ sc6000_prepare_board(devptr, sc6000, dev, xirq, xdma);
+
+ err = sc6000_init_board(devptr, sc6000);
if (err < 0)
return err;
card->private_free = snd_sc6000_free;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 170/508] dm cache: fix missing return in invalidate_committeds error path
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 169/508] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 171/508] crypto: jitterentropy - replace long-held spinlock with mutex Greg Kroah-Hartman
` (339 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ming-Hung Tsai,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 8c0ee19db81f0fa1ff25fd75b22b17c0cc2acde3 ]
In passthrough mode, dm-cache defers write submission until after
metadata commit completes via the invalidate_committed() continuation.
On commit error, invalidate_committed() calls invalidate_complete() to
end the bio and free the migration struct, after which it should return
immediately.
The patch 4ca8b8bd952d ("dm cache: fix write hang in passthrough mode")
omitted this early return, causing execution to fall through into the
success path on error. This results in use-after-free on the migration
struct in the subsequent calls.
Fix by adding the missing return after the invalidate_complete() call.
Fixes: 4ca8b8bd952d ("dm cache: fix write hang in passthrough mode")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/dm-devel/adjMq6T5RRjv_uxM@stanley.mountain/
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 8db906ea3bef0..5522f8e9443f2 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1523,8 +1523,10 @@ static void invalidate_committed(struct work_struct *ws)
struct bio *bio = mg->overwrite_bio;
struct per_bio_data *pb = get_per_bio_data(bio);
- if (mg->k.input)
+ if (mg->k.input) {
invalidate_complete(mg, false);
+ return;
+ }
init_continuation(&mg->k, invalidate_completed);
remap_to_origin_clear_discard(cache, bio, mg->invalidate_oblock);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 171/508] crypto: jitterentropy - replace long-held spinlock with mutex
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 170/508] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 172/508] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
` (338 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Haixin Xu, Stephan Mueller, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haixin Xu <jerryxucs@gmail.com>
[ Upstream commit 01d798e9feb30212952d4e992801ba6bd6a82351 ]
jent_kcapi_random() serializes the shared jitterentropy state, but it
currently holds a spinlock across the jent_read_entropy() call. That
path performs expensive jitter collection and SHA3 conditioning, so
parallel readers can trigger stalls as contending waiters spin for
the same lock.
To prevent non-preemptible lock hold, replace rng->jent_lock with a
mutex so contended readers sleep instead of spinning on a shared lock
held across expensive entropy generation.
Fixes: bb5530e40824 ("crypto: jitterentropy - add jitterentropy RNG")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Haixin Xu <jerryxucs@gmail.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/jitterentropy-kcapi.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index dd05faf00571f..8ae5245081f6a 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -42,6 +42,7 @@
#include <linux/fips.h>
#include <linux/kernel.h>
#include <linux/module.h>
+#include <linux/mutex.h>
#include <linux/slab.h>
#include <linux/time.h>
#include <crypto/internal/rng.h>
@@ -182,7 +183,7 @@ int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len)
***************************************************************************/
struct jitterentropy {
- spinlock_t jent_lock;
+ struct mutex jent_lock;
struct rand_data *entropy_collector;
struct crypto_shash *tfm;
struct shash_desc *sdesc;
@@ -192,7 +193,7 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
{
struct jitterentropy *rng = crypto_tfm_ctx(tfm);
- spin_lock(&rng->jent_lock);
+ mutex_lock(&rng->jent_lock);
if (rng->sdesc) {
shash_desc_zero(rng->sdesc);
@@ -207,7 +208,7 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
if (rng->entropy_collector)
jent_entropy_collector_free(rng->entropy_collector);
rng->entropy_collector = NULL;
- spin_unlock(&rng->jent_lock);
+ mutex_unlock(&rng->jent_lock);
}
static int jent_kcapi_init(struct crypto_tfm *tfm)
@@ -217,7 +218,7 @@ static int jent_kcapi_init(struct crypto_tfm *tfm)
struct shash_desc *sdesc;
int size, ret = 0;
- spin_lock_init(&rng->jent_lock);
+ mutex_init(&rng->jent_lock);
/*
* Use SHA3-256 as conditioner. We allocate only the generic
@@ -252,7 +253,6 @@ static int jent_kcapi_init(struct crypto_tfm *tfm)
goto err;
}
- spin_lock_init(&rng->jent_lock);
return 0;
err:
@@ -267,7 +267,7 @@ static int jent_kcapi_random(struct crypto_rng *tfm,
struct jitterentropy *rng = crypto_rng_ctx(tfm);
int ret = 0;
- spin_lock(&rng->jent_lock);
+ mutex_lock(&rng->jent_lock);
ret = jent_read_entropy(rng->entropy_collector, rdata, dlen);
@@ -293,7 +293,7 @@ static int jent_kcapi_random(struct crypto_rng *tfm,
ret = -EINVAL;
}
- spin_unlock(&rng->jent_lock);
+ mutex_unlock(&rng->jent_lock);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 172/508] gfs2: Call unlock_new_inode before d_instantiate
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 171/508] crypto: jitterentropy - replace long-held spinlock with mutex Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 173/508] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
` (337 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0ea5108a1f5fb4fcc2d8,
Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 2ff7cf7e0640ff071ebc5c7e3dc2df024a7c91e6 ]
As Neil Brown describes in detail in the link referenced below, new
inodes must be unlocked before they can be instantiated.
An even better fix is to use d_instantiate_new(), which combines
d_instantiate() and unlock_new_inode().
Fixes: 3d36e57ff768 ("gfs2: gfs2_create_inode rework")
Reported-by: syzbot+0ea5108a1f5fb4fcc2d8@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-fsdevel/177153754005.8396.8777398743501764194@noble.neil.brown.name/
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 45040622d316e..18f75beea0890 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -805,7 +805,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
goto fail_gunlock4;
mark_inode_dirty(inode);
- d_instantiate(dentry, inode);
+ d_instantiate_new(dentry, inode);
/* After instantiate, errors should result in evict which will destroy
* both inode and iopen glocks properly. */
if (file) {
@@ -817,7 +817,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
gfs2_glock_dq_uninit(&gh);
gfs2_glock_put(io_gl);
gfs2_qa_put(dip);
- unlock_new_inode(inode);
return error;
fail_gunlock4:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 173/508] ktest: Avoid undef warning when WARNINGS_FILE is unset
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 172/508] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 174/508] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
` (336 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 057854f8a595160656fe77ed7bf0d2403724b915 ]
check_buildlog() probes $warnings_file with -f even when WARNINGS_FILE is
not configured. Perl warns about the uninitialized value and adds noise to
the test log, which can hide the output we actually care about.
Check that WARNINGS_FILE is defined before testing whether the file exists.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-1-565d412f4925@suse.com
Fixes: 4283b169abfb ("ktest: Add make_warnings_file and process full warnings")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index e93ac83270dad..4eca66310d9b4 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -2472,7 +2472,7 @@ sub check_buildlog {
my $save_no_reboot = $no_reboot;
$no_reboot = 1;
- if (-f $warnings_file) {
+ if (defined($warnings_file) && -f $warnings_file) {
open(IN, $warnings_file) or
dodie "Error opening $warnings_file";
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 174/508] ktest: Honor empty per-test option overrides
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 173/508] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 175/508] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
` (335 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit a2de57a3c8192dcd67cccaff6c341b93748d799b ]
A per-test override can clear an inherited default option by assigning an
empty value, but __set_test_option() still used option_defined() to decide
whether a per-test key existed. That turned an empty per-test assignment
back into "fall back to the default", so tests still could not clear
inherited settings.
For example:
DEFAULTS
(...)
LOG_FILE = /tmp/ktest-empty-override.log
CLEAR_LOG = 1
ADD_CONFIG = /tmp/.config
TEST_START
TEST_TYPE = build
BUILD_TYPE = nobuild
ADD_CONFIG =
This would run the test with ADD_CONFIG[1] = /tmp/.config
Fix by checking whether the per-test key exists before falling back. If it
does exist but is empty, treat it as unset for that test and stop the
fallback chain there.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-4-565d412f4925@suse.com
Fixes: 22c37a9ac49d ("ktest: Allow tests to undefine default options")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 4eca66310d9b4..13686e7629c4d 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -4113,7 +4113,8 @@ sub __set_test_option {
my $option = "$name\[$i\]";
- if (option_defined($option)) {
+ if (exists($opt{$option})) {
+ return undef if (!option_defined($option));
return $opt{$option};
}
@@ -4121,7 +4122,8 @@ sub __set_test_option {
if ($i >= $test &&
$i < $test + $repeat_tests{$test}) {
$option = "$name\[$test\]";
- if (option_defined($option)) {
+ if (exists($opt{$option})) {
+ return undef if (!option_defined($option));
return $opt{$option};
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 175/508] ktest: Run POST_KTEST hooks on failure and cancellation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 174/508] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 176/508] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
` (334 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit bc6e165a452da909cef0efbc286e6695624db372 ]
PRE_KTEST can be useful for setting up the environment and POST_KTEST to
tear it down, however POST_KTEST only runs on the normal end-of-run path.
It is skipped when ktest exits through dodie() or cancel_test(). Final
cleanup hooks are skipped.
Factor the final hook execution into run_post_ktest(), call it from the
normal exit path and from the early exit paths, and guard it so the hook
runs at most once.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-8-565d412f4925@suse.com
Fixes: 921ed4c7208e ("ktest: Add PRE/POST_KTEST and TEST options")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 13686e7629c4d..d78d5f3b0a55e 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -98,6 +98,7 @@ my $test_type;
my $build_type;
my $build_options;
my $final_post_ktest;
+my $post_ktest_done = 0;
my $pre_ktest;
my $post_ktest;
my $pre_test;
@@ -1537,6 +1538,24 @@ sub get_test_name() {
return $name;
}
+sub run_post_ktest {
+ my $cmd;
+
+ return if ($post_ktest_done);
+
+ if (defined($final_post_ktest)) {
+ $cmd = $final_post_ktest;
+ } elsif (defined($post_ktest)) {
+ $cmd = $post_ktest;
+ } else {
+ return;
+ }
+
+ my $cp_post_ktest = eval_kernel_version($cmd);
+ run_command $cp_post_ktest;
+ $post_ktest_done = 1;
+}
+
sub dodie {
# avoid recursion
return if ($in_die);
@@ -1596,6 +1615,7 @@ sub dodie {
if (defined($post_test)) {
run_command $post_test;
}
+ run_post_ktest;
die @_, "\n";
}
@@ -4230,6 +4250,7 @@ sub cancel_test {
send_email("KTEST: Your [$name] test was cancelled",
"Your test started at $script_start_time was cancelled: sig int");
}
+ run_post_ktest;
die "\nCaught Sig Int, test interrupted: $!\n"
}
@@ -4540,11 +4561,7 @@ for (my $i = 1; $i <= $opt{"NUM_TESTS"}; $i++) {
success $i;
}
-if (defined($final_post_ktest)) {
-
- my $cp_final_post_ktest = eval_kernel_version $final_post_ktest;
- run_command $cp_final_post_ktest;
-}
+run_post_ktest;
if ($opt{"POWEROFF_ON_SUCCESS"}) {
halt;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 176/508] quota: Fix race of dquot_scan_active() with quota deactivation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 175/508] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 177/508] gfs2: add some missing log locking Greg Kroah-Hartman
` (333 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Sun, Jan Kara, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d ]
dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:
CPU0 (quota_release_workfn) CPU1 (dquot_scan_active)
============================== ==============================
spin_lock(&dq_list_lock);
list_replace_init(
&releasing_dquots, &rls_head);
/* dquot X on rls_head,
dq_count == 0,
DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
spin_lock(&dq_list_lock);
list_for_each_entry(dquot,
&inuse_list, dq_inuse) {
/* finds dquot X */
dquot_active(X) -> true
atomic_inc(&X->dq_count);
}
spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));
The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.
Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.
Fixes: 869b6ea1609f ("quota: Fix slow quotaoff")
Reported-by: Sam Sun <samsun1006219@gmail.com>
Link: https://lore.kernel.org/all/CAEkJfYPTt3uP1vAYnQ5V2ZWn5O9PLhhGi5HbOcAzyP9vbXyjeg@mail.gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/quota/dquot.c | 38 ++++++++++++++++++++++++++++++--------
include/linux/quotaops.h | 9 +--------
2 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 42a7d0a71b22e..7562ee4ff2929 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -364,6 +364,31 @@ static inline int dquot_active(struct dquot *dquot)
return test_bit(DQ_ACTIVE_B, &dquot->dq_flags);
}
+static struct dquot *__dqgrab(struct dquot *dquot)
+{
+ lockdep_assert_held(&dq_list_lock);
+ if (!atomic_read(&dquot->dq_count))
+ remove_free_dquot(dquot);
+ atomic_inc(&dquot->dq_count);
+ return dquot;
+}
+
+/*
+ * Get reference to dquot when we got pointer to it by some other means. The
+ * dquot has to be active and the caller has to make sure it cannot get
+ * deactivated under our hands.
+ */
+struct dquot *dqgrab(struct dquot *dquot)
+{
+ spin_lock(&dq_list_lock);
+ WARN_ON_ONCE(!dquot_active(dquot));
+ dquot = __dqgrab(dquot);
+ spin_unlock(&dq_list_lock);
+
+ return dquot;
+}
+EXPORT_SYMBOL_GPL(dqgrab);
+
static inline int dquot_dirty(struct dquot *dquot)
{
return test_bit(DQ_MOD_B, &dquot->dq_flags);
@@ -642,15 +667,14 @@ int dquot_scan_active(struct super_block *sb,
continue;
if (dquot->dq_sb != sb)
continue;
- /* Now we have active dquot so we can just increase use count */
- atomic_inc(&dquot->dq_count);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
dqput(old_dquot);
old_dquot = dquot;
/*
* ->release_dquot() can be racing with us. Our reference
- * protects us from new calls to it so just wait for any
- * outstanding call and recheck the DQ_ACTIVE_B after that.
+ * protects us from dquot_release() proceeding so just wait for
+ * any outstanding call and recheck the DQ_ACTIVE_B after that.
*/
wait_on_dquot(dquot);
if (dquot_active(dquot)) {
@@ -718,7 +742,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type)
/* Now we have active dquot from which someone is
* holding reference so we can safely just increase
* use count */
- dqgrab(dquot);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
err = dquot_write_dquot(dquot);
if (err && !ret)
@@ -973,9 +997,7 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
spin_unlock(&dq_list_lock);
dqstats_inc(DQST_LOOKUPS);
} else {
- if (!atomic_read(&dquot->dq_count))
- remove_free_dquot(dquot);
- atomic_inc(&dquot->dq_count);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
dqstats_inc(DQST_CACHE_HITS);
dqstats_inc(DQST_LOOKUPS);
diff --git a/include/linux/quotaops.h b/include/linux/quotaops.h
index 4fa4ef0a173a3..a9be09f96b10e 100644
--- a/include/linux/quotaops.h
+++ b/include/linux/quotaops.h
@@ -44,14 +44,7 @@ int dquot_initialize(struct inode *inode);
bool dquot_initialize_needed(struct inode *inode);
void dquot_drop(struct inode *inode);
struct dquot *dqget(struct super_block *sb, struct kqid qid);
-static inline struct dquot *dqgrab(struct dquot *dquot)
-{
- /* Make sure someone else has active reference to dquot */
- WARN_ON_ONCE(!atomic_read(&dquot->dq_count));
- WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags));
- atomic_inc(&dquot->dq_count);
- return dquot;
-}
+struct dquot *dqgrab(struct dquot *dquot);
static inline bool dquot_is_busy(struct dquot *dquot)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 177/508] gfs2: add some missing log locking
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.6 176/508] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 178/508] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
` (332 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit fe2c8d051150b90b3ccb85f89e3b1d636cb88ec8 ]
Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(),
gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock,
but these functions require exclusion against concurrent transactions.
To fix that, add a non-locking __gfs2_log_flush() function. Then, in
gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log
flushing functions and __gfs2_log_flush().
Fixes: 5e4c7632aae1c ("gfs2: Issue revokes more intelligently")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/log.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 2be5551241b3a..01fa92ac9ab20 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -1024,14 +1024,15 @@ static void trans_drain(struct gfs2_trans *tr)
}
/**
- * gfs2_log_flush - flush incore transaction(s)
+ * __gfs2_log_flush - flush incore transaction(s)
* @sdp: The filesystem
* @gl: The glock structure to flush. If NULL, flush the whole incore log
* @flags: The log header flags: GFS2_LOG_HEAD_FLUSH_* and debug flags
*
*/
-void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+static void __gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl,
+ u32 flags)
{
struct gfs2_trans *tr = NULL;
unsigned int reserved_blocks = 0, used_blocks = 0;
@@ -1039,7 +1040,6 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
unsigned int first_log_head;
unsigned int reserved_revokes = 0;
- down_write(&sdp->sd_log_flush_lock);
trace_gfs2_log_flush(sdp, 1, flags);
repeat:
@@ -1151,7 +1151,6 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
gfs2_assert_withdraw_delayed(sdp, used_blocks < reserved_blocks);
gfs2_log_release(sdp, reserved_blocks - used_blocks);
}
- up_write(&sdp->sd_log_flush_lock);
gfs2_trans_free(sdp, tr);
if (gfs2_withdrawing(sdp))
gfs2_withdraw(sdp);
@@ -1174,6 +1173,13 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
goto out_end;
}
+void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+{
+ down_write(&sdp->sd_log_flush_lock);
+ __gfs2_log_flush(sdp, gl, flags);
+ up_write(&sdp->sd_log_flush_lock);
+}
+
/**
* gfs2_merge_trans - Merge a new transaction into a cached transaction
* @sdp: the filesystem
@@ -1315,19 +1321,25 @@ int gfs2_logd(void *data)
}
if (gfs2_jrnl_flush_reqd(sdp) || t == 0) {
+ down_write(&sdp->sd_log_flush_lock);
gfs2_ail1_empty(sdp, 0);
- gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_NORMAL |
- GFS2_LFC_LOGD_JFLUSH_REQD);
+ __gfs2_log_flush(sdp, NULL,
+ GFS2_LOG_HEAD_FLUSH_NORMAL |
+ GFS2_LFC_LOGD_JFLUSH_REQD);
+ up_write(&sdp->sd_log_flush_lock);
}
if (test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) ||
gfs2_ail_flush_reqd(sdp)) {
clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags);
+ down_write(&sdp->sd_log_flush_lock);
gfs2_ail1_start(sdp);
gfs2_ail1_wait(sdp);
gfs2_ail1_empty(sdp, 0);
- gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_NORMAL |
- GFS2_LFC_LOGD_AIL_FLUSH_REQD);
+ __gfs2_log_flush(sdp, NULL,
+ GFS2_LOG_HEAD_FLUSH_NORMAL |
+ GFS2_LFC_LOGD_AIL_FLUSH_REQD);
+ up_write(&sdp->sd_log_flush_lock);
}
t = gfs2_tune_get(sdp, gt_logd_secs) * HZ;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 178/508] gfs2: prevent NULL pointer dereference during unmount
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 177/508] gfs2: add some missing log locking Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 179/508] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
` (331 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 74b4dbb946060a3233604d91859a9abd3708141d ]
When flushing out outstanding glock work during an unmount, gfs2_log_flush()
can be called when sdp->sd_jdesc has already been deallocated and sdp->sd_jdesc
is NULL. Commit 35264909e9d1 ("gfs2: Fix NULL pointer dereference in
gfs2_log_flush") added a check for that to gfs2_log_flush() itself, but it
missed the sdp->sd_jdesc dereference in gfs2_log_release(). Fix that.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604071139.HNJiCaAi-lkp@intel.com/
Fixes: 35264909e9d1 ("gfs2: Fix NULL pointer dereference in gfs2_log_flush")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/log.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 01fa92ac9ab20..b8be6c1c942d4 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -478,8 +478,9 @@ void gfs2_log_release(struct gfs2_sbd *sdp, unsigned int blks)
{
atomic_add(blks, &sdp->sd_log_blks_free);
trace_gfs2_log_blocks(sdp, blks);
- gfs2_assert_withdraw(sdp, atomic_read(&sdp->sd_log_blks_free) <=
- sdp->sd_jdesc->jd_blocks);
+ gfs2_assert_withdraw(sdp, !sdp->sd_jdesc ||
+ atomic_read(&sdp->sd_log_blks_free) <=
+ sdp->sd_jdesc->jd_blocks);
if (atomic_read(&sdp->sd_log_blks_needed))
wake_up(&sdp->sd_log_waitq);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 179/508] efi/capsule-loader: fix incorrect sizeof in phys array reallocation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 178/508] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 180/508] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
` (330 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Huth, Ard Biesheuvel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Huth <thuth@redhat.com>
[ Upstream commit 48a428215782321b56956974f23593e40ce84b7a ]
The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.
The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().
On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.
This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.
Fixes: f24c4d478013 ("efi/capsule-loader: Reinstate virtual capsule mapping")
Assisted-by: Claude:claude-sonnet-4-5
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/capsule-loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/capsule-loader.c b/drivers/firmware/efi/capsule-loader.c
index 97bafb5f70389..c6a8bdbcae71b 100644
--- a/drivers/firmware/efi/capsule-loader.c
+++ b/drivers/firmware/efi/capsule-loader.c
@@ -67,7 +67,7 @@ int __efi_capsule_setup_info(struct capsule_info *cap_info)
cap_info->pages = temp_page;
temp_page = krealloc(cap_info->phys,
- pages_needed * sizeof(phys_addr_t *),
+ pages_needed * sizeof(phys_addr_t),
GFP_KERNEL | __GFP_ZERO);
if (!temp_page)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 180/508] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 179/508] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 181/508] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
` (329 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Klinesmith, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Klinesmith <joshuaklinesmith@gmail.com>
[ Upstream commit 3e298897f41c61450c2e7a4f457e8b2485eb35b3 ]
ksmbd_crypt_message() sets a NULL completion callback on AEAD requests
and does not handle the -EINPROGRESS return code from async hardware
crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns
-EINPROGRESS, ksmbd treats it as an error and immediately frees the
request while the hardware DMA operation is still in flight. The DMA
completion callback then dereferences freed memory, causing a NULL
pointer crash:
pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]
Use the standard crypto_wait_req() pattern with crypto_req_done() as
the completion callback, matching the approach used by the SMB client
in fs/smb/client/smb2ops.c. This properly handles both synchronous
engines (immediate return) and async engines (-EINPROGRESS followed
by callback notification).
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Link: https://github.com/openwrt/openwrt/issues/21822
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/auth.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index 16a57425099de..d28b34e1d047a 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -1106,6 +1106,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base);
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
int rc;
+ DECLARE_CRYPTO_WAIT(wait);
struct scatterlist *sg;
u8 sign[SMB2_SIGNATURE_SIZE] = {};
u8 key[SMB3_ENC_DEC_KEY_SIZE];
@@ -1192,12 +1193,12 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
aead_request_set_ad(req, assoc_data_len);
- aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+ crypto_req_done, &wait);
- if (enc)
- rc = crypto_aead_encrypt(req);
- else
- rc = crypto_aead_decrypt(req);
+ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) :
+ crypto_aead_decrypt(req), &wait);
if (rc)
goto free_iv;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 181/508] ARM: dts: mediatek: mt7623: fix efuse fallback compatible
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 180/508] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 182/508] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
` (328 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafał Miłecki,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafał Miłecki <rafal@milecki.pl>
[ Upstream commit 5978ff33cc6f0988388a2830dc5cd2ea4e81f36a ]
Fix following validation error:
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: efuse@10206000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt7623-efuse', 'mediatek,mt8173-efuse'] is too long
'mediatek,mt8173-efuse' was expected
'mediatek,efuse' was expected
from schema $id: http://devicetree.org/schemas/nvmem/mediatek,efuse.yaml#
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: efuse@10206000: Unevaluated properties are not allowed ('compatible' was unexpected)
from schema $id: http://devicetree.org/schemas/nvmem/mediatek,efuse.yaml#
Fixes: 43c7a91b4b3a ("arm: dts: mt7623: add efuse nodes to the mt7623.dtsi file")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/mediatek/mt7623.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/mediatek/mt7623.dtsi b/arch/arm/boot/dts/mediatek/mt7623.dtsi
index 9c5a52ce9351a..748f9b3668975 100644
--- a/arch/arm/boot/dts/mediatek/mt7623.dtsi
+++ b/arch/arm/boot/dts/mediatek/mt7623.dtsi
@@ -328,7 +328,7 @@ sysirq: interrupt-controller@10200100 {
efuse: efuse@10206000 {
compatible = "mediatek,mt7623-efuse",
- "mediatek,mt8173-efuse";
+ "mediatek,efuse";
reg = <0 0x10206000 0 0x1000>;
#address-cells = <1>;
#size-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 182/508] memory: tegra124-emc: Fix dll_change check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 181/508] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 183/508] memory: tegra30-emc: " Greg Kroah-Hartman
` (327 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Krzysztof Kozlowski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 9597ab9a8296ab337e6820f8a717ff621078b632 ]
The code checking whether the specified memory timing enables DLL
in the EMRS register was reversed. DLL is enabled if bit A0 is low.
Fix the check.
Fixes: 73a7f0a90641 ("memory: tegra: Add EMC (external memory controller) driver")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Link: https://patch.msgid.link/20260126-fix-emc-dllchange-v1-1-47ad3bb63262@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra124-emc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/memory/tegra/tegra124-emc.c b/drivers/memory/tegra/tegra124-emc.c
index 00ed2b6a0d1b2..ca2714b0a521a 100644
--- a/drivers/memory/tegra/tegra124-emc.c
+++ b/drivers/memory/tegra/tegra124-emc.c
@@ -608,7 +608,7 @@ static int tegra_emc_prepare_timing_change(struct tegra_emc *emc,
if ((last->emc_mode_1 & 0x1) == (timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_NONE;
- else if (timing->emc_mode_1 & 0x1)
+ else if (!(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_ON;
else
dll_change = DLL_CHANGE_OFF;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 183/508] memory: tegra30-emc: Fix dll_change check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 182/508] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 184/508] arm64: dts: imx8-apalis: Fix LEDs name collision Greg Kroah-Hartman
` (326 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Krzysztof Kozlowski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 0a93f2355cf4922ad2399dbef5ea1049fef116d4 ]
The code checking whether the specified memory timing enables DLL
in the EMRS register was reversed. DLL is enabled if bit A0 is low.
Fix the check.
Fixes: e34212c75a68 ("memory: tegra: Introduce Tegra30 EMC driver")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Link: https://patch.msgid.link/20260126-fix-emc-dllchange-v1-2-47ad3bb63262@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra30-emc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/memory/tegra/tegra30-emc.c b/drivers/memory/tegra/tegra30-emc.c
index 9eae25c57ec6e..b5cf2df6b1933 100644
--- a/drivers/memory/tegra/tegra30-emc.c
+++ b/drivers/memory/tegra/tegra30-emc.c
@@ -554,14 +554,14 @@ static int emc_prepare_timing_change(struct tegra_emc *emc, unsigned long rate)
emc->emc_cfg = readl_relaxed(emc->regs + EMC_CFG);
emc_dbg = readl_relaxed(emc->regs + EMC_DBG);
- if (emc->dll_on == !!(timing->emc_mode_1 & 0x1))
+ if (emc->dll_on == !(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_NONE;
- else if (timing->emc_mode_1 & 0x1)
+ else if (!(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_ON;
else
dll_change = DLL_CHANGE_OFF;
- emc->dll_on = !!(timing->emc_mode_1 & 0x1);
+ emc->dll_on = !(timing->emc_mode_1 & 0x1);
if (timing->data[80] && !readl_relaxed(emc->regs + EMC_ZCAL_INTERVAL))
emc->zcal_long = true;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 184/508] arm64: dts: imx8-apalis: Fix LEDs name collision
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 183/508] memory: tegra30-emc: " Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 185/508] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
` (325 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Dolcini, Frank Li,
Daniel Baluta, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Dolcini <francesco.dolcini@toradex.com>
[ Upstream commit 92ab53b9bb2a72581c32073755077af916eb9aee ]
Ixora boards have multiple instances of status leds, to avoid a name
collision add the function-enumerator property.
This fixes the following Linux kernel warnings:
leds-gpio leds: Led green:status renamed to green:status_1 due to name collision
leds-gpio leds: Led red:status renamed to red:status_1 due to name collision
Fixes: c083131c9021 ("arm64: dts: freescale: add apalis imx8 aka quadmax carrier board support")
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi | 4 ++++
arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi
index c6d51f1162985..4802834e26a86 100644
--- a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi
@@ -21,6 +21,7 @@ led-1 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 27 GPIO_ACTIVE_HIGH>;
};
@@ -29,6 +30,7 @@ led-2 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 29 GPIO_ACTIVE_HIGH>;
};
@@ -37,6 +39,7 @@ led-3 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 20 GPIO_ACTIVE_HIGH>;
};
@@ -45,6 +48,7 @@ led-4 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 21 GPIO_ACTIVE_HIGH>;
};
};
diff --git a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi
index 40067ab8aa74b..b28dd1cece8ab 100644
--- a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi
@@ -21,6 +21,7 @@ led-1 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 27 GPIO_ACTIVE_HIGH>;
};
@@ -29,6 +30,7 @@ led-2 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 29 GPIO_ACTIVE_HIGH>;
};
@@ -37,6 +39,7 @@ led-3 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 20 GPIO_ACTIVE_HIGH>;
};
@@ -45,6 +48,7 @@ led-4 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 21 GPIO_ACTIVE_HIGH>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 185/508] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 184/508] arm64: dts: imx8-apalis: Fix LEDs name collision Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 186/508] iommufd: vfio compatibility extension check for noiommu mode Greg Kroah-Hartman
` (324 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sherry Sun, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
[ Upstream commit d1e7eab6033f9885a02c4b4e8f09e34d8e9d21ab ]
The current pin configuration for MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06
sets the weak pull-up but does not enable the pull select field.
Bit 8 in the IOMUX register must be set in order for the weak pull-up
to actually take effect.
Update the pinctrl setting from 0x40 to 0x140 to enable both the pull
select and the weak pull-up, ensuring the line behaves as expected.
Fixes: d50650500064 ("arm64: dts: imx8mp-evk: Add PCIe support")
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
index 92f8cc05fe9da..e29b6e9a70276 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
@@ -764,7 +764,7 @@ MX8MP_IOMUXC_SD1_DATA5__GPIO2_IO07 0x40
pinctrl_pcie0_reg: pcie0reggrp {
fsl,pins = <
- MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x40
+ MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x140
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 186/508] iommufd: vfio compatibility extension check for noiommu mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 185/508] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 187/508] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
` (323 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jacob Pan, Jason Gunthorpe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Pan <jacob.pan@linux.microsoft.com>
[ Upstream commit 7147ec874ea08c322d779d8eba28946e294ed1f3 ]
VFIO_CHECK_EXTENSION should return false for TYPE1_IOMMU variants when
in NO-IOMMU mode and IOMMUFD compat container is set. This change makes
the behavior match VFIO_CONTAINER in noiommu mode. It also prevents
userspace from incorrectly attempting to use TYPE1 IOMMU operations
in a no-iommu context.
Fixes: d624d6652a65 ("iommufd: vfio container FD ioctl compatibility")
Link: https://patch.msgid.link/r/20260213183636.3340-1-jacob.pan@linux.microsoft.com
Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommufd/vfio_compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/vfio_compat.c b/drivers/iommu/iommufd/vfio_compat.c
index 6c810bf80f99a..7351320394c85 100644
--- a/drivers/iommu/iommufd/vfio_compat.c
+++ b/drivers/iommu/iommufd/vfio_compat.c
@@ -283,7 +283,7 @@ static int iommufd_vfio_check_extension(struct iommufd_ctx *ictx,
case VFIO_TYPE1_IOMMU:
case VFIO_TYPE1v2_IOMMU:
case VFIO_UNMAP_ALL:
- return 1;
+ return !ictx->no_iommu_mode;
case VFIO_NOIOMMU_IOMMU:
return IS_ENABLED(CONFIG_VFIO_NOIOMMU);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 187/508] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 186/508] iommufd: vfio compatibility extension check for noiommu mode Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 188/508] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
` (322 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit c4c4823c8a5baa10b8100b01f49d7c3f4a871689 ]
The gpio-ranges in the MT6795 pinctrl node were incorrectly defined,
therefore, GPIO196 cannot be used.
Correct the range count to match the driver.
Fixes: b888886a4536 ("arm64: dts: mediatek: mt6795: Add pinctrl controller node")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6795.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6795.dtsi b/arch/arm64/boot/dts/mediatek/mt6795.dtsi
index 597bce2fed729..228c15b962ea0 100644
--- a/arch/arm64/boot/dts/mediatek/mt6795.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6795.dtsi
@@ -353,7 +353,7 @@ pio: pinctrl@10005000 {
<GIC_SPI 154 IRQ_TYPE_LEVEL_HIGH>;
gpio-controller;
#gpio-cells = <2>;
- gpio-ranges = <&pio 0 0 196>;
+ gpio-ranges = <&pio 0 0 197>;
interrupt-controller;
#interrupt-cells = <2>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 188/508] arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 187/508] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 189/508] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value Greg Kroah-Hartman
` (321 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit 820ed0c1a13c5fafb36232538d793f99a0986ef3 ]
The gpio-ranges in the MT7986A pinctrl node were incorrectly defined,
therefore, pin 100 cannot be used.
Correct the range count to match the driver.
Fixes: c3a064a32ed9 ("arm64: dts: mediatek: add pinctrl support for mt7986a")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
index 559990dcd1d17..05bd2938242fc 100644
--- a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
@@ -187,7 +187,7 @@ pio: pinctrl@1001f000 {
"iocfg_lb", "iocfg_tr", "iocfg_tl", "eint";
gpio-controller;
#gpio-cells = <2>;
- gpio-ranges = <&pio 0 0 100>;
+ gpio-ranges = <&pio 0 0 101>;
interrupt-controller;
interrupts = <GIC_SPI 225 IRQ_TYPE_LEVEL_HIGH>;
interrupt-parent = <&gic>;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 189/508] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 188/508] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 190/508] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight Greg Kroah-Hartman
` (320 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 9e87f0eaadccc3fecdf3c3c0334e05694804b5f5 ]
PMI8950 doesn't actually support setting an OVP threshold value of
29.6 V. The closest allowed value is 29.5 V. Set that instead.
Fixes: aa17e707e04a ("arm64: dts: qcom: msm8953: Add device tree for Xiaomi Redmi 5 Plus")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20260116-pmi8950-wled-v3-5-e6c93de84079@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts
index b0588f30f8f1a..4318d11df322b 100644
--- a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts
+++ b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts
@@ -169,7 +169,7 @@ &pm8953_resin {
&pmi8950_wled {
qcom,current-limit-microamp = <20000>;
- qcom,ovp-millivolt = <29600>;
+ qcom,ovp-millivolt = <29500>;
qcom,num-strings = <2>;
qcom,external-pfet;
qcom,cabc;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 190/508] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 189/508] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 191/508] soc: qcom: ocmem: make the core clock optional Greg Kroah-Hartman
` (319 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Czémán,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 7131f6d909a6546329b71f2bacfdc60cb3e6020e ]
The backlight on this device is connected via 3 strings. Currently,
the DT claims only two are present, which results in visible stripes
on the display (since every third backlight string remains unconfigured).
Fix the number of strings to avoid that.
Fixes: 38d779c26395 ("arm64: dts: qcom: msm8953: Add device tree for Xiaomi Mi A2 Lite")
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260116-pmi8950-wled-v3-7-e6c93de84079@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts
index a5957e79b818c..eaea9d843f2ff 100644
--- a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts
+++ b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts
@@ -157,7 +157,7 @@ &pm8953_resin {
&pmi8950_wled {
qcom,current-limit-microamp = <20000>;
- qcom,num-strings = <2>;
+ qcom,num-strings = <3>;
status = "okay";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 191/508] soc: qcom: ocmem: make the core clock optional
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 190/508] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 192/508] soc: qcom: ocmem: use scoped device node handling to simplify error paths Greg Kroah-Hartman
` (318 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit e8a61c51417c679d1a599fb36695e9d3b8d95514 ]
OCMEM's core clock (aka RPM bus 2 clock) is being handled internally by
the interconnect driver. Corresponding clock has been dropped from the
SMD RPM clock driver. The users of the ocmem will vote on the ocmemnoc
interconnect paths, making sure that ocmem is on. Make the clock
optional, keeping it for compatibility with older DT.
Fixes: d6edc31f3a68 ("clk: qcom: smd-rpm: Separate out interconnect bus clocks")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-1-ad9bcae44763@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index 1511d19643d41..c5fc6db9870a2 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -313,7 +313,7 @@ static int ocmem_dev_probe(struct platform_device *pdev)
ocmem->dev = dev;
ocmem->config = device_get_match_data(dev);
- ocmem->core_clk = devm_clk_get(dev, "core");
+ ocmem->core_clk = devm_clk_get_optional(dev, "core");
if (IS_ERR(ocmem->core_clk))
return dev_err_probe(dev, PTR_ERR(ocmem->core_clk),
"Unable to get core clock\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 192/508] soc: qcom: ocmem: use scoped device node handling to simplify error paths
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 191/508] soc: qcom: ocmem: make the core clock optional Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 193/508] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
` (317 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Bjorn Andersson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit f4c1c19f5c0e5cf2870df91dedc6b40400fd9c8a ]
Obtain the device node reference with scoped/cleanup.h to reduce error
handling and make the code a bit simpler.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20240813-b4-cleanup-h-of-node-put-other-v1-4-cfb67323a95c@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 9dfd69cd89cd ("soc: qcom: ocmem: register reasons for probe deferrals")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index c5fc6db9870a2..697c8a6a400b1 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -185,23 +185,20 @@ static void update_range(struct ocmem *ocmem, struct ocmem_buf *buf,
struct ocmem *of_get_ocmem(struct device *dev)
{
struct platform_device *pdev;
- struct device_node *devnode;
struct ocmem *ocmem;
- devnode = of_parse_phandle(dev->of_node, "sram", 0);
+ struct device_node *devnode __free(device_node) = of_parse_phandle(dev->of_node,
+ "sram", 0);
if (!devnode || !devnode->parent) {
dev_err(dev, "Cannot look up sram phandle\n");
- of_node_put(devnode);
return ERR_PTR(-ENODEV);
}
pdev = of_find_device_by_node(devnode->parent);
if (!pdev) {
dev_err(dev, "Cannot find device node %s\n", devnode->name);
- of_node_put(devnode);
return ERR_PTR(-EPROBE_DEFER);
}
- of_node_put(devnode);
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 193/508] soc: qcom: ocmem: register reasons for probe deferrals
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 192/508] soc: qcom: ocmem: use scoped device node handling to simplify error paths Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 194/508] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
` (316 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Brian Masney,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 9dfd69cd89cd6afa4723be9098979abeef3bb8c6 ]
Instead of printing messages to the dmesg, let the message be recorded
as a reason for the OCMEM client deferral.
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-2-ad9bcae44763@oss.qualcomm.com
[bjorn: s/ERR_PTR(dev_err_probe)/dev_err_ptr_probe/
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index 697c8a6a400b1..b37f21793687c 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -195,10 +195,10 @@ struct ocmem *of_get_ocmem(struct device *dev)
}
pdev = of_find_device_by_node(devnode->parent);
- if (!pdev) {
- dev_err(dev, "Cannot find device node %s\n", devnode->name);
- return ERR_PTR(-EPROBE_DEFER);
- }
+ if (!pdev)
+ return dev_err_ptr_probe(dev, -EPROBE_DEFER,
+ "Cannot find device node %s\n",
+ devnode->name);
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 194/508] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 193/508] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 195/508] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
` (315 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 91b59009c7d48b58dbc50fecb27f2ad20749a05a ]
If OCMEM is declared in DT, it is expected that it is present and
handled by the driver. The GPU driver will ignore -ENODEV error, which
typically means that OCMEM isn't defined in DT. Let ocmem return
-EPROBE_DEFER if it supposed to be used, but it is not probed (yet).
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-3-ad9bcae44763@oss.qualcomm.com
[bjorn: s/ERR_PTR(dev_err_probe)/dev_err_ptr_probe/
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index b37f21793687c..1b7fc1fe671bb 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -202,10 +202,9 @@ struct ocmem *of_get_ocmem(struct device *dev)
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
- if (!ocmem) {
- dev_err(dev, "Cannot get ocmem\n");
- return ERR_PTR(-ENODEV);
- }
+ if (!ocmem)
+ return dev_err_ptr_probe(dev, -EPROBE_DEFER, "Cannot get ocmem\n");
+
return ocmem;
}
EXPORT_SYMBOL(of_get_ocmem);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 195/508] arm64: dts: qcom: sm8450: Fix GIC_ITS range length
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 194/508] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 196/508] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
` (314 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Neil Armstrong,
Abel Vesa, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 14044fa192c50265bc1f636108371044bbdcf7b7 ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: fc8b0b9b630d ("arm64: dts: qcom: sm8450 add ITS device tree node")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-3-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
index c1ed39cac8c5b..b745d8b476408 100644
--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
@@ -3947,7 +3947,7 @@ intc: interrupt-controller@17100000 {
gic_its: msi-controller@17140000 {
compatible = "arm,gic-v3-its";
- reg = <0x0 0x17140000 0x0 0x20000>;
+ reg = <0x0 0x17140000 0x0 0x40000>;
msi-controller;
#msi-cells = <1>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 196/508] arm64: dts: qcom: sm8550: Fix GIC_ITS range length
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 195/508] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 197/508] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller Greg Kroah-Hartman
` (313 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Neil Armstrong,
Abel Vesa, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 357c559e386705609b6b9dc0544c420e3f91f3a0 ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-4-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index 2f0f1c2ab7391..beab9fd10da87 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -3830,7 +3830,7 @@ intc: interrupt-controller@17100000 {
gic_its: msi-controller@17140000 {
compatible = "arm,gic-v3-its";
- reg = <0 0x17140000 0 0x20000>;
+ reg = <0 0x17140000 0 0x40000>;
msi-controller;
#msi-cells = <1>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 197/508] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 196/508] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 198/508] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
` (312 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Konrad Dybcio,
Neil Armstrong, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 30ac651c69bddbc83cab6d52fc5d2e03bed83282 ]
The expected frequency of SD host controller core supply clock is 19.2MHz,
while RPMH_CXO_CLK clock frequency on SM8650 platform is 38.4MHz.
Apparently the overclocked supply clock could be good enough on some
boards and even with the most of SD cards, however some low-end UHS-I
SD cards in SDR104 mode of the host controller produce I/O errors in
runtime, fortunately this problem is gone, if the "xo" clock frequency
matches the expected 19.2MHz clock rate.
Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-2-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index beab9fd10da87..3d14575e5aace 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -2521,7 +2521,7 @@ sdhc_2: mmc@8804000 {
clocks = <&gcc GCC_SDCC2_AHB_CLK>,
<&gcc GCC_SDCC2_APPS_CLK>,
- <&rpmhcc RPMH_CXO_CLK>;
+ <&bi_tcxo_div2>;
clock-names = "iface", "core", "xo";
iommus = <&apps_smmu 0x540 0>;
qcom,dll-config = <0x0007642c>;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 198/508] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 197/508] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 199/508] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
` (311 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Vladimir Zapolskiy, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit db0c5ef1abda6effdc5c85d6688fb6af2b351ae5 ]
The reported problem of some non-working UHS-I speed modes on SM8450
originates in commit 0a631a36f724 ("arm64: dts: qcom: Add device tree
for Sony Xperia 1 IV"), and then it was spread to all SM8450 powered
platforms by commit 9d561dc4e5cc ("arm64: dts: qcom: sm8450: disable
SDHCI SDR104/SDR50 on all boards").
The tests show that the rootcause of the problem was related to an
overclocking of SD cards, and it's fixed later on by commit a27ac3806b0a
("clk: qcom: gcc-sm8450: Use floor ops for SDCC RCGs").
Since then both SDR50 and SDR104 speed modes are working fine on SM8450,
tested on SM8450-HDK:
SDR50 speed mode:
mmc0: new UHS-I speed SDR50 SDHC card at address 0001
mmcblk0: mmc0:0001 00000 14.6 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 24.6254 s, 43.6 MB/s
SDR104 speed mode:
mmc0: new UHS-I speed SDR104 SDHC card at address 59b4
mmcblk0: mmc0:59b4 USDU1 28.3 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 12.3266 s, 87.1 MB/s
Remove the restrictions on SD card speed modes from the SM8450 platform
dtsi file and enable UHS-I speed modes.
Fixes: 9d561dc4e5cc ("arm64: dts: qcom: sm8450: disable SDHCI SDR104/SDR50 on all boards")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-5-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8450.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
index b745d8b476408..c1c62c6d34bd1 100644
--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
@@ -4279,9 +4279,6 @@ sdhc_2: mmc@8804000 {
bus-width = <4>;
dma-coherent;
- /* Forbid SDR104/SDR50 - broken hw! */
- sdhci-caps-mask = <0x3 0x0>;
-
status = "disabled";
sdhc2_opp_table: opp-table {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 199/508] arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 198/508] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 200/508] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl Greg Kroah-Hartman
` (310 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Vladimir Zapolskiy,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 66b0f024fba0728ddce6916dce173bb1bdd4eab0 ]
The restriction on UHS-I speed modes was added to all SM8550 platforms
by copying it from SM8450 dtsi file, and due to the overclocking of SD
cards it was an actually reproducible problem. Since the latter issue
has been fixed, UHS-I speed modes are working fine on SM8550 boards,
below is the test performed on SM8550-HDK:
SDR50 speed mode:
mmc0: new UHS-I speed SDR50 SDHC card at address 0001
mmcblk0: mmc0:0001 00000 14.6 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 23.5468 s, 45.6 MB/s
SDR104 speed mode:
mmc0: new UHS-I speed SDR104 SDHC card at address 59b4
mmcblk0: mmc0:59b4 USDU1 28.3 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 11.9819 s, 89.6 MB/s
Unset the UHS-I speed mode restrictions from the SM8550 platform dtsi
file, there is no indication that the SDHC controller is broken.
Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-6-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index 3d14575e5aace..5a79adbe8da12 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -2535,9 +2535,6 @@ sdhc_2: mmc@8804000 {
bus-width = <4>;
dma-coherent;
- /* Forbid SDR104/SDR50 - broken hw! */
- sdhci-caps-mask = <0x3 0>;
-
status = "disabled";
sdhc2_opp_table: opp-table {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 200/508] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 199/508] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 201/508] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
` (309 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Conor Dooley, Luca Weiss,
Konrad Dybcio, Conor Dooley, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit be7c1badb0b934cfe88427b1d4ec3eb9f52ba587 ]
The pinctrl nodes from sm6350.dtsi already contain a bias-* property, so
that needs to be deleted, otherwise the dtb will contain two conflicting
bias-* properties.
Reported-by: Conor Dooley <conor@kernel.org>
Closes: https://lore.kernel.org/r/20260310-maritime-silly-05e7b7e03aa6@spud/
Fixes: c4ef464b24c5 ("arm64: dts: qcom: sm7225-fairphone-fp4: Add Bluetooth")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20260319-fp4-uart1-fix-v1-1-f6b3fedef583@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts b/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts
index c010e86134ff9..606f7a6f41791 100644
--- a/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts
+++ b/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts
@@ -533,12 +533,14 @@ &qup_uart1_cts {
* the Bluetooth module drives the pin in either
* direction or leaves the pin fully unpowered.
*/
+ /delete-property/ bias-disable;
bias-bus-hold;
};
&qup_uart1_rts {
/* We'll drive RTS, so no pull */
drive-strength = <2>;
+ /delete-property/ bias-pull-down;
bias-disable;
};
@@ -549,12 +551,14 @@ &qup_uart1_rx {
* in tri-state (module powered off or not driving the
* signal yet).
*/
+ /delete-property/ bias-disable;
bias-pull-up;
};
&qup_uart1_tx {
/* We'll drive TX, so no pull */
drive-strength = <2>;
+ /delete-property/ bias-pull-up;
bias-disable;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 201/508] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 200/508] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 202/508] arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual Greg Kroah-Hartman
` (308 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Heidelberg, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Heidelberg <david@ixit.cz>
[ Upstream commit 3b0dd81eea6b7a239fce456ce4545af76f1a9715 ]
The regulator must be on, since it provides the display subsystem and
therefore the bootloader had turned it on before Linux booted.
Fixes: 77809cf74a8c ("arm64: dts: qcom: Add support for Xiaomi Poco F1 (Beryllium)")
Signed-off-by: David Heidelberg <david@ixit.cz>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260320-beryllium-booton-v2-1-931d1be21eae@ixit.cz
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi
index 9d6faeb656244..f0a185b559ec0 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi
@@ -147,6 +147,7 @@ vreg_l1a_0p875: ldo1 {
regulator-min-microvolt = <880000>;
regulator-max-microvolt = <880000>;
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+ regulator-boot-on;
};
vreg_l5a_0p8: ldo5 {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 202/508] arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 201/508] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 203/508] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
` (307 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
[ Upstream commit 825b8c7e1d2918d89eb378b761530d1e51dba82e ]
When attach to PC Type-A port, the USB device controller does not function
at all. Because it is configured as source-only and a Type-A port doesn't
support PD capability, a data role swap is impossible.
Actually, PTN5110THQ is configured for Source role only at POR, but after
POR it can operate as a DRP (Dual-Role Power). By switching the power-role
to dual, the port can operate as a sink and enter device mode when attach
to Type-A port.
Since the board design uses EN_SRC to control the 5V VBUS path and EN_SNK
to control the 12V VBUS output, to avoid outputting a higher VBUS when in
sink role, we set the operation current limit to 0mA so that SW will not
control EN_SNK at all.
Fixes: 2faf4ebcee2e5 ("arm64: dts: freescale: imx8qxp-mek: enable cadence usb3")
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qxp-mek.dts | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts b/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
index 7924b0969ad8f..3814568e4ee50 100644
--- a/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
@@ -161,9 +161,17 @@ typec_dr_sw: endpoint {
usb_con1: connector {
compatible = "usb-c-connector";
label = "USB-C";
- power-role = "source";
+ power-role = "dual";
data-role = "dual";
+ try-power-role = "sink";
source-pdos = <PDO_FIXED(5000, 3000, PDO_FIXED_USB_COMM)>;
+ /*
+ * Set operational current to 0mA as we don't want EN_SNK
+ * enable 12V VBUS switch when it work as a sink.
+ */
+ sink-pdos = <PDO_FIXED(5000, 0, PDO_FIXED_USB_COMM)>;
+ op-sink-microwatt = <0>;
+ self-powered;
ports {
#address-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 203/508] soc/tegra: cbb: Set ERD on resume for err interrupt
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 202/508] arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 204/508] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
` (306 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Gupta, Thierry Reding,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumit Gupta <sumitg@nvidia.com>
[ Upstream commit b6ff71c5d1d4ad858ddf6f39394d169c96689596 ]
Set the Error Response Disable (ERD) bit to mask SError responses
and use interrupt-based error reporting. When the ERD bit is set,
inband error responses to the initiator via SError are suppressed,
and fabric errors are reported via an interrupt instead.
The register is set during boot but the info is lost during system
suspend and needs to be set again on resume.
Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0")
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/tegra/cbb/tegra234-cbb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
index e8cc46874c729..eace89ed16176 100644
--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
+++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
@@ -1176,6 +1176,10 @@ static int __maybe_unused tegra234_cbb_resume_noirq(struct device *dev)
{
struct tegra234_cbb *cbb = dev_get_drvdata(dev);
+ /* set ERD bit to mask SError and generate interrupt to report error */
+ if (cbb->fabric->off_mask_erd)
+ tegra234_cbb_mask_serror(cbb);
+
tegra234_cbb_error_enable(&cbb->base);
dev_dbg(dev, "%s resumed\n", cbb->fabric->name);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 204/508] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 203/508] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 205/508] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
` (305 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Grzedzicki, Andrew Morton,
Alexey Gladkov (Intel), Ben Segall, David Hildenbrand,
Dietmar Eggemann, Ingo Molnar, Juri Lelli, Kees Cook,
Liam R. Howlett, Lorenzo Stoakes (Oracle), Mel Gorman,
Michal Hocko, Mike Rapoport, Peter Zijlstra, Steven Rostedt,
Suren Baghdasaryan, Valentin Schneider, Vincent Guittot,
Vlastimil Babka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Grzedzicki <mge@meta.com>
[ Upstream commit a98621a0f187a934c115dcfe79a49520ae892111 ]
When set_cred_ucounts() fails in ksys_unshare() new_nsproxy is leaked.
Let's call put_nsproxy() if that happens.
Link: https://lkml.kernel.org/r/20260213193959.2556730-1-mge@meta.com
Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
Signed-off-by: Michal Grzedzicki <mge@meta.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexey Gladkov (Intel) <legion@kernel.org>
Cc: Ben Segall <bsegall@google.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index c65a70581af73..e280f02b6446a 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3443,11 +3443,10 @@ int ksys_unshare(unsigned long unshare_flags)
new_cred, new_fs);
if (err)
goto bad_unshare_cleanup_cred;
-
if (new_cred) {
err = set_cred_ucounts(new_cred);
if (err)
- goto bad_unshare_cleanup_cred;
+ goto bad_unshare_cleanup_nsproxy;
}
if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
@@ -3463,8 +3462,10 @@ int ksys_unshare(unsigned long unshare_flags)
shm_init_task(current);
}
- if (new_nsproxy)
+ if (new_nsproxy) {
switch_task_namespaces(current, new_nsproxy);
+ new_nsproxy = NULL;
+ }
task_lock(current);
@@ -3493,13 +3494,15 @@ int ksys_unshare(unsigned long unshare_flags)
perf_event_namespaces(current);
+bad_unshare_cleanup_nsproxy:
+ if (new_nsproxy)
+ put_nsproxy(new_nsproxy);
bad_unshare_cleanup_cred:
if (new_cred)
put_cred(new_cred);
bad_unshare_cleanup_fd:
if (new_fd)
put_files_struct(new_fd);
-
bad_unshare_cleanup_fs:
if (new_fs)
free_fs_struct(new_fs);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 205/508] ocfs2/dlm: validate qr_numregions in dlm_match_regions()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 204/508] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 206/508] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
` (304 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yuhao Jiang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 7ab3fbb01bc6d79091bc375e5235d360cd9b78be ]
Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.
This patch (of 2):
The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.
Add a bounds check for qr_numregions before entering the loops.
Link: https://lkml.kernel.org/r/SYBPR01MB7881A334D02ACEE5E0645801AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Link: https://lkml.kernel.org/r/SYBPR01MB788166F524AD04E262E174BEAF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/dlm/dlmdomain.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index 5c04dde99981c..5b6c893d9f489 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -980,6 +980,14 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
goto bail;
}
+ if (qr->qr_numregions > O2NM_MAX_REGIONS) {
+ mlog(ML_ERROR, "Domain %s: Joining node %d has invalid "
+ "number of heartbeat regions %u\n",
+ qr->qr_domain, qr->qr_node, qr->qr_numregions);
+ status = -EINVAL;
+ goto bail;
+ }
+
r = remote;
for (i = 0; i < qr->qr_numregions; ++i) {
mlog(0, "Region %.*s\n", O2HB_MAX_REGION_NAME_LEN, r);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 206/508] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 205/508] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 207/508] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
` (303 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yuhao Jiang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 01b61e8dda9b0fdb0d4cda43de25f4e390554d7b ]
The local-vs-remote region comparison loop uses '<=' instead of '<',
causing it to read one entry past the valid range of qr_regions. The
other loops in the same function correctly use '<'.
Fix the loop condition to use '<' for consistency and correctness.
Link: https://lkml.kernel.org/r/SYBPR01MB78813DA26B50EC5E01F00566AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/dlm/dlmdomain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index 5b6c893d9f489..8e4b575a2bc9f 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -1002,7 +1002,7 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
for (i = 0; i < localnr; ++i) {
foundit = 0;
r = remote;
- for (j = 0; j <= qr->qr_numregions; ++j) {
+ for (j = 0; j < qr->qr_numregions; ++j) {
if (!memcmp(l, r, O2HB_MAX_REGION_NAME_LEN)) {
foundit = 1;
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 207/508] soc: qcom: llcc: fix v1 SB syndrome register offset
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 206/508] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 208/508] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
` (302 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Manivannan Sadhasivam,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 24e7625df5ce065393249b78930781be593bc381 ]
The llcc_v1_edac_reg_offset table uses 0x2304c for trp_ecc_sb_err_syn0,
which is inconsistent with the surrounding TRP ECC registers (0x2034x)
and with llcc_v2_1_edac_reg_offset, where trp_ecc_sb_err_syn0 is 0x2034c
adjacent to trp_ecc_error_status0/1 at 0x20344/0x20348.
Use 0x2034c for llcc v1 so the SB syndrome register follows the expected
+0x4 progression from trp_ecc_error_status1. This fixes EDAC reading the
wrong register for SB syndrome reporting.
Fixes: c13d7d261e36 ("soc: qcom: llcc: Pass LLCC version based register offsets to EDAC driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260330095118.2657362-1-alok.a.tiwari@oracle.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/llcc-qcom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c
index 03d5de759b256..191da9350ca62 100644
--- a/drivers/soc/qcom/llcc-qcom.c
+++ b/drivers/soc/qcom/llcc-qcom.c
@@ -359,7 +359,7 @@ static const struct llcc_slice_config sm8550_data[] = {
static const struct llcc_edac_reg_offset llcc_v1_edac_reg_offset = {
.trp_ecc_error_status0 = 0x20344,
.trp_ecc_error_status1 = 0x20348,
- .trp_ecc_sb_err_syn0 = 0x2304c,
+ .trp_ecc_sb_err_syn0 = 0x2034c,
.trp_ecc_db_err_syn0 = 0x20370,
.trp_ecc_error_cntr_clear = 0x20440,
.trp_interrupt_0_status = 0x20480,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 208/508] soc: qcom: aoss: compare against normalized cooling state
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 207/508] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 209/508] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
` (301 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit cd3c4670db3ffe997be9548c7a9db3952563cf14 ]
qmp_cdev_set_cur_state() normalizes the requested state to a boolean
(cdev_state = !!state). The existing early-return check compares
qmp_cdev->state == state, which can be wrong if state is non-boolean
(any non-zero value). Compare qmp_cdev->state against cdev_state instead,
so the check matches the effective state and avoids redundant updates.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Fixes: 05589b30b21a ("soc: qcom: Extend AOSS QMP driver to support resources that are used to wake up the SoC.")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260329195333.1478090-1-alok.a.tiwari@oracle.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/qcom_aoss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/qcom_aoss.c b/drivers/soc/qcom/qcom_aoss.c
index 77f0cf126629e..078561b9314ad 100644
--- a/drivers/soc/qcom/qcom_aoss.c
+++ b/drivers/soc/qcom/qcom_aoss.c
@@ -340,7 +340,7 @@ static int qmp_cdev_set_cur_state(struct thermal_cooling_device *cdev,
/* Normalize state */
cdev_state = !!state;
- if (qmp_cdev->state == state)
+ if (qmp_cdev->state == cdev_state)
return 0;
ret = qmp_send(qmp_cdev->qmp, "{class: volt_flr, event:zero_temp, res:%s, value:%s}",
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 209/508] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 208/508] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 210/508] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
` (300 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Koskovich, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <AKoskovich@pm.me>
[ Upstream commit b683730e27ba4f91986c4c92f5cb7297f1e01a6d ]
This resolves the following error seen on the ASUS ROG Phone 3:
cpu cpu7: Voltage update failed freq=3091200
cpu cpu7: failed to update OPP for freq=3091200
Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260307-sm8250-cpu7-opp-v1-1-435f5f6628a1@pm.me
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8250.dtsi | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
index c9a7d1b75c658..d8086dae6e4f8 100644
--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -659,6 +659,11 @@ cpu7_opp20: opp-2841600000 {
opp-hz = /bits/ 64 <2841600000>;
opp-peak-kBps = <8368000 51609600>;
};
+
+ cpu7_opp21: opp-3091200000 {
+ opp-hz = /bits/ 64 <3091200000>;
+ opp-peak-kBps = <8368000 51609600>;
+ };
};
firmware {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 210/508] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 209/508] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 211/508] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
` (299 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaro Koskinen, Kevin Hilman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
[ Upstream commit 7e74b606dd39c46d4378d6f6563f560a00ab8694 ]
On OMAP16XX, the UART enable bit shifts are written instead of the actual
bits. This breaks the boot when DEBUG_LL and earlyprintk is enabled;
the UART gets disabled and some random bits get enabled. Fix that.
Fixes: 34c86239b184 ("ARM: OMAP1: clock: Fix early UART rate issues")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://patch.msgid.link/aca7HnXZ-aCSJPW7@darkstar.musicnaut.iki.fi
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-omap1/clock_data.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-omap1/clock_data.c b/arch/arm/mach-omap1/clock_data.c
index c58d200e4816b..5203b047deac8 100644
--- a/arch/arm/mach-omap1/clock_data.c
+++ b/arch/arm/mach-omap1/clock_data.c
@@ -700,8 +700,8 @@ int __init omap1_clk_init(void)
/* Make sure UART clocks are enabled early */
if (cpu_is_omap16xx())
omap_writel(omap_readl(MOD_CONF_CTRL_0) |
- CONF_MOD_UART1_CLK_MODE_R |
- CONF_MOD_UART3_CLK_MODE_R, MOD_CONF_CTRL_0);
+ (1 << CONF_MOD_UART1_CLK_MODE_R) |
+ (1 << CONF_MOD_UART3_CLK_MODE_R), MOD_CONF_CTRL_0);
#endif
/* USB_REQ_EN will be disabled later if necessary (usb_dc_ck) */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 211/508] arm64/xor: fix conflicting attributes for xor_block_template
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 210/508] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 212/508] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended Greg Kroah-Hartman
` (298 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Eric Biggers,
Albert Ou, Alexander Gordeev, Alexandre Ghiti, Andreas Larsson,
Anton Ivanov, Ard Biesheuvel, Arnd Bergmann,
Borislav Petkov (AMD), Catalin Marinas, Chris Mason,
Christian Borntraeger, Dan Williams, David S. Miller,
David Sterba, Heiko Carstens, Herbert Xu, H. Peter Anvin,
Huacai Chen, Ingo Molnar, Jason A. Donenfeld, Johannes Berg,
Li Nan, Madhavan Srinivasan, Magnus Lindholm, Matt Turner,
Michael Ellerman, Nicholas Piggin, Palmer Dabbelt,
Richard Henderson, Richard Weinberger, Russell King, Song Liu,
Sven Schnelle, Ted Tso, Vasily Gorbik, WANG Xuerui, Will Deacon,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 675a0dd596e712404557286d0a883b54ee28e4f4 ]
Commit 2c54b423cf85 ("arm64/xor: use EOR3 instructions when available")
changes the definition to __ro_after_init instead of const, but failed to
update the external declaration in xor.h. This was not found because
xor-neon.c doesn't include <asm/xor.h>, and can't easily do that due to
current architecture of the XOR code.
Link: https://lkml.kernel.org/r/20260327061704.3707577-4-hch@lst.de
Fixes: 2c54b423cf85 ("arm64/xor: use EOR3 instructions when available")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Tested-by: Eric Biggers <ebiggers@kernel.org>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Andreas Larsson <andreas@gaisler.com>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Borislav Petkov (AMD)" <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Chris Mason <clm@fb.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: David Sterba <dsterba@suse.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jason A. Donenfeld <jason@zx2c4.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Li Nan <linan122@huawei.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Magnus Lindholm <linmag7@gmail.com>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Song Liu <song@kernel.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: WANG Xuerui <kernel@xen0n.name>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/xor.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/xor.h b/arch/arm64/include/asm/xor.h
index befcd8a7abc98..7c03207157196 100644
--- a/arch/arm64/include/asm/xor.h
+++ b/arch/arm64/include/asm/xor.h
@@ -13,7 +13,7 @@
#ifdef CONFIG_KERNEL_MODE_NEON
-extern struct xor_block_template const xor_block_inner_neon;
+extern struct xor_block_template xor_block_inner_neon __ro_after_init;
static void
xor_neon_2(unsigned long bytes, unsigned long * __restrict p1,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 212/508] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 211/508] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 213/508] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
` (297 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit 0477a6b31e2874e554e3bcfac9883684b8f8ca2d ]
The property interrupts use default interrupt controllers. But pass down
gpio<n> as phandle. Correct it by use interrupts-extended.
Fixes: d8cae888aa2bc ("ARM: dts: Add support for the cpuimx27 board from Eukrea and its baseboard")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi | 8 ++++----
.../boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi
index c7e9235848782..9f0e65526d5f9 100644
--- a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi
+++ b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi
@@ -106,7 +106,7 @@ uart8250@3,200000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 23 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 23 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x200000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
@@ -119,7 +119,7 @@ uart8250@3,400000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 22 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 22 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x400000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
@@ -132,7 +132,7 @@ uart8250@3,800000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 27 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 27 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x800000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
@@ -145,7 +145,7 @@ uart8250@3,1000000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 30 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 30 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x1000000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
diff --git a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts
index d78793601306c..c71f802983304 100644
--- a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts
+++ b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts
@@ -76,7 +76,7 @@ ads7846@0 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_touch>;
reg = <0>;
- interrupts = <&gpio4 25 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio4 25 IRQ_TYPE_LEVEL_LOW>;
spi-cpol;
spi-max-frequency = <1500000>;
ti,keep-vref-on;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 213/508] ocfs2: fix listxattr handling when the buffer is full
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 212/508] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 214/508] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
` (296 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit d12f558e6200b3f47dbef9331ed6d115d2410e59 ]
[BUG]
If an OCFS2 inode has both inline and block-based xattrs, listxattr()
can return a size larger than the caller's buffer when the inline names
consume that buffer exactly.
kernel BUG at mm/usercopy.c:102!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
Call Trace:
__check_heap_object+0xe3/0x120 mm/slub.c:8243
check_heap_object mm/usercopy.c:196 [inline]
__check_object_size mm/usercopy.c:250 [inline]
__check_object_size+0x5c5/0x780 mm/usercopy.c:215
check_object_size include/linux/ucopysize.h:22 [inline]
check_copy_size include/linux/ucopysize.h:59 [inline]
copy_to_user include/linux/uaccess.h:219 [inline]
listxattr+0xb0/0x170 fs/xattr.c:926
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x137/0x320 fs/xattr.c:988
__do_sys_listxattr fs/xattr.c:1001 [inline]
__se_sys_listxattr fs/xattr.c:998 [inline]
__x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
...
[CAUSE]
Commit 936b8834366e ("ocfs2: Refactor xattr list and remove
ocfs2_xattr_handler().") replaced the old per-handler list accounting
with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect
probe mode.
That assumption stops being true once ocfs2_listxattr() finishes the
inline-xattr pass. If the inline names fill the caller buffer exactly,
the block-xattr pass runs with a non-NULL buffer and a remaining size of
zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps
counting block names, and returns a positive size larger than the
supplied buffer.
[FIX]
Detect probe mode by testing whether the destination buffer pointer is
NULL instead of whether the remaining size is zero.
That restores the pre-refactor behavior and matches the OCFS2 getxattr
helpers. Once the remaining buffer reaches zero while more names are
left, the block-xattr pass now returns -ERANGE instead of reporting a
size larger than the allocated list buffer.
Link: https://lkml.kernel.org/r/20260410040339.3837162-1-gality369@gmail.com
Fixes: 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/xattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index d0cb529b612a7..750c1fc70d25a 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -907,8 +907,8 @@ static int ocfs2_xattr_list_entry(struct super_block *sb,
total_len = prefix_len + name_len + 1;
*result += total_len;
- /* we are just looking for how big our buffer needs to be */
- if (!size)
+ /* No buffer means we are only looking for the required size. */
+ if (!buffer)
return 0;
if (*result > size)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 214/508] ocfs2: validate bg_bits during freefrag scan
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 213/508] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 215/508] ocfs2: validate group add input before caching Greg Kroah-Hartman
` (295 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Heming Zhao,
Joseph Qi, Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge,
Jun Piao, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit 8f687eeed3da3012152b0f9473f578869de0cd7b ]
[BUG]
A crafted filesystem can trigger an out-of-bounds bitmap walk when
OCFS2_IOC_INFO is issued with OCFS2_INFO_FL_NON_COHERENT.
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in test_bit_le include/asm-generic/bitops/le.h:21 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbe/0x130 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xd1/0x650 mm/kasan/report.c:482
kasan_report+0xfb/0x140 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x11c/0x200 mm/kasan/generic.c:200
__kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
test_bit_le include/asm-generic/bitops/le.h:21 [inline]
ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
ocfs2_info_handle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828
ocfs2_ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
...
[CAUSE]
ocfs2_info_freefrag_scan_chain() uses on-disk bg_bits directly as the
bitmap scan limit. The coherent path reads group descriptors through
ocfs2_read_group_descriptor(), which validates the descriptor before
use. The non-coherent path uses ocfs2_read_blocks_sync() instead and
skips that validation, so an impossible bg_bits value can drive the
bitmap walk past the end of the block.
[FIX]
Compute the bitmap capacity from the filesystem format with
ocfs2_group_bitmap_size(), report descriptors whose bg_bits exceeds
that limit, and clamp the scan to the computed capacity. This keeps the
freefrag report going while avoiding reads beyond the buffer.
Link: https://lkml.kernel.org/r/20260410034220.3825769-1-gality369@gmail.com
Fixes: d24a10b9f8ed ("Ocfs2: Add a new code 'OCFS2_INFO_FREEFRAG' for o2info ioctl.")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/ioctl.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
index b1550ba73f963..f34f404af2f77 100644
--- a/fs/ocfs2/ioctl.c
+++ b/fs/ocfs2/ioctl.c
@@ -442,13 +442,16 @@ static int ocfs2_info_freefrag_scan_chain(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_group_desc *bg = NULL;
- unsigned int max_bits, num_clusters;
+ unsigned int max_bits, max_bitmap_bits, num_clusters;
unsigned int offset = 0, cluster, chunk;
unsigned int chunk_free, last_chunksize = 0;
if (!le32_to_cpu(rec->c_free))
goto bail;
+ max_bitmap_bits = 8 * ocfs2_group_bitmap_size(osb->sb, 0,
+ osb->s_feature_incompat);
+
do {
if (!bg)
blkno = le64_to_cpu(rec->c_blkno);
@@ -480,6 +483,19 @@ static int ocfs2_info_freefrag_scan_chain(struct ocfs2_super *osb,
continue;
max_bits = le16_to_cpu(bg->bg_bits);
+
+ /*
+ * Non-coherent scans read raw blocks and do not get the
+ * bg_bits validation from
+ * ocfs2_read_group_descriptor().
+ */
+ if (max_bits > max_bitmap_bits) {
+ mlog(ML_ERROR,
+ "Group desc #%llu has %u bits, max bitmap bits %u\n",
+ (unsigned long long)blkno, max_bits, max_bitmap_bits);
+ max_bits = max_bitmap_bits;
+ }
+
offset = 0;
for (chunk = 0; chunk < chunks_in_group; chunk++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 215/508] ocfs2: validate group add input before caching
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 214/508] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 216/508] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
` (294 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit 70b672833f4025341c11b22c7f83778a5cd611bc ]
[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in
ocfs2_set_new_buffer_uptodate():
kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d
[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a
user-controlled group block before ocfs2_verify_group_and_input()
validates that block number. That helper is only valid for newly
allocated metadata and asserts that the block is not already present in
the chosen metadata cache. The code also uses INODE_CACHE(inode) even
though the group descriptor belongs to main_bm_inode and later journal
accesses use that cache context instead.
[FIX]
Validate the on-disk group descriptor before caching it, then add it to
the metadata cache tracked by INODE_CACHE(main_bm_inode). Keep the
validation failure path separate from the later cleanup path so we only
remove the buffer from that cache after it has actually been inserted.
This keeps the group buffer lifetime consistent across validation,
journaling, and cleanup.
Link: https://lkml.kernel.org/r/20260410020209.3786348-1-gality369@gmail.com
Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/resize.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
index 42c0d314f95e8..acf2769f4c8c7 100644
--- a/fs/ocfs2/resize.c
+++ b/fs/ocfs2/resize.c
@@ -500,14 +500,14 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
goto out_unlock;
}
- ocfs2_set_new_buffer_uptodate(INODE_CACHE(inode), group_bh);
-
ret = ocfs2_verify_group_and_input(main_bm_inode, fe, input, group_bh);
if (ret) {
mlog_errno(ret);
goto out_free_group_bh;
}
+ ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh);
+
trace_ocfs2_group_add((unsigned long long)input->group,
input->chain, input->clusters, input->frees);
@@ -515,7 +515,7 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
if (IS_ERR(handle)) {
mlog_errno(PTR_ERR(handle));
ret = -EINVAL;
- goto out_free_group_bh;
+ goto out_remove_cache;
}
cl_bpc = le16_to_cpu(fe->id2.i_chain.cl_bpc);
@@ -569,9 +569,11 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
out_commit:
ocfs2_commit_trans(osb, handle);
-out_free_group_bh:
+out_remove_cache:
if (ret < 0)
- ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh);
+ ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh);
+
+out_free_group_bh:
brelse(group_bh);
out_unlock:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 216/508] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 215/508] ocfs2: validate group add input before caching Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 217/508] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
` (293 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Khairul Anuar Romli, Vinod Koul,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khairul Anuar Romli <karom.9560@gmail.com>
[ Upstream commit 48278a72fce8a8d30efaedeb206c9c3f05c1eb3f ]
checkpatch.pl --strict reports a WARNING in dw-axi-dmac-platform.c:
WARNING: void function return statements are not generally useful
FILE: drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
According to Linux kernel coding style [Documentation/process/
coding-style.rst], explicit "return;" statements at the end of void
functions are redundant and should be omitted. The function will
automatically return upon reaching the closing brace, so the extra
statement adds unnecessary clutter without functional benefit.
This patch removes the superfluous "return;" statement in
dw_axi_dma_set_hw_channel() to comply with kernel coding standards and
eliminate the checkpatch warning.
Fixes: 32286e279385 ("dmaengine: dw-axi-dmac: Remove free slot check algorithm in dw_axi_dma_set_hw_channel")
Signed-off-by: Khairul Anuar Romli <karom.9560@gmail.com>
Link: https://patch.msgid.link/20260202060224.12616-4-karom.9560@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
index 72fb40de58b3f..3ea3e203253a9 100644
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -546,8 +546,6 @@ static void dw_axi_dma_set_hw_channel(struct axi_dma_chan *chan, bool set)
(chan->id * DMA_APB_HS_SEL_BIT_SIZE));
reg_value |= (val << (chan->id * DMA_APB_HS_SEL_BIT_SIZE));
lo_hi_writeq(reg_value, chip->apb_regs + DMAC_APB_HW_HS_SEL_0);
-
- return;
}
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 217/508] soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 216/508] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 218/508] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
` (292 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cole Leavitt, Richard Fitzgerald,
Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 2c96956fe764f8224f9ec93b2a9160a578949a7a ]
The dev_warn() messages in sdw_handle_slave_status() for UNATTACHED
transitions were added in commit d1b328557058 ("soundwire: bus: add
dev_warn() messages to track UNATTACHED devices") to debug attachment
failures with dynamic debug enabled.
These warnings fire during normal operation -- for example when a codec
driver triggers a hardware reset after firmware download, causing the
device to momentarily go UNATTACHED before re-attaching -- producing
misleading noise on every boot.
Demote the messages to dev_dbg() so they remain available via dynamic
debug for diagnosing real attachment failures without alarming users
during expected initialization sequences.
Fixes: d1b328557058 ("soundwire: bus: add dev_warn() messages to track UNATTACHED devices")
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260218180210.9263-1-cole@unwrap.rs
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
index e7397fd8e9ad9..50448a4dd0b38 100644
--- a/drivers/soundwire/bus.c
+++ b/drivers/soundwire/bus.c
@@ -1864,8 +1864,8 @@ int sdw_handle_slave_status(struct sdw_bus *bus,
if (status[i] == SDW_SLAVE_UNATTACHED &&
slave->status != SDW_SLAVE_UNATTACHED) {
- dev_warn(&slave->dev, "Slave %d state check1: UNATTACHED, status was %d\n",
- i, slave->status);
+ dev_dbg(&slave->dev, "Slave %d state check1: UNATTACHED, status was %d\n",
+ i, slave->status);
sdw_modify_slave_status(slave, SDW_SLAVE_UNATTACHED);
/* Ensure driver knows that peripheral unattached */
@@ -1916,8 +1916,8 @@ int sdw_handle_slave_status(struct sdw_bus *bus,
if (slave->status == SDW_SLAVE_UNATTACHED)
break;
- dev_warn(&slave->dev, "Slave %d state check2: UNATTACHED, status was %d\n",
- i, slave->status);
+ dev_dbg(&slave->dev, "Slave %d state check2: UNATTACHED, status was %d\n",
+ i, slave->status);
sdw_modify_slave_status(slave, SDW_SLAVE_UNATTACHED);
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 218/508] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 217/508] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 219/508] soundwire: cadence: Clear message complete before signaling waiting thread Greg Kroah-Hartman
` (291 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit ab2bf6d4c0a0152907b18d25c1b118ea5ea779df ]
Propagate the return value of of_dma_controller_register() in probe()
instead of ignoring it.
Fixes: a580b8c5429a6 ("dmaengine: mxs-dma: add dma support for i.MX23/28")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260225-mxsdma-module-v3-2-8f798b13baa6@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mxs-dma.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/mxs-dma.c b/drivers/dma/mxs-dma.c
index cfb9962417ef6..53f572b6b6fc6 100644
--- a/drivers/dma/mxs-dma.c
+++ b/drivers/dma/mxs-dma.c
@@ -824,6 +824,7 @@ static int mxs_dma_probe(struct platform_device *pdev)
if (ret) {
dev_err(mxs_dma->dma_device.dev,
"failed to register controller\n");
+ return ret;
}
dev_info(mxs_dma->dma_device.dev, "initialized\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 219/508] soundwire: cadence: Clear message complete before signaling waiting thread
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 218/508] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 220/508] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
` (290 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Norman Bintang,
Pierre-Louis Bossart, Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit cbfea84f820962c3c5394ff06e7e9344c96bf761 ]
Clear the CDNS_MCP_INT_RX_WL interrupt before signaling completion.
This is to prevent the potential race where:
- The main thread is scheduled immediately the completion is signaled,
and starts a new message
- The RX_WL IRQ for this new message happens before sdw_cdns_irq() has
been re-scheduled.
- When sdw_cdns_irq() is re-scheduled it clears the new RX_WL interrupt.
MAIN THREAD | IRQ THREAD
|
_cdns_xfer_msg() |
{ |
write data to FIFO |
wait_for_completion_timeout() |
<BLOCKED> | <---- RX_WL IRQ
| sdw_cdns_irq()
| {
| signal completion
<== RESCHEDULE <==
Handle message completion |
} |
|
Start new message |
_cdns_xfer_msg() |
{ |
write data to FIFO |
wait_for_completion_timeout() |
<BLOCKED> | <---- RX_WL IRQ
==> RESCHEDULE ==>
| // New RX_WL IRQ is cleared before
| // it has been handled.
| clear CDNS_MCP_INTSTAT
| return IRQ_HANDLED;
| }
Before this change, this error message was sometimes seen on kernels
that have large amounts of debugging enabled:
SCP Msg trf timed out
This error indicates that the completion has not been signalled after
500ms.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 956baa1992f9 ("soundwire: cdns: Add sdw_master_ops and IO transfer support")
Reported-by: Norman Bintang <normanbt@google.com>
Closes: https://issuetracker.google.com/issues/477099834
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
Link: https://patch.msgid.link/20260310113133.1707288-1-rf@opensource.cirrus.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/cadence_master.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
index e69982dbd449b..fdbd5d477a68e 100644
--- a/drivers/soundwire/cadence_master.c
+++ b/drivers/soundwire/cadence_master.c
@@ -932,6 +932,14 @@ irqreturn_t sdw_cdns_irq(int irq, void *dev_id)
cdns_read_response(cdns);
+ /*
+ * Clear interrupt before signalling the completion to avoid
+ * a race between this thread and the main thread starting
+ * another TX.
+ */
+ cdns_writel(cdns, CDNS_MCP_INTSTAT, CDNS_MCP_INT_RX_WL);
+ int_status &= ~CDNS_MCP_INT_RX_WL;
+
if (defer && defer->msg) {
cdns_fill_msg_resp(cdns, defer->msg,
defer->length, 0);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 220/508] tracing: Rebuild full_name on each hist_field_name() call
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 219/508] soundwire: cadence: Clear message complete before signaling waiting thread Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 221/508] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
` (289 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Zanussi, Pengpeng Hou,
Steven Rostedt (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 5ec1d1e97de134beed3a5b08235a60fc1c51af96 ]
hist_field_name() uses a static MAX_FILTER_STR_VAL buffer for fully
qualified variable-reference names, but it currently appends into that
buffer with strcat() without rebuilding it first. As a result, repeated
calls append a new "system.event.field" name onto the previous one,
which can eventually run past the end of full_name.
Build the name with snprintf() on each call and return NULL if the fully
qualified name does not fit in MAX_FILTER_STR_VAL.
Link: https://patch.msgid.link/20260401112224.85582-1-pengpeng@iscas.ac.cn
Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Tested-by: Tom Zanussi <zanussi@kernel.org>
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 19b3d388fbc69..597f47397c726 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1349,12 +1349,14 @@ static const char *hist_field_name(struct hist_field *field,
field->flags & HIST_FIELD_FL_VAR_REF) {
if (field->system) {
static char full_name[MAX_FILTER_STR_VAL];
+ int len;
+
+ len = snprintf(full_name, sizeof(full_name), "%s.%s.%s",
+ field->system, field->event_name,
+ field->name);
+ if (len >= sizeof(full_name))
+ return NULL;
- strcat(full_name, field->system);
- strcat(full_name, ".");
- strcat(full_name, field->event_name);
- strcat(full_name, ".");
- strcat(full_name, field->name);
field_name = full_name;
} else
field_name = field->name;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 221/508] ima: check return value of crypto_shash_final() in boot aggregate
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 220/508] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 222/508] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
` (288 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Roberto Sassu,
Mimi Zohar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <hodgesd@meta.com>
[ Upstream commit 870819434c8dfcc3158033b66e7851b81bb17e21 ]
The return value of crypto_shash_final() is not checked in
ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the
function returns success and a corrupted boot aggregate digest could
be used for IMA measurements.
Capture the return value and propagate any error to the caller.
Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 51ad29940f05c..2b611bf169dd9 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -837,7 +837,7 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
}
}
if (!rc)
- crypto_shash_final(shash, digest);
+ rc = crypto_shash_final(shash, digest);
return rc;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 222/508] HID: asus: make asus_resume adhere to linux kernel coding standards
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 221/508] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 223/508] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
` (287 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 51d33b42b8ae23da92819d28439fdd5636c45186 ]
Linux kernel coding standars requires functions opening brackets to be in
a newline: move the opening bracket of asus_resume in its own line.
Fixes: 546edbd26cff ("HID: hid-asus: reset the backlight brightness level on resume")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 544b74eda284a..e4ea87cdb05fd 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -990,7 +990,8 @@ static int asus_start_multitouch(struct hid_device *hdev)
return 0;
}
-static int __maybe_unused asus_resume(struct hid_device *hdev) {
+static int __maybe_unused asus_resume(struct hid_device *hdev)
+{
struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
int ret = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 223/508] HID: asus: do not abort probe when not necessary
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 222/508] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 224/508] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
` (286 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 7253091766ded0fd81fe8d8be9b8b835495b06e8 ]
In order to avoid dereferencing a NULL pointer asus_probe is aborted early
and control of some asus devices is transferred over hid-generic after
erroring out even when such NULL dereference cannot happen: only early
abort when the NULL dereference can happen.
Also make the code shorter and more adherent to coding standards
removing square brackets enclosing single-line if-else statements.
Fixes: d3af6ca9a8c3 ("HID: asus: fix UAF via HID_CLAIMED_INPUT validation")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index e4ea87cdb05fd..d3913f70d263d 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1118,22 +1118,17 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
* were freed during registration due to no usages being mapped,
* leaving drvdata->input pointing to freed memory.
*/
- if (!drvdata->input || !(hdev->claimed & HID_CLAIMED_INPUT)) {
- hid_err(hdev, "Asus input not registered\n");
- ret = -ENOMEM;
- goto err_stop_hw;
- }
-
- if (drvdata->tp) {
- drvdata->input->name = "Asus TouchPad";
- } else {
- drvdata->input->name = "Asus Keyboard";
- }
+ if (drvdata->input && (hdev->claimed & HID_CLAIMED_INPUT)) {
+ if (drvdata->tp)
+ drvdata->input->name = "Asus TouchPad";
+ else
+ drvdata->input->name = "Asus Keyboard";
- if (drvdata->tp) {
- ret = asus_start_multitouch(hdev);
- if (ret)
- goto err_stop_hw;
+ if (drvdata->tp) {
+ ret = asus_start_multitouch(hdev);
+ if (ret)
+ goto err_stop_hw;
+ }
}
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 224/508] mtd: physmap_of_gemini: Fix disabled pinctrl state check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 223/508] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 225/508] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range Greg Kroah-Hartman
` (285 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Linus Walleij,
Miquel Raynal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit b7c0982184b0661f5b1b805f3a56f1bd3757b63e ]
The condition for checking the disabled pinctrl state incorrectly checks
gf->enabled_state instead of gf->disabled_state. This causes misleading
error messages and could lead to incorrect behavior when only one of the
pinctrl states is defined.
Fix the condition to properly check gf->disabled_state.
Fixes: 9d3b5086f6d4 ("mtd: physmap_of_gemini: Handle pin control")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/maps/physmap-gemini.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/maps/physmap-gemini.c b/drivers/mtd/maps/physmap-gemini.c
index 9d3b4bf84a1ad..1c34b4ef77ea3 100644
--- a/drivers/mtd/maps/physmap-gemini.c
+++ b/drivers/mtd/maps/physmap-gemini.c
@@ -181,7 +181,7 @@ int of_flash_probe_gemini(struct platform_device *pdev,
dev_err(dev, "no enabled pin control state\n");
gf->disabled_state = pinctrl_lookup_state(gf->p, "disabled");
- if (IS_ERR(gf->enabled_state)) {
+ if (IS_ERR(gf->disabled_state)) {
dev_err(dev, "no disabled pin control state\n");
} else {
ret = pinctrl_select_state(gf->p, gf->disabled_state);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 225/508] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 224/508] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 226/508] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
` (284 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Marc Zyngier,
Rob Herring (Arm), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 15cfc8984defc17e5e4de1f58db7b993240fcbda ]
According to the "Arm Generic Interrupt Controller (GIC) Architecture
Specification, v3 and v4", revision H.b[1], there can be only 64
Extended PPI interrupts.
[1] https://developer.arm.com/documentation/ihi0069/hb/
Fixes: 4b049063e0bcbfd3 ("dt-bindings: interrupt-controller: arm,gic-v3: Describe EPPI range support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Brain-farted-by: Marc Zyngier <maz@kernel.org>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://patch.msgid.link/3e49a63c6b2b6ee48e3737adee87781f9c136c5f.1772792753.git.geert+renesas@glider.be
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../devicetree/bindings/interrupt-controller/arm,gic-v3.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
index 0f4a062c9d6fe..72e70f9d4b4a2 100644
--- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
+++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
@@ -50,7 +50,7 @@ properties:
The 2nd cell contains the interrupt number for the interrupt type.
SPI interrupts are in the range [0-987]. PPI interrupts are in the
range [0-15]. Extended SPI interrupts are in the range [0-1023].
- Extended PPI interrupts are in the range [0-127].
+ Extended PPI interrupts are in the range [0-63].
The 3rd cell is the flags, encoded as follows:
bits[3:0] trigger type and level flags.
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 226/508] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 225/508] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 227/508] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
` (283 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haibo Chen, Pratyush Yadav,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit 756564a536ecd8c9d33edd89f0647a91a0b03587 ]
When check read operation, need to setting the op.dummy.nbytes based
on current read operation rather than the nor->read_proto.
Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
index 6e135581ec62a..6f8a9c6253205 100644
--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -2477,7 +2477,7 @@ static int spi_nor_spimem_check_readop(struct spi_nor *nor,
/* convert the dummy cycles to the number of bytes */
op.dummy.nbytes = (read->num_mode_clocks + read->num_wait_states) *
op.dummy.buswidth / 8;
- if (spi_nor_protocol_is_dtr(nor->read_proto))
+ if (spi_nor_protocol_is_dtr(read->proto))
op.dummy.nbytes *= 2;
return spi_nor_spimem_check_op(nor, &op);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 227/508] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 226/508] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 228/508] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
` (282 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
Pratyush Yadav, Sasha Levin, Marek Vasut
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit 653f6def567c81f37302f9591ffd54df3e2a11eb ]
SMPT contains config detection info that describes opcode, address, and
dummy cycles to read sector map config. The dummy cycles parameter can
be SMPT_CMD_READ_DUMMY_IS_VARIABLE and in that case nor->read_dummy
(initialized as 0) is used. In Infineon flash chips, Read Any Register
command with variable dummy cycle is defined in SMPT. S25Hx/S28Hx flash
has 0 dummy cycle by default to read volatile regiters and
nor->read_dummy can work. S25FS-S flash has 8 dummy cycles so we need a
hook that can fix dummy cycles with actually used value.
Inroduce smpt_read_dummy() in struct spi_nor_fixups. It is called when
the dummy cycle field in SMPT config detection is 'varialble'.
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # S25FS512S
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 3 +++
drivers/mtd/spi-nor/sfdp.c | 18 ++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 9217379b9cfef..a68cf82498ed8 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -416,6 +416,8 @@ struct spi_nor_flash_parameter {
* flash parameters when information provided by the flash_info
* table is incomplete or wrong.
* @post_bfpt: called after the BFPT table has been parsed
+ * @smpt_read_dummy: called during SMPT table is being parsed. Used to fix the
+ * number of dummy cycles in read register ops.
* @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
@@ -433,6 +435,7 @@ struct spi_nor_fixups {
int (*post_bfpt)(struct spi_nor *nor,
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
+ void (*smpt_read_dummy)(const struct spi_nor *nor, u8 *read_dummy);
int (*post_sfdp)(struct spi_nor *nor);
int (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index b3b11dfed7893..f1ec785628bfb 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -674,6 +674,17 @@ static u8 spi_nor_smpt_addr_nbytes(const struct spi_nor *nor, const u32 settings
}
}
+static void spi_nor_smpt_read_dummy_fixups(const struct spi_nor *nor,
+ u8 *read_dummy)
+{
+ if (nor->manufacturer && nor->manufacturer->fixups &&
+ nor->manufacturer->fixups->smpt_read_dummy)
+ nor->manufacturer->fixups->smpt_read_dummy(nor, read_dummy);
+
+ if (nor->info->fixups && nor->info->fixups->smpt_read_dummy)
+ nor->info->fixups->smpt_read_dummy(nor, read_dummy);
+}
+
/**
* spi_nor_smpt_read_dummy() - return the configuration detection command read
* latency, in clock cycles.
@@ -686,8 +697,11 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
{
u8 read_dummy = SMPT_CMD_READ_DUMMY(settings);
- if (read_dummy == SMPT_CMD_READ_DUMMY_IS_VARIABLE)
- return nor->read_dummy;
+ if (read_dummy == SMPT_CMD_READ_DUMMY_IS_VARIABLE) {
+ read_dummy = nor->read_dummy;
+ spi_nor_smpt_read_dummy_fixups(nor, &read_dummy);
+ }
+
return read_dummy;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 228/508] mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 227/508] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 229/508] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
` (281 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Tudor Ambarus,
Takahiro Kuwano, Pratyush Yadav, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit f74de390557bf2bcc5dca4a357b41c0701d3f76e ]
Certain chips have inconsistent Sector Map Parameter Table (SMPT) data,
which leads to the wrong map ID being identified, causing failures to
detect the correct sector map.
To fix this, introduce smpt_map_id() into the struct spi_nor_fixups.
This function will be called after the initial SMPT-based detection,
allowing chip-specific logic to correct the map ID.
Infineon S25FS512S needs this fixup as it has inconsistency between map
ID definition and configuration register value actually obtained.
Co-developed-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # S25FS512S
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 3 +++
drivers/mtd/spi-nor/sfdp.c | 12 ++++++++++++
2 files changed, 15 insertions(+)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index a68cf82498ed8..6c478331e494e 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -418,6 +418,8 @@ struct spi_nor_flash_parameter {
* @post_bfpt: called after the BFPT table has been parsed
* @smpt_read_dummy: called during SMPT table is being parsed. Used to fix the
* number of dummy cycles in read register ops.
+ * @smpt_map_id: called after map ID in SMPT table has been determined for the
+ * case the map ID is wrong and needs to be fixed.
* @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
@@ -436,6 +438,7 @@ struct spi_nor_fixups {
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
void (*smpt_read_dummy)(const struct spi_nor *nor, u8 *read_dummy);
+ void (*smpt_map_id)(const struct spi_nor *nor, u8 *map_id);
int (*post_sfdp)(struct spi_nor *nor);
int (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index f1ec785628bfb..dcf88ad2a00b2 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -705,6 +705,16 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
return read_dummy;
}
+static void spi_nor_smpt_map_id_fixups(const struct spi_nor *nor, u8 *map_id)
+{
+ if (nor->manufacturer && nor->manufacturer->fixups &&
+ nor->manufacturer->fixups->smpt_map_id)
+ nor->manufacturer->fixups->smpt_map_id(nor, map_id);
+
+ if (nor->info->fixups && nor->info->fixups->smpt_map_id)
+ nor->info->fixups->smpt_map_id(nor, map_id);
+}
+
/**
* spi_nor_get_map_in_use() - get the configuration map in use
* @nor: pointer to a 'struct spi_nor'
@@ -758,6 +768,8 @@ static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt,
map_id = map_id << 1 | !!(*buf & read_data_mask);
}
+ spi_nor_smpt_map_id_fixups(nor, &map_id);
+
/*
* If command descriptors are provided, they always precede map
* descriptors in the table. There is no need to start the iteration
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 229/508] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 228/508] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 230/508] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
` (280 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Pratyush Yadav,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 3620d67b48493c6252bbc873dc88dde81641d56b ]
After commit 5273cc6df984 ("mtd: spi-nor: core: Call
spi_nor_post_sfdp_fixups() only when SFDP is defined")
spi_nor_post_sfdp_fixups() isn't called anymore if no SFDP is detected.
Update the documentation accordingly.
Fixes: 5273cc6df984 ("mtd: spi-nor: core: Call spi_nor_post_sfdp_fixups() only when SFDP is defined")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 6c478331e494e..398383ba0d8d6 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -420,7 +420,7 @@ struct spi_nor_flash_parameter {
* number of dummy cycles in read register ops.
* @smpt_map_id: called after map ID in SMPT table has been determined for the
* case the map ID is wrong and needs to be fixed.
- * @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
+ * @post_sfdp: called after SFDP has been parsed (is not called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
* when information provided by the SFDP/flash_info tables are
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 230/508] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 229/508] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 231/508] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
` (279 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Michael Walle,
Miquel Raynal, Pratyush Yadav (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit 94645aa41bf9ecb87c2ce78b1c3405bfb6074a37 ]
When the chip does not support top/bottom block protect, the tb_mask
must be set to 0, otherwise SR1 bit5 will be unexpectedly modified.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Fixes: 3dd8012a8eeb ("mtd: spi-nor: add TB (Top/Bottom) protect support")
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/swp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/swp.c b/drivers/mtd/spi-nor/swp.c
index a186d1fde8694..4f34283603587 100644
--- a/drivers/mtd/spi-nor/swp.c
+++ b/drivers/mtd/spi-nor/swp.c
@@ -27,8 +27,10 @@ static u8 spi_nor_get_sr_tb_mask(struct spi_nor *nor)
{
if (nor->flags & SNOR_F_HAS_SR_TB_BIT6)
return SR_TB_BIT6;
- else
+ else if (nor->flags & SNOR_F_HAS_SR_TB)
return SR_TB_BIT5;
+ else
+ return 0;
}
static u64 spi_nor_get_min_prot_length_sr(struct spi_nor *nor)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 231/508] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 230/508] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 232/508] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
` (278 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Tommaso Merciai,
Miquel Raynal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
[ Upstream commit 0c87dea1aab86116211cb37387c404c9e9231c39 ]
ofpart_none can only be reached after the for_each_child_of_node() loop
finishes. for_each_child_of_node() correctly calls of_node_put() for all
device nodes it iterates over as long as we don't break or jump out of
the loop.
Calling of_node_put() inside the ofpart_none path will wrongly decrement
the ref count of the last node in the for_each_child_of_node() loop.
Move the call to of_node_put() under the ofpart_fail label to fix this.
Fixes: ebd5a74db74e ("mtd: ofpart: Check availability of reg property instead of name property")
Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/ofpart_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/ofpart_core.c b/drivers/mtd/parsers/ofpart_core.c
index 3cf75b56d5a2e..110994b1e02f5 100644
--- a/drivers/mtd/parsers/ofpart_core.c
+++ b/drivers/mtd/parsers/ofpart_core.c
@@ -191,11 +191,11 @@ static int parse_fixed_partitions(struct mtd_info *master,
ofpart_fail:
pr_err("%s: error parsing ofpart partition %pOF (%pOF)\n",
master->name, pp, mtd_node);
+ of_node_put(pp);
ret = -EINVAL;
ofpart_none:
if (dedicated)
of_node_put(ofpart_node);
- of_node_put(pp);
kfree(parts);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 232/508] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 231/508] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 233/508] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
` (277 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Tommaso Merciai,
Miquel Raynal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
[ Upstream commit e882626c1747653f1f01ea9d12e278e613b11d0f ]
In order to parse sub-partitions, add_mtd_partitions() calls
parse_mtd_partitions() for all previously found partitions.
Each partition will end up being passed to parse_fixed_partitions(), and
its of_node will be treated as the ofpart_node.
Commit 7cce81df7d26 ("mtd: parsers: ofpart: fix OF node refcount leak in
parse_fixed_partitions()") added of_node_put() calls for ofpart_node on
all exit paths.
In the case where the partition passed to parse_fixed_partitions() has a
parent, it is treated as a dedicated partitions node, and of_node_put()
is wrongly called for it, even if of_node_get() was not called
explicitly.
On repeated bind / unbinds of the MTD, the extra of_node_put() ends up
decrementing the refcount down to 0, which should never happen,
resulting in the following error:
OF: ERROR: of_node_release() detected bad of_node_put() on
/soc/spi@80007000/flash@0/partitions/partition@0
Call of_node_get() to balance the call to of_node_put() done for
dedicated partitions nodes.
Fixes: 7cce81df7d26 ("mtd: parsers: ofpart: fix OF node refcount leak in parse_fixed_partitions()")
Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/ofpart_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/ofpart_core.c b/drivers/mtd/parsers/ofpart_core.c
index 110994b1e02f5..c18fa1b3e3276 100644
--- a/drivers/mtd/parsers/ofpart_core.c
+++ b/drivers/mtd/parsers/ofpart_core.c
@@ -71,7 +71,7 @@ static int parse_fixed_partitions(struct mtd_info *master,
dedicated = false;
}
} else { /* Partition */
- ofpart_node = mtd_node;
+ ofpart_node = of_node_get(mtd_node);
}
of_id = of_match_node(parse_ofpart_match_table, ofpart_node);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 233/508] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 232/508] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 234/508] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
` (276 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Richard Genoud,
Miquel Raynal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Genoud <richard.genoud@bootlin.com>
[ Upstream commit 848c13996c55fe4ea6bf5acc3ce6c8c5c944b5f6 ]
When dumping the OOB, the bytes at the end where actually copied from
the beginning of the OOB instead of current_offset.
That leads to something like:
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
instead of:
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
(example with BCH16, user data [8,0], no scrambling)
*cur_off (offset from the beginning of the page) was compared to offset
(offset from the beginning of the OOB), and then, the
nand_change_read_column_op() sets the current position to the beginning
of the OOB instead of OOB+offset
Fixes: 15d6f118285f ("mtd: rawnand: sunxi: Stop supporting ECC_HW_SYNDROME mode")
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/sunxi_nand.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c
index 4469618ee6033..8d31cb0133acc 100644
--- a/drivers/mtd/nand/raw/sunxi_nand.c
+++ b/drivers/mtd/nand/raw/sunxi_nand.c
@@ -886,9 +886,9 @@ static void sunxi_nfc_hw_ecc_read_extra_oob(struct nand_chip *nand,
if (len <= 0)
return;
- if (!cur_off || *cur_off != offset)
- nand_change_read_column_op(nand, mtd->writesize, NULL, 0,
- false);
+ if (!cur_off || *cur_off != (offset + mtd->writesize))
+ nand_change_read_column_op(nand, mtd->writesize + offset,
+ NULL, 0, false);
if (!randomize)
sunxi_nfc_read_buf(nand, oob + offset, len);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 234/508] HID: usbhid: fix deadlock in hid_post_reset()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 233/508] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 235/508] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
` (275 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Jiri Kosina,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 8df2c1b47ee3cd50fd454f75c7a7e2ae8a6adf72 ]
You can build a USB device that includes a HID component
and a storage or UAS component. The components can be reset
only together. That means that hid_pre_reset() and hid_post_reset()
are in the block IO error handling. Hence no memory allocation
used in them may do block IO because the IO can deadlock
on the mutex held while resetting a device and calling the
interface drivers.
Use GFP_NOIO for all allocations in them.
Fixes: dc3c78e434690 ("HID: usbhid: Check HID report descriptor contents after device reset")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 5e3bd615066c1..415d44ac14807 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1549,7 +1549,7 @@ static int hid_post_reset(struct usb_interface *intf)
* configuration descriptors passed, we already know that
* the size of the HID report descriptor has not changed.
*/
- rdesc = kmalloc(hid->dev_rsize, GFP_KERNEL);
+ rdesc = kmalloc(hid->dev_rsize, GFP_NOIO);
if (!rdesc)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 235/508] bpf, arm64: Fix off-by-one in check_imm signed range check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 234/508] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 236/508] bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize Greg Kroah-Hartman
` (274 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Puranjay Mohan,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 1dd8be4ec722ce54e4cace59f3a4ba658111b3ec ]
check_imm(bits, imm) is used in the arm64 BPF JIT to verify that
a branch displacement (in arm64 instruction units) fits into the
signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding
before it is handed to the encoder. The macro currently tests for
(imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits
values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A
signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check
admits one extra bit of range on each side.
In particular, for check_imm19(), values in [2^18, 2^19) slip past
the check but do not fit into the 19-bit signed imm19 field of
B.cond. aarch64_insn_encode_immediate() then masks the raw value
into the 19-bit field, setting bit 18 (the sign bit) and flipping
a forward branch into a backward one. Same class of issue exists
for check_imm26() and the B/BL encoding. Shift by (bits - 1)
instead of bits so the actual signed N-bit range is enforced.
Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260415121403.639619-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index f11de7484ced8..9fd0b658e4602 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -33,8 +33,8 @@
#define FP_BOTTOM (MAX_BPF_JIT_REG + 4)
#define check_imm(bits, imm) do { \
- if ((((imm) > 0) && ((imm) >> (bits))) || \
- (((imm) < 0) && (~(imm) >> (bits)))) { \
+ if ((((imm) > 0) && ((imm) >> ((bits) - 1))) || \
+ (((imm) < 0) && (~(imm) >> ((bits) - 1)))) { \
pr_info("[%2d] imm=%d(0x%x) out of range\n", \
i, imm, imm); \
return -EINVAL; \
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 236/508] bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 235/508] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 237/508] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
` (273 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Puranjay Mohan, Pu Lehui,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 46ee1342b887c9387a933397d846ff6c9584322c ]
bpf_flush_icache() calls flush_icache_range() to clean the data cache
and invalidate the instruction cache for the JITed code region. However,
since commit 48a8f78c50bd ("bpf, riscv: use prog pack allocator in the
BPF JIT"), this flush is redundant.
bpf_jit_binary_pack_finalize() copies the JITed instructions to the ROX
region via bpf_arch_text_copy() -> patch_text_nosync(), and
patch_text_nosync() already calls flush_icache_range() on the written
range. The subsequent bpf_flush_icache() repeats the same cache
maintenance on an overlapping range.
Remove the redundant bpf_flush_icache() call and its now-unused
definition.
Fixes: 48a8f78c50bd ("bpf, riscv: use prog pack allocator in the BPF JIT")
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Pu Lehui <pulehui@huawei.com>
Tested-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260413191111.3426023-3-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/net/bpf_jit.h | 6 ------
arch/riscv/net/bpf_jit_core.c | 7 -------
2 files changed, 13 deletions(-)
diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h
index a5ce1ab76ecee..c444c79596703 100644
--- a/arch/riscv/net/bpf_jit.h
+++ b/arch/riscv/net/bpf_jit.h
@@ -11,7 +11,6 @@
#include <linux/bpf.h>
#include <linux/filter.h>
-#include <asm/cacheflush.h>
static inline bool rvc_enabled(void)
{
@@ -97,11 +96,6 @@ static inline void bpf_fill_ill_insns(void *area, unsigned int size)
memset(area, 0, size);
}
-static inline void bpf_flush_icache(void *start, void *end)
-{
- flush_icache_range((unsigned long)start, (unsigned long)end);
-}
-
/* Emit a 4-byte riscv instruction. */
static inline void emit(const u32 insn, struct rv_jit_context *ctx)
{
diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
index 7b70ccb7fec34..f57b95e830ac0 100644
--- a/arch/riscv/net/bpf_jit_core.c
+++ b/arch/riscv/net/bpf_jit_core.c
@@ -182,13 +182,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
prog = orig_prog;
goto out_offset;
}
- /*
- * The instructions have now been copied to the ROX region from
- * where they will execute.
- * Write any modified data cache blocks out to memory and
- * invalidate the corresponding blocks in the instruction cache.
- */
- bpf_flush_icache(jit_data->ro_header, ctx->ro_insns + ctx->ninsns);
for (i = 0; i < prog->len; i++)
ctx->offset[i] = ninsns_rvoff(ctx->offset[i]);
bpf_prog_fill_jited_linfo(prog, ctx->offset);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 237/508] bpf, sockmap: Fix af_unix iter deadlock
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.6 236/508] bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 238/508] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
` (272 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Martin KaFai Lau,
Michal Luczaj, Martin KaFai Lau, Jiayuan Chen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 4d328dd695383224aa750ddee6b4ad40c0f8d205 ]
bpf_iter_unix_seq_show() may deadlock when lock_sock_fast() takes the fast
path and the iter prog attempts to update a sockmap. Which ends up spinning
at sock_map_update_elem()'s bh_lock_sock():
WARNING: possible recursive locking detected
test_progs/1393 is trying to acquire lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: sock_map_update_elem+0xdb/0x1f0
but task is already holding lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_UNIX);
lock(slock-AF_UNIX);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by test_progs/1393:
#0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf_seq_read+0x59/0x10d0
#1: ffff88811ec25fd8 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: bpf_seq_read+0x42c/0x10d0
#2: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
#3: ffffffff85a6a7c0 (rcu_read_lock){....}-{1:3}, at: bpf_iter_run_prog+0x51d/0xb00
Call Trace:
dump_stack_lvl+0x5d/0x80
print_deadlock_bug.cold+0xc0/0xce
__lock_acquire+0x130f/0x2590
lock_acquire+0x14e/0x2b0
_raw_spin_lock+0x30/0x40
sock_map_update_elem+0xdb/0x1f0
bpf_prog_2d0075e5d9b721cd_dump_unix+0x55/0x4f4
bpf_iter_run_prog+0x5b9/0xb00
bpf_iter_unix_seq_show+0x1f7/0x2e0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0x6b/0x3a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-2-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 651c7debe799d..8bf6c2b7215e8 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3561,15 +3561,14 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
struct bpf_prog *prog;
struct sock *sk = v;
uid_t uid;
- bool slow;
int ret;
if (v == SEQ_START_TOKEN)
return 0;
- slow = lock_sock_fast(sk);
+ lock_sock(sk);
- if (unlikely(sk_unhashed(sk))) {
+ if (unlikely(sock_flag(sk, SOCK_DEAD))) {
ret = SEQ_SKIP;
goto unlock;
}
@@ -3579,7 +3578,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
- unlock_sock_fast(sk, slow);
+ release_sock(sk);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 238/508] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 237/508] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 239/508] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
` (271 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj,
钱一铭, Kuniyuki Iwashima, Martin KaFai Lau,
Martin KaFai Lau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit dca38b7734d2ea00af4818ff3ae836fab33d5d5a ]
unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,
TCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).
sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that
socket is properly set up, which would include having a defined peer. IOW,
there's a window when unix_stream_bpf_update_proto() can be called on
socket which still has unix_peer(sk) == NULL.
CPU0 bpf CPU1 connect
-------- ------------
WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
...
sk_pair = unix_peer(sk)
sock_hold(sk_pair)
sock_hold(newsk)
smp_mb__after_atomic()
unix_peer(sk) = newsk
BUG: kernel NULL pointer dereference, address: 0000000000000080
RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0
Call Trace:
sock_map_link+0x564/0x8b0
sock_map_update_common+0x6e/0x340
sock_map_update_elem_sys+0x17d/0x240
__sys_bpf+0x26db/0x3250
__x64_sys_bpf+0x21/0x30
do_syscall_64+0x6b/0x3a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Initial idea was to move peer assignment _before_ the sk_state update[1],
but that involved an additional memory barrier, and changing the hot path
was rejected.
Then a NULL check during proto update in unix_stream_bpf_update_proto() was
considered[2], but the follow-up discussion[3] focused on the root cause,
i.e. sockmap update taking a wrong lock. Or, more specifically, missing
unix_state_lock()[4].
In the end it was concluded that teaching sockmap about the af_unix locking
would be unnecessarily complex[5].
Complexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT
are allowed to update sockmaps, sock_map_update_elem() taking the unix
lock, as it is currently implemented in unix_state_lock():
spin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken
in a process context, followed by a softirq-context TC BPF program
attempting to take the same spinlock -- deadlock[6].
This way we circled back to the peer check idea[2].
[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/
[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/
[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/
[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/
[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/
Summary of scenarios where af_unix/stream connect() may race a sockmap
update:
1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()
Implemented NULL check is sufficient. Once assigned, socket peer won't
be released until socket fd is released. And that's not an issue because
sock_map_update_elem_sys() bumps fd refcnf.
2. connect() vs BPF program doing update
Update restricted per verifier.c:may_update_sockmap() to
BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER
BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)
BPF_PROG_TYPE_SOCKET_FILTER
BPF_PROG_TYPE_SCHED_CLS
BPF_PROG_TYPE_SCHED_ACT
BPF_PROG_TYPE_XDP
BPF_PROG_TYPE_SK_REUSEPORT
BPF_PROG_TYPE_FLOW_DISSECTOR
BPF_PROG_TYPE_SK_LOOKUP
Plus one more race to consider:
CPU0 bpf CPU1 connect
-------- ------------
WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
sock_hold(newsk)
smp_mb__after_atomic()
unix_peer(sk) = newsk
sk_pair = unix_peer(sk)
if (unlikely(!sk_pair))
return -EINVAL;
CPU1 close
----------
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
sock_put(skpair)
// use after free?
sock_hold(sk_pair)
2.1 BPF program invoking helper function bpf_sock_map_update() ->
BPF_CALL_4(bpf_sock_map_update(), ...)
Helper limited to BPF_PROG_TYPE_SOCK_OPS. Nevertheless, a unix sock
might be accessible via bpf_map_lookup_elem(). Which implies sk
already having psock, which in turn implies sk already having
sk_pair. Since sk_psock_destroy() is queued as RCU work, sk_pair
won't go away while BPF executes the update.
2.2 BPF program invoking helper function bpf_map_update_elem() ->
sock_map_update_elem()
2.2.1 Unix sock accessible to BPF prog only via sockmap lookup in
BPF_PROG_TYPE_SOCKET_FILTER, BPF_PROG_TYPE_SCHED_CLS,
BPF_PROG_TYPE_SCHED_ACT, BPF_PROG_TYPE_XDP,
BPF_PROG_TYPE_SK_REUSEPORT, BPF_PROG_TYPE_FLOW_DISSECTOR,
BPF_PROG_TYPE_SK_LOOKUP.
Pretty much the same as case 2.1.
2.2.2 Unix sock accessible to BPF program directly:
BPF_PROG_TYPE_TRACING, narrowed down to BPF_TRACE_ITER.
Sockmap iterator (sock_map_seq_ops) is safe: unix sock
residing in a sockmap means that the sock already went through
the proto update step.
Unix sock iterator (bpf_iter_unix_seq_ops), on the other hand,
gives access to socks that may still be unconnected. Which
means iterator prog can race sockmap/proto update against
connect().
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x253/0x4d0
Write of size 4 at addr 0000000000000080 by task test_progs/3140
Call Trace:
dump_stack_lvl+0x5d/0x80
kasan_report+0xe4/0x1c0
kasan_check_range+0x125/0x200
unix_stream_bpf_update_proto+0x253/0x4d0
sock_map_link+0x71c/0xec0
sock_map_update_common+0xbc/0x600
sock_map_update_elem+0x19a/0x1f0
bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217
bpf_iter_run_prog+0x21e/0xae0
bpf_iter_unix_seq_show+0x1e0/0x2a0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
While the introduced NULL check prevents null-ptr-deref in the
BPF program path as well, it is insufficient to guard against
a poorly timed close() leading to a use-after-free. This will
be addressed in a subsequent patch.
Fixes: c63829182c37 ("af_unix: Implement ->psock_update_sk_prot()")
Closes: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
Reported-by: Michal Luczaj <mhal@rbox.co>
Reported-by: 钱一铭 <yimingqian591@gmail.com>
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-4-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/unix_bpf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
index bca2d86ba97d8..976e035053e5a 100644
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -184,6 +184,9 @@ int unix_stream_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool r
*/
if (!psock->sk_pair) {
sk_pair = unix_peer(sk);
+ if (unlikely(!sk_pair))
+ return -EINVAL;
+
sock_hold(sk_pair);
psock->sk_pair = sk_pair;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 239/508] bpf, sockmap: Take state lock for af_unix iter
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 238/508] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 240/508] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
` (270 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Michal Luczaj,
Martin KaFai Lau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 64c2f93fc3254d3bf5de4445fb732ee5c451edb6 ]
When a BPF iterator program updates a sockmap, there is a race condition in
unix_stream_bpf_update_proto() where the `peer` pointer can become stale[1]
during a state transition TCP_ESTABLISHED -> TCP_CLOSE.
CPU0 bpf CPU1 close
-------- ----------
// unix_stream_bpf_update_proto()
sk_pair = unix_peer(sk)
if (unlikely(!sk_pair))
return -EINVAL;
// unix_release_sock()
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
sock_put(skpair)
sock_hold(sk_pair) // UaF
More practically, this fix guarantees that the iterator program is
consistently provided with a unix socket that remains stable during
iterator execution.
[1]:
BUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490
Write of size 4 at addr ffff8881178c9a00 by task test_progs/2231
Call Trace:
dump_stack_lvl+0x5d/0x80
print_report+0x170/0x4f3
kasan_report+0xe4/0x1c0
kasan_check_range+0x125/0x200
unix_stream_bpf_update_proto+0x155/0x490
sock_map_link+0x71c/0xec0
sock_map_update_common+0xbc/0x600
sock_map_update_elem+0x19a/0x1f0
bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217
bpf_iter_run_prog+0x21e/0xae0
bpf_iter_unix_seq_show+0x1e0/0x2a0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2236:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x63/0x80
kmem_cache_alloc_noprof+0x1d5/0x680
sk_prot_alloc+0x59/0x210
sk_alloc+0x34/0x470
unix_create1+0x86/0x8a0
unix_stream_connect+0x318/0x15b0
__sys_connect+0xfd/0x130
__x64_sys_connect+0x72/0xd0
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2236:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x47/0x70
kmem_cache_free+0x11c/0x590
__sk_destruct+0x432/0x6e0
unix_release_sock+0x9b3/0xf60
unix_release+0x8a/0xf0
__sock_release+0xb0/0x270
sock_close+0x18/0x20
__fput+0x36e/0xac0
fput_close_sync+0xe5/0x1a0
__x64_sys_close+0x7d/0xd0
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-5-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 8bf6c2b7215e8..87908ae74efb3 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3567,6 +3567,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
return 0;
lock_sock(sk);
+ unix_state_lock(sk);
if (unlikely(sock_flag(sk, SOCK_DEAD))) {
ret = SEQ_SKIP;
@@ -3578,6 +3579,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
+ unix_state_unlock(sk);
release_sock(sk);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 240/508] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 239/508] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 241/508] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Greg Kroah-Hartman
` (269 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit e5f635edd393aeaa7cad9e42831d397e6e2e1eed ]
Fix an operator precedence issue in convert_bpf_ld_abs() where the
expression offset + ip_align % size evaluates as offset + (ip_align % size)
due to % having higher precedence than +. That latter evaluation does
not make any sense. The intended check is (offset + ip_align) % size == 0
to verify that the packet load offset is properly aligned for direct
access.
With NET_IP_ALIGN == 2, the bug causes the inline fast-path for direct
packet loads to almost never be taken on !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
platforms. This forces nearly all cBPF BPF_LD_ABS packet loads through
the bpf_skb_load_helper slow path on the affected archs.
Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260416122719.661033-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index c24510037334c..371f4e789998d 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -492,7 +492,7 @@ static bool convert_bpf_ld_abs(struct sock_filter *fp, struct bpf_insn **insnp)
((unaligned_ok && offset >= 0) ||
(!unaligned_ok && offset >= 0 &&
offset + ip_align >= 0 &&
- offset + ip_align % size == 0))) {
+ (offset + ip_align) % size == 0))) {
bool ldx_off_ok = offset <= S16_MAX;
*insn++ = BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_H);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 241/508] bpf: Fix NULL deref in map_kptr_match_type for scalar regs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 240/508] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 242/508] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
` (268 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hiker Cl, Mykyta Yatsenko,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mykyta Yatsenko <yatsenko@meta.com>
[ Upstream commit 4d0a375887ab4d49e4da1ff10f9606cab8f7c3ad ]
Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local
kptr") refactored map_kptr_match_type() to branch on btf_is_kernel()
before checking base_type(). A scalar register stored into a kptr
slot has no btf, so the btf_is_kernel(reg->btf) call dereferences
NULL.
Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf
access.
Fixes: ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr")
Reported-by: Hiker Cl <clhiker365@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221372
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260416-kptr_crash-v1-1-5589356584b4@meta.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b7fd3995538bf..0d90236d0ad94 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5336,6 +5336,9 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
int perm_flags;
const char *reg_name = "";
+ if (base_type(reg->type) != PTR_TO_BTF_ID)
+ goto bad_type;
+
if (btf_is_kernel(reg->btf)) {
perm_flags = PTR_MAYBE_NULL | PTR_TRUSTED | MEM_RCU;
@@ -5346,7 +5349,7 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
perm_flags = PTR_MAYBE_NULL | MEM_ALLOC;
}
- if (base_type(reg->type) != PTR_TO_BTF_ID || (type_flag(reg->type) & ~perm_flags))
+ if (type_flag(reg->type) & ~perm_flags)
goto bad_type;
/* We need to verify reg->type and reg->btf, before accessing reg->btf */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 242/508] bpf: allow UTF-8 literals in bpf_bprintf_prepare()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 241/508] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 243/508] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
` (267 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihan Ding, Paul Chaignon,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihan Ding <dingyihan@uniontech.com>
[ Upstream commit b960430ea8862ef37ce53c8bf74a8dc79d3f2404 ]
bpf_bprintf_prepare() only needs ASCII parsing for conversion
specifiers. Plain text can safely carry bytes >= 0x80, so allow
UTF-8 literals outside '%' sequences while keeping ASCII control
bytes rejected and format specifiers ASCII-only.
This keeps existing parsing rules for format directives unchanged,
while allowing helpers such as bpf_trace_printk() to emit UTF-8
literal text.
Update test_snprintf_negative() in the same commit so selftests keep
matching the new plain-text vs format-specifier split during bisection.
Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with bstr_printf")
Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260416120142.1420646-2-dingyihan@uniontech.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/helpers.c | 17 ++++++++++++++++-
.../testing/selftests/bpf/prog_tests/snprintf.c | 3 ++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 2cfbc48b82425..885ff0710a8b9 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -849,7 +849,13 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
data->buf = buffers->buf;
for (i = 0; i < fmt_size; i++) {
- if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) {
+ unsigned char c = fmt[i];
+
+ /*
+ * Permit bytes >= 0x80 in plain text so UTF-8 literals can pass
+ * through unchanged, while still rejecting ASCII control bytes.
+ */
+ if (isascii(c) && !isprint(c) && !isspace(c)) {
err = -EINVAL;
goto out;
}
@@ -871,6 +877,15 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
* always access fmt[i + 1], in the worst case it will be a 0
*/
i++;
+ c = fmt[i];
+ /*
+ * The format parser below only understands ASCII conversion
+ * specifiers and modifiers, so reject non-ASCII after '%'.
+ */
+ if (!isascii(c)) {
+ err = -EINVAL;
+ goto out;
+ }
/* skip optional "[0 +-][num]" width formatting field */
while (fmt[i] == '0' || fmt[i] == '+' || fmt[i] == '-' ||
diff --git a/tools/testing/selftests/bpf/prog_tests/snprintf.c b/tools/testing/selftests/bpf/prog_tests/snprintf.c
index 4be6fdb78c6a1..20a3c622bd28a 100644
--- a/tools/testing/selftests/bpf/prog_tests/snprintf.c
+++ b/tools/testing/selftests/bpf/prog_tests/snprintf.c
@@ -114,7 +114,8 @@ static void test_snprintf_negative(void)
ASSERT_ERR(load_single_snprintf("%--------"), "invalid specifier 5");
ASSERT_ERR(load_single_snprintf("%lc"), "invalid specifier 6");
ASSERT_ERR(load_single_snprintf("%llc"), "invalid specifier 7");
- ASSERT_ERR(load_single_snprintf("\x80"), "non ascii character");
+ ASSERT_OK(load_single_snprintf("\x80"), "non ascii plain text");
+ ASSERT_ERR(load_single_snprintf("%\x80"), "non ascii in specifier");
ASSERT_ERR(load_single_snprintf("\x1"), "non printable character");
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 243/508] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 242/508] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 244/508] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
` (266 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Jonas Rebmann,
Puranjay Mohan, Emil Tsalapatis, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit e1d486445af3c392628532229f7ce5f5cf7891b6 ]
The ARM32 BPF JIT does not support BPF-to-BPF function calls
(BPF_PSEUDO_CALL) or callbacks (BPF_PSEUDO_FUNC), but it does
not reject them either.
When a program with subprograms is loaded (e.g. libxdp's XDP
dispatcher uses __noinline__ subprograms, or any program using
callbacks like bpf_loop or bpf_for_each_map_elem), the verifier
invokes bpf_jit_subprogs() which calls bpf_int_jit_compile()
for each subprogram.
For BPF_PSEUDO_CALL, since ARM32 does not reject it, the JIT
silently emits code using the wrong address computation:
func = __bpf_call_base + imm
where imm is a pc-relative subprogram offset, producing a bogus
function pointer.
For BPF_PSEUDO_FUNC, the ldimm64 handler ignores src_reg and
loads the immediate as a normal 64-bit value without error.
In both cases, build_body() reports success and a JIT image is
allocated. ARM32 lacks the jit_data/extra_pass mechanism needed
for the second JIT pass in bpf_jit_subprogs(). On the second
pass, bpf_int_jit_compile() performs a full fresh compilation,
allocating a new JIT binary and overwriting prog->bpf_func. The
first allocation is never freed. bpf_jit_subprogs() then detects
the function pointer changed and aborts with -ENOTSUPP, but the
original JIT binary has already been leaked. Each program
load/unload cycle leaks one JIT binary allocation, as reported
by kmemleak:
unreferenced object 0xbf0a1000 (size 4096):
backtrace:
bpf_jit_binary_alloc+0x64/0xfc
bpf_int_jit_compile+0x14c/0x348
bpf_jit_subprogs+0x4fc/0xa60
Fix this by rejecting both BPF_PSEUDO_CALL in the BPF_CALL
handler and BPF_PSEUDO_FUNC in the BPF_LD_IMM64 handler, falling
through to the existing 'notyet' path. This causes build_body()
to fail before any JIT binary is allocated, so
bpf_int_jit_compile() returns the original program unjitted.
bpf_jit_subprogs() then sees !prog->jited and cleanly falls
back to the interpreter with no leak.
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs")
Reported-by: Jonas Rebmann <jre@pengutronix.de>
Closes: https://lore.kernel.org/bpf/b63e9174-7a3d-4e22-8294-16df07a4af89@pengutronix.de
Tested-by: Jonas Rebmann <jre@pengutronix.de>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417143353.838911-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/net/bpf_jit_32.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index 6a1c9fca5260b..2292245cfe7a9 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -1594,6 +1594,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
{
u64 val = (u32)imm | (u64)insn[1].imm << 32;
+ if (insn->src_reg == BPF_PSEUDO_FUNC)
+ goto notyet;
+
emit_a32_mov_i64(dst, val, ctx);
return 1;
@@ -1785,6 +1788,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
const s8 *r5 = bpf2a32[BPF_REG_5];
const u32 func = (u32)__bpf_call_base + (u32)imm;
+ if (insn->src_reg == BPF_PSEUDO_CALL)
+ goto notyet;
+
emit_a32_mov_r64(true, r0, r1, ctx);
emit_a32_mov_r64(true, r1, r2, ctx);
emit_push_r64(r5, ctx);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 244/508] pinctrl: pinctrl-pic32: Fix resource leak
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 243/508] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 245/508] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
` (265 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit fe5560688f3ba98364c7de7b4f8dc240ffd1ff75 ]
Fix three possible resource leaks by using the devres version of
clk_prepare_enable(). Also, update error message accordingly.
Detected by Smatch:
drivers/pinctrl/pinctrl-pic32.c:2211 pic32_pinctrl_probe() warn:
'pctl->clk' from clk_prepare_enable() not released on lines: 2208.
drivers/pinctrl/pinctrl-pic32.c:2274 pic32_gpio_probe() warn:
'bank->clk' from clk_prepare_enable() not released on lines: 2264,2272.
Fixes: 2ba384e6c3810 ("pinctrl: pinctrl-pic32: Add PIC32 pin control driver")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-pic32.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-pic32.c b/drivers/pinctrl/pinctrl-pic32.c
index bf827ab081a1d..f87b5964e8b31 100644
--- a/drivers/pinctrl/pinctrl-pic32.c
+++ b/drivers/pinctrl/pinctrl-pic32.c
@@ -2173,16 +2173,10 @@ static int pic32_pinctrl_probe(struct platform_device *pdev)
if (IS_ERR(pctl->reg_base))
return PTR_ERR(pctl->reg_base);
- pctl->clk = devm_clk_get(&pdev->dev, NULL);
+ pctl->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(pctl->clk)) {
ret = PTR_ERR(pctl->clk);
- dev_err(&pdev->dev, "clk get failed\n");
- return ret;
- }
-
- ret = clk_prepare_enable(pctl->clk);
- if (ret) {
- dev_err(&pdev->dev, "clk enable failed\n");
+ dev_err(&pdev->dev, "Failed to get and enable clock\n");
return ret;
}
@@ -2238,16 +2232,10 @@ static int pic32_gpio_probe(struct platform_device *pdev)
if (irq < 0)
return irq;
- bank->clk = devm_clk_get(&pdev->dev, NULL);
+ bank->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(bank->clk)) {
ret = PTR_ERR(bank->clk);
- dev_err(&pdev->dev, "clk get failed\n");
- return ret;
- }
-
- ret = clk_prepare_enable(bank->clk);
- if (ret) {
- dev_err(&pdev->dev, "clk enable failed\n");
+ dev_err(&pdev->dev, "Failed to get and enable clock\n");
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 245/508] pinctrl: cy8c95x0: remove duplicate error message
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 244/508] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 246/508] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
` (264 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 970dacb3b9f0fedbbbcfd7dbf1f4f22340b3f359 ]
The pin control core is covered to report any error via message.
The devm_request_threaded_irq() already prints an error message.
Remove the duplicates.
While at it, drop the info message as the same information about
an IRQ in use can be retrieved differently.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 5ad32c3607cf ("pinctrl: cy8c95x0: Avoid returning positive values to user space")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 21 +++++----------------
1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index d2488d80912c9..97eeaae17f669 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1253,6 +1253,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
{
struct gpio_irq_chip *girq = &chip->gpio_chip.irq;
DECLARE_BITMAP(pending_irqs, MAX_LINE);
+ struct device *dev = chip->dev;
int ret;
mutex_init(&chip->irq_lock);
@@ -1279,17 +1280,9 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
girq->handler = handle_simple_irq;
girq->threaded = true;
- ret = devm_request_threaded_irq(chip->dev, irq,
- NULL, cy8c95x0_irq_handler,
- IRQF_ONESHOT | IRQF_SHARED,
- dev_name(chip->dev), chip);
- if (ret) {
- dev_err(chip->dev, "failed to request irq %d\n", irq);
- return ret;
- }
- dev_info(chip->dev, "Registered threaded IRQ\n");
-
- return 0;
+ return devm_request_threaded_irq(dev, irq, NULL, cy8c95x0_irq_handler,
+ IRQF_ONESHOT | IRQF_SHARED,
+ dev_name(chip->dev), chip);
}
static int cy8c95x0_setup_pinctrl(struct cy8c95x0_pinctrl *chip)
@@ -1305,11 +1298,7 @@ static int cy8c95x0_setup_pinctrl(struct cy8c95x0_pinctrl *chip)
pd->owner = THIS_MODULE;
chip->pctldev = devm_pinctrl_register(chip->dev, pd, chip);
- if (IS_ERR(chip->pctldev))
- return dev_err_probe(chip->dev, PTR_ERR(chip->pctldev),
- "can't register controller\n");
-
- return 0;
+ return PTR_ERR_OR_ZERO(chip->pctldev);
}
static int cy8c95x0_detect(struct i2c_client *client,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 246/508] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 245/508] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 247/508] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
` (263 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 014884732095b982412d13d3220c3fe8483b9b3e ]
Unify error messages that might appear during probe phase by
switching to use dev_err_probe().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 5ad32c3607cf ("pinctrl: cy8c95x0: Avoid returning positive values to user space")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index 97eeaae17f669..1432b6714dc69 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1262,10 +1262,8 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
/* Read IRQ status register to clear all pending interrupts */
ret = cy8c95x0_irq_pending(chip, pending_irqs);
- if (ret) {
- dev_err(chip->dev, "failed to clear irq status register\n");
- return ret;
- }
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to clear irq status register\n");
/* Mask all interrupts */
bitmap_fill(chip->irq_mask, MAX_LINE);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 247/508] pinctrl: cy8c95x0: Avoid returning positive values to user space
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 246/508] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 248/508] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
` (262 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Andy Shevchenko, Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 5ad32c3607cf241a1a2680cabd64cbcd757227aa ]
When probe fails due to unclear interrupt status register, it returns
a positive number instead of the proper error code. Fix this accordingly.
Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202602271847.vVWkqLBD-lkp@intel.com/
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index 1432b6714dc69..727f3c5605ced 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1263,7 +1263,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
/* Read IRQ status register to clear all pending interrupts */
ret = cy8c95x0_irq_pending(chip, pending_irqs);
if (ret)
- return dev_err_probe(dev, ret, "failed to clear irq status register\n");
+ return dev_err_probe(dev, -EBUSY, "failed to clear irq status register\n");
/* Mask all interrupts */
bitmap_fill(chip->irq_mask, MAX_LINE);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 248/508] perf branch: Avoid incrementing NULL
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 247/508] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 249/508] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
` (261 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit c969a9d7bbf46f983c4a48566b3b2f7340b02296 ]
If the entry is NULL the value is meaningless so early return NULL to
avoid an increment of NULL. This was happening in calls from
has_stitched_lbr when running the "perf record LBR tests". The return
value isn't used in that case, so returning NULL as no effect.
Fixes: 42bbabed09ce ("perf tools: Add hw_idx in struct branch_stack")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/branch.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/util/branch.h b/tools/perf/util/branch.h
index e41bfffe22170..31ad6ded983ec 100644
--- a/tools/perf/util/branch.h
+++ b/tools/perf/util/branch.h
@@ -64,6 +64,9 @@ static inline struct branch_entry *perf_sample__branch_entries(struct perf_sampl
{
u64 *entry = (u64 *)sample->branch_stack;
+ if (entry == NULL)
+ return NULL;
+
entry++;
if (sample->no_hw_idx)
return (struct branch_entry *)entry;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 249/508] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 248/508] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 250/508] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
` (260 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Mike Leach, Namhyung Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Leach <mike.leach@arm.com>
[ Upstream commit 6c478e7b3eba3f387a2d6c749e3e3ee0f8ad1c53 ]
Building perf with CORESIGHT=1 and the optional CSTRACE_RAW=1 enables
additional debug printing of raw trace data when using command:-
perf report --dump.
This raw trace prints the CoreSight formatted trace frames, which may be
used to investigate suspected issues with trace quality / corruption /
decode.
These frames are not present in ETE + TRBE trace.
This fix removes the unnecessary call to print these frames.
This fix also rationalises implementation - original code had helper
function that unnecessarily repeated initialisation calls that had
already been made.
Due to an addtional fault with the OpenCSD library, this call when ETE/TRBE
are being decoded will cause a segfault in perf. This fix also prevents
that problem for perf using older (<= 1.8.0 version) OpenCSD libraries.
Fixes: 68ffe3902898 ("perf tools: Add decoder mechanic to support dumping trace data")
Reported-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Mike Leach <mike.leach@arm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../perf/util/cs-etm-decoder/cs-etm-decoder.c | 51 +++++--------------
1 file changed, 13 insertions(+), 38 deletions(-)
diff --git a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
index e917985bbbe6d..640e383cef441 100644
--- a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
+++ b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
@@ -237,46 +237,24 @@ cs_etm_decoder__init_def_logger_printing(struct cs_etm_decoder_params *d_params,
(void *)decoder,
cs_etm_decoder__print_str_cb);
if (ret != 0)
- ret = -1;
-
- return 0;
-}
+ return -1;
#ifdef CS_LOG_RAW_FRAMES
-static void
-cs_etm_decoder__init_raw_frame_logging(struct cs_etm_decoder_params *d_params,
- struct cs_etm_decoder *decoder)
-{
- /* Only log these during a --dump operation */
- if (d_params->operation == CS_ETM_OPERATION_PRINT) {
- /* set up a library default logger to process the
- * raw frame printer we add later
- */
- ocsd_def_errlog_init(OCSD_ERR_SEV_ERROR, 1);
-
- /* no stdout / err / file output */
- ocsd_def_errlog_config_output(C_API_MSGLOGOUT_FLG_NONE, NULL);
-
- /* set the string CB for the default logger,
- * passes strings to perf print logger.
- */
- ocsd_def_errlog_set_strprint_cb(decoder->dcd_tree,
- (void *)decoder,
- cs_etm_decoder__print_str_cb);
-
+ /*
+ * Only log raw frames if --dump operation and hardware is actually
+ * generating formatted CoreSight trace frames
+ */
+ if ((d_params->operation == CS_ETM_OPERATION_PRINT) &&
+ (d_params->formatted == true)) {
/* use the built in library printer for the raw frames */
- ocsd_dt_set_raw_frame_printer(decoder->dcd_tree,
- CS_RAW_DEBUG_FLAGS);
+ ret = ocsd_dt_set_raw_frame_printer(decoder->dcd_tree,
+ CS_RAW_DEBUG_FLAGS);
+ if (ret != 0)
+ return -1;
}
-}
-#else
-static void
-cs_etm_decoder__init_raw_frame_logging(
- struct cs_etm_decoder_params *d_params __maybe_unused,
- struct cs_etm_decoder *decoder __maybe_unused)
-{
-}
#endif
+ return 0;
+}
static ocsd_datapath_resp_t
cs_etm_decoder__do_soft_timestamp(struct cs_etm_queue *etmq,
@@ -755,9 +733,6 @@ cs_etm_decoder__new(int decoders, struct cs_etm_decoder_params *d_params,
if (ret != 0)
goto err_free_decoder;
- /* init raw frame logging if required */
- cs_etm_decoder__init_raw_frame_logging(d_params, decoder);
-
for (i = 0; i < decoders; i++) {
ret = cs_etm_decoder__create_etm_decoder(d_params,
&t_params[i],
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 250/508] pinctrl: abx500: Fix type of argument variable
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 249/508] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 251/508] perf lock: Fix option value type in parse_max_stack Greg Kroah-Hartman
` (259 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu-Chun Lin, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu-Chun Lin <eleanor15x@gmail.com>
[ Upstream commit 34006f77890d050e6d80cbee365b5d703c1140b4 ]
The argument variable is assigned the return value of
pinconf_to_config_argument(), which returns a u32. Change its type from
enum pin_config_param to unsigned int to correctly store the configuration
argument.
Fixes: 03b054e9696c ("pinctrl: Pass all configs to driver on pin_config_set()")
Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/nomadik/pinctrl-abx500.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/nomadik/pinctrl-abx500.c b/drivers/pinctrl/nomadik/pinctrl-abx500.c
index 0cfa74365733c..a4940199f2ad0 100644
--- a/drivers/pinctrl/nomadik/pinctrl-abx500.c
+++ b/drivers/pinctrl/nomadik/pinctrl-abx500.c
@@ -853,7 +853,7 @@ static int abx500_pin_config_set(struct pinctrl_dev *pctldev,
int ret = -EINVAL;
int i;
enum pin_config_param param;
- enum pin_config_param argument;
+ unsigned int argument;
for (i = 0; i < num_configs; i++) {
param = pinconf_to_config_param(configs[i]);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 251/508] perf lock: Fix option value type in parse_max_stack
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 250/508] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 252/508] perf tools: Fix module symbol resolution for non-zero .text sh_addr Greg Kroah-Hartman
` (258 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit cfaade34b52aa1ec553044255702c4b31b57c005 ]
The value is a void* and the address of an int, max_stack_depth, is
set up in the perf lock options. The parse_max_stack function treats
the int* as a long*, make this more correct by declaring the value to
be an int*.
Fixes: 0a277b622670 ("perf lock contention: Check --max-stack option")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-lock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c
index bd24ed0af208a..bd294fd574972 100644
--- a/tools/perf/builtin-lock.c
+++ b/tools/perf/builtin-lock.c
@@ -2271,7 +2271,7 @@ static int parse_map_entry(const struct option *opt, const char *str,
static int parse_max_stack(const struct option *opt, const char *str,
int unset __maybe_unused)
{
- unsigned long *len = (unsigned long *)opt->value;
+ int *len = opt->value;
long val;
char *endptr;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 252/508] perf tools: Fix module symbol resolution for non-zero .text sh_addr
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 251/508] perf lock: Fix option value type in parse_max_stack Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 253/508] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
` (257 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Ian Rogers,
Thomas Richter, Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 9a82bfde4775b7a87cd1a7e791f46f83ae442848 ]
When perf resolves symbols from kernel module ELF files (ET_REL),
it converts symbol addresses to file offsets so that sample IPs
can be matched to the correct symbol. The conversion adjusts each
symbol's st_value:
sym->st_value -= shdr->sh_addr - shdr->sh_offset;
For vmlinux (ET_EXEC), st_value is a virtual address and sh_addr
is the section's virtual base, so subtracting sh_addr and adding
sh_offset correctly yields a file offset.
For kernel modules (ET_REL), st_value is a section-relative
offset. The module loader ignores sh_addr entirely and places
symbols at module_base + st_value. Converting to file offset
requires only adding sh_offset; subtracting sh_addr introduces an
error equal to sh_addr bytes.
When .text has sh_addr == 0 -- the historical norm for simple
modules -- both formulas produce the same result and the bug is
latent. As modules gain more metadata sections before .text (.note,
.static_call.text, etc.), the linker assigns .text a non-zero
sh_addr, exposing the defect. For example, nfsd.ko on this kernel
has sh_addr=0xa80, kvm-intel.ko has sh_addr=0x1e90.
The effect is that all .text symbols in affected modules
shift by sh_addr bytes relative to sample IPs, causing perf
report to attribute samples to incorrect, nearby symbols. This
was observed as 13% of LLC-load-miss samples misattributed
to nfsd_file_get_dio_attrs when the actual hot function was
nfsd_cache_lookup, approximately 0xa80 bytes away in the symbol
table.
Use the existing dso__rel() flag (already set for ET_REL modules)
to select the correct adjustment: add sh_offset for ET_REL,
subtract (sh_addr - sh_offset) for ET_EXEC/ET_DYN.
Fixes: 0131c4ec794a ("perf tools: Make it possible to read object code from kernel modules")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Tested-by: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol-elf.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index 95e99c332d7e3..af610cb00a987 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -1375,8 +1375,12 @@ static int dso__process_kernel_symbol(struct dso *dso, struct map *map,
char dso_name[PATH_MAX];
/* Adjust symbol to map to file offset */
- if (adjust_kernel_syms)
- sym->st_value -= shdr->sh_addr - shdr->sh_offset;
+ if (adjust_kernel_syms) {
+ if (dso__rel(dso))
+ sym->st_value += shdr->sh_offset;
+ else
+ sym->st_value -= shdr->sh_addr - shdr->sh_offset;
+ }
if (strcmp(section_name, (curr_dso->short_name + dso->short_name_len)) == 0)
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 253/508] perf expr: Return -EINVAL for syntax error in expr__find_ids()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 252/508] perf tools: Fix module symbol resolution for non-zero .text sh_addr Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 254/508] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure Greg Kroah-Hartman
` (256 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, Namhyung Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 3a61fd866ef9aaa1d3158b460f852b74a2df07f4 ]
expr__find_ids() propagates the parser return value directly. For syntax
errors, the parser can return a positive value, but callers treat it as
success, e.g., for below case on Arm64 platform:
metric expr 100 * (STALL_SLOT_BACKEND / (CPU_CYCLES * #slots) - BR_MIS_PRED * 3 / CPU_CYCLES) for backend_bound
parsing metric: 100 * (STALL_SLOT_BACKEND / (CPU_CYCLES * #slots) - BR_MIS_PRED * 3 / CPU_CYCLES)
Failure to read '#slots' literal: #slots = nan
syntax error
Convert positive parser returns in expr__find_ids() to -EINVAL, as a
result, the error value will be respected by callers.
Before:
perf stat -C 5
Failure to read '#slots'Failure to read '#slots'Failure to read '#slots'Failure to read '#slots'Segmentation fault
After:
perf stat -C 5
Failure to read '#slots'Cannot find metric or group `Default'
Fixes: ded80bda8bc9 ("perf expr: Migrate expr ids table to a hashmap")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/expr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/expr.c b/tools/perf/util/expr.c
index fa0473f7a4ff4..d952ce37c873b 100644
--- a/tools/perf/util/expr.c
+++ b/tools/perf/util/expr.c
@@ -377,7 +377,8 @@ int expr__find_ids(const char *expr, const char *one,
if (one)
expr__del_id(ctx, one);
- return ret;
+ /* A positive value means syntax error, convert to -EINVAL */
+ return ret > 0 ? -EINVAL : ret;
}
double expr_id_data__value(const struct expr_id_data *data)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 254/508] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 253/508] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 255/508] ipmi: ssif_bmc: fix message desynchronization after truncated response Greg Kroah-Hartman
` (255 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Corey Minyard,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
[ Upstream commit ea641be7a4faee4351f9c5ed6b188e1bbf5586a6 ]
copy_to_user() returns the number of bytes that could not be copied,
with a non-zero value indicating a partial or complete failure. The
current code only checks for negative return values and treats all
non-negative results as success.
Treating any positive return value from copy_to_user() as
an error and returning -EFAULT.
Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Message-ID: <20260403090603.3988423-2-zhangjian.3032@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ssif_bmc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index e8460e966b83e..6928adb5df5ab 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -163,6 +163,8 @@ static ssize_t ssif_bmc_read(struct file *file, char __user *buf, size_t count,
spin_unlock_irqrestore(&ssif_bmc->lock, flags);
ret = copy_to_user(buf, &msg, count);
+ if (ret > 0)
+ ret = -EFAULT;
}
return (ret < 0) ? ret : count;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 255/508] ipmi: ssif_bmc: fix message desynchronization after truncated response
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 254/508] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 256/508] ipmi: ssif_bmc: change log level to dbg in irq callback Greg Kroah-Hartman
` (254 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Corey Minyard,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
[ Upstream commit 1d38e849adb6851ee280aa1a1d687b2181549a66 ]
A truncated response, caused by host power-off, or other conditions,
can lead to message desynchronization.
Raw trace data (STOP loss scenario, add state transition comment):
1. T-1: Read response phase (SSIF_RES_SENDING)
8271.955342 WR_RCV [03] <- Read polling cmd
8271.955348 RD_REQ [04] <== SSIF_RES_SENDING <- start sending response
8271.955436 RD_PRO [b4]
8271.955527 RD_PRO [00]
8271.955618 RD_PRO [c1]
8271.955707 RD_PRO [00]
8271.955814 RD_PRO [ad] <== SSIF_RES_SENDING <- last byte
<- !! STOP lost (truncated response)
2. T: New Write request arrives, BMC still in SSIF_RES_SENDING
8271.967973 WR_REQ [] <== SSIF_RES_SENDING >> SSIF_ABORTING <- log: unexpected WR_REQ in RES_SENDING
8271.968447 WR_RCV [02] <== SSIF_ABORTING <- do nothing
8271.968452 WR_RCV [02] <== SSIF_ABORTING <- do nothing
8271.968454 WR_RCV [18] <== SSIF_ABORTING <- do nothing
8271.968456 WR_RCV [01] <== SSIF_ABORTING <- do nothing
8271.968458 WR_RCV [66] <== SSIF_ABORTING <- do nothing
8271.978714 STOP [] <== SSIF_ABORTING >> SSIF_READY <- log: unexpected SLAVE STOP in state=SSIF_ABORTING
3. T+1: Next Read polling, treated as a fresh transaction
8271.979125 WR_REQ [] <== SSIF_READY >> SSIF_START
8271.979326 WR_RCV [03] <== SSIF_START >> SSIF_SMBUS_CMD <- smbus_cmd=0x03
8271.979331 RD_REQ [04] <== SSIF_RES_SENDING <- sending response
8271.979427 RD_PRO [b4] <- !! this is T's stale response -> desynchronization
When in SSIF_ABORTING state, a newly arrived command should still be
handled to avoid dropping the request or causing message
desynchronization.
Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Message-ID: <20260403090603.3988423-3-zhangjian.3032@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ssif_bmc.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index 6928adb5df5ab..a13dc48120581 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -457,6 +457,15 @@ static bool supported_write_cmd(u8 cmd)
return false;
}
+static bool supported_write_start_cmd(u8 cmd)
+{
+ if (cmd == SSIF_IPMI_SINGLEPART_WRITE ||
+ cmd == SSIF_IPMI_MULTIPART_WRITE_START)
+ return true;
+
+ return false;
+}
+
/* Process the IPMI response that will be read by master */
static void handle_read_processed(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
{
@@ -708,6 +717,11 @@ static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state = SSIF_ABORTING;
else
ssif_bmc->state = SSIF_REQ_RECVING;
+ } else if (ssif_bmc->state == SSIF_ABORTING) {
+ if (supported_write_start_cmd(*val)) {
+ ssif_bmc->state = SSIF_SMBUS_CMD;
+ ssif_bmc->aborting = false;
+ }
}
/* This is response sending state */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 256/508] ipmi: ssif_bmc: change log level to dbg in irq callback
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 255/508] ipmi: ssif_bmc: fix message desynchronization after truncated response Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 257/508] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
` (253 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Corey Minyard,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
[ Upstream commit c9c99b7b7051eb7121b3224bfce181fb023b0269 ]
Long-running tests indicate that this logging can occasionally disrupt
timing and lead to request/response corruption.
Irq handler need to be executed as fast as possible,
most I2C slave IRQ implementations are byte-level, logging here
can significantly affect transfer behavior and timing. It is recommended
to use dev_dbg() for these messages.
Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Message-ID: <20260403090603.3988423-4-zhangjian.3032@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ssif_bmc.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index a13dc48120581..5d5444b567a04 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -568,7 +568,7 @@ static void process_request_part(struct ssif_bmc_ctx *ssif_bmc)
len = ssif_bmc->request.len + part->length;
/* Do the bound check here, not allow the request len exceed 254 bytes */
if (len > IPMI_SSIF_PAYLOAD_MAX) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: Request exceeded 254 bytes, aborting");
/* Request too long, aborting */
ssif_bmc->aborting = true;
@@ -614,7 +614,7 @@ static void on_read_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_REQ_RECVING ||
ssif_bmc->state == SSIF_RES_SENDING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected READ REQUESTED in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -623,7 +623,7 @@ static void on_read_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
} else if (ssif_bmc->state == SSIF_SMBUS_CMD) {
if (!supported_read_cmd(ssif_bmc->part_buf.smbus_cmd)) {
- dev_warn(&ssif_bmc->client->dev, "Warn: Unknown SMBus read command=0x%x",
+ dev_dbg(&ssif_bmc->client->dev, "Warn: Unknown SMBus read command=0x%x",
ssif_bmc->part_buf.smbus_cmd);
ssif_bmc->aborting = true;
}
@@ -658,7 +658,7 @@ static void on_read_processed_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_REQ_RECVING ||
ssif_bmc->state == SSIF_SMBUS_CMD) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected READ PROCESSED in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -683,7 +683,7 @@ static void on_write_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
} else if (ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_REQ_RECVING ||
ssif_bmc->state == SSIF_RES_SENDING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected WRITE REQUEST in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -698,7 +698,7 @@ static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
{
if (ssif_bmc->state == SSIF_READY ||
ssif_bmc->state == SSIF_RES_SENDING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected WRITE RECEIVED in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -708,7 +708,7 @@ static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
} else if (ssif_bmc->state == SSIF_SMBUS_CMD) {
if (!supported_write_cmd(ssif_bmc->part_buf.smbus_cmd)) {
- dev_warn(&ssif_bmc->client->dev, "Warn: Unknown SMBus write command=0x%x",
+ dev_dbg(&ssif_bmc->client->dev, "Warn: Unknown SMBus write command=0x%x",
ssif_bmc->part_buf.smbus_cmd);
ssif_bmc->aborting = true;
}
@@ -737,7 +737,7 @@ static void on_stop_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_SMBUS_CMD ||
ssif_bmc->state == SSIF_ABORTING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected SLAVE STOP in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_READY;
@@ -804,7 +804,7 @@ static int ssif_bmc_cb(struct i2c_client *client, enum i2c_slave_event event, u8
break;
default:
- dev_warn(&ssif_bmc->client->dev, "Warn: Unknown i2c slave event\n");
+ dev_dbg(&ssif_bmc->client->dev, "Warn: Unknown i2c slave event\n");
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 257/508] perf util: Kill die() prototype, dead for a long time
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 256/508] ipmi: ssif_bmc: change log level to dbg in irq callback Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 258/508] i3c: master: Fix error codes at send_ccc_cmd Greg Kroah-Hartman
` (252 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit e5cce1b9c82fbd48e2f1f7a25a9fad8ee228176f ]
In fef2a735167a827a ("perf tools: Kill die()") the die() function was
removed, but not the prototype in util.h, now when building with
LIBPERL=1, during a 'make -C tools/perf build-test' routine test, it is
failing as perl likes die() calls and then this clashes with this
remnant, remove it.
Fixes: fef2a735167a827a ("perf tools: Kill die()")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/util.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h
index 7c8915d92dca2..d49f66a986ae7 100644
--- a/tools/perf/util/util.h
+++ b/tools/perf/util/util.h
@@ -25,7 +25,6 @@ extern bool perf_guest;
/* General helper functions */
void usage(const char *err) __noreturn;
-void die(const char *err, ...) __noreturn __printf(1, 2);
struct dirent;
struct strlist;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 258/508] i3c: master: Fix error codes at send_ccc_cmd
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 257/508] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 259/508] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
` (251 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Adrian Hunter,
Jorge Marques, Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Marques <jorge.marques@analog.com>
[ Upstream commit ef8b5229348f0719aca557c4ca5530630ae4d134 ]
i3c_master_send_ccc_cmd_locked() would propagate cmd->err (positive,
Mx codes) to the ret variable, cascading down multiple methods until
reaching methods that explicitly stated they would return 0 on success
or negative error code. For example, the call chain:
i3c_device_enable_ibi <- i3c_dev_enable_ibi_locked <-
master->ops.enable_ibi <- i3c_master_enec_locked <-
i3c_master_enec_disec_locked <- i3c_master_send_ccc_cmd_locked
Fix this by returning the ret value, callers can still read the cmd->err
value if ret is negative.
All corner cases where the Mx codes do need to be handled individually,
are resolved in previous commits. Those corner cases are all scenarios
when I3C_ERROR_M2 is expected and acceptable.
The prerequisite patches for the fix are:
i3c: master: Move rstdaa error suppression
i3c: master: Move entdaa error suppression
i3c: master: Move bus_init error suppression
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-iio/aYXvT5FW0hXQwhm_@stanley.mountain/
Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Jorge Marques <jorge.marques@analog.com>
Link: https://patch.msgid.link/20260323-ad4062-positive-error-fix-v3-4-30bdc68004be@analog.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 32 +++++++++++++-------------------
1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index f74ef65d257d7..84fe0de5a9bc7 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -792,11 +792,17 @@ static void i3c_ccc_cmd_init(struct i3c_ccc_cmd *cmd, bool rnw, u8 id,
cmd->err = I3C_ERROR_UNKNOWN;
}
+/**
+ * i3c_master_send_ccc_cmd_locked() - send a CCC (Common Command Codes)
+ * @master: master used to send frames on the bus
+ * @cmd: command to send
+ *
+ * Return: 0 in case of success, or a negative error code otherwise.
+ * I3C Mx error codes are stored in cmd->err.
+ */
static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
struct i3c_ccc_cmd *cmd)
{
- int ret;
-
if (!cmd || !master)
return -EINVAL;
@@ -814,15 +820,7 @@ static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
!master->ops->supports_ccc_cmd(master, cmd))
return -ENOTSUPP;
- ret = master->ops->send_ccc_cmd(master, cmd);
- if (ret) {
- if (cmd->err != I3C_ERROR_UNKNOWN)
- return cmd->err;
-
- return ret;
- }
-
- return 0;
+ return master->ops->send_ccc_cmd(master, cmd);
}
static struct i2c_dev_desc *
@@ -926,8 +924,7 @@ static int i3c_master_rstdaa_locked(struct i3c_master_controller *master,
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_entdaa_locked(struct i3c_master_controller *master)
{
@@ -979,8 +976,7 @@ static int i3c_master_enec_disec_locked(struct i3c_master_controller *master,
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_disec_locked(struct i3c_master_controller *master, u8 addr,
u8 evts)
@@ -1000,8 +996,7 @@ EXPORT_SYMBOL_GPL(i3c_master_disec_locked);
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_enec_locked(struct i3c_master_controller *master, u8 addr,
u8 evts)
@@ -1026,8 +1021,7 @@ EXPORT_SYMBOL_GPL(i3c_master_enec_locked);
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_defslvs_locked(struct i3c_master_controller *master)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 259/508] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 258/508] i3c: master: Fix error codes at send_ccc_cmd Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 260/508] dev_printk: add new dev_err_probe() helpers Greg Kroah-Hartman
` (250 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Billy Tsai, Frank Li,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Billy Tsai <billy_tsai@aspeedtech.com>
[ Upstream commit d35a6db887eeae7c57b719521e39d64f929c6dc3 ]
In DMA mode, the IBI status descriptor encodes the payload using
CHUNKS (number of chunks) and DATA_LENGTH (valid bytes in the last
chunk). All preceding chunks are implicitly full-sized.
The current code accumulates full chunk sizes for non-final status
descriptors, but for the final status descriptor it only adds
DATA_LENGTH. This ignores the contribution of the preceding full
chunks described by the same final status entry.
As a result, the computed IBI payload length is truncated whenever
the final status spans multiple chunks. For example, with a chunk
size of 4 bytes, CHUNKS=2 and DATA_LENGTH=1 should result in a total
payload size of 5 bytes, but the current code reports only 1 byte.
Fix the calculation by adding the size of (CHUNKS - 1) full chunks
plus DATA_LENGTH for the last chunk.
Fixes: 9ad9a52cce28 ("i3c/master: introduce the mipi-i3c-hci driver")
Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260407-i3c-hci-dma-v2-1-a583187b9d22@aspeedtech.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index e270fcd0f7c38..624d00b853a51 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -636,7 +636,10 @@ static void hci_dma_process_ibi(struct i3c_hci *hci, struct hci_rh_data *rh)
if (!(ibi_status & IBI_LAST_STATUS)) {
ibi_size += chunks * rh->ibi_chunk_sz;
} else {
- ibi_size += FIELD_GET(IBI_DATA_LENGTH, ibi_status);
+ if (chunks) {
+ ibi_size += (chunks - 1) * rh->ibi_chunk_sz;
+ ibi_size += FIELD_GET(IBI_DATA_LENGTH, ibi_status);
+ }
last_ptr = ptr;
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 260/508] dev_printk: add new dev_err_probe() helpers
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 259/508] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 261/508] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
` (249 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nuno Sa, Jonathan Cameron,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sa <nuno.sa@analog.com>
[ Upstream commit dbbe7eaf0e4795bf003ac06872aaf52b6b6b1310 ]
This is similar to dev_err_probe() but for cases where an ERR_PTR() or
ERR_CAST() is to be returned simplifying patterns like:
dev_err_probe(dev, ret, ...);
return ERR_PTR(ret)
or
dev_err_probe(dev, PTR_ERR(ptr), ...);
return ERR_CAST(ptr)
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Link: https://patch.msgid.link/20240606-dev-add_dev_errp_probe-v3-1-51bb229edd79@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 797cc011ae02 ("backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dev_printk.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/linux/dev_printk.h b/include/linux/dev_printk.h
index ae80a303c216b..ca32b5bb28eb5 100644
--- a/include/linux/dev_printk.h
+++ b/include/linux/dev_printk.h
@@ -277,4 +277,12 @@ do { \
__printf(3, 4) int dev_err_probe(const struct device *dev, int err, const char *fmt, ...);
+/* Simple helper for dev_err_probe() when ERR_PTR() is to be returned. */
+#define dev_err_ptr_probe(dev, ___err, fmt, ...) \
+ ERR_PTR(dev_err_probe(dev, ___err, fmt, ##__VA_ARGS__))
+
+/* Simple helper for dev_err_probe() when ERR_CAST() is to be returned. */
+#define dev_err_cast_probe(dev, ___err_ptr, fmt, ...) \
+ ERR_PTR(dev_err_probe(dev, PTR_ERR(___err_ptr), fmt, ##__VA_ARGS__))
+
#endif /* _DEVICE_PRINTK_H_ */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 261/508] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 260/508] dev_printk: add new dev_err_probe() helpers Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 262/508] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
` (248 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Linus Walleij,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 797cc011ae02bda26f93d25a4442d7a1a77d84df ]
The devm_gpiod_get_optional() function may return an ERR_PTR in case of
genuine GPIO acquisition errors, not just NULL which indicates the
legitimate absence of an optional GPIO.
Add an IS_ERR() check after the call in sky81452_bl_parse_dt(). On
error, return the error code to ensure proper failure handling rather
than proceeding with invalid pointers.
Fixes: e1915eec54a6 ("backlight: sky81452: Convert to GPIO descriptors")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Link: https://patch.msgid.link/20260203021625.578678-1-nichen@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/sky81452-backlight.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c
index eb18c6eb0ff0d..6ce1c3c5f5676 100644
--- a/drivers/video/backlight/sky81452-backlight.c
+++ b/drivers/video/backlight/sky81452-backlight.c
@@ -204,6 +204,9 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt(
pdata->dpwm_mode = of_property_read_bool(np, "skyworks,dpwm-mode");
pdata->phase_shift = of_property_read_bool(np, "skyworks,phase-shift");
pdata->gpiod_enable = devm_gpiod_get_optional(dev, NULL, GPIOD_OUT_HIGH);
+ if (IS_ERR(pdata->gpiod_enable))
+ return dev_err_cast_probe(dev, pdata->gpiod_enable,
+ "failed to get gpio\n");
ret = of_property_count_u32_elems(np, "led-sources");
if (ret < 0) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 262/508] platform/surface: surfacepro3_button: Drop wakeup source on remove
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 261/508] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 263/508] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
` (247 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 1410a228ab2d36fe2b383415a632ae12048d4f3a ]
The wakeup source added by device_init_wakeup() in surface_button_add()
needs to be dropped during driver removal, so update the driver to do
that.
Fixes: 19351f340765 ("platform/x86: surfacepro3: Support for wakeup from suspend-to-idle")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/4368848.1IzOArtZ34@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/surface/surfacepro3_button.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/platform/surface/surfacepro3_button.c b/drivers/platform/surface/surfacepro3_button.c
index 2755601f979cd..7c7622f8f8716 100644
--- a/drivers/platform/surface/surfacepro3_button.c
+++ b/drivers/platform/surface/surfacepro3_button.c
@@ -243,6 +243,7 @@ static void surface_button_remove(struct acpi_device *device)
{
struct surface_button *button = acpi_driver_data(device);
+ device_init_wakeup(&device->dev, false);
input_unregister_device(button->input);
kfree(button);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 263/508] leds: lgm-sso: Remove duplicate assignments for priv->mmap
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 262/508] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 264/508] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
` (246 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 7186d0330c3f3e86de577687a82f4ebd96dcb5ac ]
Remove duplicate assignment of priv->mmap in intel_sso_led_probe().
Fixes: fba8a6f2263b ("leds: lgm-sso: Fix clock handling")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260226033048.3715915-1-nichen@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/blink/leds-lgm-sso.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/leds/blink/leds-lgm-sso.c b/drivers/leds/blink/leds-lgm-sso.c
index 35c61311e7fd8..e104010345b18 100644
--- a/drivers/leds/blink/leds-lgm-sso.c
+++ b/drivers/leds/blink/leds-lgm-sso.c
@@ -806,8 +806,6 @@ static int intel_sso_led_probe(struct platform_device *pdev)
priv->fpid_clkrate = clk_get_rate(priv->clocks[1].clk);
- priv->mmap = syscon_node_to_regmap(dev->of_node);
-
priv->mmap = syscon_node_to_regmap(dev->of_node);
if (IS_ERR(priv->mmap)) {
dev_err(dev, "Failed to map iomem!\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 264/508] tty: hvc_iucv: fix off-by-one in number of supported devices
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 263/508] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 265/508] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
` (245 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit f2a880e802ad12d1e38039d1334fb1475d0f5241 ]
MAX_HVC_IUCV_LINES == HVC_ALLOC_TTY_ADAPTERS == 8.
This is the number of entries in:
static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];
Sometimes hvc_iucv_table[] is limited by:
(a) if (num > hvc_iucv_devices) // for error detection
or
(b) for (i = 0; i < hvc_iucv_devices; i++) // in 2 places
(so these 2 don't agree; second one appears to be correct to me.)
hvc_iucv_devices can be 0..8. This is a counter.
(c) if (hvc_iucv_devices > MAX_HVC_IUCV_LINES)
If hvc_iucv_devices == 8, (a) allows the code to access hvc_iucv_table[8].
Oops.
Fixes: 44a01d5ba8a4 ("[S390] s390/hvc_console: z/VM IUCV hypervisor console support")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260130072939.1535869-1-rdunlap@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/hvc/hvc_iucv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/hvc/hvc_iucv.c b/drivers/tty/hvc/hvc_iucv.c
index 543f35ddf523c..26953f0daa9fc 100644
--- a/drivers/tty/hvc/hvc_iucv.c
+++ b/drivers/tty/hvc/hvc_iucv.c
@@ -130,7 +130,7 @@ static struct iucv_handler hvc_iucv_handler = {
*/
static struct hvc_iucv_private *hvc_iucv_get_private(uint32_t num)
{
- if (num > hvc_iucv_devices)
+ if (num >= hvc_iucv_devices)
return NULL;
return hvc_iucv_table[num];
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 265/508] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 264/508] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 266/508] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
` (244 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 8baeff2c1d33dad8572216c6ad3a7425852507d4 ]
An ACPI notify handler is leaked if device_create_file() returns an
error in acpi_pcc_hotkey_add().
Also, it is pointless to call pcc_unregister_optd_notifier() in
acpi_pcc_hotkey_remove() if pcc->platform is NULL and it is better
to arrange the cleanup code in that function in the same order as
the rollback code in acpi_pcc_hotkey_add().
Address the above by placing the pcc_register_optd_notifier() call in
acpi_pcc_hotkey_add() after the device_create_file() return value
check and placing the pcc_unregister_optd_notifier() call in
acpi_pcc_hotkey_remove() right before the device_remove_file() call.
Fixes: d5a81d8e864b ("platform/x86: panasonic-laptop: Add support for optical driver power in Y and W series")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2411055.ElGaqSPkdT@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/panasonic-laptop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
index ad907c558997a..f6dcf8d6a1dbb 100644
--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -1081,9 +1081,10 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
}
result = device_create_file(&pcc->platform->dev,
&dev_attr_cdpower);
- pcc_register_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
if (result)
goto out_platform;
+
+ pcc_register_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
} else {
pcc->platform = NULL;
}
@@ -1117,10 +1118,10 @@ static void acpi_pcc_hotkey_remove(struct acpi_device *device)
i8042_remove_filter(panasonic_i8042_filter);
if (pcc->platform) {
+ pcc_unregister_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
device_remove_file(&pcc->platform->dev, &dev_attr_cdpower);
platform_device_unregister(pcc->platform);
}
- pcc_unregister_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
sysfs_remove_group(&device->dev.kobj, &pcc_attr_group);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 266/508] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 265/508] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 267/508] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
` (243 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit a5a65a7fb2f7796bbe492cd6be59c92cb64377d1 ]
The memory allocated for cell.name using kmemdup() is not freed when
mfd_add_devices() fails. Fix that by using devm_kmemdup().
Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20260120102622.66921-1-nihaal@cse.iitm.ac.in
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mc13xxx-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
index 1000572761a84..ddc90cbb7be52 100644
--- a/drivers/mfd/mc13xxx-core.c
+++ b/drivers/mfd/mc13xxx-core.c
@@ -377,7 +377,7 @@ static int mc13xxx_add_subdevice_pdata(struct mc13xxx *mc13xxx,
if (snprintf(buf, sizeof(buf), format, name) > sizeof(buf))
return -E2BIG;
- cell.name = kmemdup(buf, strlen(buf) + 1, GFP_KERNEL);
+ cell.name = devm_kmemdup(mc13xxx->dev, buf, strlen(buf) + 1, GFP_KERNEL);
if (!cell.name)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 267/508] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 266/508] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 268/508] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
` (242 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna Schumaker, Jeff Layton,
Andy Shevchenko, Chuck Lever, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit f83c8dda456ce4863f346aa26d88efa276eda35d ]
Clang compiler is not happy about set but unused variable
(when dprintk() is no-op):
.../blocklayout/blocklayout.c:384:9: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
Remove a leftover from the previous cleanup.
Fixes: 3a6fd1f004fc ("pnfs/blocklayout: remove read-modify-write handling in bl_write_pagelist")
Acked-by: Anna Schumaker <anna.schumkaer@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/blocklayout.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
index e498aade8c479..15f66d949adda 100644
--- a/fs/nfs/blocklayout/blocklayout.c
+++ b/fs/nfs/blocklayout/blocklayout.c
@@ -381,14 +381,13 @@ bl_write_pagelist(struct nfs_pgio_header *header, int sync)
sector_t isect, extent_length = 0;
struct parallel_io *par = NULL;
loff_t offset = header->args.offset;
- size_t count = header->args.count;
struct page **pages = header->args.pages;
int pg_index = header->args.pgbase >> PAGE_SHIFT;
unsigned int pg_len;
struct blk_plug plug;
int i;
- dprintk("%s enter, %zu@%lld\n", __func__, count, offset);
+ dprintk("%s enter, %u@%lld\n", __func__, header->args.count, offset);
/* At this point, header->page_aray is a (sequential) list of nfs_pages.
* We want to write each, and if there is an error set pnfs_error
@@ -429,7 +428,6 @@ bl_write_pagelist(struct nfs_pgio_header *header, int sync)
}
offset += pg_len;
- count -= pg_len;
isect += (pg_len >> SECTOR_SHIFT);
extent_length -= (pg_len >> SECTOR_SHIFT);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 268/508] fs/ntfs3: terminate the cached volume label after UTF-8 conversion
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 267/508] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 269/508] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
` (241 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Konstantin Komarov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit a6cd43fe9b083fa23fe1595666d5738856cb261a ]
ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s()
and stores the result in sbi->volume.label. The converted label is later
exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only
returns the number of bytes written and does not add a trailing NUL.
If the converted label fills the entire fixed buffer,
ntfs3_label_show() can read past the end of sbi->volume.label while
looking for a terminator.
Terminate the cached label explicitly after a successful conversion and
clamp the exact-full case to the last byte of the buffer.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 0b96d0f995c61..a4cc56df549a6 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1228,8 +1228,13 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
le32_to_cpu(attr->res.data_size) >> 1,
UTF16_LITTLE_ENDIAN, sbi->volume.label,
sizeof(sbi->volume.label));
- if (err < 0)
+ if (err < 0) {
sbi->volume.label[0] = 0;
+ } else if (err >= sizeof(sbi->volume.label)) {
+ sbi->volume.label[sizeof(sbi->volume.label) - 1] = 0;
+ } else {
+ sbi->volume.label[err] = 0;
+ }
} else {
/* Should we break mounting here? */
//err = -EINVAL;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 269/508] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 268/508] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 270/508] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
` (240 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit f8fd138c2363c0e2d3235c32bfb4fb5c6474e4ae ]
Ensure the temp value has been properly parsed from the user-provided
buffer and initialized to be used in later operations. While at it,
prefer a convenient kstrtoul() helper.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: ad6ce87e5bd4 ("[PATCH] dell_rbu: changes in packet update mechanism")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20260403134240.604837-1-pchelkin@ispras.ru
[ij: add include]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell_rbu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c
index fee20866b41e4..9039e494131fd 100644
--- a/drivers/platform/x86/dell/dell_rbu.c
+++ b/drivers/platform/x86/dell/dell_rbu.c
@@ -30,6 +30,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/init.h>
+#include <linux/kstrtox.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/string.h>
@@ -617,9 +618,12 @@ static ssize_t packet_size_write(struct file *filp, struct kobject *kobj,
char *buffer, loff_t pos, size_t count)
{
unsigned long temp;
+
+ if (kstrtoul(buffer, 10, &temp))
+ return -EINVAL;
+
spin_lock(&rbu_data.lock);
packet_empty_list();
- sscanf(buffer, "%lu", &temp);
if (temp < 0xffffffff)
rbu_data.packetsize = temp;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 270/508] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 269/508] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 271/508] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
` (239 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 3c34471c26abc52a37f5ad90949e2e4b8027eb14 ]
populate_enum_data() aggregates firmware-provided value-modifier
and possible-value strings into fixed 512-byte struct members.
The current code bounds each individual source string but then
appends every string and separator with raw strcat() and no
remaining-space check.
Switch the aggregation loops to a bounded append helper and
reject enumeration packages whose combined strings do not fit
in the destination buffers.
Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260408084501.1-dell-wmi-sysman-v2-pengpeng@iscas.ac.cn
[ij: add include]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../dell/dell-wmi-sysman/enum-attributes.c | 34 +++++++++++++++----
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
index fc2f58b4cbc6e..7e44ba3015627 100644
--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
@@ -6,10 +6,32 @@
* Copyright (c) 2020 Dell Inc.
*/
+#include <linux/bug.h>
+
#include "dell-wmi-sysman.h"
get_instance_id(enumeration);
+static int append_enum_string(char *dest, const char *src)
+{
+ size_t dest_len = strlen(dest);
+ ssize_t copied;
+
+ if (WARN_ON_ONCE(dest_len >= MAX_BUFF))
+ return -EINVAL;
+
+ copied = strscpy(dest + dest_len, src, MAX_BUFF - dest_len);
+ if (copied < 0)
+ return -EINVAL;
+
+ dest_len += copied;
+ copied = strscpy(dest + dest_len, ";", MAX_BUFF - dest_len);
+ if (copied < 0)
+ return -EINVAL;
+
+ return 0;
+}
+
static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf)
{
int instance_id = get_enumeration_instance_id(kobj);
@@ -176,9 +198,9 @@ int populate_enum_data(union acpi_object *enumeration_obj, int instance_id,
return -EINVAL;
if (check_property_type(enumeration, next_obj, ACPI_TYPE_STRING))
return -EINVAL;
- strcat(wmi_priv.enumeration_data[instance_id].dell_value_modifier,
- enumeration_obj[next_obj++].string.pointer);
- strcat(wmi_priv.enumeration_data[instance_id].dell_value_modifier, ";");
+ if (append_enum_string(wmi_priv.enumeration_data[instance_id].dell_value_modifier,
+ enumeration_obj[next_obj++].string.pointer))
+ return -EINVAL;
}
if (next_obj >= enum_property_count)
@@ -193,9 +215,9 @@ int populate_enum_data(union acpi_object *enumeration_obj, int instance_id,
return -EINVAL;
if (check_property_type(enumeration, next_obj, ACPI_TYPE_STRING))
return -EINVAL;
- strcat(wmi_priv.enumeration_data[instance_id].possible_values,
- enumeration_obj[next_obj++].string.pointer);
- strcat(wmi_priv.enumeration_data[instance_id].possible_values, ";");
+ if (append_enum_string(wmi_priv.enumeration_data[instance_id].possible_values,
+ enumeration_obj[next_obj++].string.pointer))
+ return -EINVAL;
}
return sysfs_create_group(attr_name_kobj, &enumeration_attr_group);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 271/508] RDMA/core: Prefer NLA_NUL_STRING
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 270/508] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 272/508] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
` (238 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Jason Gunthorpe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 6ed3d14fc45d3da6025e7fe4a6a09066856698e2 ]
These attributes are evaluated as c-string (passed to strcmp), but
NLA_STRING doesn't check for the presence of a \0 terminator.
Either this needs to switch to nla_strcmp() and needs to adjust printf fmt
specifier to not use plain %s, or this needs to use NLA_NUL_STRING.
As the code has been this way for long time, it seems to me that userspace
does include the terminating nul, even tough its not enforced so far, and
thus NLA_NUL_STRING use is the simpler solution.
Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
Link: https://patch.msgid.link/r/20260330122742.13315-1-fw@strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/iwpm_msg.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/core/iwpm_msg.c b/drivers/infiniband/core/iwpm_msg.c
index 3c9a9869212bb..feb09008eb9ca 100644
--- a/drivers/infiniband/core/iwpm_msg.c
+++ b/drivers/infiniband/core/iwpm_msg.c
@@ -365,9 +365,9 @@ int iwpm_remove_mapping(struct sockaddr_storage *local_addr, u8 nl_client)
/* netlink attribute policy for the received response to register pid request */
static const struct nla_policy resp_reg_policy[IWPM_NLA_RREG_PID_MAX] = {
[IWPM_NLA_RREG_PID_SEQ] = { .type = NLA_U32 },
- [IWPM_NLA_RREG_IBDEV_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_RREG_IBDEV_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_DEVNAME_SIZE - 1 },
- [IWPM_NLA_RREG_ULIB_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_RREG_ULIB_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_ULIBNAME_SIZE - 1 },
[IWPM_NLA_RREG_ULIB_VER] = { .type = NLA_U16 },
[IWPM_NLA_RREG_PID_ERR] = { .type = NLA_U16 }
@@ -677,7 +677,7 @@ int iwpm_remote_info_cb(struct sk_buff *skb, struct netlink_callback *cb)
/* netlink attribute policy for the received request for mapping info */
static const struct nla_policy resp_mapinfo_policy[IWPM_NLA_MAPINFO_REQ_MAX] = {
- [IWPM_NLA_MAPINFO_ULIB_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_MAPINFO_ULIB_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_ULIBNAME_SIZE - 1 },
[IWPM_NLA_MAPINFO_ULIB_VER] = { .type = NLA_U16 }
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 272/508] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 271/508] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 273/508] scsi: sg: Make sg_sysfs_class constant Greg Kroah-Hartman
` (237 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abel Vesa,
Konrad Dybcio, Taniya Das, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 141af1be817c42c7f1e1605348d4b1983d319bea ]
The clk_dp_ops are supposed to be used for DP-related clocks with a
proper MND divier. Use standard RCG2 ops for dptx1_aux_clk_src, the same
as all other DPTX AUX clocks in this driver.
Fixes: 16fb89f92ec4 ("clk: qcom: Add support for Display Clock Controller on SM8450")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260112-dp-aux-clks-v1-2-456b0c11b069@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8450.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm8450.c b/drivers/clk/qcom/dispcc-sm8450.c
index 239cc726c7e29..ab796f4f0ac03 100644
--- a/drivers/clk/qcom/dispcc-sm8450.c
+++ b/drivers/clk/qcom/dispcc-sm8450.c
@@ -364,7 +364,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_dp_ops,
+ .ops = &clk_rcg2_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 273/508] scsi: sg: Make sg_sysfs_class constant
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 272/508] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 274/508] scsi: sg: Fix sysctl sg-big-buff register during sg_init() Greg Kroah-Hartman
` (236 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo B. Marliere,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marliere <ricardo@marliere.net>
[ Upstream commit f1fb41765d0bff77514ffeaef37bbb45608f6c62 ]
Since commit 43a7206b0963 ("driver core: class: make class_register() take
a const *"), the driver core allows for struct class to be in read-only
memory, so move the sg_sysfs_class structure to be declared at build time
placing it into read-only memory, instead of having to be dynamically
allocated at boot time.
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
Link: https://lore.kernel.org/r/20240302-class_cleanup-scsi-v1-1-b9096b990e27@marliere.net
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 3033c471aaf6 ("scsi: sg: Fix sysctl sg-big-buff register during sg_init()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 0dd8b9f8d6717..799773a879188 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1421,7 +1421,9 @@ static const struct file_operations sg_fops = {
.llseek = no_llseek,
};
-static struct class *sg_sysfs_class;
+static const struct class sg_sysfs_class = {
+ .name = "scsi_generic"
+};
static int sg_sysfs_valid = 0;
@@ -1523,7 +1525,7 @@ sg_add_device(struct device *cl_dev)
if (sg_sysfs_valid) {
struct device *sg_class_member;
- sg_class_member = device_create(sg_sysfs_class, cl_dev->parent,
+ sg_class_member = device_create(&sg_sysfs_class, cl_dev->parent,
MKDEV(SCSI_GENERIC_MAJOR,
sdp->index),
sdp, "%s", sdp->name);
@@ -1613,7 +1615,7 @@ sg_remove_device(struct device *cl_dev)
read_unlock_irqrestore(&sdp->sfd_lock, iflags);
sysfs_remove_link(&scsidp->sdev_gendev.kobj, "generic");
- device_destroy(sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index));
+ device_destroy(&sg_sysfs_class, MKDEV(SCSI_GENERIC_MAJOR, sdp->index));
cdev_del(sdp->cdev);
sdp->cdev = NULL;
@@ -1685,11 +1687,9 @@ init_sg(void)
SG_MAX_DEVS, "sg");
if (rc)
return rc;
- sg_sysfs_class = class_create("scsi_generic");
- if ( IS_ERR(sg_sysfs_class) ) {
- rc = PTR_ERR(sg_sysfs_class);
+ rc = class_register(&sg_sysfs_class);
+ if (rc)
goto err_out;
- }
sg_sysfs_valid = 1;
rc = scsi_register_interface(&sg_interface);
if (0 == rc) {
@@ -1698,7 +1698,7 @@ init_sg(void)
#endif /* CONFIG_SCSI_PROC_FS */
return 0;
}
- class_destroy(sg_sysfs_class);
+ class_unregister(&sg_sysfs_class);
register_sg_sysctls();
err_out:
unregister_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0), SG_MAX_DEVS);
@@ -1713,7 +1713,7 @@ exit_sg(void)
remove_proc_subtree("scsi/sg", NULL);
#endif /* CONFIG_SCSI_PROC_FS */
scsi_unregister_interface(&sg_interface);
- class_destroy(sg_sysfs_class);
+ class_unregister(&sg_sysfs_class);
sg_sysfs_valid = 0;
unregister_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0),
SG_MAX_DEVS);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 274/508] scsi: sg: Fix sysctl sg-big-buff register during sg_init()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 273/508] scsi: sg: Make sg_sysfs_class constant Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 275/508] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
` (235 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Erkun, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
[ Upstream commit 3033c471aaf675254efaa0da431e95d91a104b41 ]
Commit 26d1c80fd61e ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c") made
a mistake. sysctl sg-big-buff was not created because the call to
register_sg_sysctls() was placed on the wrong code path.
Fixes: 26d1c80fd61e ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260127062044.3034148-2-yangerkun@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 799773a879188..f958bdf09587d 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1693,13 +1693,13 @@ init_sg(void)
sg_sysfs_valid = 1;
rc = scsi_register_interface(&sg_interface);
if (0 == rc) {
+ register_sg_sysctls();
#ifdef CONFIG_SCSI_PROC_FS
sg_proc_init();
#endif /* CONFIG_SCSI_PROC_FS */
return 0;
}
class_unregister(&sg_sysfs_class);
- register_sg_sysctls();
err_out:
unregister_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0), SG_MAX_DEVS);
return rc;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 275/508] scsi: sg: Resolve soft lockup issue when opening /dev/sgX
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 274/508] scsi: sg: Fix sysctl sg-big-buff register during sg_init() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 276/508] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers Greg Kroah-Hartman
` (234 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Erkun, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
[ Upstream commit d06a310b45e153872033dd0cf19d5a2279121099 ]
The parameter def_reserved_size defines the default buffer size reserved
for each Sg_fd and should be restricted to a range between 0 and 1,048,576
(see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the
function sg_proc_write_dressz enforces this limit, it is possible to bypass
it by directly modifying the module parameter as shown below, which then
causes a soft lockup:
echo -1 > /sys/module/sg/parameters/def_reserved_size
exec 4<> /dev/sg0
watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
Modules loaded:
CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134,
PREEMPT disabled
Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version
1.16.1-2.fc37 dated 04/01/2014
...
Call Trace:
sg_build_reserve+0x5c/0xa0
sg_add_sfp+0x168/0x270
sg_open+0x16e/0x340
chrdev_open+0xbe/0x230
do_dentry_open+0x175/0x480
vfs_open+0x34/0xf0
do_open+0x265/0x3d0
path_openat+0x110/0x290
do_filp_open+0xc3/0x170
do_sys_openat2+0x71/0xe0
__x64_sys_openat+0x6d/0xa0
do_syscall_64+0x62/0x310
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The fix is to use module_param_cb to validate and reject invalid values
assigned to def_reserved_size.
Fixes: 6460e75a104d ("[SCSI] sg: fixes for large page_size")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260127062044.3034148-3-yangerkun@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index f958bdf09587d..96921a661f64c 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1623,10 +1623,35 @@ sg_remove_device(struct device *cl_dev)
}
module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
-module_param_named(def_reserved_size, def_reserved_size, int,
- S_IRUGO | S_IWUSR);
module_param_named(allow_dio, sg_allow_dio, int, S_IRUGO | S_IWUSR);
+static int def_reserved_size_set(const char *val, const struct kernel_param *kp)
+{
+ int size, ret;
+
+ if (!val)
+ return -EINVAL;
+
+ ret = kstrtoint(val, 0, &size);
+ if (ret)
+ return ret;
+
+ /* limit to 1 MB */
+ if (size < 0 || size > 1048576)
+ return -ERANGE;
+
+ def_reserved_size = size;
+ return 0;
+}
+
+static const struct kernel_param_ops def_reserved_size_ops = {
+ .set = def_reserved_size_set,
+ .get = param_get_int,
+};
+
+module_param_cb(def_reserved_size, &def_reserved_size_ops, &def_reserved_size,
+ S_IRUGO | S_IWUSR);
+
MODULE_AUTHOR("Douglas Gilbert");
MODULE_DESCRIPTION("SCSI generic (sg) driver");
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 276/508] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 275/508] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 277/508] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
` (233 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, White Lewis, Pengyu Luo,
Dmitry Baryshkov, Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: White Lewis <liu224806@gmail.com>
[ Upstream commit 0b151a6307205eb867250985a910a88787cbf12e ]
The four byte_div_clk_src dividers (disp{0,1}_cc_mdss_byte{0,1}_div_clk_src)
had CLK_SET_RATE_PARENT set. When the DSI driver calls clk_set_rate() on
byte_intf_clk, the rate-change propagates through the divider up to the
parent PLL (byte_clk_src), halving the byte clock rate.
A simiar issue had been also encountered on SM8750.
b8501febdc51 ("clk: qcom: dispcc-sm8750: Drop incorrect CLK_SET_RATE_PARENT on byte intf parent").
Likewise, remove CLK_SET_RATE_PARENT from all four byte divider clocks
so that clk_set_rate() on the divider adjusts only the divider ratio,
leaving the parent PLL untouched.
Fixes: 4a66e76fdb6d ("clk: qcom: Add SC8280XP display clock controller")
Signed-off-by: White Lewis <liu224806@gmail.com>
[pengyu: reword]
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260303115550.9279-1-mitltlatltl@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sc8280xp.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/clk/qcom/dispcc-sc8280xp.c b/drivers/clk/qcom/dispcc-sc8280xp.c
index 30f636b9f0ec8..7f8819ece5eb0 100644
--- a/drivers/clk/qcom/dispcc-sc8280xp.c
+++ b/drivers/clk/qcom/dispcc-sc8280xp.c
@@ -1161,7 +1161,6 @@ static struct clk_regmap_div disp0_cc_mdss_byte0_div_clk_src = {
&disp0_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -1176,7 +1175,6 @@ static struct clk_regmap_div disp1_cc_mdss_byte0_div_clk_src = {
&disp1_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -1191,7 +1189,6 @@ static struct clk_regmap_div disp0_cc_mdss_byte1_div_clk_src = {
&disp0_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -1206,7 +1203,6 @@ static struct clk_regmap_div disp1_cc_mdss_byte1_div_clk_src = {
&disp1_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 277/508] scsi: target: core: Fix integer overflow in UNMAP bounds check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 276/508] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 278/508] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
` (232 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 2bf2d65f76697820dbc4227d13866293576dd90a ]
sbc_execute_unmap() checks LBA + range does not exceed the device capacity,
but does not guard against LBA + range wrapping around on 64-bit overflow.
Add an overflow check matching the pattern already used for WRITE_SAME in
the same file.
Fixes: 86d7182985d2 ("target: Add sbc_execute_unmap() helper")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_sbc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index 6a02561cc20ce..ad091a216b076 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1136,7 +1136,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
goto err;
}
- if (lba + range > dev->transport->get_blocks(dev) + 1) {
+ if (lba + range < lba ||
+ lba + range > dev->transport->get_blocks(dev) + 1) {
ret = TCM_ADDRESS_OUT_OF_RANGE;
goto err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 278/508] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 277/508] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 279/508] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
` (231 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Krzysztof Kozlowski,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 76404ffbf07f28a5ec04748e18fce3dac2e78ef6 ]
There are 5 more GDSCs that we were ignoring and not putting to sleep,
which are listed in downstream DTS. Add them.
Signed-off-by: Val Packett <val@packett.cool>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-2-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 3565741eb985 ("clk: qcom: gcc-sc8180x: Add missing GDSCs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/dt-bindings/clock/qcom,gcc-sc8180x.h b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
index 2569f874fe13c..be97a0ca2ade4 100644
--- a/include/dt-bindings/clock/qcom,gcc-sc8180x.h
+++ b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
@@ -308,5 +308,10 @@
#define USB30_MP_GDSC 8
#define USB30_PRIM_GDSC 9
#define USB30_SEC_GDSC 10
+#define HLOS1_VOTE_MMNOC_MMU_TBU_HF0_GDSC 11
+#define HLOS1_VOTE_MMNOC_MMU_TBU_HF1_GDSC 12
+#define HLOS1_VOTE_MMNOC_MMU_TBU_SF_GDSC 13
+#define HLOS1_VOTE_TURING_MMU_TBU0_GDSC 14
+#define HLOS1_VOTE_TURING_MMU_TBU1_GDSC 15
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 279/508] clk: qcom: gcc-sc8180x: Add missing GDSCs
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 278/508] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 280/508] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
` (230 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Val Packett, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 3565741eb985a8a7cc6656eb33496195468cb99e ]
There are 5 more GDSCs that we were ignoring and not putting to sleep,
which are listed in downstream DTS. Add them.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312112321.370983-3-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 50 ++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index ec0c45881c67a..08011db603503 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4199,6 +4199,51 @@ static struct gdsc usb30_mp_gdsc = {
.flags = POLL_CFG_GDSCR,
};
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc = {
+ .gdscr = 0x7d050,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc = {
+ .gdscr = 0x7d058,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_sf_gdsc = {
+ .gdscr = 0x7d054,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_sf_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_turing_mmu_tbu0_gdsc = {
+ .gdscr = 0x7d05c,
+ .pd = {
+ .name = "hlos1_vote_turing_mmu_tbu0_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_turing_mmu_tbu1_gdsc = {
+ .gdscr = 0x7d060,
+ .pd = {
+ .name = "hlos1_vote_turing_mmu_tbu1_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
static struct clk_regmap *gcc_sc8180x_clocks[] = {
[GCC_AGGRE_NOC_PCIE_TBU_CLK] = &gcc_aggre_noc_pcie_tbu_clk.clkr,
[GCC_AGGRE_UFS_CARD_AXI_CLK] = &gcc_aggre_ufs_card_axi_clk.clkr,
@@ -4499,6 +4544,11 @@ static struct gdsc *gcc_sc8180x_gdscs[] = {
[USB30_MP_GDSC] = &usb30_mp_gdsc,
[USB30_PRIM_GDSC] = &usb30_prim_gdsc,
[USB30_SEC_GDSC] = &usb30_sec_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_HF0_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_HF1_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_SF_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_sf_gdsc,
+ [HLOS1_VOTE_TURING_MMU_TBU0_GDSC] = &hlos1_vote_turing_mmu_tbu0_gdsc,
+ [HLOS1_VOTE_TURING_MMU_TBU1_GDSC] = &hlos1_vote_turing_mmu_tbu1_gdsc,
};
static const struct regmap_config gcc_sc8180x_regmap_config = {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 280/508] clk: qcom: gcc-sc8180x: Use retention for USB power domains
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 279/508] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 281/508] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
` (229 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Val Packett, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 25bc96f26cd6c19dde13a0b9859183e531d6fbfc ]
The USB subsystem does not expect to lose its state on suspend:
xhci-hcd xhci-hcd.0.auto: xHC error in resume, USBSTS 0x401, Reinit
usb usb1: root hub lost power or was reset
(The reinitialization usually succeeds, but it does slow down resume.)
To maintain state during suspend, the relevant GDSCs need to stay in
retention mode, like they do on other similar SoCs. Change the mode to
PWRSTS_RET_ON to fix.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312112321.370983-4-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index 08011db603503..889c1ab6d63f2 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4105,7 +4105,7 @@ static struct gdsc usb30_sec_gdsc = {
.pd = {
.name = "usb30_sec_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4123,7 +4123,7 @@ static struct gdsc usb30_prim_gdsc = {
.pd = {
.name = "usb30_prim_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4195,7 +4195,7 @@ static struct gdsc usb30_mp_gdsc = {
.pd = {
.name = "usb30_mp_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 281/508] clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 280/508] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 282/508] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
` (228 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Val Packett,
Konrad Dybcio, Manivannan Sadhasivam, Bjorn Andersson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit ccb92c78b42edd26225b4d5920847dfee3e1b093 ]
As the PCIe host controller driver does not yet support dealing with the
loss of state during suspend, use retention for relevant GDSCs.
This fixes the link not surviving upon resume:
nvme 0002:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
nvme nvme0: controller is down; will reset: CSTS=0xffffffff, PCI_STATUS read failed (134)
nvme 0002:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
nvme nvme0: Disabling device after reset failure: -19
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://lore.kernel.org/r/20260312112321.370983-5-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index 889c1ab6d63f2..dd21a5898c5a5 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4132,7 +4132,7 @@ static struct gdsc pcie_0_gdsc = {
.pd = {
.name = "pcie_0_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4159,7 +4159,7 @@ static struct gdsc pcie_1_gdsc = {
.pd = {
.name = "pcie_1_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4168,7 +4168,7 @@ static struct gdsc pcie_2_gdsc = {
.pd = {
.name = "pcie_2_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4186,7 +4186,7 @@ static struct gdsc pcie_3_gdsc = {
.pd = {
.name = "pcie_3_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 282/508] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 281/508] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 283/508] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
` (227 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 8c522da70f0c2e5148c4c13ccb1c64cca57a6fdb ]
mdss_gdsc can get stuck on boot due to RCGs being left on from last boot.
As a fix, commit 01a0a6cc8cfd ("clk: qcom: Park shared RCGs upon
registration") introduced a callback to ensure the RCG is off upon init.
However, the fix depends on all shared RCGs being marked as such in code.
For SM8150/SC8180X/SM8250 the MDSS vsync clock was using regular ops,
unlike the same clock in the SC7180 code. This was causing display to
frequently fail to initialize after rebooting on the Surface Pro X.
Fix by using shared ops for this clock.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-8-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
index 317a7e2b50bfb..cd6df240953fd 100644
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -632,7 +632,7 @@ static struct clk_rcg2 disp_cc_mdss_vsync_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_rcg2_ops,
+ .ops = &clk_rcg2_shared_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 283/508] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 282/508] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 284/508] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
` (226 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit acf7a91d0b0e9e3ef374944021de62062125b7e4 ]
Add CLK_OPS_PARENT_ENABLE to MDSS pixel clock sources to ensure parent
clocks are enabled during clock operations, preventing potential
stability issues during display configuration.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-9-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
index cd6df240953fd..7aa84c341f598 100644
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -578,7 +578,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk0_clk_src = {
.name = "disp_cc_mdss_pclk0_clk_src",
.parent_data = disp_cc_parent_data_6,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
@@ -592,7 +592,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk1_clk_src = {
.name = "disp_cc_mdss_pclk1_clk_src",
.parent_data = disp_cc_parent_data_6,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 284/508] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 283/508] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 285/508] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
` (225 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li, Peng Fan,
Abel Vesa, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 4b84d496c804b470124cd3a08e928df6801d8eae ]
The function pll6_bypassed() calls of_parse_phandle_with_args()
but never calls of_node_put() to release the reference, causing
a memory leak.
Fix this by adding proper cleanup calls on all exit paths.
Fixes: 3cc48976e9763 ("clk: imx6q: handle ENET PLL bypass")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260203-clk-imx6q-v3-1-6cd2696bb371@gmail.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx6q.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
index bf4c1d9c99287..ba696cf34fe3b 100644
--- a/drivers/clk/imx/clk-imx6q.c
+++ b/drivers/clk/imx/clk-imx6q.c
@@ -238,8 +238,11 @@ static bool pll6_bypassed(struct device_node *node)
return false;
if (clkspec.np == node &&
- clkspec.args[0] == IMX6QDL_PLL6_BYPASS)
+ clkspec.args[0] == IMX6QDL_PLL6_BYPASS) {
+ of_node_put(clkspec.np);
break;
+ }
+ of_node_put(clkspec.np);
}
/* PLL6 bypass is not part of the assigned clock list */
@@ -249,6 +252,9 @@ static bool pll6_bypassed(struct device_node *node)
ret = of_parse_phandle_with_args(node, "assigned-clock-parents",
"#clock-cells", index, &clkspec);
+ if (!ret)
+ of_node_put(clkspec.np);
+
if (clkspec.args[0] != IMX6QDL_CLK_PLL6)
return true;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 285/508] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 284/508] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 286/508] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
` (224 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li, Peng Fan,
Abel Vesa, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 9faf207208951460f3f7eefbc112246c8d28ff1b ]
The function of_assigned_ldb_sels() calls of_parse_phandle_with_args()
but never calls of_node_put() to release the reference, causing a memory
leak.
Fix this by adding proper cleanup calls on all exit paths.
Fixes: 5d283b083800 ("clk: imx6: Fix procedure to switch the parent of LDB_DI_CLK")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260203-clk-imx6q-v3-2-6cd2696bb371@gmail.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx6q.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
index ba696cf34fe3b..048e2ddba490b 100644
--- a/drivers/clk/imx/clk-imx6q.c
+++ b/drivers/clk/imx/clk-imx6q.c
@@ -188,9 +188,11 @@ static void of_assigned_ldb_sels(struct device_node *node,
}
if (clkspec.np != node || clkspec.args[0] >= IMX6QDL_CLK_END) {
pr_err("ccm: parent clock %d not in ccm\n", index);
+ of_node_put(clkspec.np);
return;
}
parent = clkspec.args[0];
+ of_node_put(clkspec.np);
rc = of_parse_phandle_with_args(node, "assigned-clocks",
"#clock-cells", index, &clkspec);
@@ -198,9 +200,11 @@ static void of_assigned_ldb_sels(struct device_node *node,
return;
if (clkspec.np != node || clkspec.args[0] >= IMX6QDL_CLK_END) {
pr_err("ccm: child clock %d not in ccm\n", index);
+ of_node_put(clkspec.np);
return;
}
child = clkspec.args[0];
+ of_node_put(clkspec.np);
if (child != IMX6QDL_CLK_LDB_DI0_SEL &&
child != IMX6QDL_CLK_LDB_DI1_SEL)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 286/508] clk: imx8mq: Correct the CSI PHY sels
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 285/508] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 287/508] clk: qoriq: avoid format string warning Greg Kroah-Hartman
` (223 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak, Peng Fan,
Abel Vesa, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit d16f57caa78776e6e8a88b96cb2597797b376138 ]
According to i.MX 8M Quad Reference Manual (Section 5.1.2 Table 5-1)
MIPI_CSI1_PHY_REF_CLK_ROOT and MIPI_CSI2_PHY_REF_CLK_ROOT have
SYSTEM_PLL2_DIV3 available as their second source, which corresponds
to sys2_pll_333m rather than sys2_pll_125m.
Fixes: b80522040cd3 ("clk: imx: Add clock driver for i.MX8MQ CCM")
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260128-imx8mq-csi-clk-v1-1-ac028ed26e8c@puri.sm
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx8mq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c
index f70ed231b92d6..cedc8a02aa1f0 100644
--- a/drivers/clk/imx/clk-imx8mq.c
+++ b/drivers/clk/imx/clk-imx8mq.c
@@ -237,7 +237,7 @@ static const char * const imx8mq_dsi_esc_sels[] = {"osc_25m", "sys2_pll_100m", "
static const char * const imx8mq_csi1_core_sels[] = {"osc_25m", "sys1_pll_266m", "sys2_pll_250m", "sys1_pll_800m",
"sys2_pll_1000m", "sys3_pll_out", "audio_pll2_out", "video_pll1_out", };
-static const char * const imx8mq_csi1_phy_sels[] = {"osc_25m", "sys2_pll_125m", "sys2_pll_100m", "sys1_pll_800m",
+static const char * const imx8mq_csi1_phy_sels[] = {"osc_25m", "sys2_pll_333m", "sys2_pll_100m", "sys1_pll_800m",
"sys2_pll_1000m", "clk_ext2", "audio_pll2_out", "video_pll1_out", };
static const char * const imx8mq_csi1_esc_sels[] = {"osc_25m", "sys2_pll_100m", "sys1_pll_80m", "sys1_pll_800m",
@@ -246,7 +246,7 @@ static const char * const imx8mq_csi1_esc_sels[] = {"osc_25m", "sys2_pll_100m",
static const char * const imx8mq_csi2_core_sels[] = {"osc_25m", "sys1_pll_266m", "sys2_pll_250m", "sys1_pll_800m",
"sys2_pll_1000m", "sys3_pll_out", "audio_pll2_out", "video_pll1_out", };
-static const char * const imx8mq_csi2_phy_sels[] = {"osc_25m", "sys2_pll_125m", "sys2_pll_100m", "sys1_pll_800m",
+static const char * const imx8mq_csi2_phy_sels[] = {"osc_25m", "sys2_pll_333m", "sys2_pll_100m", "sys1_pll_800m",
"sys2_pll_1000m", "clk_ext2", "audio_pll2_out", "video_pll1_out", };
static const char * const imx8mq_csi2_esc_sels[] = {"osc_25m", "sys2_pll_100m", "sys1_pll_80m", "sys1_pll_800m",
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 287/508] clk: qoriq: avoid format string warning
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 286/508] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 288/508] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
` (222 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Kees Cook,
Stephen Boyd, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 096abbb6682ee031a0f5ce9f4c71ead9fa63d31e ]
clang-22 warns about the use of non-variadic format arguments passed into
snprintf():
drivers/clk/clk-qoriq.c:925:39: error: diagnostic behavior may be improved by adding the
'format(printf, 7, 8)' attribute to the declaration of 'create_mux_common' [-Werror,-Wmissing-format-attribute]
910 | static struct clk * __init create_mux_common(struct clockgen *cg,
| __attribute__((format(printf, 7, 8)))
911 | struct mux_hwclock *hwc,
912 | const struct clk_ops *ops,
913 | unsigned long min_rate,
914 | unsigned long max_rate,
915 | unsigned long pct80_rate,
916 | const char *fmt, int idx)
917 | {
918 | struct clk_init_data init = {};
919 | struct clk *clk;
920 | const struct clockgen_pll_div *div;
921 | const char *parent_names[NUM_MUX_PARENTS];
922 | char name[32];
923 | int i, j;
924 |
925 | snprintf(name, sizeof(name), fmt, idx);
| ^
drivers/clk/clk-qoriq.c:910:28: note: 'create_mux_common' declared here
910 | static struct clk * __init create_mux_common(struct clockgen *cg,
Rework this to pass the 'int idx' as a varargs argument, allowing the
format string to be verified at the caller location.
Fixes: 0dfc86b3173f ("clk: qoriq: Move chip-specific knowledge into driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-qoriq.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/clk/clk-qoriq.c b/drivers/clk/clk-qoriq.c
index 4dcde305944c4..318acd176a2ef 100644
--- a/drivers/clk/clk-qoriq.c
+++ b/drivers/clk/clk-qoriq.c
@@ -906,13 +906,11 @@ static const struct clockgen_pll_div *get_pll_div(struct clockgen *cg,
return &cg->pll[pll].div[div];
}
-static struct clk * __init create_mux_common(struct clockgen *cg,
- struct mux_hwclock *hwc,
- const struct clk_ops *ops,
- unsigned long min_rate,
- unsigned long max_rate,
- unsigned long pct80_rate,
- const char *fmt, int idx)
+static struct clk * __init __printf(7, 8)
+create_mux_common(struct clockgen *cg, struct mux_hwclock *hwc,
+ const struct clk_ops *ops, unsigned long min_rate,
+ unsigned long max_rate, unsigned long pct80_rate,
+ const char *fmt, ...)
{
struct clk_init_data init = {};
struct clk *clk;
@@ -920,8 +918,11 @@ static struct clk * __init create_mux_common(struct clockgen *cg,
const char *parent_names[NUM_MUX_PARENTS];
char name[32];
int i, j;
+ va_list args;
- snprintf(name, sizeof(name), fmt, idx);
+ va_start(args, fmt);
+ vsnprintf(name, sizeof(name), fmt, args);
+ va_end(args);
for (i = 0, j = 0; i < NUM_MUX_PARENTS; i++) {
unsigned long rate;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 288/508] clk: xgene: Fix mapping leak in xgene_pllclk_init()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 287/508] clk: qoriq: avoid format string warning Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 289/508] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
` (221 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Brian Masney,
Stephen Boyd, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit f520a492e07bc6718e26cfb7543ab4cadd8bb0e2 ]
If xgene_register_clk_pll() fails, the mapped register block is never
unmapped.
Fixes: 308964caeebc45eb ("clk: Add APM X-Gene SoC clock driver")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-xgene.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/clk-xgene.c b/drivers/clk/clk-xgene.c
index 0c3d0cee98c83..a542b78d9c731 100644
--- a/drivers/clk/clk-xgene.c
+++ b/drivers/clk/clk-xgene.c
@@ -187,6 +187,8 @@ static void xgene_pllclk_init(struct device_node *np, enum xgene_pll_type pll_ty
of_clk_add_provider(np, of_clk_src_simple_get, clk);
clk_register_clkdev(clk, clk_name, NULL);
pr_debug("Add %s clock PLL\n", clk_name);
+ } else {
+ iounmap(reg);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 289/508] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 288/508] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 290/508] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
` (220 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Taniya Das,
Krzysztof Kozlowski, Bjorn Andersson, Sasha Levin, Val Packett
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit fc6e29d42872680dca017f2e5169eefe971f8d89 ]
The MDSS resets have so far been left undescribed. Fix that.
Fixes: 75616da71291 ("dt-bindings: clock: Introduce QCOM sc7180 display clock bindings")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Tested-by: Val Packett <val@packett.cool> # sc7180-ecs-liva-qc710
Link: https://lore.kernel.org/r/20260120-topic-7180_dispcc_bcr-v1-1-0b1b442156c3@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: b0bc6011c549 ("clk: qcom: dispcc-sc7180: Add missing MDSS resets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,dispcc-sc7180.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/dt-bindings/clock/qcom,dispcc-sc7180.h b/include/dt-bindings/clock/qcom,dispcc-sc7180.h
index b9b51617a335d..0705103060748 100644
--- a/include/dt-bindings/clock/qcom,dispcc-sc7180.h
+++ b/include/dt-bindings/clock/qcom,dispcc-sc7180.h
@@ -6,6 +6,7 @@
#ifndef _DT_BINDINGS_CLK_QCOM_DISP_CC_SC7180_H
#define _DT_BINDINGS_CLK_QCOM_DISP_CC_SC7180_H
+/* Clocks */
#define DISP_CC_PLL0 0
#define DISP_CC_PLL0_OUT_EVEN 1
#define DISP_CC_MDSS_AHB_CLK 2
@@ -40,7 +41,11 @@
#define DISP_CC_MDSS_VSYNC_CLK_SRC 31
#define DISP_CC_XO_CLK 32
-/* DISP_CC GDSCR */
+/* Resets */
+#define DISP_CC_MDSS_CORE_BCR 0
+#define DISP_CC_MDSS_RSCC_BCR 1
+
+/* GDSCs */
#define MDSS_GDSC 0
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 290/508] clk: qcom: dispcc-sc7180: Add missing MDSS resets
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 289/508] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 291/508] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
` (219 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Taniya Das, Bjorn Andersson, Sasha Levin, Val Packett
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit b0bc6011c5499bdfddd0390262bfa13dce1eff74 ]
The MDSS resets have so far been left undescribed. Fix that.
Fixes: dd3d06622138 ("clk: qcom: Add display clock controller driver for SC7180")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Tested-by: Val Packett <val@packett.cool> # sc7180-ecs-liva-qc710
Link: https://lore.kernel.org/r/20260120-topic-7180_dispcc_bcr-v1-2-0b1b442156c3@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sc7180.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/clk/qcom/dispcc-sc7180.c b/drivers/clk/qcom/dispcc-sc7180.c
index 9536bfc72a43c..166a4170e76f7 100644
--- a/drivers/clk/qcom/dispcc-sc7180.c
+++ b/drivers/clk/qcom/dispcc-sc7180.c
@@ -16,6 +16,7 @@
#include "clk-regmap-divider.h"
#include "common.h"
#include "gdsc.h"
+#include "reset.h"
enum {
P_BI_TCXO,
@@ -635,6 +636,11 @@ static struct gdsc mdss_gdsc = {
.flags = HW_CTRL,
};
+static const struct qcom_reset_map disp_cc_sc7180_resets[] = {
+ [DISP_CC_MDSS_CORE_BCR] = { 0x2000 },
+ [DISP_CC_MDSS_RSCC_BCR] = { 0x4000 },
+};
+
static struct gdsc *disp_cc_sc7180_gdscs[] = {
[MDSS_GDSC] = &mdss_gdsc,
};
@@ -686,6 +692,8 @@ static const struct qcom_cc_desc disp_cc_sc7180_desc = {
.config = &disp_cc_sc7180_regmap_config,
.clks = disp_cc_sc7180_clocks,
.num_clks = ARRAY_SIZE(disp_cc_sc7180_clocks),
+ .resets = disp_cc_sc7180_resets,
+ .num_resets = ARRAY_SIZE(disp_cc_sc7180_resets),
.gdscs = disp_cc_sc7180_gdscs,
.num_gdscs = ARRAY_SIZE(disp_cc_sc7180_gdscs),
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 291/508] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 290/508] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 292/508] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
` (218 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Petr Mladek,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 36776b7f8a8955b4e75b5d490a75fee0c7a2a7ef ]
print_hex_dump_bytes() claims to be a simple wrapper around
print_hex_dump(), but it actally calls print_hex_dump_debug(), which
means no output is printed if (dynamic) DEBUG is disabled.
Update the documentation to match the implementation.
Fixes: 091cb0994edd20d6 ("lib/hexdump: make print_hex_dump_bytes() a nop on !DEBUG builds")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/3d5c3069fd9102ecaf81d044b750cd613eb72a08.1774970392.git.geert+renesas@glider.be
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/printk.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux/printk.h b/include/linux/printk.h
index 478203bb2369c..794476418ccef 100644
--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -759,7 +759,8 @@ static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
#endif
/**
- * print_hex_dump_bytes - shorthand form of print_hex_dump() with default params
+ * print_hex_dump_bytes - shorthand form of print_hex_dump_debug() with default
+ * params
* @prefix_str: string to prefix each line with;
* caller supplies trailing spaces for alignment if desired
* @prefix_type: controls whether prefix of an offset, address, or none
@@ -767,7 +768,7 @@ static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
* @buf: data blob to dump
* @len: number of bytes in the @buf
*
- * Calls print_hex_dump(), with log level of KERN_DEBUG,
+ * Calls print_hex_dump_debug(), with log level of KERN_DEBUG,
* rowsize of 16, groupsize of 1, and ASCII output included.
*/
#define print_hex_dump_bytes(prefix_str, prefix_type, buf, len) \
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 292/508] clk: visconti: pll: initialize clk_init_data to zero
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 291/508] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 293/508] f2fs: Use sysfs_emit_at() to simplify code Greg Kroah-Hartman
` (217 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Benoît Monin,
Nobuhiro Iwamatsu, Stephen Boyd, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 1603cbb64173a0e9fa7500f2a686f4aa011c58b9 ]
Sashiko reported the following:
> The struct clk_init_data init is declared on the stack without being
> fully zero-initialized. While fields like name, flags, parent_names,
> num_parents, and ops are explicitly assigned, the parent_data and
> parent_hws fields are left containing stack garbage.
clk_core_populate_parent_map() currently prefers the parent names over
the parent data and hws, so this isn't a problem at the moment. If that
ordering ever changed in the future, then this could lead to some
unexpected crashes. Let's just go ahead and make sure that the struct
clk_init_data is initialized to zero as a good practice.
Fixes: b4cbe606dc367 ("clk: visconti: Add support common clock driver and reset driver")
Link: https://sashiko.dev/#/patchset/20260326042317.122536-1-rosenp%40gmail.com
Signed-off-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Benoît Monin <benoit.monin@bootlin.com>
Reviewed-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.x90@mail.toshiba>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/visconti/pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/visconti/pll.c b/drivers/clk/visconti/pll.c
index e9cd80e085dc3..a540936196ca3 100644
--- a/drivers/clk/visconti/pll.c
+++ b/drivers/clk/visconti/pll.c
@@ -244,7 +244,7 @@ static struct clk_hw *visconti_register_pll(struct visconti_pll_provider *ctx,
const struct visconti_pll_rate_table *rate_table,
spinlock_t *lock)
{
- struct clk_init_data init;
+ struct clk_init_data init = {};
struct visconti_pll *pll;
struct clk_hw *pll_hw_clk;
size_t len;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 293/508] f2fs: Use sysfs_emit_at() to simplify code
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 292/508] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 294/508] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
` (216 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Yu, Christophe JAILLET,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit f7a678bbe5a8f22cfcef5369757cc9b95f73e027 ]
This file already uses sysfs_emit(). So be consistent and also use
sysfs_emit_at().
This slightly simplifies the code and makes it more readable.
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 5909bedbed38 ("f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/sysfs.c | 45 +++++++++++++++++++++------------------------
1 file changed, 21 insertions(+), 24 deletions(-)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index 436bbf23f8e7c..7d377da9c2631 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -162,50 +162,50 @@ static ssize_t features_show(struct f2fs_attr *a,
int len = 0;
if (f2fs_sb_has_encrypt(sbi))
- len += scnprintf(buf, PAGE_SIZE - len, "%s",
+ len += sysfs_emit_at(buf, len, "%s",
"encryption");
if (f2fs_sb_has_blkzoned(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "blkzoned");
if (f2fs_sb_has_extra_attr(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "extra_attr");
if (f2fs_sb_has_project_quota(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "projquota");
if (f2fs_sb_has_inode_chksum(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "inode_checksum");
if (f2fs_sb_has_flexible_inline_xattr(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "flexible_inline_xattr");
if (f2fs_sb_has_quota_ino(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "quota_ino");
if (f2fs_sb_has_inode_crtime(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "inode_crtime");
if (f2fs_sb_has_lost_found(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "lost_found");
if (f2fs_sb_has_verity(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "verity");
if (f2fs_sb_has_sb_chksum(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "sb_checksum");
if (f2fs_sb_has_casefold(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "casefold");
if (f2fs_sb_has_readonly(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "readonly");
if (f2fs_sb_has_compression(sbi))
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "compression");
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s",
+ len += sysfs_emit_at(buf, len, "%s%s",
len ? ", " : "", "pin_file");
- len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
+ len += sysfs_emit_at(buf, len, "\n");
return len;
}
@@ -322,17 +322,14 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
int hot_count = sbi->raw_super->hot_ext_count;
int len = 0, i;
- len += scnprintf(buf + len, PAGE_SIZE - len,
- "cold file extension:\n");
+ len += sysfs_emit_at(buf, len, "cold file extension:\n");
for (i = 0; i < cold_count; i++)
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s\n",
- extlist[i]);
+ len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
- len += scnprintf(buf + len, PAGE_SIZE - len,
- "hot file extension:\n");
+ len += sysfs_emit_at(buf, len, "hot file extension:\n");
for (i = cold_count; i < cold_count + hot_count; i++)
- len += scnprintf(buf + len, PAGE_SIZE - len, "%s\n",
- extlist[i]);
+ len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
+
return len;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 294/508] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 293/508] f2fs: Use sysfs_emit_at() to simplify code Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 295/508] drm/i915: Constify watermark state checker Greg Kroah-Hartman
` (215 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongpeng Yang, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
[ Upstream commit 5909bedbed38c558bee7cb6758ceedf9bc3a9194 ]
In f2fs_sbi_show(), the extension_list, extension_count and
hot_ext_count are read without holding sbi->sb_lock. If a concurrent
sysfs store modifies the extension list via f2fs_update_extension_list(),
the show path may read inconsistent count and array contents, potentially
leading to out-of-bounds access or displaying stale data.
Fix this by holding sb_lock around the entire extension list read
and format operation.
Fixes: b6a06cbbb5f7 ("f2fs: support hot file extension")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/sysfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index 7d377da9c2631..4cd2d4bde217a 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -318,10 +318,12 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
if (!strcmp(a->attr.name, "extension_list")) {
__u8 (*extlist)[F2FS_EXTENSION_LEN] =
sbi->raw_super->extension_list;
- int cold_count = le32_to_cpu(sbi->raw_super->extension_count);
- int hot_count = sbi->raw_super->hot_ext_count;
+ int cold_count, hot_count;
int len = 0, i;
+ f2fs_down_read(&sbi->sb_lock);
+ cold_count = le32_to_cpu(sbi->raw_super->extension_count);
+ hot_count = sbi->raw_super->hot_ext_count;
len += sysfs_emit_at(buf, len, "cold file extension:\n");
for (i = 0; i < cold_count; i++)
len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
@@ -329,6 +331,7 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
len += sysfs_emit_at(buf, len, "hot file extension:\n");
for (i = cold_count; i < cold_count + hot_count; i++)
len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
+ f2fs_up_read(&sbi->sb_lock);
return len;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 295/508] drm/i915: Constify watermark state checker
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 294/508] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 296/508] drm/i915: Simplify watermark state checker calling convention Greg Kroah-Hartman
` (214 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä, Jani Nikula,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 487a2db8bc4eb79c53c9ff8fca65a7fc8350df6c ]
The skl+ wm state checker has no reason to modify the crtc state,
so make it const.
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231004155607.7719-6-ville.syrjala@linux.intel.com
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 2 +-
drivers/gpu/drm/i915/display/skl_watermark.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index 063929a42a42f..8a82576ca0289 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3133,7 +3133,7 @@ static void skl_wm_get_hw_state_and_sanitize(struct drm_i915_private *i915)
}
void intel_wm_state_verify(struct intel_crtc *crtc,
- struct intel_crtc_state *new_crtc_state)
+ const struct intel_crtc_state *new_crtc_state)
{
struct drm_i915_private *i915 = to_i915(crtc->base.dev);
struct skl_hw_state {
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.h b/drivers/gpu/drm/i915/display/skl_watermark.h
index f91a3d4ddc075..3aa138d387900 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.h
+++ b/drivers/gpu/drm/i915/display/skl_watermark.h
@@ -39,7 +39,7 @@ bool skl_ddb_allocation_overlaps(const struct skl_ddb_entry *ddb,
int num_entries, int ignore_idx);
void intel_wm_state_verify(struct intel_crtc *crtc,
- struct intel_crtc_state *new_crtc_state);
+ const struct intel_crtc_state *new_crtc_state);
void skl_watermark_ipc_init(struct drm_i915_private *i915);
void skl_watermark_ipc_update(struct drm_i915_private *i915);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 296/508] drm/i915: Simplify watermark state checker calling convention
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 295/508] drm/i915: Constify watermark state checker Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 297/508] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update() Greg Kroah-Hartman
` (213 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jani Nikula, Ville Syrjälä,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 8f0994d47e89711e654df4e31eabb8881079880a ]
There is never any reason to pass in both the crtc and its state
as one can always dig out the crtc from its state. But for more
consistency across the whole state checker let's just pass the
overall atomic state+crtc here as well.
v2: Also pass state+crtc here (Jani)
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231005122713.3531-1-ville.syrjala@linux.intel.com
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_modeset_verify.c | 2 +-
drivers/gpu/drm/i915/display/skl_watermark.c | 8 +++++---
drivers/gpu/drm/i915/display/skl_watermark.h | 4 ++--
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/intel_modeset_verify.c b/drivers/gpu/drm/i915/display/intel_modeset_verify.c
index 138144a65a457..6e65b867137e7 100644
--- a/drivers/gpu/drm/i915/display/intel_modeset_verify.c
+++ b/drivers/gpu/drm/i915/display/intel_modeset_verify.c
@@ -234,7 +234,7 @@ void intel_modeset_verify_crtc(struct intel_crtc *crtc,
!intel_crtc_needs_fastset(new_crtc_state))
return;
- intel_wm_state_verify(crtc, new_crtc_state);
+ intel_wm_state_verify(state, crtc);
verify_connector_state(state, crtc);
verify_crtc_state(crtc, old_crtc_state, new_crtc_state);
intel_shared_dpll_state_verify(crtc, old_crtc_state, new_crtc_state);
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index 8a82576ca0289..d77e598deb2d9 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3132,10 +3132,12 @@ static void skl_wm_get_hw_state_and_sanitize(struct drm_i915_private *i915)
skl_wm_sanitize(i915);
}
-void intel_wm_state_verify(struct intel_crtc *crtc,
- const struct intel_crtc_state *new_crtc_state)
+void intel_wm_state_verify(struct intel_atomic_state *state,
+ struct intel_crtc *crtc)
{
- struct drm_i915_private *i915 = to_i915(crtc->base.dev);
+ struct drm_i915_private *i915 = to_i915(state->base.dev);
+ const struct intel_crtc_state *new_crtc_state =
+ intel_atomic_get_new_crtc_state(state, crtc);
struct skl_hw_state {
struct skl_ddb_entry ddb[I915_MAX_PLANES];
struct skl_ddb_entry ddb_y[I915_MAX_PLANES];
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.h b/drivers/gpu/drm/i915/display/skl_watermark.h
index 3aa138d387900..c7de2b3b2f915 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.h
+++ b/drivers/gpu/drm/i915/display/skl_watermark.h
@@ -38,8 +38,8 @@ bool skl_ddb_allocation_overlaps(const struct skl_ddb_entry *ddb,
const struct skl_ddb_entry *entries,
int num_entries, int ignore_idx);
-void intel_wm_state_verify(struct intel_crtc *crtc,
- const struct intel_crtc_state *new_crtc_state);
+void intel_wm_state_verify(struct intel_atomic_state *state,
+ struct intel_crtc *crtc);
void skl_watermark_ipc_init(struct drm_i915_private *i915);
void skl_watermark_ipc_update(struct drm_i915_private *i915);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 297/508] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.6 296/508] drm/i915: Simplify watermark state checker calling convention Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 298/508] drm/i915: Loop over all active pipes in intel_mbus_dbox_update Greg Kroah-Hartman
` (212 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Roper, Gustavo Sousa,
Lucas De Marchi, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo Sousa <gustavo.sousa@intel.com>
[ Upstream commit 66a0e0681392420b326f00ba732e6bda099eda29 ]
As of Xe2LPD, it is now possible to select the source of the MDCLK
as either the CD2XCLK or the CDCLK PLL.
Previous display IPs were hardcoded to use the CD2XCLK. For those, the
ratio between MDCLK and CDCLK remained constant, namely 2. For Xe2LPD,
when we select the CDCLK PLL as the source, the ratio will vary
according to the squashing configuration (since the cd2x divisor is
fixed for all supported configurations).
To help the transition to supporting changes in the ratio, extract the
function intel_dbuf_mdclk_cdclk_ratio_update() from the existing logic
and call it using 2 as hardcoded ratio. Upcoming changes will use that
function for updates in the ratio due to CDCLK changes.
Bspec: 50057, 69445, 49213, 68868
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240312163639.172321-5-gustavo.sousa@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 30 +++++++++++++-------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index d77e598deb2d9..6c657ef8b45b4 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3472,6 +3472,21 @@ int intel_dbuf_init(struct drm_i915_private *i915)
return 0;
}
+static void intel_dbuf_mdclk_cdclk_ratio_update(struct drm_i915_private *i915,
+ u8 ratio,
+ bool joined_mbus)
+{
+ enum dbuf_slice slice;
+
+ if (joined_mbus)
+ ratio *= 2;
+
+ for_each_dbuf_slice(i915, slice)
+ intel_de_rmw(i915, DBUF_CTL_S(slice),
+ DBUF_MIN_TRACKER_STATE_SERVICE_MASK,
+ DBUF_MIN_TRACKER_STATE_SERVICE(ratio - 1));
+}
+
/*
* Configure MBUS_CTL and all DBUF_CTL_S of each slice to join_mbus state before
* update the request state of all DBUS slices.
@@ -3479,8 +3494,7 @@ int intel_dbuf_init(struct drm_i915_private *i915)
static void update_mbus_pre_enable(struct intel_atomic_state *state)
{
struct drm_i915_private *i915 = to_i915(state->base.dev);
- u32 mbus_ctl, dbuf_min_tracker_val;
- enum dbuf_slice slice;
+ u32 mbus_ctl;
const struct intel_dbuf_state *dbuf_state =
intel_atomic_get_new_dbuf_state(state);
@@ -3491,24 +3505,18 @@ static void update_mbus_pre_enable(struct intel_atomic_state *state)
* TODO: Implement vblank synchronized MBUS joining changes.
* Must be properly coordinated with dbuf reprogramming.
*/
- if (dbuf_state->joined_mbus) {
+ if (dbuf_state->joined_mbus)
mbus_ctl = MBUS_HASHING_MODE_1x4 | MBUS_JOIN |
MBUS_JOIN_PIPE_SELECT_NONE;
- dbuf_min_tracker_val = DBUF_MIN_TRACKER_STATE_SERVICE(3);
- } else {
+ else
mbus_ctl = MBUS_HASHING_MODE_2x2 |
MBUS_JOIN_PIPE_SELECT_NONE;
- dbuf_min_tracker_val = DBUF_MIN_TRACKER_STATE_SERVICE(1);
- }
intel_de_rmw(i915, MBUS_CTL,
MBUS_HASHING_MODE_MASK | MBUS_JOIN |
MBUS_JOIN_PIPE_SELECT_MASK, mbus_ctl);
- for_each_dbuf_slice(i915, slice)
- intel_de_rmw(i915, DBUF_CTL_S(slice),
- DBUF_MIN_TRACKER_STATE_SERVICE_MASK,
- dbuf_min_tracker_val);
+ intel_dbuf_mdclk_cdclk_ratio_update(i915, 2, dbuf_state->joined_mbus);
}
void intel_dbuf_pre_plane_update(struct intel_atomic_state *state)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 298/508] drm/i915: Loop over all active pipes in intel_mbus_dbox_update
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 297/508] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 299/508] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
` (211 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uma Shankar, Stanislav Lisovskiy,
Ville Syrjälä, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
[ Upstream commit e8333ab22cd8c750b7c14d3da7c0eef3ba85527f ]
We need to loop through all active pipes, not just the ones, that
are in current state, because disabling and enabling even a particular
pipe affects credits in another one.
Reviewed-by: Uma Shankar <uma.shankar@intel.com>
Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240402155016.13733-6-ville.syrjala@linux.intel.com
Stable-dep-of: a97c88a176b6 ("drm/i915/wm: Verify the correct plane DDB entry")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index 6c657ef8b45b4..9653ed8726935 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3582,10 +3582,8 @@ void intel_mbus_dbox_update(struct intel_atomic_state *state)
{
struct drm_i915_private *i915 = to_i915(state->base.dev);
const struct intel_dbuf_state *new_dbuf_state, *old_dbuf_state;
- const struct intel_crtc_state *new_crtc_state;
const struct intel_crtc *crtc;
u32 val = 0;
- int i;
if (DISPLAY_VER(i915) < 11)
return;
@@ -3629,12 +3627,9 @@ void intel_mbus_dbox_update(struct intel_atomic_state *state)
val |= MBUS_DBOX_B_CREDIT(8);
}
- for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i) {
+ for_each_intel_crtc_in_pipe_mask(&i915->drm, crtc, new_dbuf_state->active_pipes) {
u32 pipe_val = val;
- if (!new_crtc_state->hw.active)
- continue;
-
if (DISPLAY_VER(i915) >= 14) {
if (xelpdp_is_only_pipe_per_dbuf_bank(crtc->pipe,
new_dbuf_state->active_pipes))
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 299/508] drm/i915/wm: Verify the correct plane DDB entry
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 298/508] drm/i915: Loop over all active pipes in intel_mbus_dbox_update Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 300/508] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
` (210 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Vinod Govindapillai, Tvrtko Ursulin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit a97c88a176b6b8d116f4d3f508f3bd02bc77b462 ]
Actually verify the DDB entry for the plane we're looking
at instead of always verifying the cursor DDB.
Fixes: 7d4561722c3b ("drm/i915: Tweak plane ddb allocation tracking")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260324134843.2364-5-ville.syrjala@linux.intel.com
Reviewed-by: Vinod Govindapillai <vinod.govindapillai@intel.com>
(cherry picked from commit f002f7c7439de18117a31ca84dc87a59719c3dd6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index 9653ed8726935..3b30776b73b21 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3239,8 +3239,8 @@ void intel_wm_state_verify(struct intel_atomic_state *state,
}
/* DDB */
- hw_ddb_entry = &hw->ddb[PLANE_CURSOR];
- sw_ddb_entry = &new_crtc_state->wm.skl.plane_ddb[PLANE_CURSOR];
+ hw_ddb_entry = &hw->ddb[plane->id];
+ sw_ddb_entry = &new_crtc_state->wm.skl.plane_ddb[plane->id];
if (!skl_ddb_entry_equal(hw_ddb_entry, sw_ddb_entry)) {
drm_err(&i915->drm,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 300/508] crypto: sa2ul - Fix AEAD fallback algorithm names
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 299/508] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 301/508] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
` (209 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, T Pratham, Manorit Chawdhry,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
[ Upstream commit 8451ab6ad686ffdcdf9ddadaa446a79ab48e5590 ]
For authenc AEAD algorithms, sa2ul is trying to register very specific
-ce version as a fallback. This causes registration failure on SoCs
which do not have ARMv8-CE enabled/available. Change the fallback
algorithm from the specific driver name to generic algorithm name so
that the kernel can allocate any available fallback.
Fixes: d2c8ac187fc92 ("crypto: sa2ul - Add AEAD algorithm support")
Signed-off-by: T Pratham <t-pratham@ti.com>
Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/sa2ul.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
index 94eb6f6afa257..af221d5d999f2 100644
--- a/drivers/crypto/sa2ul.c
+++ b/drivers/crypto/sa2ul.c
@@ -1775,13 +1775,13 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash,
static int sa_cra_init_aead_sha1(struct crypto_aead *tfm)
{
return sa_cra_init_aead(tfm, "sha1",
- "authenc(hmac(sha1-ce),cbc(aes-ce))");
+ "authenc(hmac(sha1),cbc(aes))");
}
static int sa_cra_init_aead_sha256(struct crypto_aead *tfm)
{
return sa_cra_init_aead(tfm, "sha256",
- "authenc(hmac(sha256-ce),cbc(aes-ce))");
+ "authenc(hmac(sha256),cbc(aes))");
}
static void sa_exit_tfm_aead(struct crypto_aead *tfm)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 301/508] crypto: ccp - copy IV using skcipher ivsize
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 300/508] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 302/508] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
` (208 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moses, Tom Lendacky, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
[ Upstream commit a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4 ]
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV
buffer while RFC3686 skciphers expose an 8-byte IV, so the restore
overruns the provided buffer.
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Fixes: 2b789435d7f3 ("crypto: ccp - CCP AES crypto API support")
Signed-off-by: Paul Moses <p@1g4.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccp/ccp-crypto-aes.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/ccp/ccp-crypto-aes.c b/drivers/crypto/ccp/ccp-crypto-aes.c
index 918e223f21b65..5a48155ea796a 100644
--- a/drivers/crypto/ccp/ccp-crypto-aes.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes.c
@@ -29,8 +29,11 @@ static int ccp_aes_complete(struct crypto_async_request *async_req, int ret)
if (ret)
return ret;
- if (ctx->u.aes.mode != CCP_AES_MODE_ECB)
- memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE);
+ if (ctx->u.aes.mode != CCP_AES_MODE_ECB) {
+ size_t ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req));
+
+ memcpy(req->iv, rctx->iv, ivsize);
+ }
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 302/508] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 301/508] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 303/508] arm64: dts: imx8mp-debix-som-a: " Greg Kroah-Hartman
` (207 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Peng Fan, Frank Li,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 3b778178997aee24537b521a8cb60970bc1ce01c ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there is interrupt storm for i.MX8MP DEBIX Model A. Per schematic, there
is no on board PULL-UP resistors for GPIO1_IO03, so need to set PAD
PUE and PU together to make pull up work properly.
Fixes: c86d350aae68e ("arm64: dts: Add device tree for the Debix Model A Board")
Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Closes: https://lore.kernel.org/all/20260323105858.GA2185714@killaraus.ideasonboard.com/
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts b/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts
index 267ceffc02d84..5525240ff351e 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts
@@ -395,7 +395,7 @@ MX8MP_IOMUXC_SAI5_RXC__I2C6_SDA 0x400001c3
pinctrl_pmic: pmicirqgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 303/508] arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 302/508] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 304/508] arm64: dts: imx8mp-icore-mx8mp: " Greg Kroah-Hartman
` (206 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Kieran Bingham,
Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 2ea7872048a179b0ea8dadc67771961df3f0fc4a ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there is interrupt storm for i.MX8MP DEBIX SOM A. Need to set PAD
PUE and PU together to make pull up work properly.
Fixes: 21baf0b47f81b ("arm64: dts: freescale: Add DEBIX SOM A and SOM A I/O Board support")
Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Closes: https://lore.kernel.org/all/20260323105858.GA2185714@killaraus.ideasonboard.com/
Reported-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Closes: https://lore.kernel.org/imx/20260324194353.GB2352505@killaraus.ideasonboard.com/T/#m9a07fdc75496369a7d76d52c5e34ed140dcabfe3
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts
index 0b0c95432bdc4..3ee28e9f99877 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts
@@ -409,7 +409,7 @@ MX8MP_IOMUXC_SAI1_RXD1__GPIO4_IO03 0x140
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi
index bc312aa1bfc8b..ad3e22008b697 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi
@@ -219,7 +219,7 @@ MX8MP_IOMUXC_I2C4_SDA__I2C4_SDA 0x400001c3
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 304/508] arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 303/508] arm64: dts: imx8mp-debix-som-a: " Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 305/508] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
` (205 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit ea8c90f5c7ceeb6657a8fe564aa7b190dce298a6 ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: eefe06b295087 ("arm64: dts: imx8mp: Add Engicam i.Core MX8M Plus SoM")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
index a6319824ea2eb..69558ffefa9a6 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
@@ -132,7 +132,7 @@ MX8MP_IOMUXC_I2C1_SDA__I2C1_SDA 0x400001c3
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x41
+ MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 305/508] arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 304/508] arm64: dts: imx8mp-icore-mx8mp: " Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 306/508] arm64: dts: imx8mp-data-modul-edm-sbc: " Greg Kroah-Hartman
` (204 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit f9ed5afc988da3e22543725e35be6addbb0497bc ]
PMIC_nINT is low level triggered, but the current PAD settings is
PE=0,PUE=0,FSEL_1_FAST_SLEW_RATE=1,SION=1. So PAD needs to be configured
as PULL UP with PULL Enable, no need SION. Correct it.
Fixes: 8d6712695bc8e ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
index 2ff47f6ec7979..e1b2b1d4ff39f 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
@@ -902,7 +902,7 @@ MX8MP_IOMUXC_HDMI_DDC_SDA__GPIO3_IO27 0x84
pinctrl_pmic: dhcom-pmic-grp {
fsl,pins = <
/* PMIC_nINT */
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x40000090
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 306/508] arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 305/508] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 307/508] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
` (203 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 8ff145577e93f312ff398cb950ee3bd44835f5be ]
PMIC_nINT is low level triggered, but the current PAD settings is
PE=0,PUE=0,FSEL_1_FAST_SLEW_RATE=1,SION=1. So PAD needs to be configured
as PULL UP with PULL Enable, no need SION. Correct it.
Fixes: 562d222f23f0f ("arm64: dts: imx8mp: Add support for Data Modul i.MX8M Plus eDM SBC")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
index 678ecc9f81dbb..816469fcd5d76 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
@@ -780,7 +780,7 @@ MX8MP_IOMUXC_SAI3_RXFS__AUDIOMIX_PDM_BIT_STREAM00 0x0
pinctrl_pmic: pmic-grp {
fsl,pins = <
/* PMIC_nINT */
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x40000090
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 307/508] PCMCIA: Fix garbled log messages for KERN_CONT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 306/508] arm64: dts: imx8mp-data-modul-edm-sbc: " Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 308/508] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
` (202 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Dominik Brodowski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit bfeaa6814bd3f9a1f6d525b3b35a03b9a0368961 ]
For years the PCMCIA info messages are messed up by superfluous
newlines. While f2e6cf76751d ("pcmcia: Convert dev_printk to
dev_<level>") converted the code to pr_cont(), dev_info enforces a \n
via vprintk_store setting LOG_NEWLINE, breaking subsequent pr_cont.
Fix by logging the device name manually to allow pr_cont to work for
more readable and not \n distorted logs.
Fixes: f2e6cf76751d ("pcmcia: Convert dev_printk to dev_<level>")
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pcmcia/rsrc_nonstatic.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
index da494fe451baf..efc439c748862 100644
--- a/drivers/pcmcia/rsrc_nonstatic.c
+++ b/drivers/pcmcia/rsrc_nonstatic.c
@@ -188,7 +188,7 @@ static void do_io_probe(struct pcmcia_socket *s, unsigned int base,
int any;
u_char *b, hole, most;
- dev_info(&s->dev, "cs: IO port probe %#x-%#x:", base, base+num-1);
+ pr_info("%s: cs: IO port probe %#x-%#x:", dev_name(&s->dev), base, base+num-1);
/* First, what does a floating port look like? */
b = kzalloc(256, GFP_KERNEL);
@@ -410,8 +410,8 @@ static int do_mem_probe(struct pcmcia_socket *s, u_long base, u_long num,
struct socket_data *s_data = s->resource_data;
u_long i, j, bad, fail, step;
- dev_info(&s->dev, "cs: memory probe 0x%06lx-0x%06lx:",
- base, base+num-1);
+ pr_info("%s: cs: memory probe 0x%06lx-0x%06lx:",
+ dev_name(&s->dev), base, base+num-1);
bad = fail = 0;
step = (num < 0x20000) ? 0x2000 : ((num>>4) & ~0x1fff);
/* don't allow too large steps */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 308/508] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 307/508] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 309/508] arm64: dts: imx8mn-tqma8mqnl: " Greg Kroah-Hartman
` (201 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 721dec3ee9ff5231d13a412ff87df63b966d137b ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
While at here, also correct interrupt type as IRQ_TYPE_LEVEL_LOW.
Fixes: cbd3ef64eb9d1 ("arm64: dts: Add support for Emtop SoM & Baseboard")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi
index 67d22d3768aa8..507d1824d99d9 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi
@@ -60,7 +60,7 @@ pmic@25 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_pmic>;
interrupt-parent = <&gpio1>;
- interrupts = <3 IRQ_TYPE_EDGE_RISING>;
+ interrupts = <3 IRQ_TYPE_LEVEL_LOW>;
regulators {
buck1: BUCK1 {
@@ -194,7 +194,7 @@ MX8MM_IOMUXC_I2C1_SDA_I2C1_SDA 0x400001c3
pinctrl_pmic: emtop-pmic-grp {
fsl,pins = <
- MX8MM_IOMUXC_GPIO1_IO03_GPIO1_IO3 0x41
+ MX8MM_IOMUXC_GPIO1_IO03_GPIO1_IO3 0x141
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 309/508] arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 308/508] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 310/508] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
` (200 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 0fb37990774113afd943eaa91323679388584b6d ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: 3e56e354db6d3 ("arm64: dts: freescale: add initial device tree for TQMa8MQNL with i.MX8MN")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
index 78aaa04ebbc08..ca02f7ff37645 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
@@ -284,7 +284,7 @@ pinctrl_i2c1_gpio: i2c1gpiogrp {
};
pinctrl_pmic: pmicgrp {
- fsl,pins = <MX8MN_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x84>;
+ fsl,pins = <MX8MN_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x1c4>;
};
pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 310/508] arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 309/508] arm64: dts: imx8mn-tqma8mqnl: " Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 311/508] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF Greg Kroah-Hartman
` (199 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 42a9f5a16328ed78a88e0498556965b6c6ec515c ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: dfcd1b6f7620e ("arm64: dts: freescale: add initial device tree for TQMa8MQML with i.MX8MM")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
index b4466a26d838a..6d79447b8fa08 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
@@ -282,7 +282,7 @@ pinctrl_i2c1_gpio: i2c1gpiogrp {
};
pinctrl_pmic: pmicgrp {
- fsl,pins = <MX8MM_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x94>;
+ fsl,pins = <MX8MM_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x1d4>;
};
pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 311/508] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 310/508] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 312/508] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
` (198 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Vadim Fedorenko,
Eric Dumazet, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit fa92a77b0ed4d5f11a71665a232ac5a54a4b055d ]
macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but
macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1.
This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb
runs out of space, triggering a WARN_ON in rtnetlink and preventing the
interface from being dumped.
The bug can be reproduced with:
ip link add macvlan0 link eth0 type macvlan mode bridge
ip link set macvlan0 type macvlan bc_cutoff 0
ip -d link show macvlan0 # fails with -EMSGSIZE
The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add
netlink attribute for broadcast cutoff"), which added the nla_put_s32()
call in macvlan_fill_info() but missed adding the corresponding
nla_total_size(4) in macvlan_get_size(). A follow-up commit
55cef78c244d ("macvlan: add forgotten nla_policy for
IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still
did not fix the size calculation.
Fixes: 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260413085349.73977-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macvlan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 1035a95beee6f..399c8deb35103 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1687,6 +1687,7 @@ static size_t macvlan_get_size(const struct net_device *dev)
+ macvlan_get_size_mac(vlan) /* IFLA_MACVLAN_MACADDR */
+ nla_total_size(4) /* IFLA_MACVLAN_BC_QUEUE_LEN */
+ nla_total_size(4) /* IFLA_MACVLAN_BC_QUEUE_LEN_USED */
+ + nla_total_size(4) /* IFLA_MACVLAN_BC_CUTOFF */
);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 312/508] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 311/508] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 313/508] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
` (197 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu,
Toke Høiland-Jørgensen, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit f9e40664706927d7ae22a448a3383e23c38a4c0b ]
cake_update_flowkeys() is supposed to update the flow dissector keys
with the NAT-translated addresses and ports from conntrack, so that
CAKE's per-flow fairness correctly identifies post-NAT flows as
belonging to the same connection.
For the source port, this works correctly:
keys->ports.src = port;
But for the destination port, the assignment is reversed:
port = keys->ports.dst;
This means the NAT destination port is never updated in the flow keys.
As a result, when multiple connections are NATed to the same destination,
CAKE treats them as separate flows because the original (pre-NAT)
destination ports differ. This breaks CAKE's NAT-aware flow isolation
when using the "nat" mode.
The bug was introduced in commit b0c19ed6088a ("sch_cake: Take advantage
of skb->hash where appropriate") which refactored the original direct
assignment into a compare-and-conditionally-update pattern, but wrote
the destination port update backwards.
Fix by reversing the assignment direction to match the source port
pattern.
Fixes: b0c19ed6088a ("sch_cake: Take advantage of skb->hash where appropriate")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20260413110041.44704-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 14e06f474b6ca..55e8b682ec14c 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -620,7 +620,7 @@ static bool cake_update_flowkeys(struct flow_keys *keys,
}
port = rev ? tuple.src.u.all : tuple.dst.u.all;
if (port != keys->ports.dst) {
- port = keys->ports.dst;
+ keys->ports.dst = port;
upd = true;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 313/508] nexthop: fix IPv6 route referencing IPv4 nexthop
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 312/508] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 314/508] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
` (196 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, David Ahern,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 29c95185ba32b621fbc3800fb86e7dc3edf5c2be ]
syzbot reported a panic [1] [2].
When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
of all groups containing this nexthop is not updated. This is because
nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
but the reverse direction (AF_INET6 to AF_INET) is missed.
This allows a stale has_v4=false to bypass fib6_check_nexthop, causing
IPv6 routes to be attached to groups that effectively contain only AF_INET
members. Subsequent route lookups then call nexthop_fib6_nh() which
returns NULL for the AF_INET member, leading to a NULL pointer
dereference.
Fix by calling nh_group_v4_update whenever the family changes, not just
AF_INET to AF_INET6.
Reproducer:
# AF_INET6 blackhole
ip -6 nexthop add id 1 blackhole
# group with has_v4=false
ip nexthop add id 100 group 1
# replace with AF_INET (no -6), has_v4 stays false
ip nexthop replace id 1 blackhole
# pass stale has_v4 check
ip -6 route add 2001:db8::/64 nhid 100
# panic
ping -6 2001:db8::1
[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0
[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
Fixes: 7bf4796dd099 ("nexthops: add support for replace")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260413114522.147784-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/nexthop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 99385fe34a1e5..4f30ddd2016b6 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2183,10 +2183,10 @@ static int replace_nexthop_single(struct net *net, struct nexthop *old,
goto err_notify;
}
- /* When replacing an IPv4 nexthop with an IPv6 nexthop, potentially
+ /* When replacing a nexthop with one of a different family, potentially
* update IPv4 indication in all the groups using the nexthop.
*/
- if (oldi->family == AF_INET && newi->family == AF_INET6) {
+ if (oldi->family != newi->family) {
list_for_each_entry(nhge, &old->grp_list, nh_list) {
struct nexthop *nhp = nhge->nh_parent;
struct nh_group *nhg;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 314/508] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 313/508] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 315/508] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
` (195 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxi Qian, Vinicius Costa Gomes,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit 105425b1969c5affe532713cfac1c0b320d7ac2b ]
In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.
Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.
The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.
Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
Reported-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index a01d17d03bf57..6df93d5c2e9d9 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -982,11 +982,12 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
}
if (should_change_schedules(admin, oper, end_time)) {
- /* Set things so the next time this runs, the new
- * schedule runs.
- */
- end_time = sched_base_time(admin);
switch_schedules(q, &admin, &oper);
+ /* After changing schedules, the next entry is the first one
+ * in the new schedule, with a pre-calculated end_time.
+ */
+ next = list_first_entry(&oper->entries, struct sched_entry, list);
+ end_time = next->end_time;
}
next->end_time = end_time;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 315/508] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 314/508] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 316/508] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
` (194 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 21e92a38cfd891538598ba8f805e0165a820d532 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7e98102f4897 ("tcp: record pkts sent and retransmistted")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_output.c | 8 +++++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 33b724dcde6ed..8187fefa52206 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3962,9 +3962,9 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_SNDBUF_LIMITED,
info.tcpi_sndbuf_limited, TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_DATA_SEGS_OUT,
- tp->data_segs_out, TCP_NLA_PAD);
+ READ_ONCE(tp->data_segs_out), TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_TOTAL_RETRANS,
- tp->total_retrans, TCP_NLA_PAD);
+ READ_ONCE(tp->total_retrans), TCP_NLA_PAD);
rate = READ_ONCE(sk->sk_pacing_rate);
rate64 = (rate != ~0UL) ? rate : ~0ULL;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index db8f2830c67bf..5e2e14df787d4 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1400,7 +1400,8 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
if (skb->len != tcp_header_size) {
tcp_event_data_sent(tp, sk);
- tp->data_segs_out += tcp_skb_pcount(skb);
+ WRITE_ONCE(tp->data_segs_out,
+ tp->data_segs_out + tcp_skb_pcount(skb));
tp->bytes_sent += skb->len - tcp_header_size;
}
@@ -3347,7 +3348,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
TCP_ADD_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS, segs);
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
- tp->total_retrans += segs;
+ WRITE_ONCE(tp->total_retrans, tp->total_retrans + segs);
tp->bytes_retrans += skb->len;
/* make sure skb->data is aligned on arches that require it
@@ -4285,7 +4286,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
* However in this case, we are dealing with a passive fastopen
* socket thus we can change total_retrans value.
*/
- tcp_sk_rw(sk)->total_retrans++;
+ WRITE_ONCE(tcp_sk_rw(sk)->total_retrans,
+ tcp_sk_rw(sk)->total_retrans + 1);
}
trace_tcp_retransmit_synack(sk, req);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 316/508] tcp: annotate data-races around tp->bytes_sent
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 315/508] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 317/508] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
` (193 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ee43e957ce2ec77b2ec47fef28f3c0df6ab01a31 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: ba113c3aa79a ("tcp: add data bytes sent stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-8-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_output.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 8187fefa52206..c6b58bbb43c8a 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3986,7 +3986,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u32(stats, TCP_NLA_SNDQ_SIZE, tp->write_seq - tp->snd_una);
nla_put_u8(stats, TCP_NLA_CA_STATE, inet_csk(sk)->icsk_ca_state);
- nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, tp->bytes_sent,
+ nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, READ_ONCE(tp->bytes_sent),
TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS, tp->bytes_retrans,
TCP_NLA_PAD);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5e2e14df787d4..1fd807236c651 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1402,7 +1402,8 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
tcp_event_data_sent(tp, sk);
WRITE_ONCE(tp->data_segs_out,
tp->data_segs_out + tcp_skb_pcount(skb));
- tp->bytes_sent += skb->len - tcp_header_size;
+ WRITE_ONCE(tp->bytes_sent,
+ tp->bytes_sent + skb->len - tcp_header_size);
}
if (after(tcb->end_seq, tp->snd_nxt) || tcb->seq == tcb->end_seq)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 317/508] tcp: annotate data-races around tp->bytes_retrans
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 316/508] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 318/508] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
` (192 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5efc7b9f7cbd43401f1af81d3d7f2be00f93390d ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: fb31c9b9f6c8 ("tcp: add data bytes retransmitted stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-9-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_output.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index c6b58bbb43c8a..2ab4b8f4d8d10 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3988,8 +3988,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, READ_ONCE(tp->bytes_sent),
TCP_NLA_PAD);
- nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS, tp->bytes_retrans,
- TCP_NLA_PAD);
+ nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
+ READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
nla_put_u32(stats, TCP_NLA_DSACK_DUPS, tp->dsack_dups);
nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 1fd807236c651..ea982c3670d33 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3350,7 +3350,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
WRITE_ONCE(tp->total_retrans, tp->total_retrans + segs);
- tp->bytes_retrans += skb->len;
+ WRITE_ONCE(tp->bytes_retrans, tp->bytes_retrans + skb->len);
/* make sure skb->data is aligned on arches that require it
* and check if ack-trimming & collapsing extended the headroom
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 318/508] tcp: annotate data-races around tp->dsack_dups
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 317/508] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 319/508] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
` (191 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a984705ca88b976bf1087978fd98b7f3993da88c ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7e10b6554ff2 ("tcp: add dsack blocks received stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-10-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 2ab4b8f4d8d10..51e71407f4b89 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3990,7 +3990,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
- nla_put_u32(stats, TCP_NLA_DSACK_DUPS, tp->dsack_dups);
+ nla_put_u32(stats, TCP_NLA_DSACK_DUPS, READ_ONCE(tp->dsack_dups));
nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 359d36be04829..eb1bf58634741 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1041,7 +1041,7 @@ static u32 tcp_dsack_seen(struct tcp_sock *tp, u32 start_seq,
else if (tp->tlp_high_seq && tp->tlp_high_seq == end_seq)
state->flag |= FLAG_DSACK_TLP;
- tp->dsack_dups += dup_segs;
+ WRITE_ONCE(tp->dsack_dups, tp->dsack_dups + dup_segs);
/* Skip the DSACK if dup segs weren't retransmitted by sender */
if (tp->dsack_dups > tp->total_retrans)
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 319/508] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 318/508] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 320/508] tcp: annotate data-races around tp->plb_rehash Greg Kroah-Hartman
` (190 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3a63b3d160560ef51e43fb4c880a5cde8078053c ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() annotations to keep KCSAN happy.
WRITE_ONCE() annotations are already present.
Fixes: e08ab0b377a1 ("tcp: add bytes not sent to SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-14-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 51e71407f4b89..a8cba4dc7df5c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3995,7 +3995,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
nla_put_u32(stats, TCP_NLA_BYTES_NOTSENT,
- max_t(int, 0, tp->write_seq - tp->snd_nxt));
+ max_t(int, 0,
+ READ_ONCE(tp->write_seq) - READ_ONCE(tp->snd_nxt)));
nla_put_u64_64bit(stats, TCP_NLA_EDT, orig_skb->skb_mstamp_ns,
TCP_NLA_PAD);
if (ack_skb)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 320/508] tcp: annotate data-races around tp->plb_rehash
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 319/508] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 321/508] ice: Remove jumbo_remove step from TX path Greg Kroah-Hartman
` (189 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9e89b9d03a2d2e30dcca166d5af52f9a8eceab25 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 29c1c44646ae ("tcp: add u32 counter in tcp_sock and an SNMP counter for PLB")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-15-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 3 ++-
net/ipv4/tcp_plb.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index a8cba4dc7df5c..5b1fbb0ca2ff6 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4003,7 +4003,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u8(stats, TCP_NLA_TTL,
tcp_skb_ttl_or_hop_limit(ack_skb));
- nla_put_u32(stats, TCP_NLA_REHASH, tp->plb_rehash + tp->timeout_rehash);
+ nla_put_u32(stats, TCP_NLA_REHASH,
+ READ_ONCE(tp->plb_rehash) + READ_ONCE(tp->timeout_rehash));
return stats;
}
diff --git a/net/ipv4/tcp_plb.c b/net/ipv4/tcp_plb.c
index 4bcf7eff95e39..b7f9b60d8991f 100644
--- a/net/ipv4/tcp_plb.c
+++ b/net/ipv4/tcp_plb.c
@@ -79,7 +79,7 @@ void tcp_plb_check_rehash(struct sock *sk, struct tcp_plb_state *plb)
sk_rethink_txhash(sk);
plb->consec_cong_rounds = 0;
- tcp_sk(sk)->plb_rehash++;
+ WRITE_ONCE(tcp_sk(sk)->plb_rehash, tcp_sk(sk)->plb_rehash + 1);
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPPLBREHASH);
}
EXPORT_SYMBOL_GPL(tcp_plb_check_rehash);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 321/508] ice: Remove jumbo_remove step from TX path
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 320/508] tcp: annotate data-races around tp->plb_rehash Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 322/508] ice: fix double-free of tx_buf skb Greg Kroah-Hartman
` (188 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alice Mikityanska, Paolo Abeni,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Mikityanska <alice@isovalent.com>
[ Upstream commit 8b76102c5e00d1f090e0c31d17b060c76d8fa859 ]
Now that the kernel doesn't insert HBH for BIG TCP IPv6 packets, remove
unnecessary steps from the ice TX path, that used to check and remove
HBH.
Signed-off-by: Alice Mikityanska <alice@isovalent.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260205133925.526371-8-alice.kernel@fastmail.im
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1a303baa715e ("ice: fix double-free of tx_buf skb")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index eae4376c68595..66da8a34be0f1 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2364,9 +2364,6 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
ice_trace(xmit_frame_ring, tx_ring, skb);
- if (unlikely(ipv6_hopopt_jumbo_remove(skb)))
- goto out_drop;
-
count = ice_xmit_desc_count(skb);
if (ice_chk_linearize(skb, count)) {
if (__skb_linearize(skb))
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 322/508] ice: fix double-free of tx_buf skb
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 321/508] ice: Remove jumbo_remove step from TX path Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 323/508] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
` (187 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 1a303baa715e6b78d6a406aaf335f87ff35acfcd ]
If ice_tso() or ice_tx_csum() fail, the error path in
ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points
to it and is marked as valid (ICE_TX_BUF_SKB).
'next_to_use' remains unchanged, so the potential problem will
likely fix itself when the next packet is transmitted and the tx_buf
gets overwritten. But if there is no next packet and the interface is
brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf()
will find the tx_buf and free the skb for the second time.
The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error
path, so that ice_unmap_and_free_tx_buf().
Move the initialization of 'first' up, to ensure it's already valid in
case we hit the linearization error path.
The bug was spotted by AI while I had it looking for something else.
It also proposed an initial version of the patch.
I reproduced the bug and tested the fix by adding code to inject
failures, on a build with KASAN.
I looked for similar bugs in related Intel drivers and did not find any.
Fixes: d76a60ba7afb ("ice: Add support for VLANs and offloads")
Assisted-by: Claude:claude-4.6-opus-high Cursor
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-4-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 66da8a34be0f1..4e110a008a257 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2364,6 +2364,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
ice_trace(xmit_frame_ring, tx_ring, skb);
+ /* record the location of the first descriptor for this packet */
+ first = &tx_ring->tx_buf[tx_ring->next_to_use];
+
count = ice_xmit_desc_count(skb);
if (ice_chk_linearize(skb, count)) {
if (__skb_linearize(skb))
@@ -2389,8 +2392,6 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
offload.tx_ring = tx_ring;
- /* record the location of the first descriptor for this packet */
- first = &tx_ring->tx_buf[tx_ring->next_to_use];
first->skb = skb;
first->type = ICE_TX_BUF_SKB;
first->bytecount = max_t(unsigned int, skb->len, ETH_ZLEN);
@@ -2452,6 +2453,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
out_drop:
ice_trace(xmit_frame_ring_drop, tx_ring, skb);
dev_kfree_skb_any(skb);
+ first->type = ICE_TX_BUF_EMPTY;
return NETDEV_TX_OK;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 323/508] i40e: dont advertise IFF_SUPP_NOFCS
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 322/508] ice: fix double-free of tx_buf skb Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 324/508] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
` (186 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Aleksandr Loktionov,
Sunitha Mekala, Jacob Keller, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit a24162f18825684ad04e3a5d0531f8a50d679347 ]
i40e advertises IFF_SUPP_NOFCS, allowing users to use the SO_NOFCS
socket option. However, this option is silently ignored, as the driver
does not check skb->no_fcs, and always enables FCS insertion offload.
Fix this by removing the advertisement of IFF_SUPP_NOFCS.
This behavior can be reproduced with a simple AF_PACKET socket:
import socket
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
s.setsockopt(socket.SOL_SOCKET, 43, 1) # SO_NOFCS
s.bind(("eth0", 0))
s.send(b'\xff' * 64)
Previously, send() succeeds but the driver ignores SO_NOFCS.
With this change, send() fails with -EPROTONOSUPPORT, as expected.
Fixes: 41c445ff0f48 ("i40e: main driver core")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-9-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 9bcd32d31da77..24879ddd603e5 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -13940,7 +13940,6 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
netdev->neigh_priv_len = sizeof(u32) * 4;
netdev->priv_flags |= IFF_UNICAST_FLT;
- netdev->priv_flags |= IFF_SUPP_NOFCS;
/* Setup netdev TC information */
i40e_vsi_config_netdev_tc(vsi, vsi->tc_config.enabled_tc);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 324/508] e1000e: Unroll PTP in probe error handling
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 323/508] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 325/508] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
` (185 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Avigail Dahan,
Jacob Keller, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit aa3f7fe409350857c25d050482a2eef2cfd69b58 ]
If probe fails after registering the PTP clock and its delayed work,
these resources must be released.
This was not an issue until a 2016 fix moved the e1000e_ptp_init() call
before the jump to err_register.
Fixes: aa524b66c5ef ("e1000e: don't modify SYSTIM registers during SIOCSHWTSTAMP ioctl")
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-12-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 9e9138ccac421..3b1d142ebf276 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -7700,6 +7700,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err_register:
if (!(adapter->flags & FLAG_HAS_AMT))
e1000e_release_hw_control(adapter);
+ e1000e_ptp_remove(adapter);
err_eeprom:
if (hw->phy.ops.check_reset_block && !hw->phy.ops.check_reset_block(hw))
e1000_phy_hw_reset(&adapter->hw);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 325/508] ipv6: fix possible UAF in icmpv6_rcv()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 324/508] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 326/508] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
` (184 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Fernando Fernandez Mancera, Joe Damato, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f996edd7615e686ada141b7f3395025729ff8ccb ]
Caching saddr and daddr before pskb_pull() is problematic
since skb->head can change.
Remove these temporary variables:
- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr
when net_dbg_ratelimited() is called in the slow path.
- Avoid potential future misuse after pskb_pull() call.
Fixes: 4b3418fba0fe ("ipv6: icmp: include addresses in debug messages")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Joe Damato <joe@dama.to>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260416103505.2380753-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/icmp.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 0002fe04e0409..9c56612c66211 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -907,7 +907,6 @@ static int icmpv6_rcv(struct sk_buff *skb)
struct net *net = dev_net_rcu(skb->dev);
struct net_device *dev = icmp6_dev(skb);
struct inet6_dev *idev = __in6_dev_get(dev);
- const struct in6_addr *saddr, *daddr;
struct icmp6hdr *hdr;
u8 type;
@@ -938,12 +937,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
__ICMP6_INC_STATS(dev_net_rcu(dev), idev, ICMP6_MIB_INMSGS);
- saddr = &ipv6_hdr(skb)->saddr;
- daddr = &ipv6_hdr(skb)->daddr;
-
if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
- saddr, daddr);
+ &ipv6_hdr(skb)->saddr,
+ &ipv6_hdr(skb)->daddr);
goto csum_error;
}
@@ -1026,7 +1023,8 @@ static int icmpv6_rcv(struct sk_buff *skb)
break;
net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
- saddr, daddr);
+ &ipv6_hdr(skb)->saddr,
+ &ipv6_hdr(skb)->daddr);
/*
* error of unknown type.
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 326/508] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 325/508] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 327/508] pppoe: drop PFC frames Greg Kroah-Hartman
` (183 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Xin Long,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 0cf004ffb61cd32d140531c3a84afe975f9fc7ea ]
sctp_getsockopt_peer_auth_chunks() checks that the caller's optval
buffer is large enough for the peer AUTH chunk list with
if (len < num_chunks)
return -EINVAL;
but then writes num_chunks bytes to p->gauth_chunks, which lives
at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8
inside optval. The check is missing the sizeof(struct
sctp_authchunks) = 8-byte header. When the caller supplies
len == num_chunks (for any num_chunks > 0) the test passes but
copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes
past the declared buffer.
The sibling function sctp_getsockopt_local_auth_chunks() at the
next line already has the correct check:
if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
Align the peer variant with its sibling.
Reproducer confirms on v7.0-13-generic: an unprivileged userspace
caller that opens a loopback SCTP association with AUTH enabled,
queries num_chunks with a short optval, then issues the real
getsockopt with len == num_chunks and sentinel bytes painted past
the buffer observes those sentinel bytes overwritten with the
peer's AUTH chunk type. The bytes written are under the peer's
control but land in the caller's own userspace; this is not a
kernel memory corruption, but it is a kernel-side contract
violation that can silently corrupt adjacent userspace data.
Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260416031903.1447072-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index b3c19210667fb..98586bcf83ceb 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6997,7 +6997,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
/* See if the user provided enough room for all the data */
num_chunks = ntohs(ch->param_hdr.length) - sizeof(struct sctp_paramhdr);
- if (len < num_chunks)
+ if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
if (copy_to_user(to, ch->chunks, num_chunks))
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 327/508] pppoe: drop PFC frames
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 326/508] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 328/508] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
` (182 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <qingfang.deng@linux.dev>
[ Upstream commit cc1ff87bce1ccd38410ab10960f576dcd17db679 ]
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.
If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.
To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.
Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 2 +-
drivers/net/ppp/pppoe.c | 8 +++++++-
include/linux/ppp_defs.h | 16 ++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 7c863cb99383b..2b5843d14cbb8 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2245,7 +2245,7 @@ ppp_do_recv(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
*/
static void __ppp_decompress_proto(struct sk_buff *skb)
{
- if (skb->data[0] & 0x01)
+ if (ppp_skb_is_compressed_proto(skb))
*(u8 *)skb_push(skb, 1) = 0x00;
}
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 96cca4ee470a4..bc726b54ca745 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -425,7 +425,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
if (skb_mac_header_len(skb) < ETH_HLEN)
goto drop;
- if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
+ if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
goto drop;
ph = pppoe_hdr(skb);
@@ -435,6 +435,12 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
if (skb->len < len)
goto drop;
+ /* skb->data points to the PPP protocol header after skb_pull_rcsum.
+ * Drop PFC frames.
+ */
+ if (ppp_skb_is_compressed_proto(skb))
+ goto drop;
+
if (pskb_trim_rcsum(skb, len))
goto drop;
diff --git a/include/linux/ppp_defs.h b/include/linux/ppp_defs.h
index b7e57fdbd4139..b1d1f46d7d3be 100644
--- a/include/linux/ppp_defs.h
+++ b/include/linux/ppp_defs.h
@@ -8,6 +8,7 @@
#define _PPP_DEFS_H_
#include <linux/crc-ccitt.h>
+#include <linux/skbuff.h>
#include <uapi/linux/ppp_defs.h>
#define PPP_FCS(fcs, c) crc_ccitt_byte(fcs, c)
@@ -25,4 +26,19 @@ static inline bool ppp_proto_is_valid(u16 proto)
return !!((proto & 0x0101) == 0x0001);
}
+/**
+ * ppp_skb_is_compressed_proto - checks if PPP protocol in a skb is compressed
+ * @skb: skb to check
+ *
+ * Check if the PPP protocol field is compressed (the least significant
+ * bit of the most significant octet is 1). skb->data must point to the PPP
+ * protocol header.
+ *
+ * Return: Whether the PPP protocol field is compressed.
+ */
+static inline bool ppp_skb_is_compressed_proto(const struct sk_buff *skb)
+{
+ return unlikely(skb->data[0] & 0x01);
+}
+
#endif /* _PPP_DEFS_H_ */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 328/508] openvswitch: cap upcall PID array size and pre-size vport replies
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 327/508] pppoe: drop PFC frames Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 329/508] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
` (181 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Ilya Maximets, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 ]
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
kernel BUG at net/openvswitch/datapath.c:2414!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
Call Trace:
<TASK>
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
genl_rcv_msg (net/netlink/genetlink.c:1194)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Kernel panic - not syncing: Fatal exception
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260416024653.153456-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 35 +++++++++++++++++++++++++++++++++--
net/openvswitch/vport.c | 3 +++
2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index cb52fac7caa3c..7803e7548d920 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2158,9 +2158,40 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
return err;
}
+static size_t ovs_vport_cmd_msg_size(void)
+{
+ size_t msgsize = NLMSG_ALIGN(sizeof(struct ovs_header));
+
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_PORT_NO */
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_TYPE */
+ msgsize += nla_total_size(IFNAMSIZ); /* OVS_VPORT_ATTR_NAME */
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_IFINDEX */
+ msgsize += nla_total_size(sizeof(s32)); /* OVS_VPORT_ATTR_NETNSID */
+
+ /* OVS_VPORT_ATTR_STATS */
+ msgsize += nla_total_size_64bit(sizeof(struct ovs_vport_stats));
+
+ /* OVS_VPORT_ATTR_UPCALL_STATS(OVS_VPORT_UPCALL_ATTR_SUCCESS +
+ * OVS_VPORT_UPCALL_ATTR_FAIL)
+ */
+ msgsize += nla_total_size(nla_total_size_64bit(sizeof(u64)) +
+ nla_total_size_64bit(sizeof(u64)));
+
+ /* OVS_VPORT_ATTR_UPCALL_PID */
+ msgsize += nla_total_size(nr_cpu_ids * sizeof(u32));
+
+ /* OVS_VPORT_ATTR_OPTIONS(OVS_TUNNEL_ATTR_DST_PORT +
+ * OVS_TUNNEL_ATTR_EXTENSION(OVS_VXLAN_EXT_GBP))
+ */
+ msgsize += nla_total_size(nla_total_size(sizeof(u16)) +
+ nla_total_size(nla_total_size(0)));
+
+ return msgsize;
+}
+
static struct sk_buff *ovs_vport_cmd_alloc_info(void)
{
- return nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ return genlmsg_new(ovs_vport_cmd_msg_size(), GFP_KERNEL);
}
/* Called with ovs_mutex, only via ovs_dp_notify_wq(). */
@@ -2170,7 +2201,7 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport *vport, struct net *net,
struct sk_buff *skb;
int retval;
- skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ skb = ovs_vport_cmd_alloc_info();
if (!skb)
return ERR_PTR(-ENOMEM);
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index 0faa6e097829c..a0a8854e9f19e 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -407,6 +407,9 @@ int ovs_vport_set_upcall_portids(struct vport *vport, const struct nlattr *ids)
if (!nla_len(ids) || nla_len(ids) % sizeof(u32))
return -EINVAL;
+ if (nla_len(ids) / sizeof(u32) > nr_cpu_ids)
+ return -EINVAL;
+
old = ovsl_dereference(vport->upcall_portids);
vport_portids = kmalloc(sizeof(*vport_portids) + nla_len(ids),
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 329/508] netfilter: nft_osf: restrict it to ipv4
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 328/508] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 330/508] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
` (180 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b336fdbb7103fb1484e1dcb6741151d4b5a41e35 ]
This expression only supports for ipv4, restrict it.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_osf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index 123b4f47ccef4..23ec9b397f1eb 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
struct nf_osf_data data;
struct tcphdr _tcph;
+ if (nft_pf(pkt) != NFPROTO_IPV4) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+
if (pkt->tprot != IPPROTO_TCP) {
regs->verdict.code = NFT_BREAK;
return;
@@ -119,7 +124,6 @@ static int nft_osf_validate(const struct nft_ctx *ctx,
switch (ctx->family) {
case NFPROTO_IPV4:
- case NFPROTO_IPV6:
case NFPROTO_INET:
hooks = (1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_PRE_ROUTING) |
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 330/508] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 329/508] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 331/508] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
` (179 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Florian Westphal,
Pablo Neira Ayuso, Xiang Mei, Fernando Fernandez Mancera,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 2195574dc6d9017d32ac346987e12659f931d932 ]
nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".
Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index da9d5d6de98f4..000a5c280ef96 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt_num > ARRAY_SIZE(f->opt))
return -EINVAL;
+ if (f->wss.wc >= OSF_WSS_MAX ||
+ (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
+ return -EINVAL;
+
for (i = 0; i < f->opt_num; i++) {
if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
return -EINVAL;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 331/508] netfilter: conntrack: remove sprintf usage
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 330/508] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 332/508] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
` (178 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 6e7066bdb481a87fe88c4fa563e348c03b2d373d ]
Replace it with scnprintf, the buffer sizes are expected to be large enough
to hold the result, no need for snprintf+overflow check.
Increase buffer size in mangle_content_len() while at it.
BUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5/0x1270
Write of size 1 at addr [..]
vsnprintf+0xea5/0x1270
sprintf+0xb1/0xe0
mangle_content_len+0x1ac/0x280
nf_nat_sdp_session+0x1cc/0x240
process_sdp+0x8f8/0xb80
process_invite_request+0x108/0x2b0
process_sip_msg+0x5da/0xf50
sip_help_tcp+0x45e/0x780
nf_confirm+0x34d/0x990
[..]
Fixes: 9fafcd7b2032 ("[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_nat_amanda.c | 2 +-
net/netfilter/nf_nat_sip.c | 33 ++++++++++++++++++---------------
2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c
index 98deef6cde694..8f1054920a857 100644
--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -50,7 +50,7 @@ static unsigned int help(struct sk_buff *skb,
return NF_DROP;
}
- sprintf(buffer, "%u", port);
+ snprintf(buffer, sizeof(buffer), "%u", port);
if (!nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
protoff, matchoff, matchlen,
buffer, strlen(buffer))) {
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index cf4aeb299bdef..c845b6d1a2bdf 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -68,25 +68,27 @@ static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff,
}
static int sip_sprintf_addr(const struct nf_conn *ct, char *buffer,
+ size_t size,
const union nf_inet_addr *addr, bool delim)
{
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
- return sprintf(buffer, "%pI4", &addr->ip);
+ return scnprintf(buffer, size, "%pI4", &addr->ip);
else {
if (delim)
- return sprintf(buffer, "[%pI6c]", &addr->ip6);
+ return scnprintf(buffer, size, "[%pI6c]", &addr->ip6);
else
- return sprintf(buffer, "%pI6c", &addr->ip6);
+ return scnprintf(buffer, size, "%pI6c", &addr->ip6);
}
}
static int sip_sprintf_addr_port(const struct nf_conn *ct, char *buffer,
+ size_t size,
const union nf_inet_addr *addr, u16 port)
{
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
- return sprintf(buffer, "%pI4:%u", &addr->ip, port);
+ return scnprintf(buffer, size, "%pI4:%u", &addr->ip, port);
else
- return sprintf(buffer, "[%pI6c]:%u", &addr->ip6, port);
+ return scnprintf(buffer, size, "[%pI6c]:%u", &addr->ip6, port);
}
static int map_addr(struct sk_buff *skb, unsigned int protoff,
@@ -119,7 +121,7 @@ static int map_addr(struct sk_buff *skb, unsigned int protoff,
if (nf_inet_addr_cmp(&newaddr, addr) && newport == port)
return 1;
- buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, ntohs(newport));
+ buflen = sip_sprintf_addr_port(ct, buffer, sizeof(buffer), &newaddr, ntohs(newport));
return mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen);
}
@@ -212,7 +214,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&addr, true) > 0 &&
nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3) &&
!nf_inet_addr_cmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3)) {
- buflen = sip_sprintf_addr(ct, buffer,
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer),
&ct->tuplehash[!dir].tuple.dst.u3,
true);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
@@ -229,7 +231,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&addr, false) > 0 &&
nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.dst.u3) &&
!nf_inet_addr_cmp(&addr, &ct->tuplehash[!dir].tuple.src.u3)) {
- buflen = sip_sprintf_addr(ct, buffer,
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer),
&ct->tuplehash[!dir].tuple.src.u3,
false);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
@@ -247,7 +249,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
- buflen = sprintf(buffer, "%u", ntohs(p));
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", ntohs(p));
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
poff, plen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle rport");
@@ -418,7 +420,8 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff,
if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) ||
exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
- buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port);
+ buflen = sip_sprintf_addr_port(ct, buffer, sizeof(buffer),
+ &newaddr, port);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle packet");
@@ -438,8 +441,8 @@ static int mangle_content_len(struct sk_buff *skb, unsigned int protoff,
{
enum ip_conntrack_info ctinfo;
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+ char buffer[sizeof("4294967295")];
unsigned int matchoff, matchlen;
- char buffer[sizeof("65536")];
int buflen, c_len;
/* Get actual SDP length */
@@ -454,7 +457,7 @@ static int mangle_content_len(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen) <= 0)
return 0;
- buflen = sprintf(buffer, "%u", c_len);
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", c_len);
return mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen);
}
@@ -491,7 +494,7 @@ static unsigned int nf_nat_sdp_addr(struct sk_buff *skb, unsigned int protoff,
char buffer[INET6_ADDRSTRLEN];
unsigned int buflen;
- buflen = sip_sprintf_addr(ct, buffer, addr, false);
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer), addr, false);
if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen,
sdpoff, type, term, buffer, buflen))
return 0;
@@ -509,7 +512,7 @@ static unsigned int nf_nat_sdp_port(struct sk_buff *skb, unsigned int protoff,
char buffer[sizeof("nnnnn")];
unsigned int buflen;
- buflen = sprintf(buffer, "%u", port);
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", port);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen))
return 0;
@@ -529,7 +532,7 @@ static unsigned int nf_nat_sdp_session(struct sk_buff *skb, unsigned int protoff
unsigned int buflen;
/* Mangle session description owner and contact addresses */
- buflen = sip_sprintf_addr(ct, buffer, addr, false);
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer), addr, false);
if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen, sdpoff,
SDP_HDR_OWNER, SDP_HDR_MEDIA, buffer, buflen))
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 332/508] netfilter: xtables: restrict several matches to inet family
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 331/508] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 333/508] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
` (177 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501),
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b6fe26f86a1649f84e057f3f15605b08eda15497 ]
This is a partial revert of:
commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
to allow ipv4 and ipv6 only.
- xt_mac
- xt_owner
- xt_physdev
These extensions are not used by ebtables in userspace.
Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4
specific.
Fixes: ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_mac.c | 34 +++++++++++++++++++++++-----------
net/netfilter/xt_owner.c | 37 +++++++++++++++++++++++++------------
net/netfilter/xt_physdev.c | 29 +++++++++++++++++++----------
net/netfilter/xt_realm.c | 2 +-
4 files changed, 68 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 81649da57ba5d..bd2354760895d 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -38,25 +38,37 @@ static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
return ret;
}
-static struct xt_match mac_mt_reg __read_mostly = {
- .name = "mac",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .match = mac_mt,
- .matchsize = sizeof(struct xt_mac_info),
- .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
- (1 << NF_INET_FORWARD),
- .me = THIS_MODULE,
+static struct xt_match mac_mt_reg[] __read_mostly = {
+ {
+ .name = "mac",
+ .family = NFPROTO_IPV4,
+ .match = mac_mt,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "mac",
+ .family = NFPROTO_IPV6,
+ .match = mac_mt,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD),
+ .me = THIS_MODULE,
+ },
};
static int __init mac_mt_init(void)
{
- return xt_register_match(&mac_mt_reg);
+ return xt_register_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
}
static void __exit mac_mt_exit(void)
{
- xt_unregister_match(&mac_mt_reg);
+ xt_unregister_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
}
module_init(mac_mt_init);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 50332888c8d23..7be2fe22b067e 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -127,26 +127,39 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
return true;
}
-static struct xt_match owner_mt_reg __read_mostly = {
- .name = "owner",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .checkentry = owner_check,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
+static struct xt_match owner_mt_reg[] __read_mostly = {
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .checkentry = owner_check,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .checkentry = owner_check,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ }
};
static int __init owner_mt_init(void)
{
- return xt_register_match(&owner_mt_reg);
+ return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
static void __exit owner_mt_exit(void)
{
- xt_unregister_match(&owner_mt_reg);
+ xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
module_init(owner_mt_init);
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 343e65f377d44..130842c35c6fa 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -115,24 +115,33 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
return 0;
}
-static struct xt_match physdev_mt_reg __read_mostly = {
- .name = "physdev",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = physdev_mt_check,
- .match = physdev_mt,
- .matchsize = sizeof(struct xt_physdev_info),
- .me = THIS_MODULE,
+static struct xt_match physdev_mt_reg[] __read_mostly = {
+ {
+ .name = "physdev",
+ .family = NFPROTO_IPV4,
+ .checkentry = physdev_mt_check,
+ .match = physdev_mt,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "physdev",
+ .family = NFPROTO_IPV6,
+ .checkentry = physdev_mt_check,
+ .match = physdev_mt,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .me = THIS_MODULE,
+ },
};
static int __init physdev_mt_init(void)
{
- return xt_register_match(&physdev_mt_reg);
+ return xt_register_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
}
static void __exit physdev_mt_exit(void)
{
- xt_unregister_match(&physdev_mt_reg);
+ xt_unregister_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
}
module_init(physdev_mt_init);
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 6df485f4403d0..61b2f1e58d150 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -33,7 +33,7 @@ static struct xt_match realm_mt_reg __read_mostly = {
.matchsize = sizeof(struct xt_realm_info),
.hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |
(1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.me = THIS_MODULE
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 333/508] ipvs: fix MTU check for GSO packets in tunnel mode
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 332/508] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 334/508] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
` (176 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yingnan Zhang, Julian Anastasov,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yingnan Zhang <342144303@qq.com>
[ Upstream commit 67bf42cae41d847fd6e5749eb68278ca5d748b25 ]
Currently, IPVS skips MTU checks for GSO packets by excluding them with
the !skb_is_gso(skb) condition. This creates problems when IPVS tunnel
mode encapsulates GSO packets with IPIP headers.
The issue manifests in two ways:
1. MTU violation after encapsulation:
When a GSO packet passes through IPVS tunnel mode, the original MTU
check is bypassed. After adding the IPIP tunnel header, the packet
size may exceed the outgoing interface MTU, leading to unexpected
fragmentation at the IP layer.
2. Fragmentation with problematic IP IDs:
When net.ipv4.vs.pmtu_disc=1 and a GSO packet with multiple segments
is fragmented after encapsulation, each segment gets a sequentially
incremented IP ID (0, 1, 2, ...). This happens because:
a) The GSO packet bypasses MTU check and gets encapsulated
b) At __ip_finish_output, the oversized GSO packet is split into
separate SKBs (one per segment), with IP IDs incrementing
c) Each SKB is then fragmented again based on the actual MTU
This sequential IP ID allocation differs from the expected behavior
and can cause issues with fragment reassembly and packet tracking.
Fix this by properly validating GSO packets using
skb_gso_validate_network_len(). This function correctly validates
whether the GSO segments will fit within the MTU after segmentation. If
validation fails, send an ICMP Fragmentation Needed message to enable
proper PMTU discovery.
Fixes: 4cdd34084d53 ("netfilter: nf_conntrack_ipv6: improve fragmentation handling")
Signed-off-by: Yingnan Zhang <342144303@qq.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_xmit.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 2877706f0162f..819538d2e4600 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -103,6 +103,18 @@ __ip_vs_dst_check(struct ip_vs_dest *dest)
return dest_dst;
}
+/* Based on ip_exceeds_mtu(). */
+static bool ip_vs_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
+{
+ if (skb->len <= mtu)
+ return false;
+
+ if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
+ return false;
+
+ return true;
+}
+
static inline bool
__mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
{
@@ -112,10 +124,9 @@ __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
*/
if (IP6CB(skb)->frag_max_size > mtu)
return true; /* largest fragment violate MTU */
- }
- else if (skb->len > mtu && !skb_is_gso(skb)) {
+ } else if (ip_vs_exceeds_mtu(skb, mtu))
return true; /* Packet size violate MTU size */
- }
+
return false;
}
@@ -233,7 +244,7 @@ static inline bool ensure_mtu_is_adequate(struct netns_ipvs *ipvs, int skb_af,
return true;
if (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&
- skb->len > mtu && !skb_is_gso(skb) &&
+ ip_vs_exceeds_mtu(skb, mtu) &&
!ip_vs_iph_icmp(ipvsh))) {
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
htonl(mtu));
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 334/508] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 333/508] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 335/508] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
` (175 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit f5ca450087c3baf3651055e7a6de92600f827af3 ]
In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once
and passed by reference to nf_osf_match_one() for each fingerprint
checked. During TCP option parsing, nf_osf_match_one() advances the
shared ctx->optp pointer.
If a fingerprint perfectly matches, the function returns early without
restoring ctx->optp to its initial state. If the user has configured
NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint.
However, because ctx->optp was not restored, the next call to
nf_osf_match_one() starts parsing from the end of the options buffer.
This causes subsequent matches to read garbage data and fail
immediately, making it impossible to log more than one match or logging
incorrect matches.
Instead of using a shared ctx->optp pointer, pass the context as a
constant pointer and use a local pointer (optp) for TCP option
traversal. This makes nf_osf_match_one() strictly stateless from the
caller's perspective, ensuring every fingerprint check starts at the
correct option offset.
Fixes: 1a6a0951fc00 ("netfilter: nfnetlink_osf: add missing fmatch check")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 000a5c280ef96..2207bda442d54 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -64,9 +64,9 @@ struct nf_osf_hdr_ctx {
static bool nf_osf_match_one(const struct sk_buff *skb,
const struct nf_osf_user_finger *f,
int ttl_check,
- struct nf_osf_hdr_ctx *ctx)
+ const struct nf_osf_hdr_ctx *ctx)
{
- const __u8 *optpinit = ctx->optp;
+ const __u8 *optp = ctx->optp;
unsigned int check_WSS = 0;
int fmatch = FMATCH_WRONG;
int foptsize, optnum;
@@ -95,17 +95,17 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
check_WSS = f->wss.wc;
for (optnum = 0; optnum < f->opt_num; ++optnum) {
- if (f->opt[optnum].kind == *ctx->optp) {
+ if (f->opt[optnum].kind == *optp) {
__u32 len = f->opt[optnum].length;
- const __u8 *optend = ctx->optp + len;
+ const __u8 *optend = optp + len;
fmatch = FMATCH_OK;
- switch (*ctx->optp) {
+ switch (*optp) {
case OSFOPT_MSS:
- mss = ctx->optp[3];
+ mss = optp[3];
mss <<= 8;
- mss |= ctx->optp[2];
+ mss |= optp[2];
mss = ntohs((__force __be16)mss);
break;
@@ -113,7 +113,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
break;
}
- ctx->optp = optend;
+ optp = optend;
} else
fmatch = FMATCH_OPT_WRONG;
@@ -156,9 +156,6 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
}
}
- if (fmatch != FMATCH_OK)
- ctx->optp = optpinit;
-
return fmatch == FMATCH_OK;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 335/508] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 334/508] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 336/508] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
` (174 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501),
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 711987ba281fd806322a7cd244e98e2a81903114 ]
The nf_osf_ttl() function accessed skb->dev to perform a local interface
address lookup without verifying that the device pointer was valid.
Additionally, the implementation utilized an in_dev_for_each_ifa_rcu
loop to match the packet source address against local interface
addresses. It assumed that packets from the same subnet should not see a
decrement on the initial TTL. A packet might appear it is from the same
subnet but it actually isn't especially in modern environments with
containers and virtual switching.
Remove the device dereference and interface loop. Replace the logic with
a switch statement that evaluates the TTL according to the ttl_check.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Kito Xu (veritas501) <hxzene@gmail.com>
Closes: https://lore.kernel.org/netfilter-devel/20260414074556.2512750-1-hxzene@gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 2207bda442d54..6d3dfbeb398cb 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -31,26 +31,18 @@ EXPORT_SYMBOL_GPL(nf_osf_fingers);
static inline int nf_osf_ttl(const struct sk_buff *skb,
int ttl_check, unsigned char f_ttl)
{
- struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
const struct iphdr *ip = ip_hdr(skb);
- const struct in_ifaddr *ifa;
- int ret = 0;
- if (ttl_check == NF_OSF_TTL_TRUE)
+ switch (ttl_check) {
+ case NF_OSF_TTL_TRUE:
return ip->ttl == f_ttl;
- if (ttl_check == NF_OSF_TTL_NOCHECK)
- return 1;
- else if (ip->ttl <= f_ttl)
+ break;
+ case NF_OSF_TTL_NOCHECK:
return 1;
-
- in_dev_for_each_ifa_rcu(ifa, in_dev) {
- if (inet_ifa_match(ip->saddr, ifa)) {
- ret = (ip->ttl == f_ttl);
- break;
- }
+ case NF_OSF_TTL_LESS:
+ default:
+ return ip->ttl <= f_ttl;
}
-
- return ret;
}
struct nf_osf_hdr_ctx {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 336/508] slip: reject VJ receive packets on instances with no rstate array
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 335/508] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 337/508] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
` (173 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit e76607442d5b73e1ba6768f501ef815bb58c2c0e ]
slhc_init() accepts rslots == 0 as a valid configuration, with the
documented meaning of 'no receive compression'. In that case the
allocation loop in slhc_init() is skipped, so comp->rstate stays
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct
slcompress).
The receive helpers do not defend against that configuration.
slhc_uncompress() dereferences comp->rstate[x] when the VJ header
carries an explicit connection ID, and slhc_remember() later assigns
cs = &comp->rstate[...] after only comparing the packet's slot number
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the
range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID
stores its argument in a signed int, and (val >> 16) uses arithmetic
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path
is reachable from an unprivileged user namespace. Once the malformed
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed
frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
Call Trace:
<TASK>
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
ppp_input (drivers/net/ppp/ppp_generic.c:2359)
ppp_async_process (drivers/net/ppp/ppp_async.c:492)
tasklet_action_common (kernel/softirq.c:926)
handle_softirqs (kernel/softirq.c:623)
run_ksoftirqd (kernel/softirq.c:1055)
smpboot_thread_fn (kernel/smpboot.c:160)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:164)
</TASK>
Reject the receive side on such instances instead of touching rstate.
slhc_uncompress() falls through to its existing 'bad' label, which
bumps sls_i_error and enters the toss state. slhc_remember() mirrors
that with an explicit sls_i_error increment followed by slhc_toss();
the sls_i_runt counter is not used here because a missing rstate is
an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid
and slhc_compress() continues to work.
Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415204130.258866-2-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slhc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index bf9e801cc61cc..3474792a37a67 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -506,6 +506,8 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
comp->sls_i_error++;
return 0;
}
+ if (!comp->rstate)
+ goto bad;
changes = *cp++;
if(changes & NEW_C){
/* Make sure the state index is in range, then grab the state.
@@ -649,6 +651,10 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
struct cstate *cs;
unsigned int ihl;
+ if (!comp->rstate) {
+ comp->sls_i_error++;
+ return slhc_toss(comp);
+ }
/* The packet is shorter than a legal IP header.
* Also make sure isize is positive.
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 337/508] slip: bound decode() reads against the compressed packet length
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 336/508] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 338/508] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
` (172 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Weiming Shi,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 ]
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/netdev/20260414134126.758795-2-horms@kernel.org/
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260416100147.531855-5-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slhc.c | 43 ++++++++++++++++++++++++-----------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 3474792a37a67..ef586ab250747 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -80,9 +80,9 @@
#include <asm/unaligned.h>
static unsigned char *encode(unsigned char *cp, unsigned short n);
-static long decode(unsigned char **cpp);
+static long decode(unsigned char **cpp, const unsigned char *end);
static unsigned char * put16(unsigned char *cp, unsigned short x);
-static unsigned short pull16(unsigned char **cpp);
+static long pull16(unsigned char **cpp, const unsigned char *end);
/* Allocate compression data structure
* slots must be in range 0 to 255 (zero meaning no compression)
@@ -190,30 +190,34 @@ encode(unsigned char *cp, unsigned short n)
return cp;
}
-/* Pull a 16-bit integer in host order from buffer in network byte order */
-static unsigned short
-pull16(unsigned char **cpp)
+/* Pull a 16-bit integer in host order from buffer in network byte order.
+ * Returns -1 if the buffer is exhausted, otherwise the 16-bit value.
+ */
+static long
+pull16(unsigned char **cpp, const unsigned char *end)
{
- short rval;
+ long rval;
+ if (*cpp + 2 > end)
+ return -1;
rval = *(*cpp)++;
rval <<= 8;
rval |= *(*cpp)++;
return rval;
}
-/* Decode a number */
+/* Decode a number. Returns -1 if the buffer is exhausted. */
static long
-decode(unsigned char **cpp)
+decode(unsigned char **cpp, const unsigned char *end)
{
int x;
+ if (*cpp >= end)
+ return -1;
x = *(*cpp)++;
- if(x == 0){
- return pull16(cpp) & 0xffff; /* pull16 returns -1 on error */
- } else {
- return x & 0xff; /* -1 if PULLCHAR returned error */
- }
+ if (x == 0)
+ return pull16(cpp, end);
+ return x & 0xff;
}
/*
@@ -499,6 +503,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
struct cstate *cs;
int len, hdrlen;
unsigned char *cp = icp;
+ const unsigned char *end = icp + isize;
/* We've got a compressed packet; read the change byte */
comp->sls_i_compressed++;
@@ -536,6 +541,8 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
thp = &cs->cs_tcp;
ip = &cs->cs_ip;
+ if (cp + 2 > end)
+ goto bad;
thp->check = *(__sum16 *)cp;
cp += 2;
@@ -566,26 +573,26 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
default:
if(changes & NEW_U){
thp->urg = 1;
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->urg_ptr = htons(x);
} else
thp->urg = 0;
if(changes & NEW_W){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->window = htons( ntohs(thp->window) + x);
}
if(changes & NEW_A){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->ack_seq = htonl( ntohl(thp->ack_seq) + x);
}
if(changes & NEW_S){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->seq = htonl( ntohl(thp->seq) + x);
@@ -593,7 +600,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
break;
}
if(changes & NEW_I){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
ip->id = htons (ntohs (ip->id) + x);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 338/508] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 337/508] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 339/508] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
` (171 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jun Yan, Martin Blumenstingl,
Neil Armstrong, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jun Yan <jerrysteve1101@gmail.com>
[ Upstream commit 174a0ef3b33434f475c87e66f37980e39b73805a ]
Correct the interrupt number assigned to the Realtek PHY in the p230
following the same logic as commit 3106507e1004 ("ARM64: dts: meson-gxm:
fix q200 interrupt number"),as reported in [PATCH 0/2] Ethernet PHY
interrupt improvements [1].
[1] https://lore.kernel.org/all/20171202214037.17017-1-martin.blumenstingl@googlemail.com/
Fixes: b94d22d94ad2 ("ARM64: dts: meson-gx: add external PHY interrupt on some platforms")
Signed-off-by: Jun Yan <jerrysteve1101@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20260330145111.115318-1-jerrysteve1101@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
index c1470416faade..36e97ed585ae7 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
@@ -84,7 +84,8 @@ external_phy: ethernet-phy@0 {
reset-gpios = <&gpio GPIOZ_14 GPIO_ACTIVE_LOW>;
interrupt-parent = <&gpio_intc>;
- interrupts = <29 IRQ_TYPE_LEVEL_LOW>;
+ /* MAC_INTR on GPIOZ_15 */
+ interrupts = <25 IRQ_TYPE_LEVEL_LOW>;
eee-broken-1000t;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 339/508] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 338/508] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 340/508] ksmbd: Use struct_size() to improve smb_direct_rdma_xmit() Greg Kroah-Hartman
` (170 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit c049ee14eb4343b69b6f7755563f961f5e153423 ]
When per-session tree_conn_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from ksmbd_session_destroy() but no matching ida_destroy()
was added. The session is therefore freed with the IDA's backing
xarray still intact.
The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
enclosing session is freed.
Also move ida_init() to right after the session is allocated so that
it is always paired with the destroy call even on the early error
paths of __session_create() (ksmbd_init_file_table() or
__init_smb2_session() failures), both of which jump to the error
label and invoke ksmbd_session_destroy() on a partially initialised
session.
No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.
Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index e344475a41bd1..d0a13a5cccece 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -168,6 +168,7 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
free_channel_list(sess);
kfree(sess->Preauth_HashValue);
ksmbd_release_id(&session_ida, sess->id);
+ ida_destroy(&sess->tree_conn_ida);
kfree(sess);
}
@@ -438,6 +439,8 @@ static struct ksmbd_session *__session_create(int protocol)
if (!sess)
return NULL;
+ ida_init(&sess->tree_conn_ida);
+
if (ksmbd_init_file_table(&sess->file_table))
goto error;
@@ -456,8 +459,6 @@ static struct ksmbd_session *__session_create(int protocol)
if (ret)
goto error;
- ida_init(&sess->tree_conn_ida);
-
down_write(&sessions_table_lock);
hash_add(sessions_table, &sess->hlist, sess->id);
up_write(&sessions_table_lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 340/508] ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 339/508] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 341/508] ksmbd: add support for supplementary groups Greg Kroah-Hartman
` (169 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 9c383396362a4d1db99ed5240f4708d443361ef3 ]
Use struct_size() to calculate the number of bytes to allocate for a
new message.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: b32c8db48212 ("ksmbd: destroy async_ida in ksmbd_conn_free()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/transport_rdma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
index 3528ec33919d5..10ceade590529 100644
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -1407,8 +1407,8 @@ static int smb_direct_rdma_xmit(struct smb_direct_transport *t,
/* build rdma_rw_ctx for each descriptor */
desc_buf = buf;
for (i = 0; i < desc_num; i++) {
- msg = kzalloc(offsetof(struct smb_direct_rdma_rw_msg, sg_list) +
- sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL);
+ msg = kzalloc(struct_size(msg, sg_list, SG_CHUNK_SIZE),
+ GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
goto out;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 341/508] ksmbd: add support for supplementary groups
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 340/508] ksmbd: Use struct_size() to improve smb_direct_rdma_xmit() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 342/508] ksmbd: destroy async_ida in ksmbd_conn_free() Greg Kroah-Hartman
` (168 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Atte Heikkilä, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit a77e0e02af1c2db5fc040511aa78a58a52e116ab ]
Even though system user has a supplementary group, It gets
NT_STATUS_ACCESS_DENIED when attempting to create file or directory.
This patch add KSMBD_EVENT_LOGIN_REQUEST_EXT/RESPONSE_EXT netlink events
to get supplementary groups list. The new netlink event doesn't break
backward compatibility when using old ksmbd-tools.
Co-developed-by: Atte Heikkilä <atteh.mailbox@gmail.com>
Signed-off-by: Atte Heikkilä <atteh.mailbox@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: b32c8db48212 ("ksmbd: destroy async_ida in ksmbd_conn_free()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/auth.c | 6 ++-
fs/smb/server/ksmbd_netlink.h | 17 +++++++++
fs/smb/server/mgmt/user_config.c | 45 ++++++++++++++++++----
fs/smb/server/mgmt/user_config.h | 5 ++-
fs/smb/server/smb_common.c | 15 ++++++--
fs/smb/server/transport_ipc.c | 64 ++++++++++++++++++++++++++++++--
fs/smb/server/transport_ipc.h | 2 +
7 files changed, 137 insertions(+), 17 deletions(-)
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index d28b34e1d047a..825cc03692754 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -514,6 +514,7 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
int in_len, char *out_blob, int *out_len)
{
struct ksmbd_spnego_authen_response *resp;
+ struct ksmbd_login_response_ext *resp_ext = NULL;
struct ksmbd_user *user = NULL;
int retval;
@@ -542,7 +543,10 @@ int ksmbd_krb5_authenticate(struct ksmbd_session *sess, char *in_blob,
goto out;
}
- user = ksmbd_alloc_user(&resp->login_response);
+ if (resp->login_response.status & KSMBD_USER_FLAG_EXTENSION)
+ resp_ext = ksmbd_ipc_login_request_ext(resp->login_response.account);
+
+ user = ksmbd_alloc_user(&resp->login_response, resp_ext);
if (!user) {
ksmbd_debug(AUTH, "login failure\n");
retval = -ENOMEM;
diff --git a/fs/smb/server/ksmbd_netlink.h b/fs/smb/server/ksmbd_netlink.h
index 363501fc308aa..125ea1b9839ef 100644
--- a/fs/smb/server/ksmbd_netlink.h
+++ b/fs/smb/server/ksmbd_netlink.h
@@ -51,6 +51,9 @@
* - KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST/RESPONSE(ksmbd_spnego_authen_request/response)
* This event is to make kerberos authentication to be processed in
* userspace.
+ *
+ * - KSMBD_EVENT_LOGIN_REQUEST_EXT/RESPONSE_EXT(ksmbd_login_request_ext/response_ext)
+ * This event is to get user account extension info to user IPC daemon.
*/
#define KSMBD_GENL_NAME "SMBD_GENL"
@@ -147,6 +150,16 @@ struct ksmbd_login_response {
__u32 reserved[16]; /* Reserved room */
};
+/*
+ * IPC user login response extension.
+ */
+struct ksmbd_login_response_ext {
+ __u32 handle;
+ __s32 ngroups; /* supplementary group count */
+ __s8 reserved[128]; /* Reserved room */
+ __s8 ____payload[];
+};
+
/*
* IPC request to fetch net share config.
*/
@@ -308,6 +321,9 @@ enum ksmbd_event {
KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST,
KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE = 15,
+ KSMBD_EVENT_LOGIN_REQUEST_EXT,
+ KSMBD_EVENT_LOGIN_RESPONSE_EXT,
+
__KSMBD_EVENT_MAX,
KSMBD_EVENT_MAX = __KSMBD_EVENT_MAX - 1
};
@@ -338,6 +354,7 @@ enum KSMBD_TREE_CONN_STATUS {
#define KSMBD_USER_FLAG_BAD_USER BIT(3)
#define KSMBD_USER_FLAG_GUEST_ACCOUNT BIT(4)
#define KSMBD_USER_FLAG_DELAY_SESSION BIT(5)
+#define KSMBD_USER_FLAG_EXTENSION BIT(6)
/*
* Share config flags.
diff --git a/fs/smb/server/mgmt/user_config.c b/fs/smb/server/mgmt/user_config.c
index 279d00feff216..421a4a95e216a 100644
--- a/fs/smb/server/mgmt/user_config.c
+++ b/fs/smb/server/mgmt/user_config.c
@@ -12,6 +12,7 @@
struct ksmbd_user *ksmbd_login_user(const char *account)
{
struct ksmbd_login_response *resp;
+ struct ksmbd_login_response_ext *resp_ext = NULL;
struct ksmbd_user *user = NULL;
resp = ksmbd_ipc_login_request(account);
@@ -21,15 +22,19 @@ struct ksmbd_user *ksmbd_login_user(const char *account)
if (!(resp->status & KSMBD_USER_FLAG_OK))
goto out;
- user = ksmbd_alloc_user(resp);
+ if (resp->status & KSMBD_USER_FLAG_EXTENSION)
+ resp_ext = ksmbd_ipc_login_request_ext(account);
+
+ user = ksmbd_alloc_user(resp, resp_ext);
out:
kvfree(resp);
return user;
}
-struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
+struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp,
+ struct ksmbd_login_response_ext *resp_ext)
{
- struct ksmbd_user *user = NULL;
+ struct ksmbd_user *user;
user = kmalloc(sizeof(struct ksmbd_user), GFP_KERNEL);
if (!user)
@@ -44,18 +49,42 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp)
if (user->passkey)
memcpy(user->passkey, resp->hash, resp->hash_sz);
- if (!user->name || !user->passkey) {
- kfree(user->name);
- kfree(user->passkey);
- kfree(user);
- user = NULL;
+ user->ngroups = 0;
+ user->sgid = NULL;
+
+ if (!user->name || !user->passkey)
+ goto err_free;
+
+ if (resp_ext) {
+ if (resp_ext->ngroups > NGROUPS_MAX) {
+ pr_err("ngroups(%u) from login response exceeds max groups(%d)\n",
+ resp_ext->ngroups, NGROUPS_MAX);
+ goto err_free;
+ }
+
+ user->sgid = kmemdup(resp_ext->____payload,
+ resp_ext->ngroups * sizeof(gid_t),
+ GFP_KERNEL);
+ if (!user->sgid)
+ goto err_free;
+
+ user->ngroups = resp_ext->ngroups;
+ ksmbd_debug(SMB, "supplementary groups : %d\n", user->ngroups);
}
+
return user;
+
+err_free:
+ kfree(user->name);
+ kfree(user->passkey);
+ kfree(user);
+ return NULL;
}
void ksmbd_free_user(struct ksmbd_user *user)
{
ksmbd_ipc_logout_request(user->name, user->flags);
+ kfree(user->sgid);
kfree(user->name);
kfree(user->passkey);
kfree(user);
diff --git a/fs/smb/server/mgmt/user_config.h b/fs/smb/server/mgmt/user_config.h
index e068a19fd9049..8c227b8d49543 100644
--- a/fs/smb/server/mgmt/user_config.h
+++ b/fs/smb/server/mgmt/user_config.h
@@ -18,6 +18,8 @@ struct ksmbd_user {
size_t passkey_sz;
char *passkey;
+ int ngroups;
+ gid_t *sgid;
};
static inline bool user_guest(struct ksmbd_user *user)
@@ -60,7 +62,8 @@ static inline unsigned int user_gid(struct ksmbd_user *user)
}
struct ksmbd_user *ksmbd_login_user(const char *account);
-struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp);
+struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp,
+ struct ksmbd_login_response_ext *resp_ext);
void ksmbd_free_user(struct ksmbd_user *user);
int ksmbd_anonymous_user(struct ksmbd_user *user);
bool ksmbd_compare_user(struct ksmbd_user *u1, struct ksmbd_user *u2);
diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c
index 2839c704110cd..c64d1fc34d6bf 100644
--- a/fs/smb/server/smb_common.c
+++ b/fs/smb/server/smb_common.c
@@ -740,13 +740,15 @@ int __ksmbd_override_fsids(struct ksmbd_work *work,
struct ksmbd_share_config *share)
{
struct ksmbd_session *sess = work->sess;
+ struct ksmbd_user *user = sess->user;
struct cred *cred;
struct group_info *gi;
unsigned int uid;
unsigned int gid;
+ int i;
- uid = user_uid(sess->user);
- gid = user_gid(sess->user);
+ uid = user_uid(user);
+ gid = user_gid(user);
if (share->force_uid != KSMBD_SHARE_INVALID_UID)
uid = share->force_uid;
if (share->force_gid != KSMBD_SHARE_INVALID_GID)
@@ -759,11 +761,18 @@ int __ksmbd_override_fsids(struct ksmbd_work *work,
cred->fsuid = make_kuid(&init_user_ns, uid);
cred->fsgid = make_kgid(&init_user_ns, gid);
- gi = groups_alloc(0);
+ gi = groups_alloc(user->ngroups);
if (!gi) {
abort_creds(cred);
return -ENOMEM;
}
+
+ for (i = 0; i < user->ngroups; i++)
+ gi->gid[i] = make_kgid(&init_user_ns, user->sgid[i]);
+
+ if (user->ngroups)
+ groups_sort(gi);
+
set_groups(cred, gi);
put_group_info(gi);
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index 53bfcf57f167a..f0f93f76bc43d 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -120,6 +120,12 @@ static const struct nla_policy ksmbd_nl_policy[KSMBD_EVENT_MAX + 1] = {
},
[KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE] = {
},
+ [KSMBD_EVENT_LOGIN_REQUEST_EXT] = {
+ .len = sizeof(struct ksmbd_login_request),
+ },
+ [KSMBD_EVENT_LOGIN_RESPONSE_EXT] = {
+ .len = sizeof(struct ksmbd_login_response_ext),
+ },
};
static struct genl_ops ksmbd_genl_ops[] = {
@@ -187,6 +193,14 @@ static struct genl_ops ksmbd_genl_ops[] = {
.cmd = KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE,
.doit = handle_generic_event,
},
+ {
+ .cmd = KSMBD_EVENT_LOGIN_REQUEST_EXT,
+ .doit = handle_unsupported_event,
+ },
+ {
+ .cmd = KSMBD_EVENT_LOGIN_RESPONSE_EXT,
+ .doit = handle_generic_event,
+ },
};
static struct genl_family ksmbd_genl_family = {
@@ -198,7 +212,7 @@ static struct genl_family ksmbd_genl_family = {
.module = THIS_MODULE,
.ops = ksmbd_genl_ops,
.n_ops = ARRAY_SIZE(ksmbd_genl_ops),
- .resv_start_op = KSMBD_EVENT_SPNEGO_AUTHEN_RESPONSE + 1,
+ .resv_start_op = KSMBD_EVENT_LOGIN_RESPONSE_EXT + 1,
};
static void ksmbd_nl_init_fixup(void)
@@ -478,16 +492,24 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
{
unsigned int msg_sz = entry->msg_sz;
- if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
+ switch (entry->type) {
+ case KSMBD_EVENT_RPC_REQUEST:
+ {
struct ksmbd_rpc_command *resp = entry->response;
msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
- } else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
+ break;
+ }
+ case KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST:
+ {
struct ksmbd_spnego_authen_response *resp = entry->response;
msg_sz = sizeof(struct ksmbd_spnego_authen_response) +
resp->session_key_len + resp->spnego_blob_len;
- } else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {
+ break;
+ }
+ case KSMBD_EVENT_SHARE_CONFIG_REQUEST:
+ {
struct ksmbd_share_config_response *resp = entry->response;
if (resp->payload_sz) {
@@ -497,6 +519,17 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
msg_sz = sizeof(struct ksmbd_share_config_response) +
resp->payload_sz;
}
+ break;
+ }
+ case KSMBD_EVENT_LOGIN_REQUEST_EXT:
+ {
+ struct ksmbd_login_response_ext *resp = entry->response;
+
+ if (resp->ngroups) {
+ msg_sz = sizeof(struct ksmbd_login_response_ext) +
+ resp->ngroups * sizeof(gid_t);
+ }
+ }
}
return entry->msg_sz != msg_sz ? -EINVAL : 0;
@@ -582,6 +615,29 @@ struct ksmbd_login_response *ksmbd_ipc_login_request(const char *account)
return resp;
}
+struct ksmbd_login_response_ext *ksmbd_ipc_login_request_ext(const char *account)
+{
+ struct ksmbd_ipc_msg *msg;
+ struct ksmbd_login_request *req;
+ struct ksmbd_login_response_ext *resp;
+
+ if (strlen(account) >= KSMBD_REQ_MAX_ACCOUNT_NAME_SZ)
+ return NULL;
+
+ msg = ipc_msg_alloc(sizeof(struct ksmbd_login_request));
+ if (!msg)
+ return NULL;
+
+ msg->type = KSMBD_EVENT_LOGIN_REQUEST_EXT;
+ req = (struct ksmbd_login_request *)msg->payload;
+ req->handle = ksmbd_acquire_id(&ipc_ida);
+ strscpy(req->account, account, KSMBD_REQ_MAX_ACCOUNT_NAME_SZ);
+ resp = ipc_msg_send_request(msg, req->handle);
+ ipc_msg_handle_free(req->handle);
+ ipc_msg_free(msg);
+ return resp;
+}
+
struct ksmbd_spnego_authen_response *
ksmbd_ipc_spnego_authen_request(const char *spnego_blob, int blob_len)
{
diff --git a/fs/smb/server/transport_ipc.h b/fs/smb/server/transport_ipc.h
index 5e5b90a0c1879..d9b6737f8cd03 100644
--- a/fs/smb/server/transport_ipc.h
+++ b/fs/smb/server/transport_ipc.h
@@ -12,6 +12,8 @@
struct ksmbd_login_response *
ksmbd_ipc_login_request(const char *account);
+struct ksmbd_login_response_ext *
+ksmbd_ipc_login_request_ext(const char *account);
struct ksmbd_session;
struct ksmbd_share_config;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 342/508] ksmbd: destroy async_ida in ksmbd_conn_free()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 341/508] ksmbd: add support for supplementary groups Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 343/508] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open Greg Kroah-Hartman
` (167 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit b32c8db48212a34998c36d0bbc05b29d5c407ef5 ]
When per-connection async_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from the connection teardown path but no matching
ida_destroy() was added. The connection is therefore freed with the
IDA's backing xarray still intact.
The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
connection is freed.
No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.
Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/connection.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index a5209abb004a4..bbb0be5524dbe 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -41,6 +41,15 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
kfree(conn->preauth_info);
kfree(conn->mechToken);
if (atomic_dec_and_test(&conn->refcnt)) {
+ /*
+ * async_ida is embedded in struct ksmbd_conn, so pair
+ * ida_destroy() with the final kfree() rather than with
+ * the unconditional field teardown above. This keeps
+ * the IDA valid for the entire lifetime of the struct,
+ * even while other refcount holders (oplock / vfs
+ * durable handles) still reference the connection.
+ */
+ ida_destroy(&conn->async_ida);
conn->transport->ops->free_transport(conn->transport);
kfree(conn);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 343/508] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 342/508] ksmbd: destroy async_ida in ksmbd_conn_free() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 344/508] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
` (166 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit 804054d19886ac6628883d82410f6ee42a818664 ]
ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount
incremented via ksmbd_fp_get(). parse_durable_handle_context() in
the DURABLE_REQ_V2 case properly releases this reference on every
path inside the ClientGUID-match branch, either by calling
ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp
for a successful reconnect. However, when an entry exists in the
global file table with the same CreateGuid but a different
ClientGUID, the code simply falls through to the new-open path
without dropping the reference obtained from ksmbd_lookup_fd_cguid().
Per MS-SMB2 section 3.3.5.9.10 ("Handling the
SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server
MUST locate an Open whose Open.CreateGuid matches the request's
CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the
connection that received the request. If no such Open is found, the
server MUST continue with the normal open execution phase. A
CreateGuid hit with a ClientGUID mismatch is therefore the
"Open not found" case: proceeding with a new open is correct, but
the reference obtained purely as a side effect of the lookup must
not be leaked.
Repeated requests that hit this mismatch pin global_ft entries,
prevent __ksmbd_close_fd() from ever running for the corresponding
files, and defeat the durable scavenger, leading to long-lived
resource leaks.
Release the reference in the mismatch path and clear dh_info->fp so
subsequent logic does not mistake a non-matching lookup result for
a reconnect target.
Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 6c41a67be725d..d68fe617369e0 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2827,6 +2827,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
dh_info->reconnected = true;
goto out;
}
+ ksmbd_put_durable_fd(dh_info->fp);
+ dh_info->fp = NULL;
}
if ((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 344/508] ksmbd: scope conn->binding slowpath to bound sessions only
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 343/508] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 345/508] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
` (165 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit b0da97c034b6107d14e537e212d4ce8b22109a58 ]
When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.
The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index d0a13a5cccece..6c7fbd589087e 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -323,8 +323,13 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
struct ksmbd_session *sess;
sess = ksmbd_session_lookup(conn, id);
- if (!sess && conn->binding)
+ if (!sess && conn->binding) {
sess = ksmbd_session_lookup_slowpath(id);
+ if (sess && !xa_load(&sess->ksmbd_chann_list, (long)conn)) {
+ ksmbd_user_session_put(sess);
+ sess = NULL;
+ }
+ }
if (sess && sess->state != SMB2_SESSION_VALID) {
ksmbd_user_session_put(sess);
sess = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 345/508] net/rds: zero per-item info buffer before handing it to visitors
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 344/508] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 346/508] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
` (164 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Sharath Srinivasan, Allison Henderson, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit c88eb7e8d8397a8c1db59c425332c5a30b2a1682 ]
rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a
caller-allocated on-stack u64 buffer to a per-connection visitor and
then copy the full item_len bytes back to user space via
rds_info_copy() regardless of how much of the buffer the visitor
actually wrote.
rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only
write a subset of their output struct when the underlying
rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl
and the two GIDs via explicit memsets). Several u32 fields
(max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size,
cache_allocs) and the 2-byte alignment hole between sl and
cache_allocs remain as whatever stack contents preceded the visitor
call and are then memcpy_to_user()'d out to user space.
struct rds_info_rdma_connection and struct rds6_info_rdma_connection
are the only rds_info_* structs in include/uapi/linux/rds.h that are
not marked __attribute__((packed)), so they have a real alignment
hole. The other info visitors (rds_conn_info_visitor,
rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of
their packed output struct today and are not known to be vulnerable,
but a future visitor that adds a conditional write-path would have
the same bug.
Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y:
a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB,
binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on
any netdev is sufficient), sendto()'s any peer on the same subnet
(fails cleanly but installs an rds_connection in the global hash in
RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS,
RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26
bytes of stack garbage including kernel text/data pointers:
0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2
8..39 00 ... gids (memset-zeroed)
40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr)
48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max)
56..59 01 00 08 00 rdma_mr_size (garbage)
60..61 00 00 tos, sl
62..63 00 00 alignment padding
64..67 18 00 00 00 cache_allocs (garbage)
Fix by zeroing the per-item buffer in both rds_for_each_conn_info()
and rds_walk_conn_path_info() before invoking the visitor. This
covers the IPv4/IPv6 IB visitors and hardens all current and future
visitors against the same class of bug.
No functional change for visitors that fully populate their output.
Changes in v2:
- retarget at the net tree (subject prefix "[PATCH net v2]",
net/rds: prefix in the title)
- pick up Reviewed-by tags from Sharath Srinivasan and
Allison Henderson
Fixes: ec16227e1414 ("RDS/IB: Infiniband transport")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Allison Henderson <achender@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Link: https://patch.msgid.link/20260418141047.3398203-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/connection.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 98c0d5ff9de9c..cd41f83863c89 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -673,6 +673,13 @@ void rds_for_each_conn_info(struct socket *sock, unsigned int len,
i++, head++) {
hlist_for_each_entry_rcu(conn, head, c_hash_node) {
+ /* Zero the per-item buffer before handing it to the
+ * visitor so any field the visitor does not write -
+ * including implicit alignment padding - cannot leak
+ * stack contents to user space via rds_info_copy().
+ */
+ memset(buffer, 0, item_len);
+
/* XXX no c_lock usage.. */
if (!visitor(conn, buffer))
continue;
@@ -722,6 +729,13 @@ static void rds_walk_conn_path_info(struct socket *sock, unsigned int len,
*/
cp = conn->c_path;
+ /* Zero the per-item buffer for the same reason as
+ * rds_for_each_conn_info(): any byte the visitor
+ * does not write (including alignment padding) must
+ * not leak stack contents via rds_info_copy().
+ */
+ memset(buffer, 0, item_len);
+
/* XXX no cp_lock usage.. */
if (!visitor(cp, buffer))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 346/508] net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 345/508] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 347/508] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
` (163 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a6edf2cd4156b71e07258876b7626692e158f7e8 ]
hhf_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421143349.4052215-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_hhf.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c
index 83fc44f20e31c..67b555c02f2c0 100644
--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -198,7 +198,8 @@ static struct hh_flow_state *seek_list(const u32 hash,
return NULL;
list_del(&flow->flowchain);
kfree(flow);
- q->hh_flows_current_cnt--;
+ WRITE_ONCE(q->hh_flows_current_cnt,
+ q->hh_flows_current_cnt - 1);
} else if (flow->hash_id == hash) {
return flow;
}
@@ -226,7 +227,7 @@ static struct hh_flow_state *alloc_new_hh(struct list_head *head,
}
if (q->hh_flows_current_cnt >= q->hh_flows_limit) {
- q->hh_flows_overlimit++;
+ WRITE_ONCE(q->hh_flows_overlimit, q->hh_flows_overlimit + 1);
return NULL;
}
/* Create new entry. */
@@ -234,7 +235,7 @@ static struct hh_flow_state *alloc_new_hh(struct list_head *head,
if (!flow)
return NULL;
- q->hh_flows_current_cnt++;
+ WRITE_ONCE(q->hh_flows_current_cnt, q->hh_flows_current_cnt + 1);
INIT_LIST_HEAD(&flow->flowchain);
list_add_tail(&flow->flowchain, head);
@@ -309,7 +310,7 @@ static enum wdrr_bucket_idx hhf_classify(struct sk_buff *skb, struct Qdisc *sch)
return WDRR_BUCKET_FOR_NON_HH;
flow->hash_id = hash;
flow->hit_timestamp = now;
- q->hh_flows_total_cnt++;
+ WRITE_ONCE(q->hh_flows_total_cnt, q->hh_flows_total_cnt + 1);
/* By returning without updating counters in q->hhf_arrays,
* we implicitly implement "shielding" (see Optimization O1).
@@ -403,7 +404,7 @@ static int hhf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return NET_XMIT_SUCCESS;
prev_backlog = sch->qstats.backlog;
- q->drop_overlimit++;
+ WRITE_ONCE(q->drop_overlimit, q->drop_overlimit + 1);
/* Return Congestion Notification only if we dropped a packet from this
* bucket.
*/
@@ -678,10 +679,10 @@ static int hhf_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct hhf_sched_data *q = qdisc_priv(sch);
struct tc_hhf_xstats st = {
- .drop_overlimit = q->drop_overlimit,
- .hh_overlimit = q->hh_flows_overlimit,
- .hh_tot_count = q->hh_flows_total_cnt,
- .hh_cur_count = q->hh_flows_current_cnt,
+ .drop_overlimit = READ_ONCE(q->drop_overlimit),
+ .hh_overlimit = READ_ONCE(q->hh_flows_overlimit),
+ .hh_tot_count = READ_ONCE(q->hh_flows_total_cnt),
+ .hh_cur_count = READ_ONCE(q->hh_flows_current_cnt),
};
return gnet_stats_copy_app(d, &st, sizeof(st));
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 347/508] net/sched: sch_pie: annotate data-races in pie_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 346/508] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 348/508] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
` (162 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5154561d9b119f781249f8e845fecf059b38b483 ]
pie_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_pie_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142944.4009941-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/pie.h | 2 +-
net/sched/sch_pie.c | 38 +++++++++++++++++++-------------------
2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/include/net/pie.h b/include/net/pie.h
index 01cbc66825a40..1f3db0c355149 100644
--- a/include/net/pie.h
+++ b/include/net/pie.h
@@ -104,7 +104,7 @@ static inline void pie_vars_init(struct pie_vars *vars)
vars->dq_tstamp = DTIME_INVALID;
vars->accu_prob = 0;
vars->dq_count = DQCOUNT_INVALID;
- vars->avg_dq_rate = 0;
+ WRITE_ONCE(vars->avg_dq_rate, 0);
}
static inline struct pie_skb_cb *get_pie_cb(const struct sk_buff *skb)
diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
index 48c5ab8ec143c..4c69b44fc3aa8 100644
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -89,7 +89,7 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
bool enqueue = false;
if (unlikely(qdisc_qlen(sch) >= sch->limit)) {
- q->stats.overlimit++;
+ WRITE_ONCE(q->stats.overlimit, q->stats.overlimit + 1);
goto out;
}
@@ -101,7 +101,7 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* If packet is ecn capable, mark it if drop probability
* is lower than 10%, else drop it.
*/
- q->stats.ecn_mark++;
+ WRITE_ONCE(q->stats.ecn_mark, q->stats.ecn_mark + 1);
enqueue = true;
}
@@ -111,15 +111,15 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (!q->params.dq_rate_estimator)
pie_set_enqueue_time(skb);
- q->stats.packets_in++;
+ WRITE_ONCE(q->stats.packets_in, q->stats.packets_in + 1);
if (qdisc_qlen(sch) > q->stats.maxq)
- q->stats.maxq = qdisc_qlen(sch);
+ WRITE_ONCE(q->stats.maxq, qdisc_qlen(sch));
return qdisc_enqueue_tail(skb, sch);
}
out:
- q->stats.dropped++;
+ WRITE_ONCE(q->stats.dropped, q->stats.dropped + 1);
q->vars.accu_prob = 0;
return qdisc_drop(skb, sch, to_free);
}
@@ -260,11 +260,11 @@ void pie_process_dequeue(struct sk_buff *skb, struct pie_params *params,
count = count / dtime;
if (vars->avg_dq_rate == 0)
- vars->avg_dq_rate = count;
+ WRITE_ONCE(vars->avg_dq_rate, count);
else
- vars->avg_dq_rate =
+ WRITE_ONCE(vars->avg_dq_rate,
(vars->avg_dq_rate -
- (vars->avg_dq_rate >> 3)) + (count >> 3);
+ (vars->avg_dq_rate >> 3)) + (count >> 3));
/* If the queue has receded below the threshold, we hold
* on to the last drain rate calculated, else we reset
@@ -374,7 +374,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (delta > 0) {
/* prevent overflow */
if (vars->prob < oldprob) {
- vars->prob = MAX_PROB;
+ WRITE_ONCE(vars->prob, MAX_PROB);
/* Prevent normalization error. If probability is at
* maximum value already, we normalize it here, and
* skip the check to do a non-linear drop in the next
@@ -385,7 +385,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
} else {
/* prevent underflow */
if (vars->prob > oldprob)
- vars->prob = 0;
+ WRITE_ONCE(vars->prob, 0);
}
/* Non-linear drop in probability: Reduce drop probability quickly if
@@ -396,7 +396,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
/* Reduce drop probability to 98.4% */
vars->prob -= vars->prob / 64;
- vars->qdelay = qdelay;
+ WRITE_ONCE(vars->qdelay, qdelay);
vars->backlog_old = backlog;
/* We restart the measurement cycle if the following conditions are met
@@ -494,21 +494,21 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
struct pie_sched_data *q = qdisc_priv(sch);
struct tc_pie_xstats st = {
.prob = q->vars.prob << BITS_PER_BYTE,
- .delay = ((u32)PSCHED_TICKS2NS(q->vars.qdelay)) /
+ .delay = ((u32)PSCHED_TICKS2NS(READ_ONCE(q->vars.qdelay))) /
NSEC_PER_USEC,
- .packets_in = q->stats.packets_in,
- .overlimit = q->stats.overlimit,
- .maxq = q->stats.maxq,
- .dropped = q->stats.dropped,
- .ecn_mark = q->stats.ecn_mark,
+ .packets_in = READ_ONCE(q->stats.packets_in),
+ .overlimit = READ_ONCE(q->stats.overlimit),
+ .maxq = READ_ONCE(q->stats.maxq),
+ .dropped = READ_ONCE(q->stats.dropped),
+ .ecn_mark = READ_ONCE(q->stats.ecn_mark),
};
/* avg_dq_rate is only valid if dq_rate_estimator is enabled */
st.dq_rate_estimating = q->params.dq_rate_estimator;
/* unscale and return dq_rate in bytes per sec */
- if (q->params.dq_rate_estimator)
- st.avg_dq_rate = q->vars.avg_dq_rate *
+ if (st.dq_rate_estimating)
+ st.avg_dq_rate = READ_ONCE(q->vars.avg_dq_rate) *
(PSCHED_TICKS_PER_SEC) >> PIE_SCALE;
return gnet_stats_copy_app(d, &st, sizeof(st));
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 348/508] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 347/508] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 349/508] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
` (161 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit bbfaa73ea6871db03dc05d7f05f00557a8981f25 ]
fq_codel_dump_stats() acquires the qdisc spinlock a bit too late.
Move this acquisition before we fill st.qdisc_stats with live data.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142509.3967231-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_fq_codel.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 47b5a056165cb..056895df17854 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -568,6 +568,8 @@ static int fq_codel_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
};
struct list_head *pos;
+ sch_tree_lock(sch);
+
st.qdisc_stats.maxpacket = q->cstats.maxpacket;
st.qdisc_stats.drop_overlimit = q->drop_overlimit;
st.qdisc_stats.ecn_mark = q->cstats.ecn_mark;
@@ -576,7 +578,6 @@ static int fq_codel_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
st.qdisc_stats.memory_usage = q->memory_usage;
st.qdisc_stats.drop_overmemory = q->drop_overmemory;
- sch_tree_lock(sch);
list_for_each(pos, &q->new_flows)
st.qdisc_stats.new_flows_len++;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 349/508] net/sched: sch_red: annotate data-races in red_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 348/508] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 350/508] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
` (160 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a8f5192809caf636d05ba47c144f282cfd0e3839 ]
red_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_red_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142309.3964322-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_red.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index ea3580d1d19e8..5348b61053068 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -89,17 +89,20 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
case RED_PROB_MARK:
qdisc_qstats_overlimit(sch);
if (!red_use_ecn(q)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
if (INET_ECN_set_ce(skb)) {
- q->stats.prob_mark++;
+ WRITE_ONCE(q->stats.prob_mark,
+ q->stats.prob_mark + 1);
skb = tcf_qevent_handle(&q->qe_mark, sch, skb, to_free, &ret);
if (!skb)
return NET_XMIT_CN | ret;
} else if (!red_use_nodrop(q)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
@@ -109,17 +112,20 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
case RED_HARD_MARK:
qdisc_qstats_overlimit(sch);
if (red_use_harddrop(q) || !red_use_ecn(q)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
if (INET_ECN_set_ce(skb)) {
- q->stats.forced_mark++;
+ WRITE_ONCE(q->stats.forced_mark,
+ q->stats.forced_mark + 1);
skb = tcf_qevent_handle(&q->qe_mark, sch, skb, to_free, &ret);
if (!skb)
return NET_XMIT_CN | ret;
} else if (!red_use_nodrop(q)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
@@ -133,7 +139,8 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
sch->qstats.backlog += len;
sch->q.qlen++;
} else if (net_xmit_drop_count(ret)) {
- q->stats.pdrop++;
+ WRITE_ONCE(q->stats.pdrop,
+ q->stats.pdrop + 1);
qdisc_qstats_drop(sch);
}
return ret;
@@ -461,9 +468,13 @@ static int red_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED,
&hw_stats_request);
}
- st.early = q->stats.prob_drop + q->stats.forced_drop;
- st.pdrop = q->stats.pdrop;
- st.marked = q->stats.prob_mark + q->stats.forced_mark;
+ st.early = READ_ONCE(q->stats.prob_drop) +
+ READ_ONCE(q->stats.forced_drop);
+
+ st.pdrop = READ_ONCE(q->stats.pdrop);
+
+ st.marked = READ_ONCE(q->stats.prob_mark) +
+ READ_ONCE(q->stats.forced_mark);
return gnet_stats_copy_app(d, &st, sizeof(st));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 350/508] net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 349/508] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 351/508] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
` (159 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ada03fdef82d3d7d2edb9dcd3acc91917675e48 ]
sfb_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_sfb_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260421141655.3953721-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfb.c | 54 +++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 22 deletions(-)
diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index 1871a1c0224d4..ce67826fdf9b6 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -130,7 +130,7 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q)
sfbhash >>= SFB_BUCKET_SHIFT;
if (b[hash].qlen < 0xFFFF)
- b[hash].qlen++;
+ WRITE_ONCE(b[hash].qlen, b[hash].qlen + 1);
b += SFB_NUMBUCKETS; /* next level */
}
}
@@ -159,7 +159,7 @@ static void decrement_one_qlen(u32 sfbhash, u32 slot,
sfbhash >>= SFB_BUCKET_SHIFT;
if (b[hash].qlen > 0)
- b[hash].qlen--;
+ WRITE_ONCE(b[hash].qlen, b[hash].qlen - 1);
b += SFB_NUMBUCKETS; /* next level */
}
}
@@ -179,12 +179,12 @@ static void decrement_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
static void decrement_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
{
- b->p_mark = prob_minus(b->p_mark, q->decrement);
+ WRITE_ONCE(b->p_mark, prob_minus(b->p_mark, q->decrement));
}
static void increment_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
{
- b->p_mark = prob_plus(b->p_mark, q->increment);
+ WRITE_ONCE(b->p_mark, prob_plus(b->p_mark, q->increment));
}
static void sfb_zero_all_buckets(struct sfb_sched_data *q)
@@ -202,11 +202,14 @@ static u32 sfb_compute_qlen(u32 *prob_r, u32 *avgpm_r, const struct sfb_sched_da
const struct sfb_bucket *b = &q->bins[q->slot].bins[0][0];
for (i = 0; i < SFB_LEVELS * SFB_NUMBUCKETS; i++) {
- if (qlen < b->qlen)
- qlen = b->qlen;
- totalpm += b->p_mark;
- if (prob < b->p_mark)
- prob = b->p_mark;
+ u32 b_qlen = READ_ONCE(b->qlen);
+ u32 b_mark = READ_ONCE(b->p_mark);
+
+ if (qlen < b_qlen)
+ qlen = b_qlen;
+ totalpm += b_mark;
+ if (prob < b_mark)
+ prob = b_mark;
b++;
}
*prob_r = prob;
@@ -294,7 +297,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (unlikely(sch->q.qlen >= q->limit)) {
qdisc_qstats_overlimit(sch);
- q->stats.queuedrop++;
+ WRITE_ONCE(q->stats.queuedrop,
+ q->stats.queuedrop + 1);
goto drop;
}
@@ -347,7 +351,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (unlikely(minqlen >= q->max)) {
qdisc_qstats_overlimit(sch);
- q->stats.bucketdrop++;
+ WRITE_ONCE(q->stats.bucketdrop,
+ q->stats.bucketdrop + 1);
goto drop;
}
@@ -373,7 +378,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
}
if (sfb_rate_limit(skb, q)) {
qdisc_qstats_overlimit(sch);
- q->stats.penaltydrop++;
+ WRITE_ONCE(q->stats.penaltydrop,
+ q->stats.penaltydrop + 1);
goto drop;
}
goto enqueue;
@@ -388,14 +394,17 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
* In either case, we want to start dropping packets.
*/
if (r < (p_min - SFB_MAX_PROB / 2) * 2) {
- q->stats.earlydrop++;
+ WRITE_ONCE(q->stats.earlydrop,
+ q->stats.earlydrop + 1);
goto drop;
}
}
if (INET_ECN_set_ce(skb)) {
- q->stats.marked++;
+ WRITE_ONCE(q->stats.marked,
+ q->stats.marked + 1);
} else {
- q->stats.earlydrop++;
+ WRITE_ONCE(q->stats.earlydrop,
+ q->stats.earlydrop + 1);
goto drop;
}
}
@@ -408,7 +417,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
sch->q.qlen++;
increment_qlen(&cb, q);
} else if (net_xmit_drop_count(ret)) {
- q->stats.childdrop++;
+ WRITE_ONCE(q->stats.childdrop,
+ q->stats.childdrop + 1);
qdisc_qstats_drop(sch);
}
return ret;
@@ -597,12 +607,12 @@ static int sfb_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct sfb_sched_data *q = qdisc_priv(sch);
struct tc_sfb_xstats st = {
- .earlydrop = q->stats.earlydrop,
- .penaltydrop = q->stats.penaltydrop,
- .bucketdrop = q->stats.bucketdrop,
- .queuedrop = q->stats.queuedrop,
- .childdrop = q->stats.childdrop,
- .marked = q->stats.marked,
+ .earlydrop = READ_ONCE(q->stats.earlydrop),
+ .penaltydrop = READ_ONCE(q->stats.penaltydrop),
+ .bucketdrop = READ_ONCE(q->stats.bucketdrop),
+ .queuedrop = READ_ONCE(q->stats.queuedrop),
+ .childdrop = READ_ONCE(q->stats.childdrop),
+ .marked = READ_ONCE(q->stats.marked),
};
st.maxqlen = sfb_compute_qlen(&st.maxprob, &st.avgprob, q);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 351/508] net: dsa: realtek: rtl8365mb: fix mode mask calculation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 350/508] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 352/508] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
` (158 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdulkader Alrezej,
Mieczyslaw Nalewaj, Luiz Angelo Daros de Luca, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit 0c078021d3861966614d5e594ee03587f0c9e74d ]
The RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_MASK macro was shifting
the 4-bit mask (0xF) by only (_extint % 2) bits instead of
(_extint % 2) * 4. This caused the mask to overlap with the adjacent
nibble when configuring odd-numbered external interfaces, selecting
the wrong bits entirely.
Align the shift calculation with the existing ...MODE_OFFSET macro.
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Abdulkader Alrezej <alrazj.abdulkader@gmail.com>
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Reviewed-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Link: https://patch.msgid.link/400a6387-a444-4576-af6d-26be5410bce3@yahoo.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index 9d59d93807825..625d1d4d17a20 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -213,7 +213,7 @@
(_extint) == 2 ? RTL8365MB_DIGITAL_INTERFACE_SELECT_REG1 : \
0x0)
#define RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_MASK(_extint) \
- (0xF << (((_extint) % 2)))
+ (0xF << (((_extint) % 2) * 4))
#define RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_OFFSET(_extint) \
(((_extint) % 2) * 4)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 352/508] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 351/508] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 353/508] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
` (157 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 4078c5611d7585548b249377ebd60c272e410490 ]
There is a mismatch between the passed arguments and the actual
nfp_encode_basic_qdr() function parameter names:
static int nfp_encode_basic_qdr(u64 addr, int dest_island, int cpp_tgt,
int mode, bool addr40, int isld1,
int isld0)
{
...
But "dest_island" and "cpp_tgt" are swapped at every call-site.
For example:
return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
mode, addr40, isld1, isld0);
As a result, nfp_encode_basic_qdr() receives "dest_island" as CPP target
type, which is always NFP_CPP_TARGET_QDR(2) for these calls, and "cpp_tgt"
as the destination island ID, which can accidentally match or be outside
the valid NFP_CPP_TARGET_* types (e.g. '-1' for any destination).
Since code already worked for years, also add extra pr_warn() to error
paths in nfp_encode_basic_qdr() to help identify any potential address
verification failures.
Detected using the static analysis tool - Svace.
Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Link: https://patch.msgid.link/20260422160536.61855-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/netronome/nfp/nfpcore/nfp_target.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
index 79470f198a62a..9cf19446657c6 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
@@ -435,12 +435,17 @@ static int nfp_encode_basic_qdr(u64 addr, int dest_island, int cpp_tgt,
/* Full Island ID and channel bits overlap? */
ret = nfp_decode_basic(addr, &v, cpp_tgt, mode, addr40, isld1, isld0);
- if (ret)
+ if (ret) {
+ pr_warn("%s: decode dest_island failed: %d\n", __func__, ret);
return ret;
+ }
/* The current address won't go where expected? */
- if (dest_island != -1 && dest_island != v)
+ if (dest_island != -1 && dest_island != v) {
+ pr_warn("%s: dest_island mismatch: current (%d) != decoded (%d)\n",
+ __func__, dest_island, v);
return -EINVAL;
+ }
/* If dest_island was -1, we don't care where it goes. */
return 0;
@@ -493,7 +498,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* the address but we can verify if the existing
* contents will point to a valid island.
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
iid_lsb = addr40 ? 34 : 26;
@@ -504,7 +509,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
return 0;
case 1:
if (cpp_tgt == NFP_CPP_TARGET_QDR && !addr40)
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
idx_lsb = addr40 ? 39 : 31;
@@ -530,7 +535,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* be set before hand and with them select an island.
* So we need to confirm that it's at least plausible.
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
/* Make sure we compare against isldN values
@@ -551,7 +556,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* iid<1> = addr<30> = channel<0>
* channel<1> = addr<31> = Index
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
isld[0] &= ~3;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 353/508] tipc: fix double-free in tipc_buf_append()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 352/508] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 354/508] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
` (156 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tung Nguyen, Lee Jones,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
[ Upstream commit d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a ]
tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.
If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.
Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.
Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
Suggested-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/msg.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 76284fc538ebd..b0bba0feef564 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
if (fragid == LAST_FRAGMENT) {
TIPC_SKB_CB(head)->validated = 0;
- if (unlikely(!tipc_msg_validate(&head)))
+
+ /* If the reassembled skb has been freed in
+ * tipc_msg_validate() because of an invalid truesize,
+ * then head will point to a newly allocated reassembled
+ * skb, while *headbuf points to freed reassembled skb.
+ * In such cases, correct *headbuf for freeing the newly
+ * allocated reassembled skb later.
+ */
+ if (unlikely(!tipc_msg_validate(&head))) {
+ if (head != *headbuf)
+ *headbuf = head;
goto err;
+ }
+
*buf = head;
TIPC_SKB_CB(head)->tail = NULL;
*headbuf = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 354/508] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 353/508] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 355/508] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
` (155 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6985cb8e543ea90ba8ee,
Kohei Enju, Michael S. Tsirkin, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit e08a9fac5cf8c3fecf4755e7e3ac059f78b8f83d ]
syzbot reported "sleeping function called from invalid context" in
vhost_net_busy_poll().
Commit 030881372460 ("vhost_net: basic polling support") introduced a
busy-poll loop and preempt_{disable,enable}() around it, where each
iteration calls a sleepable function inside the loop.
The purpose of disabling preemption was to keep local_clock()-based
timeout accounting on a single CPU, rather than as a requirement of
busy-poll itself:
https://lore.kernel.org/1448435489-5949-4-git-send-email-jasowang@redhat.com
>From this perspective, migrate_disable() is sufficient here, so replace
preempt_disable() with migrate_disable(), avoiding sleepable accesses
from a preempt-disabled context.
Fixes: 030881372460 ("vhost_net: basic polling support")
Tested-by: syzbot+6985cb8e543ea90ba8ee@syzkaller.appspotmail.com
Reported-by: syzbot+6985cb8e543ea90ba8ee@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e6a414.050a0220.24bfd3.002d.GAE@google.com/T/
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 5ad237d77a9a9..b26d9a8e4e055 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -547,7 +547,7 @@ static void vhost_net_busy_poll(struct vhost_net *net,
busyloop_timeout = poll_rx ? rvq->busyloop_timeout:
tvq->busyloop_timeout;
- preempt_disable();
+ migrate_disable();
endtime = busy_clock() + busyloop_timeout;
while (vhost_can_busy_poll(endtime)) {
@@ -564,7 +564,7 @@ static void vhost_net_busy_poll(struct vhost_net *net,
cpu_relax();
}
- preempt_enable();
+ migrate_enable();
if (poll_rx || sock_has_rx_data(sock))
vhost_net_busy_poll_try_queue(net, vq);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 355/508] fs/adfs: validate nzones in adfs_validate_bblk()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 354/508] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 356/508] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
` (154 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bae Yeonju, Russell King (Oracle),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bae Yeonju <iwasbaeyz@gmail.com>
[ Upstream commit dd9d3e16c2d5fa166e13dce07413be51f42c8f5d ]
Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.
When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.
adfs_validate_dr0() already rejects nzones != 1 for old-format
images. Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.
Found by syzkaller.
Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/adfs/super.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index e8bfc38239cd5..76e37c6d4cad4 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -343,6 +343,9 @@ static int adfs_validate_bblk(struct super_block *sb, struct buffer_head *bh,
if (adfs_checkdiscrecord(dr))
return -EILSEQ;
+ if ((dr->nzones | dr->nzones_high << 8) == 0)
+ return -EILSEQ;
+
*drp = dr;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 356/508] rtc: abx80x: Disable alarm feature if no interrupt attached
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 355/508] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 357/508] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
` (153 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthony Pighin, Alexandre Belloni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Pighin (Nokia) <anthony.pighin@nokia.com>
[ Upstream commit 0fedce7244e4b85c049ce579c87e298a1b0b811d ]
Commit 795cda8338ea ("rtc: interface: Fix long-standing race when setting
alarm") exposed an issue where the rtc-abx80x driver does not clear the
alarm feature bit, but instead relies on the set_alarm operation to return
invalid.
For example, when a RTC_UIE_ON ioctl is handled, it should abort at the
feature validation. Instead, it proceeds to the rtc_timer_enqueue(),
which used to return an error from the set_alarm call. However,
following the race condition handling, which likely should not be
discarding predecing errors, a success condition is returned to the
ioctl() caller. This results in (for example):
hwclock: select() to /dev/rtc0 to wait for clock tick timed out
Notwithstanding the validity of the race condition handling, if an interrupt
wasn't specified, or could not be attached, the driver should clear the
alarm feature bit.
Fixes: 718a820a303c ("rtc: abx80x: add alarm support")
Signed-off-by: Anthony Pighin <anthony.pighin@nokia.com>
Link: https://patch.msgid.link/BN0PR08MB69510928028C933749F4139383D1A@BN0PR08MB6951.namprd08.prod.outlook.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-abx80x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/rtc/rtc-abx80x.c b/drivers/rtc/rtc-abx80x.c
index 3fee27914ba80..5f3a3e60a19d0 100644
--- a/drivers/rtc/rtc-abx80x.c
+++ b/drivers/rtc/rtc-abx80x.c
@@ -933,6 +933,8 @@ static int abx80x_probe(struct i2c_client *client)
client->irq = 0;
}
}
+ if (client->irq <= 0)
+ clear_bit(RTC_FEATURE_ALARM, priv->rtc->features);
err = rtc_add_group(priv->rtc, &rtc_calib_attr_group);
if (err) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 357/508] fbdev: offb: fix PCI device reference leak on probe failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.6 356/508] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 358/508] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
` (152 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Ijae Kim, Taegyu Kim,
Yuho Choi, Helge Deller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
[ Upstream commit 869b93ba04088713596e68453c1146f52f713290 ]
offb_init_nodriver() gets a referenced PCI device with pci_get_device().
If pci_enable_device() fails, the function returns without dropping that
reference.
Release the PCI device reference before returning from the
pci_enable_device() failure path.
Fixes: 5bda8f7b5468 ("video: fbdev: offb: Call pci_enable_device() before using the PCI VGA device")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/offb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
index dcb1b81d35db5..0e81d68378935 100644
--- a/drivers/video/fbdev/offb.c
+++ b/drivers/video/fbdev/offb.c
@@ -643,8 +643,13 @@ static void offb_init_nodriver(struct platform_device *parent, struct device_nod
vid = be32_to_cpup(vidp);
did = be32_to_cpup(didp);
pdev = pci_get_device(vid, did, NULL);
- if (!pdev || pci_enable_device(pdev))
+ if (!pdev)
return;
+
+ if (pci_enable_device(pdev)) {
+ pci_dev_put(pdev);
+ return;
+ }
}
#endif
/* kludge for valkyrie */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 358/508] mailbox: mailbox-test: free channels on probe error
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 357/508] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 359/508] sched/psi: fix race between file release and pressure write Greg Kroah-Hartman
` (151 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c02053a9055d5fdfd32432287cca8958db1d5bc5 ]
On probe error, free the previously obtained channels. This not only
prevents a leak, but also UAF scenarios because the client structure
will be removed nonetheless because it was allocated with devm.
Link: https://sashiko.dev/#/patchset/20260327151217.5327-2-wsa%2Brenesas%40sang-engineering.com
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 6bdee87f30836..6d431a8b275c7 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -404,18 +404,27 @@ static int mbox_test_probe(struct platform_device *pdev)
if (tdev->rx_channel) {
tdev->rx_buffer = devm_kzalloc(&pdev->dev,
MBOX_MAX_MSG_LEN, GFP_KERNEL);
- if (!tdev->rx_buffer)
- return -ENOMEM;
+ if (!tdev->rx_buffer) {
+ ret = -ENOMEM;
+ goto err_free_chans;
+ }
}
ret = mbox_test_add_debugfs(pdev, tdev);
if (ret)
- return ret;
+ goto err_free_chans;
init_waitqueue_head(&tdev->waitq);
dev_info(&pdev->dev, "Successfully registered\n");
return 0;
+
+err_free_chans:
+ if (tdev->tx_channel)
+ mbox_free_channel(tdev->tx_channel);
+ if (tdev->rx_channel)
+ mbox_free_channel(tdev->rx_channel);
+ return ret;
}
static int mbox_test_remove(struct platform_device *pdev)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 359/508] sched/psi: fix race between file release and pressure write
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 358/508] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 360/508] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
` (150 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+33e571025d88efd1312c,
Edward Adam Davis, Chen Ridong, Tejun Heo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
A potential race condition exists between pressure write and cgroup file
release regarding the priv member of struct kernfs_open_file, which
triggers the uaf reported in [1].
Consider the following scenario involving execution on two separate CPUs:
CPU0 CPU1
==== ====
vfs_rmdir()
kernfs_iop_rmdir()
cgroup_rmdir()
cgroup_kn_lock_live()
cgroup_destroy_locked()
cgroup_addrm_files()
cgroup_rm_file()
kernfs_remove_by_name()
kernfs_remove_by_name_ns()
vfs_write() __kernfs_remove()
new_sync_write() kernfs_drain()
kernfs_fop_write_iter() kernfs_drain_open_files()
cgroup_file_write() kernfs_release_file()
pressure_write() cgroup_file_release()
ctx = of->priv;
kfree(ctx);
of->priv = NULL;
cgroup_kn_unlock()
cgroup_kn_lock_live()
cgroup_get(cgrp)
cgroup_kn_unlock()
if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv
The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
the memory deallocation of of->priv performed within cgroup_file_release().
However, the operations involving of->priv executed within pressure_write()
are not entirely covered by the protection of cgroup_mutex. Consequently,
if the code in pressure_write(), specifically the section handling the
ctx variable executes after cgroup_file_release() has completed, a uaf
vulnerability involving of->priv is triggered.
Therefore, the issue can be resolved by extending the scope of the
cgroup_mutex lock within pressure_write() to encompass all code paths
involving of->priv, thereby properly synchronizing the race condition
occurring between cgroup_file_release() and pressure_write().
And, if an live kn lock can be successfully acquired while executing
the pressure write operation, it indicates that the cgroup deletion
process has not yet reached its final stage; consequently, the priv
pointer within open_file cannot be NULL. Therefore, the operation to
retrieve the ctx value must be moved to a point *after* the live kn
lock has been successfully acquired.
In another situation, specifically after entering cgroup_kn_lock_live()
but before acquiring cgroup_mutex, there exists a different class of
race condition:
CPU0: write memory.pressure CPU1: write cgroup.pressure=0
=========================== =============================
kernfs_fop_write_iter()
kernfs_get_active_of(of)
pressure_write()
cgroup_kn_lock_live(memory.pressure)
cgroup_tryget(cgrp)
kernfs_break_active_protection(kn)
... blocks on cgroup_mutex
cgroup_pressure_write()
cgroup_kn_lock_live(cgroup.pressure)
cgroup_file_show(memory.pressure, false)
kernfs_show(false)
kernfs_drain_open_files()
cgroup_file_release(of)
kfree(ctx)
of->priv = NULL
cgroup_kn_unlock()
... acquires cgroup_mutex
ctx = of->priv; // may now be NULL
if (ctx->psi.trigger) // NULL dereference
Consequently, there is a possibility that of->priv is NULL, the pressure
write needs to check for this.
Now that the scope of the cgroup_mutex has been expanded, the original
explicit cgroup_get/put operations are no longer necessary, this is
because acquiring/releasing the live kn lock inherently executes a
cgroup get/put operation.
[1]
BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
Call Trace:
pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
Allocated by task 9352:
cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
do_dentry_open+0x83d/0x13e0 fs/open.c:949
Freed by task 9353:
cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
kernfs_release_file fs/kernfs/file.c:764 [inline]
kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
Fixes: 0e94682b73bf ("psi: introduce psi monitor")
Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index e787dc0eacd7d..97812c0b04dd6 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -3775,33 +3775,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
size_t nbytes, enum psi_res res)
{
- struct cgroup_file_ctx *ctx = of->priv;
+ struct cgroup_file_ctx *ctx;
struct psi_trigger *new;
struct cgroup *cgrp;
struct psi_group *psi;
+ ssize_t ret = 0;
cgrp = cgroup_kn_lock_live(of->kn, false);
if (!cgrp)
return -ENODEV;
- cgroup_get(cgrp);
- cgroup_kn_unlock(of->kn);
+ ctx = of->priv;
+ if (!ctx) {
+ ret = -ENODEV;
+ goto out_unlock;
+ }
/* Allow only one trigger per file descriptor */
if (ctx->psi.trigger) {
- cgroup_put(cgrp);
- return -EBUSY;
+ ret = -EBUSY;
+ goto out_unlock;
}
psi = cgroup_psi(cgrp);
new = psi_trigger_create(psi, buf, res, of->file, of);
if (IS_ERR(new)) {
- cgroup_put(cgrp);
- return PTR_ERR(new);
+ ret = PTR_ERR(new);
+ goto out_unlock;
}
smp_store_release(&ctx->psi.trigger, new);
- cgroup_put(cgrp);
+
+out_unlock:
+ cgroup_kn_unlock(of->kn);
+ if (ret)
+ return ret;
return nbytes;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 360/508] cgroup/rdma: fix integer overflow in rdmacg_try_charge()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 359/508] sched/psi: fix race between file release and pressure write Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 361/508] mailbox: add sanity check for channel array Greg Kroah-Hartman
` (149 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, cuitao, Michal Koutný,
Tejun Heo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: cuitao <cuitao@kylinos.cn>
[ Upstream commit c802f460dd485c1332b5a35e7adcfb2bc22536a2 ]
The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.
Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.
Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
Signed-off-by: cuitao <cuitao@kylinos.cn>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/rdma.c b/kernel/cgroup/rdma.c
index ef5878fb20057..d544a747f3954 100644
--- a/kernel/cgroup/rdma.c
+++ b/kernel/cgroup/rdma.c
@@ -283,7 +283,7 @@ int rdmacg_try_charge(struct rdma_cgroup **rdmacg,
ret = PTR_ERR(rpool);
goto err;
} else {
- new = rpool->resources[index].usage + 1;
+ new = (s64)rpool->resources[index].usage + 1;
if (new > rpool->resources[index].max) {
ret = -EAGAIN;
goto err;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 361/508] mailbox: add sanity check for channel array
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 360/508] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 362/508] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
` (148 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Jassi Brar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c1aad75595fb67edc7fda8af249d3b886efa1be9 ]
Fail gracefully if there is no channel array attached to the mailbox
controller. Otherwise the later dereference will cause an OOPS which
might not be seen because mailbox controllers might instantiate very
early. Remove the comment explaining the obvious while here.
Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index b4d52b814055b..39269359e3a64 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -520,8 +520,7 @@ int mbox_controller_register(struct mbox_controller *mbox)
{
int i, txdone;
- /* Sanity check */
- if (!mbox || !mbox->dev || !mbox->ops || !mbox->num_chans)
+ if (!mbox || !mbox->dev || !mbox->ops || !mbox->chans || !mbox->num_chans)
return -EINVAL;
if (mbox->txdone_irq)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 362/508] mailbox: mailbox-test: dont free the reused channel
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 361/508] mailbox: add sanity check for channel array Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 363/508] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
` (147 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 88ebadbf0deefdaccdab868b44ff70a0a257f473 ]
The RX channel can be aliased to the TX channel if it has a different
MMIO. This special case needs to be handled when freeing the channels
otherwise a double-free occurs.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 6d431a8b275c7..c06d128c44764 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -422,7 +422,7 @@ static int mbox_test_probe(struct platform_device *pdev)
err_free_chans:
if (tdev->tx_channel)
mbox_free_channel(tdev->tx_channel);
- if (tdev->rx_channel)
+ if (tdev->rx_channel && tdev->rx_channel != tdev->tx_channel)
mbox_free_channel(tdev->rx_channel);
return ret;
}
@@ -435,7 +435,7 @@ static int mbox_test_remove(struct platform_device *pdev)
if (tdev->tx_channel)
mbox_free_channel(tdev->tx_channel);
- if (tdev->rx_channel)
+ if (tdev->rx_channel && tdev->rx_channel != tdev->tx_channel)
mbox_free_channel(tdev->rx_channel);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 363/508] mailbox: mailbox-test: initialize struct earlier
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 362/508] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 364/508] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
` (146 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit bbcf9af68bfedb3d9cc3c7eae62f5c844d8b78b9 ]
The waitqueue must be initialized before the debugfs files are created
because from that time, requests from userspace can already be made.
Similarily, drvdata and spinlock needs to be initialized before we
request the channel, otherwise dangling irqs might run into problems
like a NULL pointer exception.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index c06d128c44764..2c98c300ba33b 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -366,6 +366,12 @@ static int mbox_test_probe(struct platform_device *pdev)
if (!tdev)
return -ENOMEM;
+ tdev->dev = &pdev->dev;
+ spin_lock_init(&tdev->lock);
+ mutex_init(&tdev->mutex);
+ init_waitqueue_head(&tdev->waitq);
+ platform_set_drvdata(pdev, tdev);
+
/* It's okay for MMIO to be NULL */
tdev->tx_mmio = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
if (PTR_ERR(tdev->tx_mmio) == -EBUSY) {
@@ -395,12 +401,6 @@ static int mbox_test_probe(struct platform_device *pdev)
if (!tdev->rx_channel && (tdev->rx_mmio != tdev->tx_mmio))
tdev->rx_channel = tdev->tx_channel;
- tdev->dev = &pdev->dev;
- platform_set_drvdata(pdev, tdev);
-
- spin_lock_init(&tdev->lock);
- mutex_init(&tdev->mutex);
-
if (tdev->rx_channel) {
tdev->rx_buffer = devm_kzalloc(&pdev->dev,
MBOX_MAX_MSG_LEN, GFP_KERNEL);
@@ -414,7 +414,6 @@ static int mbox_test_probe(struct platform_device *pdev)
if (ret)
goto err_free_chans;
- init_waitqueue_head(&tdev->waitq);
dev_info(&pdev->dev, "Successfully registered\n");
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 364/508] mailbox: mailbox-test: make data_ready a per-instance variable
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 363/508] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 365/508] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
` (145 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 6e937f4e769e60947909e3525965f0137b9039e8 ]
While not the default case, multiple tests can be run simultaneously.
Then, data_ready being a global variable will be overwritten and the
per-instance lock will not help. Turn the global variable into a
per-instance one to avoid this problem.
Fixes: e339c80af95e ("mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 2c98c300ba33b..f2ed7f884a575 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -28,8 +28,6 @@
#define MBOX_HEXDUMP_MAX_LEN (MBOX_HEXDUMP_LINE_LEN * \
(MBOX_MAX_MSG_LEN / MBOX_BYTES_PER_LINE))
-static bool mbox_data_ready;
-
struct mbox_test_device {
struct device *dev;
void __iomem *tx_mmio;
@@ -42,6 +40,7 @@ struct mbox_test_device {
spinlock_t lock;
struct mutex mutex;
wait_queue_head_t waitq;
+ bool data_ready;
struct fasync_struct *async_queue;
struct dentry *root_debugfs_dir;
};
@@ -162,7 +161,7 @@ static bool mbox_test_message_data_ready(struct mbox_test_device *tdev)
unsigned long flags;
spin_lock_irqsave(&tdev->lock, flags);
- data_ready = mbox_data_ready;
+ data_ready = tdev->data_ready;
spin_unlock_irqrestore(&tdev->lock, flags);
return data_ready;
@@ -227,7 +226,7 @@ static ssize_t mbox_test_message_read(struct file *filp, char __user *userbuf,
*(touser + l) = '\0';
memset(tdev->rx_buffer, 0, MBOX_MAX_MSG_LEN);
- mbox_data_ready = false;
+ tdev->data_ready = false;
spin_unlock_irqrestore(&tdev->lock, flags);
@@ -297,7 +296,7 @@ static void mbox_test_receive_message(struct mbox_client *client, void *message)
message, MBOX_MAX_MSG_LEN);
memcpy(tdev->rx_buffer, message, MBOX_MAX_MSG_LEN);
}
- mbox_data_ready = true;
+ tdev->data_ready = true;
spin_unlock_irqrestore(&tdev->lock, flags);
wake_up_interruptible(&tdev->waitq);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 365/508] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 364/508] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 366/508] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
` (144 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 82323b1a7088b7a5c3e528a5d634bff447fa286f ]
submit_one_async_extent() calls btrfs_reserve_extent(), which decrements
bytes_may_use. If the call btrfs_create_io_em() fails, we jump to
out_free_reserve, which calls extent_clear_unlock_delalloc().
Because we're specifying EXTENT_DO_ACCOUNTING, i.e.
EXTENT_CLEAR_META_RESV | EXTENT_CLEAR_DATA_RESV, this decreases
bytes_may_use again. This can lead to problems later on, as an initial
write can fail only for the writeback to silently ENOSPC.
Fix this by replacing EXTENT_DO_ACCOUNTING with EXTENT_CLEAR_META_RESV.
This parallels a4fe134fc1d8eb ("btrfs: fix a double release on reserved
extents in cow_one_range()"), which is the same fix in cow_one_range().
Fixes: 151a41bc46df ("Btrfs: fix what bits we clear when erroring out from delalloc")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 46df425ab7bae..00cd932791c8d 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1209,7 +1209,7 @@ static void submit_one_async_extent(struct async_chunk *async_chunk,
extent_clear_unlock_delalloc(inode, start, end,
NULL, EXTENT_LOCKED | EXTENT_DELALLOC |
EXTENT_DELALLOC_NEW |
- EXTENT_DEFRAG | EXTENT_DO_ACCOUNTING,
+ EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV,
PAGE_UNLOCK | PAGE_START_WRITEBACK |
PAGE_END_WRITEBACK);
free_async_extent_pages(async_extent);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 366/508] tracing: branch: Fix inverted check on stat tracer registration
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 365/508] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 367/508] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
` (143 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Ingo Molnar,
Frederic Weisbecker, Breno Leitao, Masami Hiramatsu (Google),
Steven Rostedt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 3b75dd76e64a04771861bb5647951c264919e563 ]
init_annotated_branch_stats() and all_annotated_branch_stats() check the
return value of register_stat_tracer() with "if (!ret)", but
register_stat_tracer() returns 0 on success and a negative errno on
failure. The inverted check causes the warning to be printed on every
successful registration, e.g.:
Warning: could not register annotated branches stats
while leaving real failures silent. The initcall also returned a
hard-coded 1 instead of the actual error.
Invert the check and propagate ret so that the warning fires on real
errors and the initcall reports the correct status.
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Link: https://patch.msgid.link/20260420-tracing-v1-1-d8f4cd0d6af1@debian.org
Fixes: 002bb86d8d42 ("tracing/ftrace: separate events tracing and stats tracing engine")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_branch.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_branch.c b/kernel/trace/trace_branch.c
index e47fdb4c92fbc..30f72e0ecb5d4 100644
--- a/kernel/trace/trace_branch.c
+++ b/kernel/trace/trace_branch.c
@@ -379,10 +379,10 @@ __init static int init_annotated_branch_stats(void)
int ret;
ret = register_stat_tracer(&annotated_branch_stats);
- if (!ret) {
+ if (ret) {
printk(KERN_WARNING "Warning: could not register "
"annotated branches stats\n");
- return 1;
+ return ret;
}
return 0;
}
@@ -444,10 +444,10 @@ __init static int all_annotated_branch_stats(void)
int ret;
ret = register_stat_tracer(&all_branch_stats);
- if (!ret) {
+ if (ret) {
printk(KERN_WARNING "Warning: could not register "
"all branches stats\n");
- return 1;
+ return ret;
}
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 367/508] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 366/508] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 368/508] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
` (142 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Yunje Shin,
Chaitanya Kulkarni, Maurizio Lombardi, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit ea8e356acb165cb1fd75537a52e1f66e5e76c538 ]
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
Fixes: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec")
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Yunje Shin <ioerts@kookmin.ac.kr>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/tcp.c | 51 ++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 4d1f260ae60ab..5f85c4a812abc 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -335,7 +335,7 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)
static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);
-static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
+static int nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
{
struct bio_vec *iov = cmd->iov;
struct scatterlist *sg;
@@ -348,22 +348,19 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
offset = cmd->rbytes_done;
cmd->sg_idx = offset / PAGE_SIZE;
sg_offset = offset % PAGE_SIZE;
- if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
+ if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt)
+ return -EPROTO;
+
sg = &cmd->req.sg[cmd->sg_idx];
sg_remaining = cmd->req.sg_cnt - cmd->sg_idx;
while (length) {
- if (!sg_remaining) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
- if (!sg->length || sg->length <= sg_offset) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
+ if (!sg_remaining)
+ return -EPROTO;
+
+ if (!sg->length || sg->length <= sg_offset)
+ return -EPROTO;
+
u32 iov_len = min_t(u32, length, sg->length - sg_offset);
bvec_set_page(iov, sg_page(sg), iov_len,
@@ -378,6 +375,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
iov_iter_bvec(&cmd->recv_msg.msg_iter, ITER_DEST, cmd->iov,
nr_pages, cmd->pdu_len);
+ return 0;
}
static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
@@ -945,7 +943,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
return 0;
}
-static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
+static int nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
struct nvmet_tcp_cmd *cmd, struct nvmet_req *req)
{
size_t data_len = le32_to_cpu(req->cmd->common.dptr.sgl.length);
@@ -961,19 +959,23 @@ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
if (!nvme_is_write(cmd->req.cmd) || !data_len ||
data_len > cmd->req.port->inline_data_size) {
nvmet_prepare_receive_pdu(queue);
- return;
+ return 0;
}
ret = nvmet_tcp_map_data(cmd);
if (unlikely(ret)) {
pr_err("queue %d: failed to map data\n", queue->idx);
nvmet_tcp_fatal_error(queue);
- return;
+ return -EPROTO;
}
queue->rcv_state = NVMET_TCP_RECV_DATA;
- nvmet_tcp_build_pdu_iovec(cmd);
cmd->flags |= NVMET_TCP_F_INIT_FAILED;
+ ret = nvmet_tcp_build_pdu_iovec(cmd);
+ if (unlikely(ret))
+ pr_err("queue %d: failed to build PDU iovec\n", queue->idx);
+
+ return ret;
}
static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
@@ -1025,7 +1027,10 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
goto err_proto;
}
cmd->pdu_recv = 0;
- nvmet_tcp_build_pdu_iovec(cmd);
+ if (unlikely(nvmet_tcp_build_pdu_iovec(cmd))) {
+ pr_err("queue %d: failed to build PDU iovec\n", queue->idx);
+ goto err_proto;
+ }
queue->cmd = cmd;
queue->rcv_state = NVMET_TCP_RECV_DATA;
@@ -1088,8 +1093,7 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
req->cmd->common.opcode,
le32_to_cpu(req->cmd->common.dptr.sgl.length));
- nvmet_tcp_handle_req_failure(queue, queue->cmd, req);
- return 0;
+ return nvmet_tcp_handle_req_failure(queue, queue->cmd, req);
}
ret = nvmet_tcp_map_data(queue->cmd);
@@ -1106,8 +1110,11 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
if (nvmet_tcp_need_data_in(queue->cmd)) {
if (nvmet_tcp_has_inline_data(queue->cmd)) {
queue->rcv_state = NVMET_TCP_RECV_DATA;
- nvmet_tcp_build_pdu_iovec(queue->cmd);
- return 0;
+ ret = nvmet_tcp_build_pdu_iovec(queue->cmd);
+ if (unlikely(ret))
+ pr_err("queue %d: failed to build PDU iovec\n",
+ queue->idx);
+ return ret;
}
/* send back R2T */
nvmet_tcp_queue_response(&queue->cmd->req);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 368/508] netfilter: arp_tables: fix IEEE1394 ARP payload parsing
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 367/508] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 369/508] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
` (141 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 1e8e3f449b1e73b73a843257635b9c50f0cc0f0a ]
Weiming Shi says:
"arp_packet_match() unconditionally parses the ARP payload assuming two
hardware addresses are present (source and target). However,
IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
field, and arp_hdr_len() already accounts for this by returning a
shorter length for ARPHRD_IEEE1394 devices.
As a result, on IEEE1394 interfaces arp_packet_match() advances past a
nonexistent target hardware address and reads the wrong bytes for both
the target device address comparison and the target IP address. This
causes arptables rules to match against garbage data, leading to
incorrect filtering decisions: packets that should be accepted may be
dropped and vice versa.
The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
handles this correctly by skipping the target hardware address for
ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."
Mangle the original patch to always return 0 (no match) in case user
matches on the target hardware address which is never present in
IEEE1394.
Note that this returns 0 (no match) for either normal and inverse match
because matching in the target hardware address in ARPHRD_IEEE1394 has
never been supported by arptables. This is intentional, matching on the
target hardware address should never evaluate true for ARPHRD_IEEE1394.
Moreover, adjust arpt_mangle to drop the packet too as AI suggests:
In arpt_mangle, the logic assumes a standard ARP layout. Because
IEEE1394 (FireWire) omits the target hardware address, the linear
pointer arithmetic miscalculates the offset for the target IP address.
This causes mangling operations to write to the wrong location, leading
to packet corruption. To ensure safety, this patch drops packets
(NF_DROP) when mangling is requested for these fields on IEEE1394
devices, as the current implementation cannot correctly map the FireWire
ARP payload.
This omits both mangling target hardware and IP address. Even if IP
address mangling should be possible in IEEE1394, this would require
to adjust arpt_mangle offset calculation, which has never been
supported.
Based on patch from Weiming Shi <bestswngs@gmail.com>.
Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arp_tables.c | 18 +++++++++++++++---
net/ipv4/netfilter/arpt_mangle.c | 8 ++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 14365b20f1c5c..564054123772a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -110,13 +110,25 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
arpptr += dev->addr_len;
memcpy(&src_ipaddr, arpptr, sizeof(u32));
arpptr += sizeof(u32);
- tgt_devaddr = arpptr;
- arpptr += dev->addr_len;
+
+ if (IS_ENABLED(CONFIG_FIREWIRE_NET) && dev->type == ARPHRD_IEEE1394) {
+ if (unlikely(memchr_inv(arpinfo->tgt_devaddr.mask, 0,
+ sizeof(arpinfo->tgt_devaddr.mask))))
+ return 0;
+
+ tgt_devaddr = NULL;
+ } else {
+ tgt_devaddr = arpptr;
+ arpptr += dev->addr_len;
+ }
memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
- dev->addr_len)) ||
+ dev->addr_len)))
+ return 0;
+
+ if (tgt_devaddr &&
NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
dev->addr_len)))
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index a4e07e5e9c118..f65dd339208e8 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -40,6 +40,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
}
arpptr += pln;
if (mangle->flags & ARPT_MANGLE_TDEV) {
+ if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&
+ skb->dev->type == ARPHRD_IEEE1394))
+ return NF_DROP;
+
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
@@ -47,6 +51,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
}
arpptr += hln;
if (mangle->flags & ARPT_MANGLE_TIP) {
+ if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&
+ skb->dev->type == ARPHRD_IEEE1394))
+ return NF_DROP;
+
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
return NF_DROP;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 369/508] nvme-pci: fix missed admin queue sq doorbell write
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 368/508] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 370/508] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG Greg Kroah-Hartman
` (140 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Kanchan Joshi,
Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 1cc4cdae2a3b7730d462d69e30f213fd2efe7807 ]
We can batch admin commands submitted through io_uring_cmd passthrough,
which means bd->last may be false and skips the doorbell write to
aggregate multiple commands per write. If a subsequent command can't be
dispatched for whatever reason, we have to provide the blk-mq ops'
commit_rqs callback in order to ensure we properly update the doorbell.
Fixes: 58e5bdeb9c2b ("nvme: enable uring-passthrough for admin commands")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 40d9be6468b5e..87d30aaa35f10 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1715,6 +1715,7 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid, bool polled)
static const struct blk_mq_ops nvme_mq_admin_ops = {
.queue_rq = nvme_queue_rq,
.complete = nvme_pci_complete_rq,
+ .commit_rqs = nvme_commit_rqs,
.init_hctx = nvme_admin_init_hctx,
.init_request = nvme_pci_init_request,
.timeout = nvme_timeout,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 370/508] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 369/508] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 371/508] drm/amdgpu: fix spelling typos Greg Kroah-Hartman
` (139 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
[ Upstream commit 0ef196a208385b7d7da79f411c161b04e97283e2 ]
There were multiple issues in that code.
First of all the order between the reset semaphore and the mm_lock was
wrong (e.g. copy_to_user) was called while holding the lock.
Then we allocated memory while holding the reset semaphore which is also
a pretty big bug and can deadlock.
Then we used down_read_trylock() instead of waiting for the reset to
finish.
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 9e823f307074 ("drm/amdgpu: Block MMR_READ IOCTL in reset")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 361b6e6b303d4b691f6c5974d3eaab67ca6dd90e)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 57 +++++++++++--------------
1 file changed, 24 insertions(+), 33 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
index 10730f256ae0f..4c678048be63b 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -724,68 +724,59 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp)
? -EFAULT : 0;
}
case AMDGPU_INFO_READ_MMR_REG: {
- int ret = 0;
- unsigned int n, alloc_size;
- uint32_t *regs;
unsigned int se_num = (info->read_mmr_reg.instance >>
AMDGPU_INFO_MMR_SE_INDEX_SHIFT) &
AMDGPU_INFO_MMR_SE_INDEX_MASK;
unsigned int sh_num = (info->read_mmr_reg.instance >>
AMDGPU_INFO_MMR_SH_INDEX_SHIFT) &
AMDGPU_INFO_MMR_SH_INDEX_MASK;
-
- if (!down_read_trylock(&adev->reset_domain->sem))
- return -ENOENT;
+ unsigned int alloc_size;
+ uint32_t *regs;
+ int ret;
/* set full masks if the userspace set all bits
* in the bitfields
*/
- if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK) {
+ if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK)
se_num = 0xffffffff;
- } else if (se_num >= AMDGPU_GFX_MAX_SE) {
- ret = -EINVAL;
- goto out;
- }
+ else if (se_num >= AMDGPU_GFX_MAX_SE)
+ return -EINVAL;
- if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK) {
+ if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK)
sh_num = 0xffffffff;
- } else if (sh_num >= AMDGPU_GFX_MAX_SH_PER_SE) {
- ret = -EINVAL;
- goto out;
- }
+ else if (sh_num >= AMDGPU_GFX_MAX_SH_PER_SE)
+ return -EINVAL;
- if (info->read_mmr_reg.count > 128) {
- ret = -EINVAL;
- goto out;
- }
+ if (info->read_mmr_reg.count > 128)
+ return -EINVAL;
- regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs), GFP_KERNEL);
- if (!regs) {
- ret = -ENOMEM;
- goto out;
- }
+ regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs),
+ GFP_KERNEL);
+ if (!regs)
+ return -ENOMEM;
+ down_read(&adev->reset_domain->sem);
alloc_size = info->read_mmr_reg.count * sizeof(*regs);
-
amdgpu_gfx_off_ctrl(adev, false);
+ ret = 0;
for (i = 0; i < info->read_mmr_reg.count; i++) {
if (amdgpu_asic_read_register(adev, se_num, sh_num,
info->read_mmr_reg.dword_offset + i,
®s[i])) {
DRM_DEBUG_KMS("unallowed offset %#x\n",
info->read_mmr_reg.dword_offset + i);
- kfree(regs);
- amdgpu_gfx_off_ctrl(adev, true);
ret = -EFAULT;
- goto out;
+ break;
}
}
amdgpu_gfx_off_ctrl(adev, true);
- n = copy_to_user(out, regs, min(size, alloc_size));
- kfree(regs);
- ret = (n ? -EFAULT : 0);
-out:
up_read(&adev->reset_domain->sem);
+
+ if (!ret) {
+ ret = copy_to_user(out, regs, min(size, alloc_size))
+ ? -EFAULT : 0;
+ }
+ kfree(regs);
return ret;
}
case AMDGPU_INFO_DEV_INFO: {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 371/508] drm/amdgpu: fix spelling typos
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 370/508] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 372/508] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
` (138 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Demers, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Demers <alexandre.f.demers@gmail.com>
[ Upstream commit ce43abd7ec9464cf954f90e1c69e11768b02fa0a ]
Found some typos while exploring amdgpu code.
Signed-off-by: Alexandre Demers <alexandre.f.demers@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Stable-dep-of: 13e4cf116dbf ("drm/amdgpu/uvd3.1: Don't validate the firmware when already validated")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 2 +-
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 6 +++---
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 3 ++-
drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 2 +-
4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index 8cb192636368f..1584936f29510 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -264,7 +264,7 @@ void amdgpu_gmc_sysvm_location(struct amdgpu_device *adev, struct amdgpu_gmc *mc
* @adev: amdgpu device structure holding all necessary information
* @mc: memory controller structure holding memory information
*
- * Function will place try to place GART before or after VRAM.
+ * Function will try to place GART before or after VRAM.
* If GART size is bigger than space left then we ajust GART size.
* Thus function will never fails.
*/
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
index 1e0189f90fd6a..191057db58db3 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
@@ -98,7 +98,7 @@ static void uvd_v3_1_ring_emit_ib(struct amdgpu_ring *ring,
}
/**
- * uvd_v3_1_ring_emit_fence - emit an fence & trap command
+ * uvd_v3_1_ring_emit_fence - emit a fence & trap command
*
* @ring: amdgpu_ring pointer
* @addr: address
@@ -242,7 +242,7 @@ static void uvd_v3_1_mc_resume(struct amdgpu_device *adev)
uint64_t addr;
uint32_t size;
- /* programm the VCPU memory controller bits 0-27 */
+ /* program the VCPU memory controller bits 0-27 */
addr = (adev->uvd.inst->gpu_addr + AMDGPU_UVD_FIRMWARE_OFFSET) >> 3;
size = AMDGPU_UVD_FIRMWARE_SIZE(adev) >> 3;
WREG32(mmUVD_VCPU_CACHE_OFFSET0, addr);
@@ -416,7 +416,7 @@ static int uvd_v3_1_start(struct amdgpu_device *adev)
/* Set the write pointer delay */
WREG32(mmUVD_RBC_RB_WPTR_CNTL, 0);
- /* programm the 4GB memory segment for rptr and ring buffer */
+ /* Program the 4GB memory segment for rptr and ring buffer */
WREG32(mmUVD_LMI_EXT40_ADDR, upper_32_bits(ring->gpu_addr) |
(0x7 << 16) | (0x1 << 31));
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
index c108b83817951..01d8e7d2caf97 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
@@ -298,7 +298,7 @@ static int uvd_v4_2_start(struct amdgpu_device *adev)
/* enable VCPU clock */
WREG32(mmUVD_VCPU_CNTL, 1 << 9);
- /* disable interupt */
+ /* disable interrupt */
WREG32_P(mmUVD_MASTINT_EN, 0, ~(1 << 1));
#ifdef __BIG_ENDIAN
@@ -308,6 +308,7 @@ static int uvd_v4_2_start(struct amdgpu_device *adev)
#endif
WREG32(mmUVD_LMI_SWAP_CNTL, lmi_swap_cntl);
WREG32(mmUVD_MP_SWAP_CNTL, mp_swap_cntl);
+
/* initialize UVD memory controller */
WREG32(mmUVD_LMI_CTRL, 0x203108);
diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
index 67eb01fef789b..479eb9382c77e 100644
--- a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c
@@ -278,7 +278,7 @@ static int vce_v2_0_stop(struct amdgpu_device *adev)
int status;
if (vce_v2_0_lmi_clean(adev)) {
- DRM_INFO("vce is not idle \n");
+ DRM_INFO("VCE is not idle \n");
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 372/508] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 371/508] drm/amdgpu: fix spelling typos Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 373/508] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
` (137 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 13e4cf116dbf7a1fb8123a59bea2c098f30d3736 ]
UVD 3.1 firmware validation seems to always fail after
attempting it when it had already been validated.
(This works similarly with the VCE 1.0 as well.)
Don't attempt repeating the validation when it's already done.
This caused issues in situations when the system isn't able
to suspend the GPU properly and so the GPU isn't actually
powered down. Then amdgpu would fail when calling the IP
block resume function.
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/2887
Fixes: bb7978111dd3 ("drm/amdgpu: fix SI UVD firmware validate resume fail")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 889a2cfd889c4a4dd9d0c89ce9a8e60b78be71dd)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
index 191057db58db3..49a0d66d5b2c0 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
@@ -242,6 +242,10 @@ static void uvd_v3_1_mc_resume(struct amdgpu_device *adev)
uint64_t addr;
uint32_t size;
+ /* When the keyselect is already set, don't perturb it. */
+ if (RREG32(mmUVD_FW_START))
+ return;
+
/* program the VCPU memory controller bits 0-27 */
addr = (adev->uvd.inst->gpu_addr + AMDGPU_UVD_FIRMWARE_OFFSET) >> 3;
size = AMDGPU_UVD_FIRMWARE_SIZE(adev) >> 3;
@@ -284,6 +288,12 @@ static int uvd_v3_1_fw_validate(struct amdgpu_device *adev)
int i;
uint32_t keysel = adev->uvd.keyselect;
+ if (RREG32(mmUVD_FW_START) & UVD_FW_STATUS__PASS_MASK) {
+ dev_dbg(adev->dev, "UVD keyselect already set: 0x%x (on CPU: 0x%x)\n",
+ RREG32(mmUVD_FW_START), adev->uvd.keyselect);
+ return 0;
+ }
+
WREG32(mmUVD_FW_START, keysel);
for (i = 0; i < 10; ++i) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 373/508] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 372/508] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 374/508] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
` (136 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit fe2b84f9228e2a0903221a4d0d8c350b018e9c0c ]
This commit fixes amdgpu to work on the Radeon HD 7870 XT
which has never worked with the Linux open source drivers before.
Some boards have "harvested" chips, meaning that some parts of
the chip are disabled and fused, and it's sold for cheaper and
under a different marketing name.
On a harvested chip, any of the following can be disabled:
- CUs (Compute Units)
- RBs (Render Backend, aka. ROP)
- Memory channels (ie. the chip has a lower bandwidth)
- TCCs (ie. less L2 cache)
Handle chips with harvested TCCs by patching the registers
that configure how TCCs are mapped.
If some TCCs are disabled, we need to make sure that
the disabled TCCs are not used, and the remaining TCCs
are used optimally.
TCP_CHAN_STEER_LO/HI control which TCC is used by TCP channels.
TCP_ADDR_CONFIG.NUM_TCC_BANKS controls how many channels are used.
Note that the TCC configuration is highly relevant to performance.
Suboptimal configuration (eg. CHAN_STEER=0) can significantly
reduce gaming performance.
For optimal performance:
- Rely on the CHAN_STEER from the golden registers table,
only skip disabled TCCs but keep the mapping order.
- Limit NUM_TCC_BANKS to number of active TCCs to avoid thrashing,
which performs better than using the same TCC twice.
v2:
- Also consider CGTS_USER_TCC_DISABLE for disabled TCCs.
Link: https://bugs.freedesktop.org/show_bug.cgi?id=60879
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/2664
Fixes: 2cd46ad22383 ("drm/amdgpu: add graphic pipeline implementation for si v8")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 00218d15528fab9f6b31241fe5904eea4fcaa30d)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 66 +++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
index 34f9211b26793..d4f0437001089 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
@@ -1554,6 +1554,71 @@ static void gfx_v6_0_setup_spi(struct amdgpu_device *adev)
mutex_unlock(&adev->grbm_idx_mutex);
}
+/**
+ * gfx_v6_0_setup_tcc() - setup which TCCs are used
+ *
+ * @adev: amdgpu_device pointer
+ *
+ * Verify whether the current GPU has any TCCs disabled,
+ * which can happen when the GPU is harvested and some
+ * memory channels are disabled, reducing the memory bus width.
+ * For example, on the Radeon HD 7870 XT (Tahiti LE).
+ *
+ * If some TCCs are disabled, we need to make sure that
+ * the disabled TCCs are not used, and the remaining TCCs
+ * are used optimally.
+ *
+ * TCP_CHAN_STEER_LO/HI control which TCC is used by TCP channels.
+ * TCP_ADDR_CONFIG.NUM_TCC_BANKS controls how many channels are used.
+ *
+ * For optimal performance:
+ * - Rely on the CHAN_STEER from the golden registers table,
+ * only skip disabled TCCs but keep the mapping order.
+ * - Limit NUM_TCC_BANKS to number of active TCCs to avoid thrashing,
+ * which performs better than using the same TCC twice.
+ */
+static void gfx_v6_0_setup_tcc(struct amdgpu_device *adev)
+{
+ u32 i, tcc, tcp_addr_config, num_active_tcc = 0;
+ u64 chan_steer, patched_chan_steer = 0;
+ const u32 num_max_tcc = adev->gfx.config.max_texture_channel_caches;
+ const u32 dis_tcc_mask =
+ amdgpu_gfx_create_bitmask(num_max_tcc) &
+ (REG_GET_FIELD(RREG32(mmCGTS_TCC_DISABLE),
+ CGTS_TCC_DISABLE, TCC_DISABLE) |
+ REG_GET_FIELD(RREG32(mmCGTS_USER_TCC_DISABLE),
+ CGTS_USER_TCC_DISABLE, TCC_DISABLE));
+
+ /* When no TCC is disabled, the golden registers table already has optimal TCC setup */
+ if (!dis_tcc_mask)
+ return;
+
+ /* Each 4-bit nibble contains the index of a TCC used by all TCPs */
+ chan_steer = RREG32(mmTCP_CHAN_STEER_LO) | ((u64)RREG32(mmTCP_CHAN_STEER_HI) << 32ull);
+
+ /* Patch the TCP to TCC mapping to skip disabled TCCs */
+ for (i = 0; i < num_max_tcc; ++i) {
+ tcc = (chan_steer >> (u64)(4 * i)) & 0xf;
+
+ if (!((1 << tcc) & dis_tcc_mask)) {
+ /* Copy enabled TCC indices to the patched register value. */
+ patched_chan_steer |= (u64)tcc << (u64)(4 * num_active_tcc);
+ ++num_active_tcc;
+ }
+ }
+
+ WARN_ON(num_active_tcc != num_max_tcc - hweight32(dis_tcc_mask));
+
+ /* Patch number of TCCs used by TCPs */
+ tcp_addr_config = REG_SET_FIELD(RREG32(mmTCP_ADDR_CONFIG),
+ TCP_ADDR_CONFIG, NUM_TCC_BANKS,
+ num_active_tcc - 1);
+
+ WREG32(mmTCP_ADDR_CONFIG, tcp_addr_config);
+ WREG32(mmTCP_CHAN_STEER_HI, upper_32_bits(patched_chan_steer));
+ WREG32(mmTCP_CHAN_STEER_LO, lower_32_bits(patched_chan_steer));
+}
+
static void gfx_v6_0_config_init(struct amdgpu_device *adev)
{
adev->gfx.config.double_offchip_lds_buf = 0;
@@ -1712,6 +1777,7 @@ static void gfx_v6_0_constants_init(struct amdgpu_device *adev)
gfx_v6_0_tiling_mode_table_init(adev);
gfx_v6_0_setup_rb(adev);
+ gfx_v6_0_setup_tcc(adev);
gfx_v6_0_setup_spi(adev);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 374/508] netfilter: xt_policy: fix strict mode inbound policy matching
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 373/508] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 375/508] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
` (135 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Jiexun Wang, Ren Wei, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
[ Upstream commit 4b2b4d7d4e203c92db8966b163edfacb1f0e1e29 ]
match_policy_in() walks sec_path entries from the last transform to the
first one, but strict policy matching needs to consume info->pol[] in
the same forward order as the rule layout.
Derive the strict-match policy position from the number of transforms
already consumed so that multi-element inbound rules are matched
consistently.
Fixes: c4b885139203 ("[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index cb6e8279010a4..b5fa65558318f 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -63,7 +63,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
return 0;
for (i = sp->len - 1; i >= 0; i--) {
- pos = strict ? i - sp->len + 1 : 0;
+ pos = strict ? sp->len - i - 1 : 0;
if (pos >= info->len)
return 0;
e = &info->pol[pos];
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 375/508] netfilter: nf_conntrack_sip: dont use simple_strtoul
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 374/508] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 376/508] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
` (134 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Klaudia Kloc, Dawid Moczadło,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin, Jenny Guanni Qu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8cf6809cddcbe301aedfc6b51bcd4944d45795f6 ]
Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(),
and ct_sip_parse_request() with a new sip_parse_port() helper that
validates each digit against the buffer limit, eliminating the use of
simple_strtoul() which assumes NUL-terminated strings.
The previous code dereferenced pointers without bounds checks after
sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated
skb data. A port that reaches the buffer limit without a trailing
character is also rejected as malformed.
Also get rid of all simple_strtoul() usage in conntrack, prefer a
stricter version instead. There are intentional changes:
- Bail out if number is > UINT_MAX and indicate a failure, same for
too long sequences.
While we do accept 05535 as port 5535, we will not accept e.g.
'sip:10.0.0.1:005060'. While its syntactically valid under RFC 3261,
we should restrict this to not waste cycles when presented with
malformed packets with 64k '0' characters.
- Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch
'expire=' and 'rports='; both are expected to use base-10.
- In nf_nat_sip.c, only accept the parsed value if its within the 1k-64k
range.
- epaddr_len now returns 0 if the port is invalid, as it already does
for invalid ip addresses. This is intentional. nf_conntrack_sip
performs lots of guesswork to find the right parts of the message
to parse. Being stricter could break existing setups.
Connection tracking helpers are designed to allow traffic to
pass, not to block it.
Based on an earlier patch from Jenny Guanni Qu <qguanni@gmail.com>.
Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Reported-by: Jenny Guanni Qu <qguanni@gmail.com>.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_sip.c | 152 ++++++++++++++++++++++++-------
net/netfilter/nf_nat_sip.c | 1 +
2 files changed, 119 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index fda6fc1fc4c58..4b32ee408ea15 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -181,6 +181,57 @@ static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
return 1;
}
+/* Parse optional port number after IP address.
+ * Returns false on malformed input, true otherwise.
+ * If port is non-NULL, stores parsed port in network byte order.
+ * If no port is present, sets *port to default SIP port.
+ */
+static bool sip_parse_port(const char *dptr, const char **endp,
+ const char *limit, __be16 *port)
+{
+ unsigned int p = 0;
+ int len = 0;
+
+ if (dptr >= limit)
+ return false;
+
+ if (*dptr != ':') {
+ if (port)
+ *port = htons(SIP_PORT);
+ if (endp)
+ *endp = dptr;
+ return true;
+ }
+
+ dptr++; /* skip ':' */
+
+ while (dptr < limit && isdigit(*dptr)) {
+ p = p * 10 + (*dptr - '0');
+ dptr++;
+ len++;
+ if (len > 5) /* max "65535" */
+ return false;
+ }
+
+ if (len == 0)
+ return false;
+
+ /* reached limit while parsing port */
+ if (dptr >= limit)
+ return false;
+
+ if (p < 1024 || p > 65535)
+ return false;
+
+ if (port)
+ *port = htons(p);
+
+ if (endp)
+ *endp = dptr;
+
+ return true;
+}
+
/* skip ip address. returns its length. */
static int epaddr_len(const struct nf_conn *ct, const char *dptr,
const char *limit, int *shift)
@@ -193,11 +244,8 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
return 0;
}
- /* Port number */
- if (*dptr == ':') {
- dptr++;
- dptr += digits_len(ct, dptr, limit, shift);
- }
+ if (!sip_parse_port(dptr, &dptr, limit, NULL))
+ return 0;
return dptr - aux;
}
@@ -228,6 +276,51 @@ static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
return epaddr_len(ct, dptr, limit, shift);
}
+/* simple_strtoul stops after first non-number character.
+ * But as we're not dealing with c-strings, we can't rely on
+ * hitting \r,\n,\0 etc. before moving past end of buffer.
+ *
+ * This is a variant of simple_strtoul, but doesn't require
+ * a c-string.
+ *
+ * If value exceeds UINT_MAX, 0 is returned.
+ */
+static unsigned int sip_strtouint(const char *cp, unsigned int len, char **endp)
+{
+ const unsigned int max = sizeof("4294967295");
+ unsigned int olen = len;
+ const char *s = cp;
+ u64 result = 0;
+
+ if (len > max)
+ len = max;
+
+ while (olen > 0 && isdigit(*s)) {
+ unsigned int value;
+
+ if (len == 0)
+ goto err;
+
+ value = *s - '0';
+ result = result * 10 + value;
+
+ if (result > UINT_MAX)
+ goto err;
+ s++;
+ len--;
+ olen--;
+ }
+
+ if (endp)
+ *endp = (char *)s;
+
+ return result;
+err:
+ if (endp)
+ *endp = (char *)cp;
+ return 0;
+}
+
/* Parse a SIP request line of the form:
*
* Request-Line = Method SP Request-URI SP SIP-Version CRLF
@@ -241,7 +334,6 @@ int ct_sip_parse_request(const struct nf_conn *ct,
{
const char *start = dptr, *limit = dptr + datalen, *end;
unsigned int mlen;
- unsigned int p;
int shift = 0;
/* Skip method and following whitespace */
@@ -267,14 +359,8 @@ int ct_sip_parse_request(const struct nf_conn *ct,
if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
return -1;
- if (end < limit && *end == ':') {
- end++;
- p = simple_strtoul(end, (char **)&end, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
+ if (!sip_parse_port(end, &end, limit, port))
+ return -1;
if (end == dptr)
return 0;
@@ -509,7 +595,6 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
union nf_inet_addr *addr, __be16 *port)
{
const char *c, *limit = dptr + datalen;
- unsigned int p;
int ret;
ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
@@ -520,14 +605,8 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
return -1;
- if (*c == ':') {
- c++;
- p = simple_strtoul(c, (char **)&c, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
+ if (!sip_parse_port(c, &c, limit, port))
+ return -1;
if (dataoff)
*dataoff = c - dptr;
@@ -609,7 +688,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
return 0;
start += strlen(name);
- *val = simple_strtoul(start, &end, 0);
+ *val = sip_strtouint(start, limit - start, (char **)&end);
if (start == end)
return -1;
if (matchoff && matchlen) {
@@ -1065,6 +1144,8 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
mediaoff = sdpoff;
for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
+ char *end;
+
if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
&mediaoff, &medialen) <= 0)
@@ -1080,8 +1161,8 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
mediaoff += t->len;
medialen -= t->len;
- port = simple_strtoul(*dptr + mediaoff, NULL, 10);
- if (port == 0)
+ port = sip_strtouint(*dptr + mediaoff, *datalen - mediaoff, (char **)&end);
+ if (port == 0 || *dptr + mediaoff == end)
continue;
if (port < 1024 || port > 65535) {
nf_ct_helper_log(skb, ct, "wrong port %u", port);
@@ -1255,7 +1336,7 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
*/
if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
&matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+ expires = sip_strtouint(*dptr + matchoff, *datalen - matchoff, NULL);
ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
SIP_HDR_CONTACT, NULL,
@@ -1359,7 +1440,7 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff,
if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
&matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+ expires = sip_strtouint(*dptr + matchoff, *datalen - matchoff, NULL);
while (1) {
unsigned int c_expires = expires;
@@ -1419,10 +1500,12 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
unsigned int matchoff, matchlen, matchend;
unsigned int code, cseq, i;
+ char *end;
if (*datalen < strlen("SIP/2.0 200"))
return NF_ACCEPT;
- code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
+ code = sip_strtouint(*dptr + strlen("SIP/2.0 "),
+ *datalen - strlen("SIP/2.0 "), NULL);
if (!code) {
nf_ct_helper_log(skb, ct, "cannot get code");
return NF_DROP;
@@ -1433,8 +1516,8 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
nf_ct_helper_log(skb, ct, "cannot parse cseq");
return NF_DROP;
}
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq && *(*dptr + matchoff) != '0') {
+ cseq = sip_strtouint(*dptr + matchoff, *datalen - matchoff, (char **)&end);
+ if (*dptr + matchoff == end) {
nf_ct_helper_log(skb, ct, "cannot get cseq");
return NF_DROP;
}
@@ -1483,6 +1566,7 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
const struct sip_handler *handler;
+ char *end;
handler = &sip_handlers[i];
if (handler->request == NULL)
@@ -1499,8 +1583,8 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
nf_ct_helper_log(skb, ct, "cannot parse cseq");
return NF_DROP;
}
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq && *(*dptr + matchoff) != '0') {
+ cseq = sip_strtouint(*dptr + matchoff, *datalen - matchoff, (char **)&end);
+ if (*dptr + matchoff == end) {
nf_ct_helper_log(skb, ct, "cannot get cseq");
return NF_DROP;
}
@@ -1576,7 +1660,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen) <= 0)
break;
- clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
+ clen = sip_strtouint(dptr + matchoff, datalen - matchoff, (char **)&end);
if (dptr + matchoff == end)
break;
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index c845b6d1a2bdf..9fbfc6bff0c22 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -246,6 +246,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
"rport=", &poff, &plen,
&n) > 0 &&
+ n >= 1024 && n <= 65535 &&
htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 376/508] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 375/508] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 377/508] drm/sysfb: ofdrm: fix PCI device reference leaks Greg Kroah-Hartman
` (133 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Madieu, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Madieu <john.madieu@gmail.com>
[ Upstream commit b4683a239a409d65f88052f5630c748a8ba070cd ]
rockchip_spi_isr() decides whether the current interrupt was the
cs-inactive event by reading IMR:
if (rs->cs_inactive &&
readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE)
ctlr->target_abort(ctlr);
IMR is the interrupt mask register: it tells which sources are enabled,
not which one fired. In the PIO path, rockchip_spi_prepare_irq() enables
both INT_RF_FULL and INT_CS_INACTIVE in IMR when rs->cs_inactive is true:
if (rs->cs_inactive)
writel_relaxed(INT_RF_FULL | INT_CS_INACTIVE,
rs->regs + ROCKCHIP_SPI_IMR);
so the IMR check is always true once cs_inactive is enabled, and every
PIO interrupt - including normal RF_FULL completions - is dispatched to
ctlr->target_abort(), aborting the transfer. The bug is reachable on
ROCKCHIP_SPI_VER2_TYPE2 in target mode with a DMA-capable controller
when the transfer is short enough to fall back to PIO
(rockchip_spi_can_dma() returns false below fifo_len).
Read ISR (which is RISR masked by IMR) so the check actually reflects
which interrupt fired, and parenthesise the expression for clarity while
at it.
Fixes: 869f2c94db92 ("spi: rockchip: Stop spi slave dma receiver when cs inactive")
Signed-off-by: John Madieu <john.madieu@gmail.com>
Link: https://patch.msgid.link/20260425092936.2590132-2-john.madieu@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rockchip.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
index 9e160cba1ff37..03a11aed055ee 100644
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -352,7 +352,8 @@ static irqreturn_t rockchip_spi_isr(int irq, void *dev_id)
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
/* When int_cs_inactive comes, spi target abort */
- if (rs->cs_inactive && readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE) {
+ if (rs->cs_inactive &&
+ (readl_relaxed(rs->regs + ROCKCHIP_SPI_ISR) & INT_CS_INACTIVE)) {
ctlr->target_abort(ctlr);
writel_relaxed(0, rs->regs + ROCKCHIP_SPI_IMR);
writel_relaxed(0xffffffff, rs->regs + ROCKCHIP_SPI_ICR);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 377/508] drm/sysfb: ofdrm: fix PCI device reference leaks
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 376/508] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 378/508] arm64/scs: Fix potential sign extension issue of advance_loc4 Greg Kroah-Hartman
` (132 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Ijae Kim, Taegyu Kim,
Yuho Choi, Thomas Zimmermann, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
[ Upstream commit 4aa8110000b0d215deef8eed283565dd0c1def88 ]
display_get_pci_dev_of() gets a referenced PCI device via
pci_get_device(). Drop that reference when pci_enable_device() fails and
release it during the managed teardown path after pci_disable_device().
Without that, ofdrm leaks the pci_dev reference on both the error path
and the normal cleanup path.
Fixes: c8a17756c425 ("drm/ofdrm: Add ofdrm for Open Firmware framebuffers")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260420002513.216-1-dbgh9129@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tiny/ofdrm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/tiny/ofdrm.c b/drivers/gpu/drm/tiny/ofdrm.c
index 2d999a0facdee..fe2d3b7c61258 100644
--- a/drivers/gpu/drm/tiny/ofdrm.c
+++ b/drivers/gpu/drm/tiny/ofdrm.c
@@ -351,6 +351,7 @@ static void ofdrm_pci_release(void *data)
struct pci_dev *pcidev = data;
pci_disable_device(pcidev);
+ pci_dev_put(pcidev);
}
static int ofdrm_device_init_pci(struct ofdrm_device *odev)
@@ -376,6 +377,7 @@ static int ofdrm_device_init_pci(struct ofdrm_device *odev)
if (ret) {
drm_err(dev, "pci_enable_device(%s) failed: %d\n",
dev_name(&pcidev->dev), ret);
+ pci_dev_put(pcidev);
return ret;
}
ret = devm_add_action_or_reset(&pdev->dev, ofdrm_pci_release, pcidev);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 378/508] arm64/scs: Fix potential sign extension issue of advance_loc4
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 377/508] drm/sysfb: ofdrm: fix PCI device reference leaks Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 379/508] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
` (131 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Guan, Catalin Marinas,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 4023b7424ecd5d38cc75b650d6c1bf630ef8cb40 ]
The expression (*opcode++ << 24) and exp * code_alignment_factor
may overflow signed int and becomes negative.
Fix this by casting each byte to u64 before shifting. Also fix
the misaligned break statement while we are here.
Example of the result can be seen here:
Link: https://godbolt.org/z/zhY8d3595
It maybe not a real problem, but could be a issue in future.
Fixes: d499e9627d70 ("arm64/scs: Fix handling of advance_loc4")
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/patch-scs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/patch-scs.c b/arch/arm64/kernel/patch-scs.c
index 6d656179ea03b..d6e8ad142f75c 100644
--- a/arch/arm64/kernel/patch-scs.c
+++ b/arch/arm64/kernel/patch-scs.c
@@ -175,9 +175,9 @@ static int noinstr scs_handle_fde_frame(const struct eh_frame *frame,
loc += *opcode++ * code_alignment_factor;
loc += (*opcode++ << 8) * code_alignment_factor;
loc += (*opcode++ << 16) * code_alignment_factor;
- loc += (*opcode++ << 24) * code_alignment_factor;
+ loc += ((u64)*opcode++ << 24) * code_alignment_factor;
size -= 4;
- break;
+ break;
case DW_CFA_def_cfa:
case DW_CFA_offset_extended:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 379/508] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 378/508] arm64/scs: Fix potential sign extension issue of advance_loc4 Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 380/508] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
` (130 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daan De Meyer, Phillip Potter,
Martin K. Petersen, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daan De Meyer <daan@amutable.com>
[ Upstream commit 0898a817621a2f0cddca8122d9b974003fe5036d ]
The cdrom core never calls set_disk_ro() for a registered device, so
BLKROGET on a CD-ROM device always returns 0 (writable), even when the
drive has no write capabilities and writes will inevitably fail. This
causes problems for userspace that relies on BLKROGET to determine
whether a block device is read-only. For example, systemd's loop device
setup uses BLKROGET to decide whether to create a loop device with
LO_FLAGS_READ_ONLY. Without the read-only flag, writes pass through the
loop device to the CD-ROM and fail with I/O errors. systemd-fsck
similarly checks BLKROGET to decide whether to run fsck in no-repair
mode (-n).
The write-capability bits in cdi->mask come from two different sources:
CDC_DVD_RAM and CDC_CD_RW are populated by the driver from the MODE
SENSE capabilities page (page 0x2A) before register_cdrom() is called,
while CDC_MRW_W and CDC_RAM require the MMC GET CONFIGURATION command
and were only probed by cdrom_open_write() at device open time. This
meant that any attempt to compute the writable state from the full
mask at probe time was incorrect, because the GET CONFIGURATION bits
were still unset (and cdi->mask is initialized such that capabilities
are assumed present).
Fix this by factoring the GET CONFIGURATION probing out of
cdrom_open_write() into a new exported helper,
cdrom_probe_write_features(), and having sr call it from sr_probe()
right after get_capabilities() has populated the MODE SENSE bits.
register_cdrom() then calls set_disk_ro() based on the full
write-capability mask (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)
so the block layer reflects the drive's actual write support. The
feature queries used (CDF_MRW and CDF_RWRT via GET CONFIGURATION with
RT=00) report drive-level capabilities that are persistent across
media, so a single probe before register_cdrom() is sufficient and the
redundant probe at open time is dropped.
With set_disk_ro() now accurate, the long-vestigial cd->writeable flag
in sr can go: get_capabilities() used to set cd->writeable based on
the same four mask bits, but because CDC_MRW_W and CDC_RAM default to
"capability present" in cdi->mask and aren't touched by MODE SENSE,
the condition that gated cd->writeable was always true, making it
unconditionally 1. Replace the corresponding gate in sr_init_command()
with get_disk_ro(cd->disk), which turns a previously no-op check into
a real one and also catches kernel-internal bio writers that bypass
blkdev_write_iter()'s bdev_read_only() check.
The sd driver (SCSI disks) does not have this problem because it
checks the MODE SENSE Write Protect bit and calls set_disk_ro()
accordingly. The sr driver cannot use the same approach because the
MMC specification does not define the WP bit in the MODE SENSE
device-specific parameter byte for CD-ROM devices.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daan De Meyer <daan@amutable.com>
Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
Link: https://patch.msgid.link/20260427210139.1400-2-phil@philpotter.co.uk
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cdrom/cdrom.c | 73 ++++++++++++++++++++++++++++---------------
drivers/scsi/sr.c | 11 ++-----
drivers/scsi/sr.h | 1 -
include/linux/cdrom.h | 1 +
4 files changed, 51 insertions(+), 35 deletions(-)
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 54b80911f3e28..2283fd91ff5f8 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -634,6 +634,16 @@ int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi)
WARN_ON(!cdo->generic_packet);
+ /*
+ * Propagate the drive's write support to the block layer so BLKROGET
+ * reflects actual write capability. Drivers that use GET CONFIGURATION
+ * features (CDC_MRW_W, CDC_RAM) must have called
+ * cdrom_probe_write_features() before register_cdrom() so the mask is
+ * complete here.
+ */
+ set_disk_ro(disk, !CDROM_CAN(CDC_DVD_RAM | CDC_MRW_W | CDC_RAM |
+ CDC_CD_RW));
+
cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
mutex_lock(&cdrom_mutex);
list_add(&cdi->list, &cdrom_list);
@@ -748,6 +758,44 @@ static int cdrom_is_random_writable(struct cdrom_device_info *cdi, int *write)
return 0;
}
+/*
+ * Probe write-related MMC features via GET CONFIGURATION and update
+ * cdi->mask accordingly. Drivers that populate cdi->mask from the MODE SENSE
+ * capabilities page (e.g. sr) should call this after those MODE SENSE bits
+ * have been set but before register_cdrom(), so that the full set of
+ * write-capability bits is known by the time register_cdrom() decides on the
+ * initial read-only state of the disk.
+ */
+void cdrom_probe_write_features(struct cdrom_device_info *cdi)
+{
+ int mrw, mrw_write, ram_write;
+
+ mrw = 0;
+ if (!cdrom_is_mrw(cdi, &mrw_write))
+ mrw = 1;
+
+ if (CDROM_CAN(CDC_MO_DRIVE))
+ ram_write = 1;
+ else
+ (void) cdrom_is_random_writable(cdi, &ram_write);
+
+ if (mrw)
+ cdi->mask &= ~CDC_MRW;
+ else
+ cdi->mask |= CDC_MRW;
+
+ if (mrw_write)
+ cdi->mask &= ~CDC_MRW_W;
+ else
+ cdi->mask |= CDC_MRW_W;
+
+ if (ram_write)
+ cdi->mask &= ~CDC_RAM;
+ else
+ cdi->mask |= CDC_RAM;
+}
+EXPORT_SYMBOL(cdrom_probe_write_features);
+
static int cdrom_media_erasable(struct cdrom_device_info *cdi)
{
disc_information di;
@@ -900,33 +948,8 @@ static int cdrom_is_dvd_rw(struct cdrom_device_info *cdi)
*/
static int cdrom_open_write(struct cdrom_device_info *cdi)
{
- int mrw, mrw_write, ram_write;
int ret = 1;
- mrw = 0;
- if (!cdrom_is_mrw(cdi, &mrw_write))
- mrw = 1;
-
- if (CDROM_CAN(CDC_MO_DRIVE))
- ram_write = 1;
- else
- (void) cdrom_is_random_writable(cdi, &ram_write);
-
- if (mrw)
- cdi->mask &= ~CDC_MRW;
- else
- cdi->mask |= CDC_MRW;
-
- if (mrw_write)
- cdi->mask &= ~CDC_MRW_W;
- else
- cdi->mask |= CDC_MRW_W;
-
- if (ram_write)
- cdi->mask &= ~CDC_RAM;
- else
- cdi->mask |= CDC_RAM;
-
if (CDROM_CAN(CDC_MRW_W))
ret = cdrom_mrw_open_write(cdi);
else if (CDROM_CAN(CDC_DVD_RAM))
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index 07ef3db3d1a14..34f243fd2c589 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -395,7 +395,7 @@ static blk_status_t sr_init_command(struct scsi_cmnd *SCpnt)
switch (req_op(rq)) {
case REQ_OP_WRITE:
- if (!cd->writeable)
+ if (get_disk_ro(cd->disk))
goto out;
SCpnt->cmnd[0] = WRITE_10;
cd->cdi.media_written = 1;
@@ -670,6 +670,7 @@ static int sr_probe(struct device *dev)
error = -ENOMEM;
if (get_capabilities(cd))
goto fail_minor;
+ cdrom_probe_write_features(&cd->cdi);
sr_vendor_init(cd);
set_capacity(disk, cd->capacity);
@@ -888,14 +889,6 @@ static int get_capabilities(struct scsi_cd *cd)
/*else I don't think it can close its tray
cd->cdi.mask |= CDC_CLOSE_TRAY; */
- /*
- * if DVD-RAM, MRW-W or CD-RW, we are randomly writable
- */
- if ((cd->cdi.mask & (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)) !=
- (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)) {
- cd->writeable = 1;
- }
-
kfree(buffer);
return 0;
}
diff --git a/drivers/scsi/sr.h b/drivers/scsi/sr.h
index dc899277b3a44..2d92f9cb6fec7 100644
--- a/drivers/scsi/sr.h
+++ b/drivers/scsi/sr.h
@@ -35,7 +35,6 @@ typedef struct scsi_cd {
struct scsi_device *device;
unsigned int vendor; /* vendor code, see sr_vendor.c */
unsigned long ms_offset; /* for reading multisession-CD's */
- unsigned writeable : 1;
unsigned use:1; /* is this device still supportable */
unsigned xa_flag:1; /* CD has XA sectors ? */
unsigned readcd_known:1; /* drive supports READ_CD (0xbe) */
diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h
index fdfb61ccf55ae..b4f2b23744413 100644
--- a/include/linux/cdrom.h
+++ b/include/linux/cdrom.h
@@ -109,6 +109,7 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
extern unsigned int cdrom_check_events(struct cdrom_device_info *cdi,
unsigned int clearing);
+extern void cdrom_probe_write_features(struct cdrom_device_info *cdi);
extern int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi);
extern void unregister_cdrom(struct cdrom_device_info *cdi);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 380/508] netdevsim: zero initialize struct iphdr in dummy sk_buff
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 379/508] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 381/508] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
` (129 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikola Z. Ivanov, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikola Z. Ivanov <zlatistiv@gmail.com>
[ Upstream commit 35eaa6d8d6c2ee65e96f507add856e0eacf24591 ]
Syzbot reports a KMSAN uninit-value originating from
nsim_dev_trap_skb_build, with the allocation also
being performed in the same function.
Fix this by calling skb_put_zero instead of skb_put to
guarantee zero initialization of the whole IP header.
Closes: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
Fixes: da58f90f11f5 ("netdevsim: Add devlink-trap support")
Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260426201434.742030-1-zlatistiv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netdevsim/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index 2614d6509954c..daec92570c2e3 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -758,7 +758,7 @@ static struct sk_buff *nsim_dev_trap_skb_build(void)
skb->protocol = htons(ETH_P_IP);
skb_set_network_header(skb, skb->len);
- iph = skb_put(skb, sizeof(struct iphdr));
+ iph = skb_put_zero(skb, sizeof(struct iphdr));
iph->protocol = IPPROTO_UDP;
iph->saddr = in_aton("192.0.2.1");
iph->daddr = in_aton("198.51.100.1");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 381/508] net/sched: netem: fix probability gaps in 4-state loss model
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 380/508] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 382/508] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
` (128 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 732b463449fd0ef90acd13cda68eab1c91adb00c ]
The 4-state Markov chain in loss_4state() has gaps at the boundaries
between transition probability ranges. The comparisons use:
if (rnd < a4)
else if (a4 < rnd && rnd < a1 + a4)
When rnd equals a boundary value exactly, neither branch matches and
no state transition occurs. The redundant lower-bound check (a4 < rnd)
is already implied by being in the else branch.
Remove the unnecessary lower-bound comparisons so the ranges are
contiguous and every random value produces a transition, matching
the GI (General and Intuitive) loss model specification.
This bug goes back to original implementation of this model.
Fixes: 661b79725fea ("netem: revised correlated loss generator")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-2-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 7361f90c8c1a1..a1b2912e2b6c7 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -226,10 +226,10 @@ static bool loss_4state(struct netem_sched_data *q)
if (rnd < clg->a4) {
clg->state = LOST_IN_GAP_PERIOD;
return true;
- } else if (clg->a4 < rnd && rnd < clg->a1 + clg->a4) {
+ } else if (rnd < clg->a1 + clg->a4) {
clg->state = LOST_IN_BURST_PERIOD;
return true;
- } else if (clg->a1 + clg->a4 < rnd) {
+ } else {
clg->state = TX_IN_GAP_PERIOD;
}
@@ -246,9 +246,9 @@ static bool loss_4state(struct netem_sched_data *q)
case LOST_IN_BURST_PERIOD:
if (rnd < clg->a3)
clg->state = TX_IN_BURST_PERIOD;
- else if (clg->a3 < rnd && rnd < clg->a2 + clg->a3) {
+ else if (rnd < clg->a2 + clg->a3) {
clg->state = TX_IN_GAP_PERIOD;
- } else if (clg->a2 + clg->a3 < rnd) {
+ } else {
clg->state = LOST_IN_BURST_PERIOD;
return true;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 382/508] net/sched: netem: fix queue limit check to include reordered packets
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 381/508] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 383/508] net/sched: netem: only reseed PRNG when seed is explicitly provided Greg Kroah-Hartman
` (127 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 4185701fcce6b426b6c3630b25330dddd9c47b0d ]
The queue limit check in netem_enqueue() uses q->t_len which only
counts packets in the internal tfifo. Packets placed in sch->q by
the reorder path (__qdisc_enqueue_head) are not counted, allowing
the total queue occupancy to exceed sch->limit under reordering.
Include sch->q.qlen in the limit check.
Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-3-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index a1b2912e2b6c7..b3af6a50b43be 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -522,7 +522,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
1 << get_random_u32_below(8);
}
- if (unlikely(q->t_len >= sch->limit)) {
+ if (unlikely(sch->q.qlen >= sch->limit)) {
/* re-link segs, so that qdisc_drop_all() frees them all */
skb->next = segs;
qdisc_drop_all(skb, sch, to_free);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 383/508] net/sched: netem: only reseed PRNG when seed is explicitly provided
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 382/508] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 384/508] net/sched: netem: validate slot configuration Greg Kroah-Hartman
` (126 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 986afaf809940577224a99c3a08d97a15eb37e93 ]
netem_change() unconditionally reseeds the PRNG on every tc change
command. If TCA_NETEM_PRNG_SEED is not specified, a new random seed
is generated, destroying reproducibility for users who set a
deterministic seed on a previous change.
Move the initial random seed generation to netem_init() and only
reseed in netem_change() when TCA_NETEM_PRNG_SEED is explicitly
provided by the user.
Fixes: 4072d97ddc44 ("netem: add prng attribute to netem_sched_data")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-4-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index b3af6a50b43be..e778eb1d1a510 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -1110,11 +1110,10 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
/* capping jitter to the range acceptable by tabledist() */
q->jitter = min_t(s64, abs(q->jitter), INT_MAX);
- if (tb[TCA_NETEM_PRNG_SEED])
+ if (tb[TCA_NETEM_PRNG_SEED]) {
q->prng.seed = nla_get_u64(tb[TCA_NETEM_PRNG_SEED]);
- else
- q->prng.seed = get_random_u64();
- prandom_seed_state(&q->prng.prng_state, q->prng.seed);
+ prandom_seed_state(&q->prng.prng_state, q->prng.seed);
+ }
unlock:
sch_tree_unlock(sch);
@@ -1137,6 +1136,9 @@ static int netem_init(struct Qdisc *sch, struct nlattr *opt,
return -EINVAL;
q->loss_model = CLG_RANDOM;
+ q->prng.seed = get_random_u64();
+ prandom_seed_state(&q->prng.prng_state, q->prng.seed);
+
ret = netem_change(sch, opt, extack);
if (ret)
pr_info("netem: change failed\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 384/508] net/sched: netem: validate slot configuration
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 383/508] net/sched: netem: only reseed PRNG when seed is explicitly provided Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 385/508] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
` (125 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 01801c359a74737b9b1aa28568b60374d857241a ]
Reject slot configurations that have no defensible meaning:
- negative min_delay or max_delay
- min_delay greater than max_delay
- negative dist_delay or dist_jitter
- negative max_packets or max_bytes
Negative or out-of-order delays underflow in get_slot_next(),
producing garbage intervals. Negative limits trip the per-slot
accounting (packets_left/bytes_left <= 0) on the first packet of
every slot, defeating the rate-limiting half of the slot feature.
Note that dist_jitter has been silently coerced to its absolute
value by get_slot() since the feature was introduced; rejecting
negatives here converts that silent coercion into -EINVAL. The
abs() can be removed in a follow-up.
Fixes: 836af83b54e3 ("netem: support delivering packets in delayed time slots")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-5-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index e778eb1d1a510..1bb399cf40328 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -825,6 +825,29 @@ static int get_dist_table(struct disttable **tbl, const struct nlattr *attr)
return 0;
}
+static int validate_slot(const struct nlattr *attr, struct netlink_ext_ack *extack)
+{
+ const struct tc_netem_slot *c = nla_data(attr);
+
+ if (c->min_delay < 0 || c->max_delay < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative slot delay");
+ return -EINVAL;
+ }
+ if (c->min_delay > c->max_delay) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "slot min delay greater than max delay");
+ return -EINVAL;
+ }
+ if (c->dist_delay < 0 || c->dist_jitter < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative dist delay");
+ return -EINVAL;
+ }
+ if (c->max_packets < 0 || c->max_bytes < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative slot limit");
+ return -EINVAL;
+ }
+ return 0;
+}
+
static void get_slot(struct netem_sched_data *q, const struct nlattr *attr)
{
const struct tc_netem_slot *c = nla_data(attr);
@@ -1038,6 +1061,12 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
goto table_free;
}
+ if (tb[TCA_NETEM_SLOT]) {
+ ret = validate_slot(tb[TCA_NETEM_SLOT], extack);
+ if (ret)
+ goto table_free;
+ }
+
sch_tree_lock(sch);
/* backup q->clg and q->loss_model */
old_clg = q->clg;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 385/508] net/sched: netem: fix slot delay calculation overflow
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 384/508] net/sched: netem: validate slot configuration Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 386/508] net/sched: netem: check for negative latency and jitter Greg Kroah-Hartman
` (124 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 51e94e1e2fef351c74d69eb53666df808d26af95 ]
get_slot_next() computes a random delay between min_delay and
max_delay using:
get_random_u32() * (max_delay - min_delay) >> 32
This overflows signed 64-bit arithmetic when the delay range exceeds
approximately 2.1 seconds (2^31 nanoseconds), producing a negative
result that effectively disables slot-based pacing. This is a
realistic configuration for WAN emulation (e.g., slot 1s 5s).
Use mul_u64_u32_shr() which handles the widening multiply without
overflow.
Fixes: 0a9fe5c375b5 ("netem: slotting with non-uniform distribution")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-6-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 1bb399cf40328..b632e6678881a 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -657,9 +657,8 @@ static void get_slot_next(struct netem_sched_data *q, u64 now)
if (!q->slot_dist)
next_delay = q->slot_config.min_delay +
- (get_random_u32() *
- (q->slot_config.max_delay -
- q->slot_config.min_delay) >> 32);
+ mul_u64_u32_shr(q->slot_config.max_delay - q->slot_config.min_delay,
+ get_random_u32(), 32);
else
next_delay = tabledist(q->slot_config.dist_delay,
(s32)(q->slot_config.dist_jitter),
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 386/508] net/sched: netem: check for negative latency and jitter
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 385/508] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 387/508] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
` (123 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 90be9fedb218ee95a1cf59050d1306fbfb0e8b87 ]
Reject requests with negative latency or jitter.
A negative value added to current timestamp (u64) wraps
to an enormous time_to_send, disabling dequeue.
The original UAPI used u32 for these values; the conversion to 64-bit
time values via TCA_NETEM_LATENCY64 and TCA_NETEM_JITTER64
allowed signed values to reach the kernel without validation.
Jitter is already silently clamped by an abs() in netem_change();
that abs() can be removed in a follow-up once this rejection is in
place.
Fixes: 99803171ef04 ("netem: add uapi to express delay and jitter in nanoseconds")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-7-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index b632e6678881a..f8c5c50618085 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -824,6 +824,16 @@ static int get_dist_table(struct disttable **tbl, const struct nlattr *attr)
return 0;
}
+static int validate_time(const struct nlattr *attr, const char *name,
+ struct netlink_ext_ack *extack)
+{
+ if (nla_get_s64(attr) < 0) {
+ NL_SET_ERR_MSG_ATTR_FMT(extack, attr, "negative %s", name);
+ return -EINVAL;
+ }
+ return 0;
+}
+
static int validate_slot(const struct nlattr *attr, struct netlink_ext_ack *extack)
{
const struct tc_netem_slot *c = nla_data(attr);
@@ -1066,6 +1076,18 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
goto table_free;
}
+ if (tb[TCA_NETEM_LATENCY64]) {
+ ret = validate_time(tb[TCA_NETEM_LATENCY64], "latency", extack);
+ if (ret)
+ goto table_free;
+ }
+
+ if (tb[TCA_NETEM_JITTER64]) {
+ ret = validate_time(tb[TCA_NETEM_JITTER64], "jitter", extack);
+ if (ret)
+ goto table_free;
+ }
+
sch_tree_lock(sch);
/* backup q->clg and q->loss_model */
old_clg = q->clg;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 387/508] net/sched: sch_choke: annotate data-races in choke_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 386/508] net/sched: netem: check for negative latency and jitter Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 388/508] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
` (122 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d3aeb889dcbd78e95f500d383799a23d949796e0 ]
choke_dump_stats() only runs with RTNL held.
It reads fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260423062839.2524324-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_choke.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index a919591422085..b27da148ca744 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -229,7 +229,7 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* Draw a packet at random from queue and compare flow */
if (choke_match_random(q, skb, &idx)) {
- q->stats.matched++;
+ WRITE_ONCE(q->stats.matched, q->stats.matched + 1);
choke_drop_by_idx(sch, idx, to_free);
goto congestion_drop;
}
@@ -241,11 +241,13 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_overlimit(sch);
if (use_harddrop(q) || !use_ecn(q) ||
!INET_ECN_set_ce(skb)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
- q->stats.forced_mark++;
+ WRITE_ONCE(q->stats.forced_mark,
+ q->stats.forced_mark + 1);
} else if (++q->vars.qcount) {
if (red_mark_probability(p, &q->vars, q->vars.qavg)) {
q->vars.qcount = 0;
@@ -253,11 +255,13 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_overlimit(sch);
if (!use_ecn(q) || !INET_ECN_set_ce(skb)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
- q->stats.prob_mark++;
+ WRITE_ONCE(q->stats.prob_mark,
+ q->stats.prob_mark + 1);
}
} else
q->vars.qR = red_random(p);
@@ -272,7 +276,7 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return NET_XMIT_SUCCESS;
}
- q->stats.pdrop++;
+ WRITE_ONCE(q->stats.pdrop, q->stats.pdrop + 1);
return qdisc_drop(skb, sch, to_free);
congestion_drop:
@@ -460,10 +464,12 @@ static int choke_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct choke_sched_data *q = qdisc_priv(sch);
struct tc_choke_xstats st = {
- .early = q->stats.prob_drop + q->stats.forced_drop,
- .marked = q->stats.prob_mark + q->stats.forced_mark,
- .pdrop = q->stats.pdrop,
- .matched = q->stats.matched,
+ .early = READ_ONCE(q->stats.prob_drop) +
+ READ_ONCE(q->stats.forced_drop),
+ .marked = READ_ONCE(q->stats.prob_mark) +
+ READ_ONCE(q->stats.forced_mark),
+ .pdrop = READ_ONCE(q->stats.pdrop),
+ .matched = READ_ONCE(q->stats.matched),
};
return gnet_stats_copy_app(d, &st, sizeof(st));
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 388/508] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 387/508] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 389/508] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
` (121 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 59b145771c7982cfe9020d4e9e22da92d6b5ae31 ]
fq_codel_dump_stats() acquires the qdisc spinlock a bit too late.
Move this acquisition before we fill tc_fq_pie_xstats with live data.
Alternative would be to add READ_ONCE() and WRITE_ONCE() annotations,
but the spinlock is needed anyway to scan q->new_flows and q->old_flows.
Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260423063527.2568262-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_fq_pie.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
index 607c580d75e4b..4bd5ca9acc53f 100644
--- a/net/sched/sch_fq_pie.c
+++ b/net/sched/sch_fq_pie.c
@@ -498,18 +498,19 @@ static int fq_pie_dump(struct Qdisc *sch, struct sk_buff *skb)
static int fq_pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct fq_pie_sched_data *q = qdisc_priv(sch);
- struct tc_fq_pie_xstats st = {
- .packets_in = q->stats.packets_in,
- .overlimit = q->stats.overlimit,
- .overmemory = q->overmemory,
- .dropped = q->stats.dropped,
- .ecn_mark = q->stats.ecn_mark,
- .new_flow_count = q->new_flow_count,
- .memory_usage = q->memory_usage,
- };
+ struct tc_fq_pie_xstats st = { 0 };
struct list_head *pos;
sch_tree_lock(sch);
+
+ st.packets_in = q->stats.packets_in;
+ st.overlimit = q->stats.overlimit;
+ st.overmemory = q->overmemory;
+ st.dropped = q->stats.dropped;
+ st.ecn_mark = q->stats.ecn_mark;
+ st.new_flow_count = q->new_flow_count;
+ st.memory_usage = q->memory_usage;
+
list_for_each(pos, &q->new_flows)
st.new_flows_len++;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 389/508] vrf: Fix a potential NPD when removing a port from a VRF
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 388/508] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 390/508] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
` (120 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoze Xie, Yifan Wu, Juefei Pu,
Yuan Tan, Ido Schimmel, David Ahern, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 2674d603a9e6970463b2b9ebcf8e31e90beae169 ]
RCU readers that identified a net device as a VRF port using
netif_is_l3_slave() assume that a subsequent call to
netdev_master_upper_dev_get_rcu() will return a VRF device. They then
continue to dereference its l3mdev operations.
This assumption is not always correct and can result in a NPD [1]. There
is no RCU synchronization when removing a port from a VRF, so it is
possible for an RCU reader to see a new master device (e.g., a bridge)
that does not have l3mdev operations.
Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE
flag. Skip this synchronization when a net device is removed from a VRF
as part of its deletion and when the VRF device itself is deleted. In
the latter case an RCU grace period will pass by the time RTNL is
released.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181)
[...]
Call Trace:
<TASK>
l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189)
__inet_bind (net/ipv4/af_inet.c:499 (discriminator 3))
inet_bind_sk (net/ipv4/af_inet.c:469)
__sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1))
__x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fixes: fdeea7be88b1 ("net: vrf: Set slave's private flag before linking")
Reported-by: Haoze Xie <royenheart@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Closes: https://lore.kernel.org/netdev/20260419145332.3988923-1-n05ec@lzu.edu.cn/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260423063607.1208202-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vrf.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 64114e98d75d0..9f7b05a010519 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -1126,6 +1126,7 @@ static int do_vrf_add_slave(struct net_device *dev, struct net_device *port_dev,
err:
port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
+ synchronize_net();
return ret;
}
@@ -1145,10 +1146,16 @@ static int vrf_add_slave(struct net_device *dev, struct net_device *port_dev,
}
/* inverse of do_vrf_add_slave */
-static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
+static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev,
+ bool needs_sync)
{
netdev_upper_dev_unlink(port_dev, dev);
port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
+ /* Make sure that concurrent RCU readers that identified the device
+ * as a VRF port see a VRF master or no master at all.
+ */
+ if (needs_sync)
+ synchronize_net();
cycle_netdev(port_dev, NULL);
@@ -1157,7 +1164,7 @@ static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
static int vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
{
- return do_vrf_del_slave(dev, port_dev);
+ return do_vrf_del_slave(dev, port_dev, true);
}
static void vrf_dev_uninit(struct net_device *dev)
@@ -1714,7 +1721,7 @@ static void vrf_dellink(struct net_device *dev, struct list_head *head)
struct list_head *iter;
netdev_for_each_lower_dev(dev, port_dev, iter)
- vrf_del_slave(dev, port_dev);
+ do_vrf_del_slave(dev, port_dev, false);
vrf_map_unregister_dev(dev);
@@ -1845,7 +1852,7 @@ static int vrf_device_event(struct notifier_block *unused,
goto out;
vrf_dev = netdev_master_upper_dev_get(dev);
- vrf_del_slave(vrf_dev, dev);
+ do_vrf_del_slave(vrf_dev, dev, false);
}
out:
return NOTIFY_DONE;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 390/508] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 389/508] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 391/508] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
` (119 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3f46c095ac0ca048cb71,
Andrew Lunn, Zhan Jun, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhan Jun <zhanjun@uniontech.com>
[ Upstream commit 23f0e34c64acba15cad4d23e50f41f533da195fa ]
syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()
when accessing skb->len for tx statistics after usb_submit_urb() has
been called:
BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760
drivers/net/usb/rtl8150.c:712
Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226
The URB completion handler write_bulk_callback() frees the skb via
dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU
in softirq context before usb_submit_urb() returns in the submitter,
so by the time the submitter reads skb->len the skb has already been
queued to the per-CPU completion_queue and freed by net_tx_action():
CPU A (xmit) CPU B (USB completion softirq)
------------ ------------------------------
dev->tx_skb = skb;
usb_submit_urb() --+
|-------> write_bulk_callback()
| dev_kfree_skb_irq(dev->tx_skb)
| net_tx_action()
| napi_skb_cache_put() <-- free
netdev->stats.tx_bytes |
+= skb->len; <-- UAF read
Fix it by caching skb->len before submitting the URB and using the
cached value when updating the tx_bytes counter.
The pre-existing tx_bytes semantics are preserved: the counter tracks
the original frame length (skb->len), not the ETH_ZLEN/USB-alignment
padded "count" value that is handed to the device. Changing that
would be a user-visible accounting change and is out of scope for
this UAF fix.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+3f46c095ac0ca048cb71@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e69ee7.050a0220.24bfd3.002b.GAE@google.com/
Closes: https://syzkaller.appspot.com/bug?extid=3f46c095ac0ca048cb71
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Zhan Jun <zhanjun@uniontech.com>
Link: https://patch.msgid.link/809895186B866C10+20260423004913.136655-1-zhangdandan@uniontech.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index e40b0669d9f4b..8700ae392b10a 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -685,6 +685,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
struct net_device *netdev)
{
rtl8150_t *dev = netdev_priv(netdev);
+ unsigned int skb_len;
int count, res;
/* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
@@ -696,6 +697,8 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
return NETDEV_TX_OK;
}
+ skb_len = skb->len;
+
netif_stop_queue(netdev);
dev->tx_skb = skb;
usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
@@ -711,7 +714,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
}
} else {
netdev->stats.tx_packets++;
- netdev->stats.tx_bytes += skb->len;
+ netdev->stats.tx_bytes += skb_len;
netif_trans_update(netdev);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 391/508] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 390/508] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 392/508] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
` (118 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Morduan Zang,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Morduan Zang <zhangdandan@uniontech.com>
[ Upstream commit adbe2cdf75461891e50dbe11896ac78e9af1f874 ]
When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run. The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:
dev->tx_skb = skb;
...
if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
...
/* no kfree_skb here */
}
return NETDEV_TX_OK;
This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.
Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Link: https://patch.msgid.link/E7D3E1C013C5A859+20260424015517.9574-1-zhangdandan@uniontech.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 8700ae392b10a..647f28b367b99 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -712,6 +712,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
netdev->stats.tx_errors++;
netif_start_queue(netdev);
}
+ /*
+ * The URB was not submitted, so write_bulk_callback() will
+ * never run to free dev->tx_skb. Drop the skb here and
+ * clear tx_skb to avoid leaving a stale pointer.
+ */
+ dev->tx_skb = NULL;
+ dev_kfree_skb_any(skb);
} else {
netdev->stats.tx_packets++;
netdev->stats.tx_bytes += skb_len;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 392/508] NFC: trf7970a: Ignore antenna noise when checking for RF field
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 391/508] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 393/508] net/sched: taprio: fix NULL pointer dereference in class dump Greg Kroah-Hartman
` (117 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Geurts, Krzysztof Kozlowski,
Mark Greer, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Geurts <paul.geurts@prodrive-technologies.com>
[ Upstream commit a9bc28aa4e64320668131349436a650bf42591a5 ]
The main channel Received Signal Strength Indicator (RSSI) measurement
is used to determine whether an RF field is present or not. RSSI != 0
is interpreted as an RF Field is present. This does not take RF noise
and measurement inaccuracy into account, and results in false positives
in the field.
Define a noise level and make sure the RF field is only interpreted as
present when the RSSI is above the noise level.
Fixes: 851ee3cbf850 ("NFC: trf7970a: Don't turn on RF if there is already an RF field")
Signed-off-by: Paul Geurts <paul.geurts@prodrive-technologies.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Link: https://patch.msgid.link/20260422100930.581237-1-paul.geurts@prodrive-technologies.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/trf7970a.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c
index 9e1a34e23af26..6b8311f526a5e 100644
--- a/drivers/nfc/trf7970a.c
+++ b/drivers/nfc/trf7970a.c
@@ -311,6 +311,7 @@
#define TRF7970A_RSSI_OSC_STATUS_RSSI_MASK (BIT(2) | BIT(1) | BIT(0))
#define TRF7970A_RSSI_OSC_STATUS_RSSI_X_MASK (BIT(5) | BIT(4) | BIT(3))
#define TRF7970A_RSSI_OSC_STATUS_RSSI_OSC_OK BIT(6)
+#define TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL 1
#define TRF7970A_SPECIAL_FCN_REG1_COL_7_6 BIT(0)
#define TRF7970A_SPECIAL_FCN_REG1_14_ANTICOLL BIT(1)
@@ -1253,7 +1254,7 @@ static int trf7970a_is_rf_field(struct trf7970a *trf, bool *is_rf_field)
if (ret)
return ret;
- if (rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK)
+ if ((rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK) > TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL)
*is_rf_field = true;
else
*is_rf_field = false;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 393/508] net/sched: taprio: fix NULL pointer dereference in class dump
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 392/508] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 394/508] neighbour: add RCU protection to neigh_tables[] Greg Kroah-Hartman
` (116 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 3d07ca5c0fae311226f737963984bd94bb159a87 ]
When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()
is called with new == NULL and stores NULL into q->qdiscs[cl - 1].
Subsequent RTM_GETTCLASS dump operations walk all classes via
taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()
returning the NULL pointer, then dereferences it to read child->handle,
causing a kernel NULL pointer dereference.
The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel
with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user
namespaces enabled, an unprivileged local user can trigger a kernel
panic by creating a taprio qdisc inside a new network namespace,
grafting an explicit child qdisc, deleting it, and requesting a class
dump. The RTM_GETTCLASS dump itself requires no capability.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)
Call Trace:
<TASK>
tc_fill_tclass (net/sched/sch_api.c:1966)
qdisc_class_dump (net/sched/sch_api.c:2326)
taprio_walk (net/sched/sch_taprio.c:2514)
tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)
tc_dump_tclass_root (net/sched/sch_api.c:2370)
tc_dump_tclass (net/sched/sch_api.c:2431)
rtnl_dumpit (net/core/rtnetlink.c:6864)
netlink_dump (net/netlink/af_netlink.c:2325)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Fix this by substituting &noop_qdisc when new is NULL in
taprio_graft(), a common pattern used by other qdiscs (e.g.,
multiq_graft()) to ensure the q->qdiscs[] slots are never NULL.
This makes control-plane dump paths safe without requiring individual
NULL checks.
Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)
previously had explicit NULL guards that would drop/skip the packet
cleanly, update those checks to test for &noop_qdisc instead. Without
this, packets would reach taprio_enqueue_one() which increments the root
qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc
drops the packet but those counters are never rolled back, permanently
inflating the root qdisc's statistics.
After this change *old can be a valid qdisc, NULL, or &noop_qdisc.
Only call qdisc_put(*old) in the first case to avoid decreasing
noop_qdisc's refcount, which was never increased.
Fixes: 665338b2a7a0 ("net/sched: taprio: dump class stats for the actual q->qdiscs[]")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260422161958.2517539-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 6df93d5c2e9d9..c14f9e2d8dc51 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -644,7 +644,7 @@ static int taprio_enqueue(struct sk_buff *skb, struct Qdisc *sch,
queue = skb_get_queue_mapping(skb);
child = q->qdiscs[queue];
- if (unlikely(!child))
+ if (unlikely(child == &noop_qdisc))
return qdisc_drop(skb, sch, to_free);
if (taprio_skb_exceeds_queue_max_sdu(sch, skb)) {
@@ -727,7 +727,7 @@ static struct sk_buff *taprio_dequeue_from_txq(struct Qdisc *sch, int txq,
int len;
u8 tc;
- if (unlikely(!child))
+ if (unlikely(child == &noop_qdisc))
return NULL;
if (TXTIME_ASSIST_IS_ENABLED(q->flags))
@@ -2214,6 +2214,9 @@ static int taprio_graft(struct Qdisc *sch, unsigned long cl,
if (!dev_queue)
return -EINVAL;
+ if (!new)
+ new = &noop_qdisc;
+
if (dev->flags & IFF_UP)
dev_deactivate(dev);
@@ -2227,14 +2230,14 @@ static int taprio_graft(struct Qdisc *sch, unsigned long cl,
*old = q->qdiscs[cl - 1];
if (FULL_OFFLOAD_IS_ENABLED(q->flags)) {
WARN_ON_ONCE(dev_graft_qdisc(dev_queue, new) != *old);
- if (new)
+ if (new != &noop_qdisc)
qdisc_refcount_inc(new);
- if (*old)
+ if (*old && *old != &noop_qdisc)
qdisc_put(*old);
}
q->qdiscs[cl - 1] = new;
- if (new)
+ if (new != &noop_qdisc)
new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
if (dev->flags & IFF_UP)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 394/508] neighbour: add RCU protection to neigh_tables[]
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 393/508] net/sched: taprio: fix NULL pointer dereference in class dump Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 395/508] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
` (115 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f8f2eb9de69a1119117d198547c13d7a1123a5a9 ]
In order to remove RTNL protection from neightbl_dump_info()
and neigh_dump_info() later, we need to add
RCU protection to neigh_tables[].
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 4438113be604 ("neigh: let neigh_xmit take skb ownership")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index e6b36df482bc7..8f45692265ce3 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1774,7 +1774,7 @@ static void neigh_parms_destroy(struct neigh_parms *parms)
static struct lock_class_key neigh_table_proxy_queue_class;
-static struct neigh_table *neigh_tables[NEIGH_NR_TABLES] __read_mostly;
+static struct neigh_table __rcu *neigh_tables[NEIGH_NR_TABLES] __read_mostly;
void neigh_table_init(int index, struct neigh_table *tbl)
{
@@ -1831,13 +1831,19 @@ void neigh_table_init(int index, struct neigh_table *tbl)
tbl->last_flush = now;
tbl->last_rand = now + tbl->parms.reachable_time * 20;
- neigh_tables[index] = tbl;
+ rcu_assign_pointer(neigh_tables[index], tbl);
}
EXPORT_SYMBOL(neigh_table_init);
+/*
+ * Only called from ndisc_cleanup(), which means this is dead code
+ * because we no longer can unload IPv6 module.
+ */
int neigh_table_clear(int index, struct neigh_table *tbl)
{
- neigh_tables[index] = NULL;
+ RCU_INIT_POINTER(neigh_tables[index], NULL);
+ synchronize_rcu();
+
/* It is not clean... Fix it to unload IPv6 module safely */
cancel_delayed_work_sync(&tbl->managed_work);
cancel_delayed_work_sync(&tbl->gc_work);
@@ -1869,10 +1875,10 @@ static struct neigh_table *neigh_find_table(int family)
switch (family) {
case AF_INET:
- tbl = neigh_tables[NEIGH_ARP_TABLE];
+ tbl = rcu_dereference_rtnl(neigh_tables[NEIGH_ARP_TABLE]);
break;
case AF_INET6:
- tbl = neigh_tables[NEIGH_ND_TABLE];
+ tbl = rcu_dereference_rtnl(neigh_tables[NEIGH_ND_TABLE]);
break;
}
@@ -2338,7 +2344,7 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
ndtmsg = nlmsg_data(nlh);
for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
- tbl = neigh_tables[tidx];
+ tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
if (!tbl)
continue;
if (ndtmsg->ndtm_family && tbl->family != ndtmsg->ndtm_family)
@@ -2526,7 +2532,7 @@ static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
struct neigh_parms *p;
- tbl = neigh_tables[tidx];
+ tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
if (!tbl)
continue;
@@ -2887,7 +2893,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
s_t = cb->args[0];
for (t = 0; t < NEIGH_NR_TABLES; t++) {
- tbl = neigh_tables[t];
+ tbl = rcu_dereference_rtnl(neigh_tables[t]);
if (!tbl)
continue;
@@ -3151,14 +3157,15 @@ int neigh_xmit(int index, struct net_device *dev,
const void *addr, struct sk_buff *skb)
{
int err = -EAFNOSUPPORT;
+
if (likely(index < NEIGH_NR_TABLES)) {
struct neigh_table *tbl;
struct neighbour *neigh;
- tbl = neigh_tables[index];
- if (!tbl)
- goto out;
rcu_read_lock();
+ tbl = rcu_dereference(neigh_tables[index]);
+ if (!tbl)
+ goto out_unlock;
if (index == NEIGH_ARP_TABLE) {
u32 key = *((u32 *)addr);
@@ -3174,6 +3181,7 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
}
err = READ_ONCE(neigh->output)(neigh, skb);
+out_unlock:
rcu_read_unlock();
}
else if (index == NEIGH_LINK_TABLE) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 395/508] neigh: let neigh_xmit take skb ownership
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 394/508] neighbour: add RCU protection to neigh_tables[] Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 396/508] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
` (114 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Kuniyuki Iwashima,
Ido Schimmel, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 4438113be604ee67a7bf4f81da6e1cca41332ce4 ]
neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).
sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?
Assume full ownership and remove the last code path that doesn't
xmit or free skb.
Fixes: 4fd3d7d9e868 ("neigh: Add helper function neigh_xmit")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260424145843.74055-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 8f45692265ce3..bc9690a3d60e9 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3164,8 +3164,10 @@ int neigh_xmit(int index, struct net_device *dev,
rcu_read_lock();
tbl = rcu_dereference(neigh_tables[index]);
- if (!tbl)
- goto out_unlock;
+ if (!tbl) {
+ rcu_read_unlock();
+ goto out_kfree_skb;
+ }
if (index == NEIGH_ARP_TABLE) {
u32 key = *((u32 *)addr);
@@ -3181,7 +3183,6 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
}
err = READ_ONCE(neigh->output)(neigh, skb);
-out_unlock:
rcu_read_unlock();
}
else if (index == NEIGH_LINK_TABLE) {
@@ -3191,11 +3192,10 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
err = dev_queue_xmit(skb);
}
-out:
return err;
out_kfree_skb:
kfree_skb(skb);
- goto out;
+ return err;
}
EXPORT_SYMBOL(neigh_xmit);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 396/508] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 395/508] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 397/508] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
` (113 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c39f0bc03f84ba64c9144c95714df1dc36150f6d ]
At parsing UAC3 streams, we allocate a PD object at each time, and
either assign or free it. But there is a case where the PD object may
be leaked; namely, in __snd_usb_parse_audio_interface() loop, when an
audioformat shares the same endpoint with others, it's put to a link
and returns from snd_usb_add_audio_stream(), but the PD is forgotten
afterwards. Overall, the treatment of PD object in the parser code is
a bit flaky, and we should be more careful about the object ownership.
This patch tries to fix the above case and improve the code a bit.
The pd object is now managed with the auto-cleanup in the loop, and
the ownership is updated when the pd object gets assigned to the
stream, which guarantees the release of the leftover object.
Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
Link: https://patch.msgid.link/20260427151508.12544-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 +-
sound/usb/stream.c | 58 ++++++++++++++++++----------------------------
sound/usb/stream.h | 3 ++-
3 files changed, 25 insertions(+), 38 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 847878438b8b7..ed625d5bbe9ab 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -122,7 +122,7 @@ static int add_audio_stream_from_fixed_fmt(struct snd_usb_audio *chip,
snd_usb_audioformat_set_sync_ep(chip, fp);
- err = snd_usb_add_audio_stream(chip, stream, fp);
+ err = snd_usb_add_audio_stream(chip, stream, fp, NULL);
if (err < 0)
return err;
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 920a718f91e68..f964082da3a63 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -79,7 +79,7 @@ static void snd_usb_audio_pcm_free(struct snd_pcm *pcm)
static void snd_usb_init_substream(struct snd_usb_stream *as,
int stream,
struct audioformat *fp,
- struct snd_usb_power_domain *pd)
+ struct snd_usb_power_domain **pdptr)
{
struct snd_usb_substream *subs = &as->substream[stream];
@@ -105,10 +105,11 @@ static void snd_usb_init_substream(struct snd_usb_stream *as,
if (fp->channels > subs->channels_max)
subs->channels_max = fp->channels;
- if (pd) {
- subs->str_pd = pd;
+ if (pdptr && *pdptr) {
+ subs->str_pd = *pdptr;
+ *pdptr = NULL; /* assigned */
/* Initialize Power Domain to idle status D1 */
- snd_usb_power_domain_set(subs->stream->chip, pd,
+ snd_usb_power_domain_set(subs->stream->chip, subs->str_pd,
UAC3_PD_STATE_D1);
}
@@ -486,11 +487,14 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
* if not, create a new pcm stream. note, fp is added to the substream
* fmt_list and will be freed on the chip instance release. do not free
* fp or do remove it from the substream fmt_list to avoid double-free.
+ *
+ * pdptr is optional and can be NULL. When it's non-NULL and the PD gets
+ * assigned to the stream, *pdptr is cleared to NULL upon return.
*/
-static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp,
- struct snd_usb_power_domain *pd)
+int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+ int stream,
+ struct audioformat *fp,
+ struct snd_usb_power_domain **pdptr)
{
struct snd_usb_stream *as;
@@ -523,7 +527,7 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
err = snd_pcm_new_stream(as->pcm, stream, 1);
if (err < 0)
return err;
- snd_usb_init_substream(as, stream, fp, pd);
+ snd_usb_init_substream(as, stream, fp, pdptr);
return add_chmap(as->pcm, stream, subs);
}
@@ -551,7 +555,7 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
else
strcpy(pcm->name, "USB Audio");
- snd_usb_init_substream(as, stream, fp, pd);
+ snd_usb_init_substream(as, stream, fp, pdptr);
/*
* Keep using head insertion for M-Audio Audiophile USB (tm) which has a
@@ -569,21 +573,6 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
return add_chmap(pcm, stream, &as->substream[stream]);
}
-int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp)
-{
- return __snd_usb_add_audio_stream(chip, stream, fp, NULL);
-}
-
-static int snd_usb_add_audio_stream_v3(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp,
- struct snd_usb_power_domain *pd)
-{
- return __snd_usb_add_audio_stream(chip, stream, fp, pd);
-}
-
static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
struct usb_host_interface *alts,
int protocol, int iface_no)
@@ -1102,8 +1091,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
}
}
- if (pd)
- *pd_out = pd;
+ *pd_out = pd;
return fp;
}
@@ -1118,7 +1106,6 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
struct usb_interface_descriptor *altsd;
int i, altno, err, stream;
struct audioformat *fp = NULL;
- struct snd_usb_power_domain *pd = NULL;
bool set_iface_first;
int num, protocol;
@@ -1160,6 +1147,12 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
if (snd_usb_apply_interface_quirk(chip, iface_no, altno))
continue;
+ /* pd may be allocated at snd_usb_get_audioformat_uac3() and
+ * assigned at snd_usb_add_audio_stream(); otherwise it'll be
+ * freed automatically by cleanup at each loop.
+ */
+ struct snd_usb_power_domain *pd __free(kfree) = NULL;
+
/*
* Roland audio streaming interfaces are marked with protocols
* 0/1/2, but are UAC 1 compatible.
@@ -1215,23 +1208,16 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
*has_non_pcm = true;
if ((fp->fmt_type == UAC_FORMAT_TYPE_I) == non_pcm) {
audioformat_free(fp);
- kfree(pd);
fp = NULL;
- pd = NULL;
continue;
}
snd_usb_audioformat_set_sync_ep(chip, fp);
dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
- if (protocol == UAC_VERSION_3)
- err = snd_usb_add_audio_stream_v3(chip, stream, fp, pd);
- else
- err = snd_usb_add_audio_stream(chip, stream, fp);
-
+ err = snd_usb_add_audio_stream(chip, stream, fp, &pd);
if (err < 0) {
audioformat_free(fp);
- kfree(pd);
return err;
}
diff --git a/sound/usb/stream.h b/sound/usb/stream.h
index d92e18d5818fe..61b9a133da018 100644
--- a/sound/usb/stream.h
+++ b/sound/usb/stream.h
@@ -7,7 +7,8 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
int stream,
- struct audioformat *fp);
+ struct audioformat *fp,
+ struct snd_usb_power_domain **pdptr);
#endif /* __USBAUDIO_STREAM_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 397/508] net: mctp i2c: check length before marking flow active
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 396/508] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 398/508] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
` (112 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William A. Kennington III,
Jeremy Kerr, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: William A. Kennington III <william@wkennington.com>
[ Upstream commit 4ca07b9239bd0478ae586632a2ed72be37ed8407 ]
Currently, mctp_i2c_get_tx_flow_state() is called before the packet length
sanity check. This function marks a new flow as active in the MCTP core.
If the sanity check fails, mctp_i2c_xmit() returns early without calling
mctp_i2c_lock_nest(). This results in a mismatched locking state: the
flow is active, but the I2C bus lock was never acquired for it.
When the flow is later released, mctp_i2c_release_flow() will see the
active state and queue an unlock marker. The TX thread will then
decrement midev->i2c_lock_count from 0, causing it to underflow to -1.
This underflow permanently breaks the driver's locking logic, allowing
future transmissions to occur without holding the I2C bus lock, leading
to bus collisions and potential hardware hangs.
Move the mctp_i2c_get_tx_flow_state() call to after the length sanity
check to ensure we only transition the flow state if we are actually
going to proceed with the transmission and locking.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: William A. Kennington III <william@wkennington.com>
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260423074741.201460-1-william@wkennington.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 4 ++--
net/sched/cls_flower.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index 1a7e7397ba75c..8f0b4eb5b6f89 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -461,8 +461,6 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb)
u8 *pecp;
int rc;
- fs = mctp_i2c_get_tx_flow_state(midev, skb);
-
hdr = (void *)skb_mac_header(skb);
/* Sanity check that packet contents matches skb length,
* and can't exceed MCTP_I2C_BUFSZ
@@ -474,6 +472,8 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb)
return;
}
+ fs = mctp_i2c_get_tx_flow_state(midev, skb);
+
if (skb_tailroom(skb) >= 1) {
/* Linear case with space, we can just append the PEC */
skb_put(skb, 1);
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index b00e491e8130d..07259b403e108 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -549,6 +549,7 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
struct netlink_ext_ack *extack)
{
struct cls_fl_head *head = fl_head_dereference(tp);
+ struct fl_flow_mask *mask;
*last = false;
@@ -565,11 +566,12 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
list_del_rcu(&f->list);
spin_unlock(&tp->lock);
- *last = fl_mask_put(head, f->mask);
+ mask = f->mask;
if (!tc_skip_hw(f->flags))
fl_hw_destroy_filter(tp, f, rtnl_held, extack);
tcf_unbind_filter(tp, &f->res);
__fl_put(f);
+ *last = fl_mask_put(head, mask);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 398/508] net: phy: dp83869: fix setting CLK_O_SEL field.
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 397/508] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 399/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings Greg Kroah-Hartman
` (111 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Schocher, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Schocher <hs@nabladev.com>
[ Upstream commit 46f74a3f7d57d9cc0110b09cbc8163fa0a01afa2 ]
Table 7-121 in datasheet says we have to set register 0xc6
to value 0x10 before CLK_O_SEL can be modified. No more infos
about this field found in datasheet. With this fix, setting
of CLK_O_SEL field in IO_MUX_CFG register worked through dts
property "ti,clk-output-sel" on a DP83869HMRGZR.
Signed-off-by: Heiko Schocher <hs@nabladev.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 01db923e8377 ("net: phy: dp83869: Add TI dp83869 phy")
Link: https://patch.msgid.link/20260425031339.3318-1-hs@nabladev.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/dp83869.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c
index 5f056d7db83ee..760785160ab49 100644
--- a/drivers/net/phy/dp83869.c
+++ b/drivers/net/phy/dp83869.c
@@ -31,6 +31,7 @@
#define DP83869_RGMIICTL 0x0032
#define DP83869_STRAP_STS1 0x006e
#define DP83869_RGMIIDCTL 0x0086
+#define DP83869_ANA_PLL_PROG_PI 0x00c6
#define DP83869_RXFCFG 0x0134
#define DP83869_RXFPMD1 0x0136
#define DP83869_RXFPMD2 0x0137
@@ -814,12 +815,22 @@ static int dp83869_config_init(struct phy_device *phydev)
dp83869_config_port_mirroring(phydev);
/* Clock output selection if muxing property is set */
- if (dp83869->clk_output_sel != DP83869_CLK_O_SEL_REF_CLK)
+ if (dp83869->clk_output_sel != DP83869_CLK_O_SEL_REF_CLK) {
+ /*
+ * Table 7-121 in datasheet says we have to set register 0xc6
+ * to value 0x10 before CLK_O_SEL can be modified.
+ */
+ ret = phy_write_mmd(phydev, DP83869_DEVADDR,
+ DP83869_ANA_PLL_PROG_PI, 0x10);
+ if (ret)
+ return ret;
+
ret = phy_modify_mmd(phydev,
DP83869_DEVADDR, DP83869_IO_MUX_CFG,
DP83869_IO_MUX_CFG_CLK_O_SEL_MASK,
dp83869->clk_output_sel <<
DP83869_IO_MUX_CFG_CLK_O_SEL_SHIFT);
+ }
if (phy_interface_is_rgmii(phydev)) {
ret = phy_write_mmd(phydev, DP83869_DEVADDR, DP83869_RGMIIDCTL,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 399/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 398/508] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 400/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 " Greg Kroah-Hartman
` (110 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 8d80b293b41fcb5e9396db93e788b0f4ebcbafb7 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 1b61de45dfaf ("drm/amdgpu: add initial VCN2.0 support (v2)")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e2b5499fca55f1a32960a311bbb62e35891eaf73)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
index 2505951ad06a0..1a9c8e9e854df 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
@@ -2014,6 +2014,7 @@ static const struct amd_ip_funcs vcn_v2_0_ip_funcs = {
static const struct amdgpu_ring_funcs vcn_v2_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0xf,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v2_0_dec_ring_get_rptr,
.get_wptr = vcn_v2_0_dec_ring_get_wptr,
@@ -2045,6 +2046,7 @@ static const struct amdgpu_ring_funcs vcn_v2_0_enc_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v2_0_enc_ring_get_rptr,
.get_wptr = vcn_v2_0_enc_ring_get_wptr,
.set_wptr = vcn_v2_0_enc_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 400/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 399/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 401/508] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 " Greg Kroah-Hartman
` (109 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 4f317863a3ab212a027d8c8c3cc3af4e3fb95704 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 28c17d72072b ("drm/amdgpu: add VCN2.5 basic supports")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit efc9dd5590894109bce9a0bfe1fa5592dd6b20b1)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
index 6fbea38f4d3e1..fa0459ed079ca 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
@@ -1573,6 +1573,7 @@ static void vcn_v2_5_dec_ring_set_wptr(struct amdgpu_ring *ring)
static const struct amdgpu_ring_funcs vcn_v2_5_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0xf,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v2_5_dec_ring_get_rptr,
.get_wptr = vcn_v2_5_dec_ring_get_wptr,
@@ -1673,6 +1674,7 @@ static const struct amdgpu_ring_funcs vcn_v2_5_enc_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v2_5_enc_ring_get_rptr,
.get_wptr = vcn_v2_5_enc_ring_get_wptr,
.set_wptr = vcn_v2_5_enc_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 401/508] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 400/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 " Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 402/508] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring Greg Kroah-Hartman
` (108 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit f1e5a6660d7cbf006079126d9babbf0ccf538c6b ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: cf14826cdfb5 ("drm/amdgpu: add VCN3.0 support for Sienna_Cichlid")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 663bed3c7b8b9a7624b0d95d300ddae034ad0614)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
index c9345da548a61..37b93af917fe2 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1737,6 +1737,7 @@ static const struct amdgpu_ring_funcs vcn_v3_0_dec_sw_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0x3f,
.nop = VCN_DEC_SW_CMD_NO_OP,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v3_0_dec_ring_get_rptr,
.get_wptr = vcn_v3_0_dec_ring_get_wptr,
@@ -1918,6 +1919,7 @@ static int vcn_v3_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
static const struct amdgpu_ring_funcs vcn_v3_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0xf,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v3_0_dec_ring_get_rptr,
.get_wptr = vcn_v3_0_dec_ring_get_wptr,
@@ -2019,6 +2021,7 @@ static const struct amdgpu_ring_funcs vcn_v3_0_enc_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v3_0_enc_ring_get_rptr,
.get_wptr = vcn_v3_0_enc_ring_get_wptr,
.set_wptr = vcn_v3_0_enc_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 402/508] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 401/508] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 " Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 403/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring Greg Kroah-Hartman
` (107 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 4532b52b34e4e4310386e6fdf6a643368599f522 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: b889ef4ac988 ("drm/amdgpu/vcn: add vcn support for VCN4_0_3")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ff1a5a125c5a70c328806b9bc01d7d942cf3f9aa)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
index d1141a9baa916..3379469ab04c1 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
@@ -1423,6 +1423,7 @@ static const struct amdgpu_ring_funcs vcn_v4_0_3_unified_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v4_0_3_unified_ring_get_rptr,
.get_wptr = vcn_v4_0_3_unified_ring_get_wptr,
.set_wptr = vcn_v4_0_3_unified_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 403/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 402/508] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 404/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring Greg Kroah-Hartman
` (106 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit e5f612dc91650561fe2b5b76dd6d2898ec9ad480 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: 6ac27241106b ("drm/amdgpu: add JPEG v2.0 function supports")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 96179da0c6b059eb31706a0abe8dd6381c533143)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
index fbe57499495ec..c2b9829c12fd9 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
@@ -764,6 +764,7 @@ static const struct amd_ip_funcs jpeg_v2_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v2_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v2_0_dec_ring_get_rptr,
.get_wptr = jpeg_v2_0_dec_ring_get_wptr,
.set_wptr = jpeg_v2_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 404/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 403/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 405/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring Greg Kroah-Hartman
` (105 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 79405e774ede411c6b47ed41c651e40b92de64a2 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: 14f43e8f88c5 ("drm/amdgpu: move JPEG2.5 out from VCN2.5")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3216a7f4e2642bda5fd14f57586e835ae9202587)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
index aadb74de52bcf..1d2e5201bbca1 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
@@ -657,6 +657,7 @@ static const struct amd_ip_funcs jpeg_v2_6_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v2_5_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v2_5_dec_ring_get_rptr,
.get_wptr = jpeg_v2_5_dec_ring_get_wptr,
.set_wptr = jpeg_v2_5_dec_ring_set_wptr,
@@ -686,6 +687,7 @@ static const struct amdgpu_ring_funcs jpeg_v2_5_dec_ring_vm_funcs = {
static const struct amdgpu_ring_funcs jpeg_v2_6_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v2_5_dec_ring_get_rptr,
.get_wptr = jpeg_v2_5_dec_ring_get_wptr,
.set_wptr = jpeg_v2_5_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 405/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 404/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 406/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring Greg Kroah-Hartman
` (104 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit a2baf12eec41f246689e6a3f8619af1200031576 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: dfd57dbf44dd ("drm/amdgpu: add JPEG3.0 support for Sienna_Cichlid")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4d7d774f100efb5089c86a1fb8c5bf47c63fc9ef)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
index df4440c21bbf4..f587664cf31a7 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
@@ -562,6 +562,7 @@ static const struct amd_ip_funcs jpeg_v3_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v3_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v3_0_dec_ring_get_rptr,
.get_wptr = jpeg_v3_0_dec_ring_get_wptr,
.set_wptr = jpeg_v3_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 406/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 405/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 407/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring Greg Kroah-Hartman
` (103 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit e7e90b5839aeb8805ec83bb4da610b8dab8e184d ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: b13111de32a9 ("drm/amdgpu/jpeg: add jpeg support for VCN4_0_0")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8d0cac9478a3f046279c657d6a2545de49ae675a)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
index 3eb3dcd56b579..9d4eb9c8885f1 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
@@ -722,6 +722,7 @@ static const struct amd_ip_funcs jpeg_v4_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v4_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v4_0_dec_ring_get_rptr,
.get_wptr = jpeg_v4_0_dec_ring_get_wptr,
.set_wptr = jpeg_v4_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 407/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 406/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 408/508] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
` (102 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 83e37c0987ca92f9e87789b46dd311dcf5a4a6c8 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: e684e654eba9 ("drm/amdgpu/jpeg: add jpeg support for VCN4_0_3")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2f6afc97d259d530f4f86c7743efbc573a8da927)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
index 78aaaee492e11..210177c738554 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
@@ -1054,6 +1054,7 @@ static const struct amd_ip_funcs jpeg_v4_0_3_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v4_0_3_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v4_0_3_dec_ring_get_rptr,
.get_wptr = jpeg_v4_0_3_dec_ring_get_wptr,
.set_wptr = jpeg_v4_0_3_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 408/508] ASoC: codecs: ab8500: Fix casting of private data
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 407/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 409/508] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
` (101 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt,
Uwe Kleine-König , Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
[ Upstream commit a201aef1a88b675e9eb8487e27d14e2eef3cef80 ]
ab8500_filter_controls[i].private_value is initialized using
.private_value = (unsigned long)&(struct filter_control)
{.count = xcount, .min = xmin, .max = xmax}
thus it's a pointer to a struct filter_control casted to unsigned long.
So to get back that pointer .private_data must be cast back, not its
address.
Fixes: 679d7abdc754 ("ASoC: codecs: Add AB8500 codec-driver")
Signed-off-by: Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260428192255.2294705-2-u.kleine-koenig@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ab8500-codec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/codecs/ab8500-codec.c b/sound/soc/codecs/ab8500-codec.c
index 68342917419e4..42e448978c4a0 100644
--- a/sound/soc/codecs/ab8500-codec.c
+++ b/sound/soc/codecs/ab8500-codec.c
@@ -2496,13 +2496,13 @@ static int ab8500_codec_probe(struct snd_soc_component *component)
return status;
}
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_ANC_FIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_ANC_FIR].private_value;
drvdata->anc_fir_values = (long *)fc->value;
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_ANC_IIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_ANC_IIR].private_value;
drvdata->anc_iir_values = (long *)fc->value;
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_SID_FIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_SID_FIR].private_value;
drvdata->sid_fir_values = (long *)fc->value;
snd_soc_dapm_disable_pin(dapm, "ANC Configure Input");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 409/508] netfilter: skip recording stale or retransmitted INIT
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 408/508] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 410/508] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
` (100 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Florian Westphal, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 576a5d2bad4814c881a829576b1261b9b8159d2b ]
An INIT whose init_tag matches the peer's vtag does not provide new state
information. It indicates either:
- a stale INIT (after INIT-ACK has already been seen on the same side), or
- a retransmitted INIT (after INIT has already been recorded on the same
side).
In both cases, the INIT must not update ct->proto.sctp.init[] state, since
it does not advance the handshake tracking and may otherwise corrupt
INIT/INIT-ACK validation logic.
Allow INIT processing only when the conntrack entry is newly created
(SCTP_CONNTRACK_NONE), or when the init_tag differs from the stored peer
vtag.
Note it skips the check for the ct with old_state SCTP_CONNTRACK_NONE in
nf_conntrack_sctp_packet(), as it is just created in sctp_new() where it
set ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag.
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/ee56c3e416452b2a40589a2a85245ac2ad5e9f4b.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index fabb2c1ca00ab..0dd55d3fba38d 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -471,9 +471,13 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
if (!ih)
goto out_unlock;
- if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
- ct->proto.sctp.init[!dir] = 0;
- ct->proto.sctp.init[dir] = 1;
+ /* Do not record INIT matching peer vtag (stale or retransmitted INIT). */
+ if (old_state == SCTP_CONNTRACK_NONE ||
+ ct->proto.sctp.vtag[!dir] != ih->init_tag) {
+ if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
+ ct->proto.sctp.init[!dir] = 0;
+ ct->proto.sctp.init[dir] = 1;
+ }
pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir);
ct->proto.sctp.vtag[!dir] = ih->init_tag;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 410/508] sctp: discard stale INIT after handshake completion
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 409/508] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 411/508] ipv4: rename and move ip_route_output_tunnel() Greg Kroah-Hartman
` (99 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 8a92cb475ca90d84db769e4d4383e631ace0d6e5 ]
After an association reaches ESTABLISHED, the peer’s init_tag is already
known from the handshake. Any subsequent INIT with the same init_tag is
not a valid restart, but a delayed or duplicate INIT.
Drop such INIT chunks in sctp_sf_do_unexpected_init() instead of
processing them as new association attempts.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/5788c76c1ee122a3ed00189e88dcf9df1fba226c.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index e0e626dc79535..5e9449b0c7907 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1555,6 +1555,12 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
/* Tag the variable length parameters. */
chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
+ if (asoc->state >= SCTP_STATE_ESTABLISHED) {
+ /* Discard INIT matching peer vtag after handshake completion (stale INIT). */
+ if (ntohl(chunk->subh.init_hdr->init_tag) == asoc->peer.i.init_tag)
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ }
+
/* Verify the INIT chunk before processing it. */
err_chunk = NULL;
if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 411/508] ipv4: rename and move ip_route_output_tunnel()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 410/508] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 412/508] ipv4: remove "proto" argument from udp_tunnel_dst_lookup() Greg Kroah-Hartman
` (98 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit bf3fcbf7e7a08015d3b169bad6281b29d45c272d ]
At the moment ip_route_output_tunnel() is used only by bareudp.
Ideally, other UDP tunnel implementations should use it, but to do so
the function needs to accept new parameters that are specific for UDP
tunnels, such as the ports.
Prepare for these changes by renaming the function to
udp_tunnel_dst_lookup() and move it to file
net/ipv4/udp_tunnel_core.c.
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 8 +++----
include/net/route.h | 6 -----
include/net/udp_tunnel.h | 6 +++++
net/ipv4/route.c | 48 --------------------------------------
net/ipv4/udp_tunnel_core.c | 48 ++++++++++++++++++++++++++++++++++++++
5 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index cfbc0240126ef..bbc246d27f88a 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -325,8 +325,8 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
if (!sock)
return -ESHUTDOWN;
- rt = ip_route_output_tunnel(skb, dev, bareudp->net, &saddr, info,
- IPPROTO_UDP, use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr, info,
+ IPPROTO_UDP, use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
@@ -505,8 +505,8 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct rtable *rt;
__be32 saddr;
- rt = ip_route_output_tunnel(skb, dev, bareudp->net, &saddr,
- info, IPPROTO_UDP, use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr,
+ info, IPPROTO_UDP, use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
diff --git a/include/net/route.h b/include/net/route.h
index 27c17aff0bbe1..22d8095a3a81e 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -136,12 +136,6 @@ static inline struct rtable *__ip_route_output_key(struct net *net,
struct rtable *ip_route_output_flow(struct net *, struct flowi4 *flp,
const struct sock *sk);
-struct rtable *ip_route_output_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache);
-
struct dst_entry *ipv4_blackhole_route(struct net *net,
struct dst_entry *dst_orig);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index 0e6eb40cd7778..42a03485c5975 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -161,6 +161,12 @@ int udp_tunnel6_xmit_skb(struct dst_entry *dst, struct sock *sk,
void udp_tunnel_sock_release(struct socket *sock);
+struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net, __be32 *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol, bool use_cache);
+
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
int md_size);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 55ea367f95b3b..f134c59f839e2 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2918,54 +2918,6 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4,
}
EXPORT_SYMBOL_GPL(ip_route_output_flow);
-struct rtable *ip_route_output_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache)
-{
-#ifdef CONFIG_DST_CACHE
- struct dst_cache *dst_cache;
-#endif
- struct rtable *rt = NULL;
- struct flowi4 fl4;
- __u8 tos;
-
-#ifdef CONFIG_DST_CACHE
- dst_cache = (struct dst_cache *)&info->dst_cache;
- if (use_cache) {
- rt = dst_cache_get_ip4(dst_cache, saddr);
- if (rt)
- return rt;
- }
-#endif
- memset(&fl4, 0, sizeof(fl4));
- fl4.flowi4_mark = skb->mark;
- fl4.flowi4_proto = protocol;
- fl4.daddr = info->key.u.ipv4.dst;
- fl4.saddr = info->key.u.ipv4.src;
- tos = info->key.tos;
- fl4.flowi4_tos = RT_TOS(tos);
-
- rt = ip_route_output_key(net, &fl4);
- if (IS_ERR(rt)) {
- netdev_dbg(dev, "no route to %pI4\n", &fl4.daddr);
- return ERR_PTR(-ENETUNREACH);
- }
- if (rt->dst.dev == dev) { /* is this necessary? */
- netdev_dbg(dev, "circular route to %pI4\n", &fl4.daddr);
- ip_rt_put(rt);
- return ERR_PTR(-ELOOP);
- }
-#ifdef CONFIG_DST_CACHE
- if (use_cache)
- dst_cache_set_ip4(dst_cache, &rt->dst, fl4.saddr);
-#endif
- *saddr = fl4.saddr;
- return rt;
-}
-EXPORT_SYMBOL_GPL(ip_route_output_tunnel);
-
/* called with rcu_read_lock held */
static int rt_fill_info(struct net *net, __be32 dst, __be32 src,
struct rtable *rt, u32 table_id, dscp_t dscp,
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index 1e7e4aecdc48a..96f93f92b6ced 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -204,4 +204,52 @@ struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
}
EXPORT_SYMBOL_GPL(udp_tun_rx_dst);
+struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net, __be32 *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol, bool use_cache)
+{
+#ifdef CONFIG_DST_CACHE
+ struct dst_cache *dst_cache;
+#endif
+ struct rtable *rt = NULL;
+ struct flowi4 fl4;
+ __u8 tos;
+
+#ifdef CONFIG_DST_CACHE
+ dst_cache = (struct dst_cache *)&info->dst_cache;
+ if (use_cache) {
+ rt = dst_cache_get_ip4(dst_cache, saddr);
+ if (rt)
+ return rt;
+ }
+#endif
+ memset(&fl4, 0, sizeof(fl4));
+ fl4.flowi4_mark = skb->mark;
+ fl4.flowi4_proto = protocol;
+ fl4.daddr = info->key.u.ipv4.dst;
+ fl4.saddr = info->key.u.ipv4.src;
+ tos = info->key.tos;
+ fl4.flowi4_tos = RT_TOS(tos);
+
+ rt = ip_route_output_key(net, &fl4);
+ if (IS_ERR(rt)) {
+ netdev_dbg(dev, "no route to %pI4\n", &fl4.daddr);
+ return ERR_PTR(-ENETUNREACH);
+ }
+ if (rt->dst.dev == dev) { /* is this necessary? */
+ netdev_dbg(dev, "circular route to %pI4\n", &fl4.daddr);
+ ip_rt_put(rt);
+ return ERR_PTR(-ELOOP);
+ }
+#ifdef CONFIG_DST_CACHE
+ if (use_cache)
+ dst_cache_set_ip4(dst_cache, &rt->dst, fl4.saddr);
+#endif
+ *saddr = fl4.saddr;
+ return rt;
+}
+EXPORT_SYMBOL_GPL(udp_tunnel_dst_lookup);
+
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 412/508] ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 411/508] ipv4: rename and move ip_route_output_tunnel() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 413/508] ipv4: add new arguments to udp_tunnel_dst_lookup() Greg Kroah-Hartman
` (97 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit 78f3655adcb52412275f282267ee771421731632 ]
The function is now UDP-specific, the protocol is always IPPROTO_UDP.
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 4 ++--
include/net/udp_tunnel.h | 2 +-
net/ipv4/udp_tunnel_core.c | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index bbc246d27f88a..1a9a43ed462a8 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -326,7 +326,7 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
return -ESHUTDOWN;
rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr, info,
- IPPROTO_UDP, use_cache);
+ use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
@@ -506,7 +506,7 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
__be32 saddr;
rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr,
- info, IPPROTO_UDP, use_cache);
+ info, use_cache);
if (IS_ERR(rt))
return PTR_ERR(rt);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index 42a03485c5975..fd664b2001053 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -165,7 +165,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
struct net *net, __be32 *saddr,
const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache);
+ bool use_cache);
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index 96f93f92b6ced..9b0cfd72d5fda 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -208,7 +208,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
struct net *net, __be32 *saddr,
const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache)
+ bool use_cache)
{
#ifdef CONFIG_DST_CACHE
struct dst_cache *dst_cache;
@@ -227,7 +227,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
#endif
memset(&fl4, 0, sizeof(fl4));
fl4.flowi4_mark = skb->mark;
- fl4.flowi4_proto = protocol;
+ fl4.flowi4_proto = IPPROTO_UDP;
fl4.daddr = info->key.u.ipv4.dst;
fl4.saddr = info->key.u.ipv4.src;
tos = info->key.tos;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 413/508] ipv4: add new arguments to udp_tunnel_dst_lookup()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 412/508] ipv4: remove "proto" argument from udp_tunnel_dst_lookup() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 414/508] ipv6: rename and move ip6_dst_lookup_tunnel() Greg Kroah-Hartman
` (96 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit 72fc68c6356b663a8763f02d9b0ec773d59a4949 ]
We want to make the function more generic so that it can be used by
other UDP tunnel implementations such as geneve and vxlan. To do that,
add the following arguments:
- source and destination UDP port;
- ifindex of the output interface, needed by vxlan;
- the tos, because in some cases it is not taken from struct
ip_tunnel_info (for example, when it's inherited from the inner
packet);
- the dst cache, because not all tunnel types (e.g. vxlan) want to
use the one from struct ip_tunnel_info.
With these parameters, the function no longer needs the full struct
ip_tunnel_info as argument and we can pass only the relevant part of
it (struct ip_tunnel_key).
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 11 +++++++----
include/net/udp_tunnel.h | 8 +++++---
net/ipv4/udp_tunnel_core.c | 26 +++++++++++++-------------
3 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 1a9a43ed462a8..385cc386ecaee 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -325,8 +325,10 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
if (!sock)
return -ESHUTDOWN;
- rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr, info,
- use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, 0, &saddr, &info->key,
+ 0, 0, key->tos,
+ use_cache ?
+ (struct dst_cache *)&info->dst_cache : NULL);
if (IS_ERR(rt))
return PTR_ERR(rt);
@@ -505,8 +507,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct rtable *rt;
__be32 saddr;
- rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, &saddr,
- info, use_cache);
+ rt = udp_tunnel_dst_lookup(skb, dev, bareudp->net, 0, &saddr,
+ &info->key, 0, 0, info->key.tos,
+ use_cache ? &info->dst_cache : NULL);
if (IS_ERR(rt))
return PTR_ERR(rt);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index fd664b2001053..a8ff2613fabc2 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -163,9 +163,11 @@ void udp_tunnel_sock_release(struct socket *sock);
struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- bool use_cache);
+ struct net *net, int oif,
+ __be32 *saddr,
+ const struct ip_tunnel_key *key,
+ __be16 sport, __be16 dport, u8 tos,
+ struct dst_cache *dst_cache);
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index 9b0cfd72d5fda..494685e828563 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -206,31 +206,31 @@ EXPORT_SYMBOL_GPL(udp_tun_rx_dst);
struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
struct net_device *dev,
- struct net *net, __be32 *saddr,
- const struct ip_tunnel_info *info,
- bool use_cache)
+ struct net *net, int oif,
+ __be32 *saddr,
+ const struct ip_tunnel_key *key,
+ __be16 sport, __be16 dport, u8 tos,
+ struct dst_cache *dst_cache)
{
-#ifdef CONFIG_DST_CACHE
- struct dst_cache *dst_cache;
-#endif
struct rtable *rt = NULL;
struct flowi4 fl4;
- __u8 tos;
#ifdef CONFIG_DST_CACHE
- dst_cache = (struct dst_cache *)&info->dst_cache;
- if (use_cache) {
+ if (dst_cache) {
rt = dst_cache_get_ip4(dst_cache, saddr);
if (rt)
return rt;
}
#endif
+
memset(&fl4, 0, sizeof(fl4));
fl4.flowi4_mark = skb->mark;
fl4.flowi4_proto = IPPROTO_UDP;
- fl4.daddr = info->key.u.ipv4.dst;
- fl4.saddr = info->key.u.ipv4.src;
- tos = info->key.tos;
+ fl4.flowi4_oif = oif;
+ fl4.daddr = key->u.ipv4.dst;
+ fl4.saddr = key->u.ipv4.src;
+ fl4.fl4_dport = dport;
+ fl4.fl4_sport = sport;
fl4.flowi4_tos = RT_TOS(tos);
rt = ip_route_output_key(net, &fl4);
@@ -244,7 +244,7 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
return ERR_PTR(-ELOOP);
}
#ifdef CONFIG_DST_CACHE
- if (use_cache)
+ if (dst_cache)
dst_cache_set_ip4(dst_cache, &rt->dst, fl4.saddr);
#endif
*saddr = fl4.saddr;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 414/508] ipv6: rename and move ip6_dst_lookup_tunnel()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 413/508] ipv4: add new arguments to udp_tunnel_dst_lookup() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 415/508] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
` (95 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Nault, Beniamino Galvani,
David Ahern, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beniamino Galvani <b.galvani@gmail.com>
[ Upstream commit fc47e86dbfb75a864c0c9dd8e78affb6506296bb ]
At the moment ip6_dst_lookup_tunnel() is used only by bareudp.
Ideally, other UDP tunnel implementations should use it, but to do so
the function needs to accept new parameters that are specific for UDP
tunnels, such as the ports.
Prepare for these changes by renaming the function to
udp_tunnel6_dst_lookup() and move it to file
net/ipv6/ip6_udp_tunnel.c.
This is similar to what already done for IPv4 in commit bf3fcbf7e7a0
("ipv4: rename and move ip_route_output_tunnel()").
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Beniamino Galvani <b.galvani@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: aa6c6d9ee064 ("bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 10 +++---
include/net/ipv6.h | 6 ----
include/net/udp_tunnel.h | 7 ++++
net/ipv6/ip6_output.c | 68 --------------------------------------
net/ipv6/ip6_udp_tunnel.c | 69 +++++++++++++++++++++++++++++++++++++++
5 files changed, 81 insertions(+), 79 deletions(-)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 385cc386ecaee..150049d9a81a7 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -393,8 +393,8 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
if (!sock)
return -ESHUTDOWN;
- dst = ip6_dst_lookup_tunnel(skb, dev, bareudp->net, sock, &saddr, info,
- IPPROTO_UDP, use_cache);
+ dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, &saddr, info,
+ IPPROTO_UDP, use_cache);
if (IS_ERR(dst))
return PTR_ERR(dst);
@@ -520,9 +520,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct in6_addr saddr;
struct socket *sock = rcu_dereference(bareudp->sock);
- dst = ip6_dst_lookup_tunnel(skb, dev, bareudp->net, sock,
- &saddr, info, IPPROTO_UDP,
- use_cache);
+ dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock,
+ &saddr, info, IPPROTO_UDP,
+ use_cache);
if (IS_ERR(dst))
return PTR_ERR(dst);
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index d98f5390ffad3..3645776d71c9c 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -1133,12 +1133,6 @@ struct dst_entry *ip6_dst_lookup_flow(struct net *net, const struct sock *sk, st
struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
const struct in6_addr *final_dst,
bool connected);
-struct dst_entry *ip6_dst_lookup_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net, struct socket *sock,
- struct in6_addr *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol, bool use_cache);
struct dst_entry *ip6_blackhole_route(struct net *net,
struct dst_entry *orig_dst);
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index a8ff2613fabc2..6818a59a1ebcb 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -168,6 +168,13 @@ struct rtable *udp_tunnel_dst_lookup(struct sk_buff *skb,
const struct ip_tunnel_key *key,
__be16 sport, __be16 dport, u8 tos,
struct dst_cache *dst_cache);
+struct dst_entry *udp_tunnel6_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net,
+ struct socket *sock,
+ struct in6_addr *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol, bool use_cache);
struct metadata_dst *udp_tun_rx_dst(struct sk_buff *skb, unsigned short family,
__be16 flags, __be64 tunnel_id,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index a824c707dffff..710aadbb2e267 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1307,74 +1307,6 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
}
EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
-/**
- * ip6_dst_lookup_tunnel - perform route lookup on tunnel
- * @skb: Packet for which lookup is done
- * @dev: Tunnel device
- * @net: Network namespace of tunnel device
- * @sock: Socket which provides route info
- * @saddr: Memory to store the src ip address
- * @info: Tunnel information
- * @protocol: IP protocol
- * @use_cache: Flag to enable cache usage
- * This function performs a route lookup on a tunnel
- *
- * It returns a valid dst pointer and stores src address to be used in
- * tunnel in param saddr on success, else a pointer encoded error code.
- */
-
-struct dst_entry *ip6_dst_lookup_tunnel(struct sk_buff *skb,
- struct net_device *dev,
- struct net *net,
- struct socket *sock,
- struct in6_addr *saddr,
- const struct ip_tunnel_info *info,
- u8 protocol,
- bool use_cache)
-{
- struct dst_entry *dst = NULL;
-#ifdef CONFIG_DST_CACHE
- struct dst_cache *dst_cache;
-#endif
- struct flowi6 fl6;
- __u8 prio;
-
-#ifdef CONFIG_DST_CACHE
- dst_cache = (struct dst_cache *)&info->dst_cache;
- if (use_cache) {
- dst = dst_cache_get_ip6(dst_cache, saddr);
- if (dst)
- return dst;
- }
-#endif
- memset(&fl6, 0, sizeof(fl6));
- fl6.flowi6_mark = skb->mark;
- fl6.flowi6_proto = protocol;
- fl6.daddr = info->key.u.ipv6.dst;
- fl6.saddr = info->key.u.ipv6.src;
- prio = info->key.tos;
- fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label);
-
- dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6,
- NULL);
- if (IS_ERR(dst)) {
- netdev_dbg(dev, "no route to %pI6\n", &fl6.daddr);
- return ERR_PTR(-ENETUNREACH);
- }
- if (dst->dev == dev) { /* is this necessary? */
- netdev_dbg(dev, "circular route to %pI6\n", &fl6.daddr);
- dst_release(dst);
- return ERR_PTR(-ELOOP);
- }
-#ifdef CONFIG_DST_CACHE
- if (use_cache)
- dst_cache_set_ip6(dst_cache, dst, &fl6.saddr);
-#endif
- *saddr = fl6.saddr;
- return dst;
-}
-EXPORT_SYMBOL_GPL(ip6_dst_lookup_tunnel);
-
static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src,
gfp_t gfp)
{
diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
index cdc4d4ee24206..7aef559e60ec5 100644
--- a/net/ipv6/ip6_udp_tunnel.c
+++ b/net/ipv6/ip6_udp_tunnel.c
@@ -1,3 +1,4 @@
+
// SPDX-License-Identifier: GPL-2.0-only
#include <linux/module.h>
#include <linux/errno.h>
@@ -111,4 +112,72 @@ int udp_tunnel6_xmit_skb(struct dst_entry *dst, struct sock *sk,
}
EXPORT_SYMBOL_GPL(udp_tunnel6_xmit_skb);
+/**
+ * udp_tunnel6_dst_lookup - perform route lookup on UDP tunnel
+ * @skb: Packet for which lookup is done
+ * @dev: Tunnel device
+ * @net: Network namespace of tunnel device
+ * @sock: Socket which provides route info
+ * @saddr: Memory to store the src ip address
+ * @info: Tunnel information
+ * @protocol: IP protocol
+ * @use_cache: Flag to enable cache usage
+ * This function performs a route lookup on a UDP tunnel
+ *
+ * It returns a valid dst pointer and stores src address to be used in
+ * tunnel in param saddr on success, else a pointer encoded error code.
+ */
+
+struct dst_entry *udp_tunnel6_dst_lookup(struct sk_buff *skb,
+ struct net_device *dev,
+ struct net *net,
+ struct socket *sock,
+ struct in6_addr *saddr,
+ const struct ip_tunnel_info *info,
+ u8 protocol,
+ bool use_cache)
+{
+ struct dst_entry *dst = NULL;
+#ifdef CONFIG_DST_CACHE
+ struct dst_cache *dst_cache;
+#endif
+ struct flowi6 fl6;
+ __u8 prio;
+
+#ifdef CONFIG_DST_CACHE
+ dst_cache = (struct dst_cache *)&info->dst_cache;
+ if (use_cache) {
+ dst = dst_cache_get_ip6(dst_cache, saddr);
+ if (dst)
+ return dst;
+ }
+#endif
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_mark = skb->mark;
+ fl6.flowi6_proto = protocol;
+ fl6.daddr = info->key.u.ipv6.dst;
+ fl6.saddr = info->key.u.ipv6.src;
+ prio = info->key.tos;
+ fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label);
+
+ dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6,
+ NULL);
+ if (IS_ERR(dst)) {
+ netdev_dbg(dev, "no route to %pI6\n", &fl6.daddr);
+ return ERR_PTR(-ENETUNREACH);
+ }
+ if (dst->dev == dev) { /* is this necessary? */
+ netdev_dbg(dev, "circular route to %pI6\n", &fl6.daddr);
+ dst_release(dst);
+ return ERR_PTR(-ELOOP);
+ }
+#ifdef CONFIG_DST_CACHE
+ if (use_cache)
+ dst_cache_set_ip6(dst_cache, dst, &fl6.saddr);
+#endif
+ *saddr = fl6.saddr;
+ return dst;
+}
+EXPORT_SYMBOL_GPL(udp_tunnel6_dst_lookup);
+
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 415/508] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 414/508] ipv6: rename and move ip6_dst_lookup_tunnel() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 416/508] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
` (94 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit aa6c6d9ee064aabfede4402fd1283424e649ca19 ]
bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260426165350.1663137-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 150049d9a81a7..b181c03368153 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -520,6 +520,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct in6_addr saddr;
struct socket *sock = rcu_dereference(bareudp->sock);
+ if (!sock)
+ return -ESHUTDOWN;
+
dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock,
&saddr, info, IPPROTO_UDP,
use_cache);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 416/508] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 415/508] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 417/508] net: netconsole: move newline trimming to function Greg Kroah-Hartman
` (93 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a6c95b833dc17e84d16a8ac0f40fd0931616a52d ]
cake_dump_stats() runs without qdisc spinlock being held.
In this final patch, I add READ_ONCE()/WRITE_ONCE() annotations
for cparams.target and cparams.interval.
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: "Toke Høiland-Jørgensen" <toke@toke.dk>
Link: https://patch.msgid.link/20260427083606.459355-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 55e8b682ec14c..0b85971165d2a 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2314,10 +2314,11 @@ static void cake_set_rate(struct cake_tin_data *b, u64 rate, u32 mtu,
byte_target_ns = (byte_target * rate_ns) >> rate_shft;
- b->cparams.target = max((byte_target_ns * 3) / 2, target_ns);
- b->cparams.interval = max(rtt_est_ns +
- b->cparams.target - target_ns,
- b->cparams.target * 2);
+ WRITE_ONCE(b->cparams.target,
+ max((byte_target_ns * 3) / 2, target_ns));
+ WRITE_ONCE(b->cparams.interval,
+ max(rtt_est_ns + b->cparams.target - target_ns,
+ b->cparams.target * 2));
b->cparams.mtu_time = byte_target_ns;
b->cparams.p_inc = 1 << 24; /* 1/256 */
b->cparams.p_dec = 1 << 20; /* 1/4096 */
@@ -2931,9 +2932,9 @@ static int cake_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
PUT_TSTAT_U32(BACKLOG_BYTES, b->tin_backlog);
PUT_TSTAT_U32(TARGET_US,
- ktime_to_us(ns_to_ktime(b->cparams.target)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->cparams.target))));
PUT_TSTAT_U32(INTERVAL_US,
- ktime_to_us(ns_to_ktime(b->cparams.interval)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->cparams.interval))));
PUT_TSTAT_U32(SENT_PACKETS, b->packets);
PUT_TSTAT_U32(DROPPED_PACKETS, b->tin_dropped);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 417/508] net: netconsole: move newline trimming to function
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.6 416/508] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 418/508] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
` (92 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wood, David S. Miller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wood <thepacketgeek@gmail.com>
[ Upstream commit ae001dc67907618423fd15bbab2014308c00ad0b ]
Move newline trimming logic from `dev_name_store()` to a new function
(trim_newline()) for shared use in netconsole.c
Signed-off-by: Matthew Wood <thepacketgeek@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 92ceb7bff62c ("netconsole: propagate device name truncation in dev_name_store()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index 9c2e71b9c0324..2045872de5328 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -272,6 +272,16 @@ static struct netconsole_target *to_target(struct config_item *item)
NULL;
}
+/* Get rid of possible trailing newline, returning the new length */
+static void trim_newline(char *s, size_t maxlen)
+{
+ size_t len;
+
+ len = strnlen(s, maxlen);
+ if (s[len - 1] == '\n')
+ s[len - 1] = '\0';
+}
+
/*
* Attribute operations for netconsole_target.
*/
@@ -466,7 +476,6 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
size_t count)
{
struct netconsole_target *nt = to_target(item);
- size_t len;
mutex_lock(&dynamic_netconsole_mutex);
if (nt->enabled) {
@@ -477,11 +486,7 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
}
strscpy(nt->np.dev_name, buf, IFNAMSIZ);
-
- /* Get rid of possible trailing newline from echo(1) */
- len = strnlen(nt->np.dev_name, IFNAMSIZ);
- if (nt->np.dev_name[len - 1] == '\n')
- nt->np.dev_name[len - 1] = '\0';
+ trim_newline(nt->np.dev_name, IFNAMSIZ);
mutex_unlock(&dynamic_netconsole_mutex);
return strnlen(buf, count);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 418/508] netconsole: propagate device name truncation in dev_name_store()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 417/508] net: netconsole: move newline trimming to function Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 419/508] ALSA: hda/conexant: fix some typos Greg Kroah-Hartman
` (91 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 92ceb7bff62c2606f664c204750eca0b85d44112 ]
dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without
checking the return value. If userspace writes an interface name longer
than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but
the function ignores it and reports a fully successful write back to
userspace.
If a real interface happens to match the truncated name, netconsole will
bind to the wrong device on the next enable, sending kernel logs and
panic output to an unintended network segment with no indication to
userspace that anything was rewritten.
Reject writes whose length cannot fit in nt->np.dev_name up front:
if (count >= IFNAMSIZ)
return -ENAMETOOLONG;
This is not a big deal of a problem, but, it is still the correct
approach.
Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration using configfs")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260427-netconsole_ai_fixes-v2-3-59965f29d9cc@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index 2045872de5328..f58643bdafc5c 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -476,6 +476,13 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
size_t count)
{
struct netconsole_target *nt = to_target(item);
+ size_t len = count;
+
+ /* Account for a trailing newline appended by tools like echo */
+ if (len && buf[len - 1] == '\n')
+ len--;
+ if (len >= IFNAMSIZ)
+ return -ENAMETOOLONG;
mutex_lock(&dynamic_netconsole_mutex);
if (nt->enabled) {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 419/508] ALSA: hda/conexant: fix some typos
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 418/508] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 420/508] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 Greg Kroah-Hartman
` (90 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oldherl Oh, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oldherl Oh <me@oldherl.one>
[ Upstream commit 73253f2fd1d0a44708735c842e37163712e3f03b ]
Fix some typos in patch_conexant.c
Signed-off-by: Oldherl Oh <me@oldherl.one>
Link: https://patch.msgid.link/20240930084132.3373750-1-me@oldherl.one
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 355b26583eb4e..08e2c836fd07e 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -166,18 +166,18 @@ static void cxt_init_gpio_led(struct hda_codec *codec)
static void cx_fixup_headset_recog(struct hda_codec *codec)
{
- unsigned int mic_persent;
+ unsigned int mic_present;
/* fix some headset type recognize fail issue, such as EDIFIER headset */
- /* set micbiasd output current comparator threshold from 66% to 55%. */
+ /* set micbias output current comparator threshold from 66% to 55%. */
snd_hda_codec_write(codec, 0x1c, 0, 0x320, 0x010);
- /* set OFF voltage for DFET from -1.2V to -0.8V, set headset micbias registor
+ /* set OFF voltage for DFET from -1.2V to -0.8V, set headset micbias register
* value adjustment trim from 2.2K ohms to 2.0K ohms.
*/
snd_hda_codec_write(codec, 0x1c, 0, 0x3b0, 0xe10);
/* fix reboot headset type recognize fail issue */
- mic_persent = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
- if (mic_persent & AC_PINSENSE_PRESENCE)
+ mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
+ if (mic_present & AC_PINSENSE_PRESENCE)
/* enable headset mic VREF */
snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x24);
else
@@ -247,9 +247,9 @@ static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_
{
unsigned int mic_present;
- /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled,
- * the node 19 can only be config to microphone or disabled.
- * Check hp&mic tag to process headset pulgin&plugout.
+ /* In cx8070 and sn6140, the node 16 can only be configured to headphone or disabled,
+ * the node 19 can only be configured to microphone or disabled.
+ * Check hp&mic tag to process headset plugin & plugout.
*/
mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
if (!(mic_present & AC_PINSENSE_PRESENCE)) /* mic plugout */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 420/508] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 419/508] ALSA: hda/conexant: fix some typos Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 421/508] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
` (89 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit 7f4c540e0859e2025675d2c5c5c6ab88eaf817e2 ]
Due to changes in the manufacturer's plan, all 0x14f11f86 will be
named CX11880, and 0x14f11f87 will be named SN6140
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20250616074331.581309-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 08e2c836fd07e..abcad66356d59 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -42,7 +42,7 @@ struct conexant_spec {
unsigned int gpio_led;
unsigned int gpio_mute_led_mask;
unsigned int gpio_mic_led_mask;
- bool is_cx8070_sn6140;
+ bool is_cx11880_sn6140;
};
@@ -195,7 +195,7 @@ static int cx_auto_init(struct hda_codec *codec)
cxt_init_gpio_led(codec);
snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
- if (spec->is_cx8070_sn6140)
+ if (spec->is_cx11880_sn6140)
cx_fixup_headset_recog(codec);
return 0;
@@ -247,7 +247,7 @@ static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_
{
unsigned int mic_present;
- /* In cx8070 and sn6140, the node 16 can only be configured to headphone or disabled,
+ /* In cx11880 and sn6140, the node 16 can only be configured to headphone or disabled,
* the node 19 can only be configured to microphone or disabled.
* Check hp&mic tag to process headset plugin & plugout.
*/
@@ -1197,11 +1197,11 @@ static int patch_conexant_auto(struct hda_codec *codec)
codec->spec = spec;
codec->patch_ops = cx_auto_patch_ops;
- /* init cx8070/sn6140 flag and reset headset_present_flag */
+ /* init cx11880/sn6140 flag and reset headset_present_flag */
switch (codec->core.vendor_id) {
case 0x14f11f86:
case 0x14f11f87:
- spec->is_cx8070_sn6140 = true;
+ spec->is_cx11880_sn6140 = true;
snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
break;
}
@@ -1289,7 +1289,7 @@ static int patch_conexant_auto(struct hda_codec *codec)
*/
static const struct hda_device_id snd_hda_id_conexant[] = {
- HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto),
+ HDA_CODEC_ENTRY(0x14f11f86, "CX11880", patch_conexant_auto),
HDA_CODEC_ENTRY(0x14f11f87, "SN6140", patch_conexant_auto),
HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
HDA_CODEC_ENTRY(0x14f120d0, "CX11970", patch_conexant_auto),
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 421/508] ALSA: hda/conexant: Fix missing error check for jack detection
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 420/508] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 422/508] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
` (88 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit b0e2333a231107adedd38c6fcfe1adc6162716fc ]
In cx_probe(), the return value of snd_hda_jack_detect_enable_callback()
is ignored. This function returns a pointer, and if it fails (e.g., due
to memory allocation failure), it returns an error pointer which must
be checked using IS_ERR().
If the registration fails, the driver continues to probe, but the jack
detection callback will not be registered. This can lead to a kernel
crash later when the driver attempts to handle jack events or accesses
the uninitialized structure.
Check the return value using IS_ERR() and propagate the error via
PTR_ERR() to the probe caller.
Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140")
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20260428080450.108801-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index abcad66356d59..f6e563e03edf2 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -1186,6 +1186,7 @@ static void add_cx5051_fake_mutes(struct hda_codec *codec)
static int patch_conexant_auto(struct hda_codec *codec)
{
struct conexant_spec *spec;
+ struct hda_jack_callback *callback;
int err;
codec_info(codec, "%s: BIOS auto-probing.\n", codec->core.chip_name);
@@ -1202,7 +1203,12 @@ static int patch_conexant_auto(struct hda_codec *codec)
case 0x14f11f86:
case 0x14f11f87:
spec->is_cx11880_sn6140 = true;
- snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
+ callback = snd_hda_jack_detect_enable_callback(codec, 0x19,
+ cx_update_headset_mic_vref);
+ if (IS_ERR(callback)) {
+ err = PTR_ERR(callback);
+ goto error;
+ }
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 422/508] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 421/508] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 423/508] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
` (87 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moritz Klammler,
Sebastian Andrzej Siewior, Thomas Gleixner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit bc7304f3ae20972d11db6e0b1b541c63feda5f05 ]
During wait-requeue-pi (task A) and requeue-PI (task B) the following
race can happen:
Task A Task B
futex_wait_requeue_pi()
futex_setup_timer()
futex_do_wait()
futex_requeue()
CLASS(hb, hb1)(&key1);
CLASS(hb, hb2)(&key2);
*timeout*
futex_requeue_pi_wakeup_sync()
requeue_state = Q_REQUEUE_PI_IGNORE
*blocks on hb->lock*
futex_proxy_trylock_atomic()
futex_requeue_pi_prepare()
Q_REQUEUE_PI_IGNORE => -EAGAIN
double_unlock_hb(hb1, hb2)
*retry*
Task B acquires both hb locks and attempts to acquire the PI-lock of the
top most waiter (task B). Task A is leaving early due to a signal/
timeout and started removing itself from the queue. It updates its
requeue_state but can not remove it from the list because this requires
the hb lock which is owned by task B.
Usually task A is able to swoop the lock after task B unlocked it.
However if task B is of higher priority then task A may not be able to
wake up in time and acquire the lock before task B gets it again.
Especially on a UP system where A is never scheduled.
As a result task A blocks on the lock and task B busy loops, trying to
make progress but live locks the system instead. Tragic.
This can be fixed by removing the top most waiter from the list in this
case. This allows task B to grab the next top waiter (if any) in the
next iteration and make progress.
Remove the top most waiter if futex_requeue_pi_prepare() fails.
Let the waiter conditionally remove itself from the list in
handle_early_requeue_pi_wakeup().
Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
Reported-by: Moritz Klammler <Moritz.Klammler@ferchau.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260428103425.dywXyPd3@linutronix.de
Closes: https://lore.kernel.org/all/VE1PR06MB6894BE61C173D802365BE19DFF4CA@VE1PR06MB6894.eurprd06.prod.outlook.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/futex/requeue.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
index 7e43839ca7b05..60b08247b07dd 100644
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -307,8 +307,11 @@ futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1,
return -EINVAL;
/* Ensure that this does not race against an early wakeup */
- if (!futex_requeue_pi_prepare(top_waiter, NULL))
+ if (!futex_requeue_pi_prepare(top_waiter, NULL)) {
+ plist_del(&top_waiter->list, &hb1->chain);
+ futex_hb_waiters_dec(hb1);
return -EAGAIN;
+ }
/*
* Try to take the lock for top_waiter and set the FUTEX_WAITERS bit
@@ -707,10 +710,12 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
/*
* We were woken prior to requeue by a timeout or a signal.
- * Unqueue the futex_q and determine which it was.
+ * Conditionally unqueue the futex_q and determine which it was.
*/
- plist_del(&q->list, &hb->chain);
- futex_hb_waiters_dec(hb);
+ if (!plist_node_empty(&q->list)) {
+ plist_del(&q->list, &hb->chain);
+ futex_hb_waiters_dec(hb);
+ }
/* Handle spurious wakeups gracefully */
ret = -EWOULDBLOCK;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 423/508] drm/amd/display: Allow DCE link encoder without AUX registers
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 422/508] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 424/508] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
` (86 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit ac27e3f99035f132f23bc0409d0e57f11f054c70 ]
Allow constructing the DCE link encoder without DDC,
which means the AUX registers array will be NULL.
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 87f30b101af62590faf6020d106da07efdda199b)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
index 0a33f8f117e92..623abdf7065e7 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
@@ -989,7 +989,9 @@ void dce110_link_encoder_hw_init(
ASSERT(result == BP_RESULT_OK);
}
- aux_initialize(enc110);
+
+ if (enc110->aux_regs)
+ aux_initialize(enc110);
/* reinitialize HPD.
* hpd_initialize() will pass DIG_FE id to HW context.
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 424/508] drm/amd/display: Read EDID from VBIOS embedded panel info
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 423/508] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 425/508] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner Greg Kroah-Hartman
` (85 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 9ea16f64189bf7b6ba50fc7f0325b3c1f836d105 ]
Some board manufacturers hardcode the EDID for the embedded
panel in the VBIOS. This EDID should be used when the panel
doesn't have a DDC.
For reference, see the legacy non-DC display code:
amdgpu_atombios_encoder_get_lcd_info()
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eb105e63b474c11ef6a84a1c6b18100d851ff364)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/bios/bios_parser.c | 62 +++++++++++++++++++
.../display/include/grph_object_ctrl_defs.h | 4 ++
2 files changed, 66 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
index 684b005f564c4..ac2a71e80723d 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
@@ -1220,6 +1220,60 @@ static enum bp_result bios_parser_get_embedded_panel_info(
return BP_RESULT_FAILURE;
}
+static enum bp_result get_embedded_panel_extra_info(
+ struct bios_parser *bp,
+ struct embedded_panel_info *info,
+ const uint32_t table_offset)
+{
+ uint8_t *record = bios_get_image(&bp->base, table_offset, 1);
+ ATOM_PANEL_RESOLUTION_PATCH_RECORD *panel_res_record;
+ ATOM_FAKE_EDID_PATCH_RECORD *fake_edid_record;
+
+ while (*record != ATOM_RECORD_END_TYPE) {
+ switch (*record) {
+ case LCD_MODE_PATCH_RECORD_MODE_TYPE:
+ record += sizeof(ATOM_PATCH_RECORD_MODE);
+ break;
+ case LCD_RTS_RECORD_TYPE:
+ record += sizeof(ATOM_LCD_RTS_RECORD);
+ break;
+ case LCD_CAP_RECORD_TYPE:
+ record += sizeof(ATOM_LCD_MODE_CONTROL_CAP);
+ break;
+ case LCD_FAKE_EDID_PATCH_RECORD_TYPE:
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ if (fake_edid_record->ucFakeEDIDLength == 128)
+ info->fake_edid_size =
+ fake_edid_record->ucFakeEDIDLength;
+ else
+ info->fake_edid_size =
+ fake_edid_record->ucFakeEDIDLength * 128;
+
+ info->fake_edid = fake_edid_record->ucFakeEDIDString;
+
+ record += struct_size(fake_edid_record,
+ ucFakeEDIDString,
+ info->fake_edid_size);
+ } else {
+ /* empty fake edid record must be 3 bytes long */
+ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+ info->panel_width_mm = panel_res_record->usHSize;
+ info->panel_height_mm = panel_res_record->usVSize;
+ record += sizeof(ATOM_PANEL_RESOLUTION_PATCH_RECORD);
+ break;
+ default:
+ return BP_RESULT_BADBIOSTABLE;
+ }
+ }
+
+ return BP_RESULT_OK;
+}
+
static enum bp_result get_embedded_panel_info_v1_2(
struct bios_parser *bp,
struct embedded_panel_info *info)
@@ -1336,6 +1390,10 @@ static enum bp_result get_embedded_panel_info_v1_2(
if (ATOM_PANEL_MISC_API_ENABLED & lvds->ucLVDS_Misc)
info->lcd_timing.misc_info.API_ENABLED = true;
+ if (lvds->usExtInfoTableOffset)
+ return get_embedded_panel_extra_info(bp, info,
+ le16_to_cpu(lvds->usExtInfoTableOffset) + DATA_TABLES(LCD_Info));
+
return BP_RESULT_OK;
}
@@ -1461,6 +1519,10 @@ static enum bp_result get_embedded_panel_info_v1_3(
(uint32_t) (ATOM_PANEL_MISC_V13_GREY_LEVEL &
lvds->ucLCD_Misc) >> ATOM_PANEL_MISC_V13_GREY_LEVEL_SHIFT;
+ if (lvds->usExtInfoTableOffset)
+ return get_embedded_panel_extra_info(bp, info,
+ le16_to_cpu(lvds->usExtInfoTableOffset) + DATA_TABLES(LCD_Info));
+
return BP_RESULT_OK;
}
diff --git a/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h b/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
index 813463ffe15c5..8e776c90d21bf 100644
--- a/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
+++ b/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
@@ -153,6 +153,10 @@ struct embedded_panel_info {
uint32_t drr_enabled;
uint32_t min_drr_refresh_rate;
bool realtek_eDPToLVDS;
+ uint16_t panel_width_mm;
+ uint16_t panel_height_mm;
+ uint16_t fake_edid_size;
+ const uint8_t *fake_edid;
};
struct dc_firmware_info {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 425/508] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 424/508] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 426/508] net: bonding: add broadcast_neighbor option for 802.3ad Greg Kroah-Hartman
` (84 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jones Syue, Hangbin Liu, Jiri Pirko,
Jay Vosburgh, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jones Syue 薛懷宗 <jonessyue@qnap.com>
[ Upstream commit 4440873f3655325f849366d75382aa05d09b5575 ]
Replace macro MAC_ADDRESS_EQUAL() for null_mac_addr checking with inline
function__agg_has_partner(). When MAC_ADDRESS_EQUAL() is verifiying
aggregator's partner mac addr with null_mac_addr, means that seeing if
aggregator has a valid partner or not. Using __agg_has_partner() makes it
more clear to understand.
In ad_port_selection_logic(), since aggregator->partner_system and
port->partner_oper.system has been compared first as a prerequisite, it is
safe to replace the upcoming MAC_ADDRESS_EQUAL() for null_mac_addr checking
with __agg_has_partner().
Delete null_mac_addr, which is not required anymore in bond_3ad.c, since
all references to it are gone.
Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Link: https://lore.kernel.org/r/SI2PR04MB5097BCA8FF2A2F03D9A5A3EEDC5A2@SI2PR04MB5097.apcprd04.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index d02a91cefec89..4c2560ae8866a 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -82,10 +82,6 @@ enum ad_link_speed_type {
#define MAC_ADDRESS_EQUAL(A, B) \
ether_addr_equal_64bits((const u8 *)A, (const u8 *)B)
-static const u8 null_mac_addr[ETH_ALEN + 2] __long_aligned = {
- 0, 0, 0, 0, 0, 0
-};
-
static const u16 ad_ticks_per_sec = 1000 / AD_TIMER_INTERVAL;
static const int ad_delta_in_ticks = (AD_TIMER_INTERVAL * HZ) / 1000;
@@ -1592,7 +1588,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
(aggregator->partner_system_priority == port->partner_oper.system_priority) &&
(aggregator->partner_oper_aggregator_key == port->partner_oper.key)
) &&
- ((!MAC_ADDRESS_EQUAL(&(port->partner_oper.system), &(null_mac_addr)) && /* partner answers */
+ ((__agg_has_partner(aggregator) && /* partner answers */
!aggregator->is_individual) /* but is not individual OR */
)
) {
@@ -2042,9 +2038,7 @@ static void ad_enable_collecting(struct port *port)
*/
static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
{
- if (port->aggregator &&
- !MAC_ADDRESS_EQUAL(&port->aggregator->partner_system,
- &(null_mac_addr))) {
+ if (port->aggregator && __agg_has_partner(port->aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling distributing on port %d (LAG %d)\n",
port->actor_port_number,
@@ -2084,9 +2078,7 @@ static void ad_enable_collecting_distributing(struct port *port,
static void ad_disable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator &&
- !MAC_ADDRESS_EQUAL(&(port->aggregator->partner_system),
- &(null_mac_addr))) {
+ if (port->aggregator && __agg_has_partner(port->aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling port %d (LAG %d)\n",
port->actor_port_number,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 426/508] net: bonding: add broadcast_neighbor option for 802.3ad
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 425/508] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 427/508] bonding: add support for per-port LACP actor priority Greg Kroah-Hartman
` (83 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jay Vosburgh, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
Jonathan Corbet, Andrew Lunn, Steven Rostedt, Masami Hiramatsu,
Mathieu Desnoyers, Nikolay Aleksandrov, Tonghao Zhang,
Zengbing Tu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tonghao Zhang <tonghao@bamaicloud.com>
[ Upstream commit ce7a381697cb3958ffe0b45e5028ac69444e9288 ]
Stacking technology is a type of technology used to expand ports on
Ethernet switches. It is widely used as a common access method in
large-scale Internet data center architectures. Years of practice
have proved that stacking technology has advantages and disadvantages
in high-reliability network architecture scenarios. For instance,
in stacking networking arch, conventional switch system upgrades
require multiple stacked devices to restart at the same time.
Therefore, it is inevitable that the business will be interrupted
for a while. It is for this reason that "no-stacking" in data centers
has become a trend. Additionally, when the stacking link connecting
the switches fails or is abnormal, the stack will split. Although it is
not common, it still happens in actual operation. The problem is that
after the split, it is equivalent to two switches with the same
configuration appearing in the network, causing network configuration
conflicts and ultimately interrupting the services carried by the
stacking system.
To improve network stability, "non-stacking" solutions have been
increasingly adopted, particularly by public cloud providers and
tech companies like Alibaba, Tencent, and Didi. "non-stacking" is
a method of mimicing switch stacking that convinces a LACP peer,
bonding in this case, connected to a set of "non-stacked" switches
that all of its ports are connected to a single switch
(i.e., LACP aggregator), as if those switches were stacked. This
enables the LACP peer's ports to aggregate together, and requires
(a) special switch configuration, described in the linked article,
and (b) modifications to the bonding 802.3ad (LACP) mode to send
all ARP/ND packets across all ports of the active aggregator.
Note that, with multiple aggregators, the current broadcast mode
logic will send only packets to the selected aggregator(s).
+-----------+ +-----------+
| switch1 | | switch2 |
+-----------+ +-----------+
^ ^
| |
+-----------------+
| bond4 lacp |
+-----------------+
| |
| NIC1 | NIC2
+-----------------+
| server |
+-----------------+
- https://www.ruijie.com/fr-fr/support/tech-gallery/de-stack-data-center-network-architecture/
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Tonghao Zhang <tonghao@bamaicloud.com>
Signed-off-by: Zengbing Tu <tuzengbing@didiglobal.com>
Link: https://patch.msgid.link/84d0a044514157bb856a10b6d03a1028c4883561.1751031306.git.tonghao@bamaicloud.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/networking/bonding.rst | 6 +++
drivers/net/bonding/bond_main.c | 66 +++++++++++++++++++++++++---
drivers/net/bonding/bond_options.c | 42 ++++++++++++++++++
include/net/bond_options.h | 1 +
include/net/bonding.h | 3 ++
5 files changed, 112 insertions(+), 6 deletions(-)
diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
index e774b48de9f51..1a9439488c531 100644
--- a/Documentation/networking/bonding.rst
+++ b/Documentation/networking/bonding.rst
@@ -562,6 +562,12 @@ lacp_rate
The default is slow.
+broadcast_neighbor
+
+ Option specifying whether to broadcast ARP/ND packets to all
+ active slaves. This option has no effect in modes other than
+ 802.3ad mode. The default is off (0).
+
max_bonds
Specifies the number of bonding devices to create for this
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 8d481a6495e89..70718bf6e716c 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -211,6 +211,8 @@ atomic_t netpoll_block_tx = ATOMIC_INIT(0);
unsigned int bond_net_id __read_mostly;
+DEFINE_STATIC_KEY_FALSE(bond_bcast_neigh_enabled);
+
static const struct flow_dissector_key flow_keys_bonding_keys[] = {
{
.key_id = FLOW_DISSECTOR_KEY_CONTROL,
@@ -4397,6 +4399,9 @@ static int bond_open(struct net_device *bond_dev)
bond_for_each_slave(bond, slave, iter)
dev_mc_add(slave->dev, lacpdu_mcast_addr);
+
+ if (bond->params.broadcast_neighbor)
+ static_branch_inc(&bond_bcast_neigh_enabled);
}
if (bond_mode_can_use_xmit_hash(bond))
@@ -4420,6 +4425,10 @@ static int bond_close(struct net_device *bond_dev)
if (bond_is_lb(bond))
bond_alb_deinitialize(bond);
+ if (BOND_MODE(bond) == BOND_MODE_8023AD &&
+ bond->params.broadcast_neighbor)
+ static_branch_dec(&bond_bcast_neigh_enabled);
+
if (bond_uses_primary(bond)) {
rcu_read_lock();
slave = rcu_dereference(bond->curr_active_slave);
@@ -5256,6 +5265,37 @@ static struct slave *bond_xdp_xmit_3ad_xor_slave_get(struct bonding *bond,
return slaves->arr[hash % count];
}
+static bool bond_should_broadcast_neighbor(struct sk_buff *skb,
+ struct net_device *dev)
+{
+ struct bonding *bond = netdev_priv(dev);
+ struct {
+ struct ipv6hdr ip6;
+ struct icmp6hdr icmp6;
+ } *combined, _combined;
+
+ if (!static_branch_unlikely(&bond_bcast_neigh_enabled))
+ return false;
+
+ if (!bond->params.broadcast_neighbor)
+ return false;
+
+ if (skb->protocol == htons(ETH_P_ARP))
+ return true;
+
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+ combined = skb_header_pointer(skb, skb_mac_header_len(skb),
+ sizeof(_combined),
+ &_combined);
+ if (combined && combined->ip6.nexthdr == NEXTHDR_ICMP &&
+ (combined->icmp6.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION ||
+ combined->icmp6.icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT))
+ return true;
+ }
+
+ return false;
+}
+
/* Use this Xmit function for 3AD as well as XOR modes. The current
* usable slave array is formed in the control path. The xmit function
* just calculates hash and sends the packet out.
@@ -5275,17 +5315,27 @@ static netdev_tx_t bond_3ad_xor_xmit(struct sk_buff *skb,
return bond_tx_drop(dev, skb);
}
-/* in broadcast mode, we send everything to all usable interfaces. */
+/* in broadcast mode, we send everything to all or usable slave interfaces.
+ * under rcu_read_lock when this function is called.
+ */
static netdev_tx_t bond_xmit_broadcast(struct sk_buff *skb,
- struct net_device *bond_dev)
+ struct net_device *bond_dev,
+ bool all_slaves)
{
struct bonding *bond = netdev_priv(bond_dev);
- struct slave *slave = NULL;
- struct list_head *iter;
+ struct bond_up_slave *slaves;
bool xmit_suc = false;
bool skb_used = false;
+ int slaves_count, i;
- bond_for_each_slave_rcu(bond, slave, iter) {
+ if (all_slaves)
+ slaves = rcu_dereference(bond->all_slaves);
+ else
+ slaves = rcu_dereference(bond->usable_slaves);
+
+ slaves_count = slaves ? READ_ONCE(slaves->count) : 0;
+ for (i = 0; i < slaves_count; i++) {
+ struct slave *slave = slaves->arr[i];
struct sk_buff *skb2;
if (!(bond_slave_is_up(slave) && slave->link == BOND_LINK_UP))
@@ -5523,10 +5573,13 @@ static netdev_tx_t __bond_start_xmit(struct sk_buff *skb, struct net_device *dev
case BOND_MODE_ACTIVEBACKUP:
return bond_xmit_activebackup(skb, dev);
case BOND_MODE_8023AD:
+ if (bond_should_broadcast_neighbor(skb, dev))
+ return bond_xmit_broadcast(skb, dev, false);
+ fallthrough;
case BOND_MODE_XOR:
return bond_3ad_xor_xmit(skb, dev);
case BOND_MODE_BROADCAST:
- return bond_xmit_broadcast(skb, dev);
+ return bond_xmit_broadcast(skb, dev, true);
case BOND_MODE_ALB:
return bond_alb_xmit(skb, dev);
case BOND_MODE_TLB:
@@ -6426,6 +6479,7 @@ static int __init bond_check_params(struct bond_params *params)
eth_zero_addr(params->ad_actor_system);
params->ad_user_port_key = ad_user_port_key;
params->coupled_control = 1;
+ params->broadcast_neighbor = 0;
if (packets_per_slave > 0) {
params->reciprocal_packets_per_slave =
reciprocal_value(packets_per_slave);
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index b823425ad7f69..fe955ba5c9685 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -87,6 +87,8 @@ static int bond_option_missed_max_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_coupled_control_set(struct bonding *bond,
const struct bond_opt_value *newval);
+static int bond_option_broadcast_neigh_set(struct bonding *bond,
+ const struct bond_opt_value *newval);
static const struct bond_opt_value bond_mode_tbl[] = {
{ "balance-rr", BOND_MODE_ROUNDROBIN, BOND_VALFLAG_DEFAULT},
@@ -240,6 +242,12 @@ static const struct bond_opt_value bond_coupled_control_tbl[] = {
{ NULL, -1, 0},
};
+static const struct bond_opt_value bond_broadcast_neigh_tbl[] = {
+ { "off", 0, BOND_VALFLAG_DEFAULT},
+ { "on", 1, 0},
+ { NULL, -1, 0}
+};
+
static const struct bond_option bond_opts[BOND_OPT_LAST] = {
[BOND_OPT_MODE] = {
.id = BOND_OPT_MODE,
@@ -513,6 +521,14 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.flags = BOND_OPTFLAG_IFDOWN,
.values = bond_coupled_control_tbl,
.set = bond_option_coupled_control_set,
+ },
+ [BOND_OPT_BROADCAST_NEIGH] = {
+ .id = BOND_OPT_BROADCAST_NEIGH,
+ .name = "broadcast_neighbor",
+ .desc = "Broadcast neighbor packets to all active slaves",
+ .unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
+ .values = bond_broadcast_neigh_tbl,
+ .set = bond_option_broadcast_neigh_set,
}
};
@@ -894,6 +910,13 @@ static int bond_option_mode_set(struct bonding *bond,
bond->params.arp_validate = BOND_ARP_VALIDATE_NONE;
bond->params.mode = newval->value;
+ /* When changing mode, the bond device is down, we may reduce
+ * the bond_bcast_neigh_enabled in bond_close() if broadcast_neighbor
+ * enabled in 8023ad mode. Therefore, only clear broadcast_neighbor
+ * to 0.
+ */
+ bond->params.broadcast_neighbor = 0;
+
if (bond->dev->reg_state == NETREG_REGISTERED) {
bool update = false;
@@ -1843,3 +1866,22 @@ static int bond_option_coupled_control_set(struct bonding *bond,
bond->params.coupled_control = newval->value;
return 0;
}
+
+static int bond_option_broadcast_neigh_set(struct bonding *bond,
+ const struct bond_opt_value *newval)
+{
+ if (bond->params.broadcast_neighbor == newval->value)
+ return 0;
+
+ bond->params.broadcast_neighbor = newval->value;
+ if (bond->dev->flags & IFF_UP) {
+ if (bond->params.broadcast_neighbor)
+ static_branch_inc(&bond_bcast_neigh_enabled);
+ else
+ static_branch_dec(&bond_bcast_neigh_enabled);
+ }
+
+ netdev_dbg(bond->dev, "Setting broadcast_neighbor to %s (%llu)\n",
+ newval->string, newval->value);
+ return 0;
+}
diff --git a/include/net/bond_options.h b/include/net/bond_options.h
index 18687ccf06383..022b122a9fb61 100644
--- a/include/net/bond_options.h
+++ b/include/net/bond_options.h
@@ -77,6 +77,7 @@ enum {
BOND_OPT_NS_TARGETS,
BOND_OPT_PRIO,
BOND_OPT_COUPLED_CONTROL,
+ BOND_OPT_BROADCAST_NEIGH,
BOND_OPT_LAST
};
diff --git a/include/net/bonding.h b/include/net/bonding.h
index 66940d41d4854..0d9c1eb40d12b 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -115,6 +115,8 @@ static inline int is_netpoll_tx_blocked(struct net_device *dev)
#define is_netpoll_tx_blocked(dev) (0)
#endif
+DECLARE_STATIC_KEY_FALSE(bond_bcast_neigh_enabled);
+
struct bond_params {
int mode;
int xmit_policy;
@@ -149,6 +151,7 @@ struct bond_params {
struct in6_addr ns_targets[BOND_MAX_NS_TARGETS];
#endif
int coupled_control;
+ int broadcast_neighbor;
/* 2 bytes of padding : see ether_addr_equal_64bits() */
u8 ad_actor_system[ETH_ALEN + 2];
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 427/508] bonding: add support for per-port LACP actor priority
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 426/508] net: bonding: add broadcast_neighbor option for 802.3ad Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 428/508] bonding: print churn state via netlink Greg Kroah-Hartman
` (82 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 6b6dc81ee7e8ca87c71a533e1d69cf96a4f1e986 ]
Introduce a new netlink attribute 'actor_port_prio' to allow setting
the LACP actor port priority on a per-slave basis. This extends the
existing bonding infrastructure to support more granular control over
LACP negotiations.
The priority value is embedded in LACPDU packets and will be used by
subsequent patches to influence aggregator selection policies.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20250902064501.360822-2-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/networking/bonding.rst | 9 +++++++
drivers/net/bonding/bond_3ad.c | 4 ++++
drivers/net/bonding/bond_netlink.c | 16 +++++++++++++
drivers/net/bonding/bond_options.c | 36 ++++++++++++++++++++++++++++
include/net/bond_3ad.h | 1 +
include/net/bond_options.h | 1 +
include/uapi/linux/if_link.h | 1 +
7 files changed, 68 insertions(+)
diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
index 1a9439488c531..94ef39457a622 100644
--- a/Documentation/networking/bonding.rst
+++ b/Documentation/networking/bonding.rst
@@ -193,6 +193,15 @@ ad_actor_sys_prio
This parameter has effect only in 802.3ad mode and is available through
SysFs interface.
+actor_port_prio
+
+ In an AD system, this specifies the port priority. The allowed range
+ is 1 - 65535. If the value is not specified, it takes 255 as the
+ default value.
+
+ This parameter has effect only in 802.3ad mode and is available through
+ netlink interface.
+
ad_actor_system
In an AD system, this specifies the mac-address for the actor in
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index 4c2560ae8866a..a897836ad21a3 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -436,6 +436,7 @@ static void __ad_actor_update_port(struct port *port)
port->actor_system = BOND_AD_INFO(bond).system.sys_mac_addr;
port->actor_system_priority = BOND_AD_INFO(bond).system.sys_priority;
+ port->actor_port_priority = SLAVE_AD_INFO(port->slave)->port_priority;
}
/* Conversions */
@@ -2195,6 +2196,9 @@ void bond_3ad_bind_slave(struct slave *slave)
ad_initialize_port(port, &bond->params);
+ /* Port priority is initialized. Update it to slave's ad info */
+ SLAVE_AD_INFO(slave)->port_priority = port->actor_port_priority;
+
port->slave = slave;
port->actor_port_number = SLAVE_AD_INFO(slave)->id;
/* key is determined according to the link speed, duplex and
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index aebc814ad495d..7e47d405d74aa 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -28,6 +28,7 @@ static size_t bond_get_slave_size(const struct net_device *bond_dev,
nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE */
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE */
nla_total_size(sizeof(s32)) + /* IFLA_BOND_SLAVE_PRIO */
+ nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_ACTOR_PORT_PRIO */
0;
}
@@ -76,6 +77,10 @@ static int bond_fill_slave_info(struct sk_buff *skb,
ad_port->partner_oper.port_state))
goto nla_put_failure;
}
+
+ if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
+ SLAVE_AD_INFO(slave)->port_priority))
+ goto nla_put_failure;
}
return 0;
@@ -128,6 +133,7 @@ static const struct nla_policy bond_policy[IFLA_BOND_MAX + 1] = {
static const struct nla_policy bond_slave_policy[IFLA_BOND_SLAVE_MAX + 1] = {
[IFLA_BOND_SLAVE_QUEUE_ID] = { .type = NLA_U16 },
[IFLA_BOND_SLAVE_PRIO] = { .type = NLA_S32 },
+ [IFLA_BOND_SLAVE_ACTOR_PORT_PRIO] = { .type = NLA_U16 },
};
static int bond_validate(struct nlattr *tb[], struct nlattr *data[],
@@ -178,6 +184,16 @@ static int bond_slave_changelink(struct net_device *bond_dev,
return err;
}
+ if (data[IFLA_BOND_SLAVE_ACTOR_PORT_PRIO]) {
+ u16 ad_prio = nla_get_u16(data[IFLA_BOND_SLAVE_ACTOR_PORT_PRIO]);
+
+ bond_opt_slave_initval(&newval, &slave_dev, ad_prio);
+ err = __bond_opt_set(bond, BOND_OPT_ACTOR_PORT_PRIO, &newval,
+ data[IFLA_BOND_SLAVE_ACTOR_PORT_PRIO], extack);
+ if (err)
+ return err;
+ }
+
return 0;
}
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index fe955ba5c9685..f4ad0fc624c98 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -79,6 +79,8 @@ static int bond_option_tlb_dynamic_lb_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_ad_actor_sys_prio_set(struct bonding *bond,
const struct bond_opt_value *newval);
+static int bond_option_actor_port_prio_set(struct bonding *bond,
+ const struct bond_opt_value *newval);
static int bond_option_ad_actor_system_set(struct bonding *bond,
const struct bond_opt_value *newval);
static int bond_option_ad_user_port_key_set(struct bonding *bond,
@@ -223,6 +225,13 @@ static const struct bond_opt_value bond_ad_actor_sys_prio_tbl[] = {
{ NULL, -1, 0},
};
+static const struct bond_opt_value bond_actor_port_prio_tbl[] = {
+ { "minval", 0, BOND_VALFLAG_MIN},
+ { "maxval", 65535, BOND_VALFLAG_MAX},
+ { "default", 255, BOND_VALFLAG_DEFAULT},
+ { NULL, -1, 0},
+};
+
static const struct bond_opt_value bond_ad_user_port_key_tbl[] = {
{ "minval", 0, BOND_VALFLAG_MIN | BOND_VALFLAG_DEFAULT},
{ "maxval", 1023, BOND_VALFLAG_MAX},
@@ -484,6 +493,13 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.values = bond_ad_actor_sys_prio_tbl,
.set = bond_option_ad_actor_sys_prio_set,
},
+ [BOND_OPT_ACTOR_PORT_PRIO] = {
+ .id = BOND_OPT_ACTOR_PORT_PRIO,
+ .name = "actor_port_prio",
+ .unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
+ .values = bond_actor_port_prio_tbl,
+ .set = bond_option_actor_port_prio_set,
+ },
[BOND_OPT_AD_ACTOR_SYSTEM] = {
.id = BOND_OPT_AD_ACTOR_SYSTEM,
.name = "ad_actor_system",
@@ -1819,6 +1835,26 @@ static int bond_option_ad_actor_sys_prio_set(struct bonding *bond,
return 0;
}
+static int bond_option_actor_port_prio_set(struct bonding *bond,
+ const struct bond_opt_value *newval)
+{
+ struct slave *slave;
+
+ slave = bond_slave_get_rtnl(newval->slave_dev);
+ if (!slave) {
+ netdev_dbg(bond->dev, "%s called on NULL slave\n", __func__);
+ return -ENODEV;
+ }
+
+ netdev_dbg(newval->slave_dev, "Setting actor_port_prio to %llu\n",
+ newval->value);
+
+ SLAVE_AD_INFO(slave)->port_priority = newval->value;
+ bond_3ad_update_ad_actor_settings(bond);
+
+ return 0;
+}
+
static int bond_option_ad_actor_system_set(struct bonding *bond,
const struct bond_opt_value *newval)
{
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index 078e16d2512a5..84fe87314bd9c 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -271,6 +271,7 @@ struct ad_slave_info {
struct port port; /* 802.3ad port structure */
struct bond_3ad_stats stats;
u16 id;
+ u16 port_priority;
};
static inline const char *bond_3ad_churn_desc(churn_state_t state)
diff --git a/include/net/bond_options.h b/include/net/bond_options.h
index 022b122a9fb61..e6eedf23aea1a 100644
--- a/include/net/bond_options.h
+++ b/include/net/bond_options.h
@@ -78,6 +78,7 @@ enum {
BOND_OPT_PRIO,
BOND_OPT_COUPLED_CONTROL,
BOND_OPT_BROADCAST_NEIGH,
+ BOND_OPT_ACTOR_PORT_PRIO,
BOND_OPT_LAST
};
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 6750911da4f06..3533368f16472 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -979,6 +979,7 @@ enum {
IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
IFLA_BOND_SLAVE_PRIO,
+ IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
__IFLA_BOND_SLAVE_MAX,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 428/508] bonding: print churn state via netlink
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 427/508] bonding: add support for per-port LACP actor priority Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 429/508] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
` (81 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 4916f2e2f3fc9aef289fcd07949301e5c29094c2 ]
Currently, the churn state is printed only in sysfs. Add netlink support
so users could get the state via netlink.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260224020215.6012-1-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_netlink.c | 9 +++++++++
include/uapi/linux/if_link.h | 2 ++
2 files changed, 11 insertions(+)
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 7e47d405d74aa..086233dce9c8d 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -29,6 +29,8 @@ static size_t bond_get_slave_size(const struct net_device *bond_dev,
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE */
nla_total_size(sizeof(s32)) + /* IFLA_BOND_SLAVE_PRIO */
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_ACTOR_PORT_PRIO */
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE */
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE */
0;
}
@@ -76,6 +78,13 @@ static int bond_fill_slave_info(struct sk_buff *skb,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
ad_port->partner_oper.port_state))
goto nla_put_failure;
+
+ if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
+ ad_port->sm_churn_actor_state))
+ goto nla_put_failure;
+ if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
+ ad_port->sm_churn_partner_state))
+ goto nla_put_failure;
}
if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 3533368f16472..7c1fb14197024 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -980,6 +980,8 @@ enum {
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
IFLA_BOND_SLAVE_PRIO,
IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
+ IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
+ IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
__IFLA_BOND_SLAVE_MAX,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 429/508] bonding: 3ad: implement proper RCU rules for port->aggregator
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 428/508] bonding: print churn state via netlink Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 430/508] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
` (80 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9bb2ff2a4ab9e17307e1,
Eric Dumazet, Jay Vosburgh, Andrew Lunn, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c4f050ce06c56cfb5993268af4a5cb66ed1cd04e ]
syzbot found a data-race in bond_3ad_get_active_agg_info /
bond_3ad_state_machine_handler [1] which hints at lack of proper
RCU implementation.
Add __rcu qualifier to port->aggregator, and add proper RCU API.
[1]
BUG: KCSAN: data-race in bond_3ad_get_active_agg_info / bond_3ad_state_machine_handler
write to 0xffff88813cf5c4b0 of 8 bytes by task 36 on cpu 0:
ad_port_selection_logic drivers/net/bonding/bond_3ad.c:1659 [inline]
bond_3ad_state_machine_handler+0x9d5/0x2d60 drivers/net/bonding/bond_3ad.c:2569
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3385
worker_thread+0x58a/0x780 kernel/workqueue.c:3466
kthread+0x22a/0x280 kernel/kthread.c:436
ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
read to 0xffff88813cf5c4b0 of 8 bytes by task 22063 on cpu 1:
__bond_3ad_get_active_agg_info drivers/net/bonding/bond_3ad.c:2858 [inline]
bond_3ad_get_active_agg_info+0x8c/0x230 drivers/net/bonding/bond_3ad.c:2881
bond_fill_info+0xe0f/0x10f0 drivers/net/bonding/bond_netlink.c:853
rtnl_link_info_fill net/core/rtnetlink.c:906 [inline]
rtnl_link_fill+0x1d7/0x4e0 net/core/rtnetlink.c:927
rtnl_fill_ifinfo+0xf8e/0x1380 net/core/rtnetlink.c:2168
rtmsg_ifinfo_build_skb+0x11c/0x1b0 net/core/rtnetlink.c:4453
rtmsg_ifinfo_event net/core/rtnetlink.c:4486 [inline]
rtmsg_ifinfo+0x6d/0x110 net/core/rtnetlink.c:4495
__dev_notify_flags+0x76/0x390 net/core/dev.c:9790
netif_change_flags+0xac/0xd0 net/core/dev.c:9823
do_setlink+0x905/0x2950 net/core/rtnetlink.c:3180
rtnl_group_changelink net/core/rtnetlink.c:3813 [inline]
__rtnl_newlink net/core/rtnetlink.c:3981 [inline]
rtnl_newlink+0xf55/0x1400 net/core/rtnetlink.c:4109
rtnetlink_rcv_msg+0x64b/0x720 net/core/rtnetlink.c:6995
netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:7022
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x5a8/0x680 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x5c8/0x6f0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x563/0x5b0 net/socket.c:2698
___sys_sendmsg+0x195/0x1e0 net/socket.c:2752
__sys_sendmsg net/socket.c:2784 [inline]
__do_sys_sendmsg net/socket.c:2789 [inline]
__se_sys_sendmsg net/socket.c:2787 [inline]
__x64_sys_sendmsg+0xd4/0x160 net/socket.c:2787
x64_sys_call+0x194c/0x3020 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x0000000000000000 -> 0xffff88813cf5c400
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 22063 Comm: syz.0.31122 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Fixes: 47e91f56008b ("bonding: use RCU protection for 3ad xmit path")
Reported-by: syzbot+9bb2ff2a4ab9e17307e1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69f0a82f.050a0220.3aadc4.0000.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Link: https://patch.msgid.link/20260428123207.3809211-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 109 ++++++++++++++-----------
drivers/net/bonding/bond_main.c | 8 +-
drivers/net/bonding/bond_netlink.c | 16 ++--
drivers/net/bonding/bond_procfs.c | 3 +-
drivers/net/bonding/bond_sysfs_slave.c | 17 ++--
include/net/bond_3ad.h | 2 +-
6 files changed, 89 insertions(+), 66 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index a897836ad21a3..d1da96f3efd40 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -991,6 +991,7 @@ static int ad_marker_send(struct port *port, struct bond_marker *marker)
static void ad_mux_machine(struct port *port, bool *update_slave_arr)
{
struct bonding *bond = __get_bond_by_port(port);
+ struct aggregator *aggregator;
mux_states_t last_state;
/* keep current State Machine state to compare later if it was
@@ -998,6 +999,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
last_state = port->sm_mux_state;
+ aggregator = rcu_dereference(port->aggregator);
if (port->sm_vars & AD_PORT_BEGIN) {
port->sm_mux_state = AD_MUX_DETACHED;
} else {
@@ -1017,7 +1019,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* cycle to update ready variable, we check
* READY_N and update READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
port->sm_mux_state = AD_MUX_DETACHED;
break;
}
@@ -1032,7 +1034,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* update ready variable, we check READY_N and update
* READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
/* if the wait_while_timer expired, and the port is
* in READY state, move to ATTACHED state
@@ -1048,7 +1050,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
if ((port->sm_vars & AD_PORT_SELECTED) &&
(port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) &&
!__check_agg_selection_timer(port)) {
- if (port->aggregator->is_active) {
+ if (aggregator->is_active) {
int state = AD_MUX_COLLECTING_DISTRIBUTING;
if (!bond->params.coupled_control)
@@ -1064,9 +1066,9 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* cycle to update ready variable, we check
* READY_N and update READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
port->sm_mux_state = AD_MUX_DETACHED;
- } else if (port->aggregator->is_active) {
+ } else if (aggregator->is_active) {
port->actor_oper_port_state |=
LACP_STATE_SYNCHRONIZATION;
}
@@ -1077,7 +1079,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* sure that a collecting distributing
* port in an active aggregator is enabled
*/
- if (port->aggregator->is_active &&
+ if (aggregator->is_active &&
!__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
@@ -1096,7 +1098,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
struct slave *slave = port->slave;
- if (port->aggregator->is_active &&
+ if (aggregator->is_active &&
bond_is_slave_rx_disabled(slave)) {
ad_enable_collecting(port);
*update_slave_arr = true;
@@ -1116,8 +1118,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* sure that a collecting distributing
* port in an active aggregator is enabled
*/
- if (port->aggregator &&
- port->aggregator->is_active &&
+ if (aggregator &&
+ aggregator->is_active &&
!__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
@@ -1149,7 +1151,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
port->sm_mux_timer_counter = __ad_timer_to_ticks(AD_WAIT_WHILE_TIMER, 0);
break;
case AD_MUX_ATTACHED:
- if (port->aggregator->is_active)
+ if (aggregator->is_active)
port->actor_oper_port_state |=
LACP_STATE_SYNCHRONIZATION;
else
@@ -1522,9 +1524,9 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
bond = __get_bond_by_port(port);
/* if the port is connected to other aggregator, detach it */
- if (port->aggregator) {
+ temp_aggregator = rcu_dereference(port->aggregator);
+ if (temp_aggregator) {
/* detach the port from its former aggregator */
- temp_aggregator = port->aggregator;
for (curr_port = temp_aggregator->lag_ports; curr_port;
last_port = curr_port,
curr_port = curr_port->next_port_in_aggregator) {
@@ -1547,7 +1549,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
/* clear the port's relations to this
* aggregator
*/
- port->aggregator = NULL;
+ RCU_INIT_POINTER(port->aggregator, NULL);
port->next_port_in_aggregator = NULL;
port->actor_port_aggregator_identifier = 0;
@@ -1570,7 +1572,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
port->slave->bond->dev->name,
port->slave->dev->name,
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ temp_aggregator->aggregator_identifier);
}
}
/* search on all aggregators for a suitable aggregator for this port */
@@ -1594,15 +1596,15 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
)
) {
/* attach to the founded aggregator */
- port->aggregator = aggregator;
+ rcu_assign_pointer(port->aggregator, aggregator);
port->actor_port_aggregator_identifier =
- port->aggregator->aggregator_identifier;
+ aggregator->aggregator_identifier;
port->next_port_in_aggregator = aggregator->lag_ports;
- port->aggregator->num_of_ports++;
+ aggregator->num_of_ports++;
aggregator->lag_ports = port;
slave_dbg(bond->dev, slave->dev, "Port %d joined LAG %d (existing LAG)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
/* mark this port as selected */
port->sm_vars |= AD_PORT_SELECTED;
@@ -1617,39 +1619,40 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
if (!found) {
if (free_aggregator) {
/* assign port a new aggregator */
- port->aggregator = free_aggregator;
port->actor_port_aggregator_identifier =
- port->aggregator->aggregator_identifier;
+ free_aggregator->aggregator_identifier;
/* update the new aggregator's parameters
* if port was responsed from the end-user
*/
if (port->actor_oper_port_key & AD_DUPLEX_KEY_MASKS)
/* if port is full duplex */
- port->aggregator->is_individual = false;
+ free_aggregator->is_individual = false;
else
- port->aggregator->is_individual = true;
+ free_aggregator->is_individual = true;
- port->aggregator->actor_admin_aggregator_key =
+ free_aggregator->actor_admin_aggregator_key =
port->actor_admin_port_key;
- port->aggregator->actor_oper_aggregator_key =
+ free_aggregator->actor_oper_aggregator_key =
port->actor_oper_port_key;
- port->aggregator->partner_system =
+ free_aggregator->partner_system =
port->partner_oper.system;
- port->aggregator->partner_system_priority =
+ free_aggregator->partner_system_priority =
port->partner_oper.system_priority;
- port->aggregator->partner_oper_aggregator_key = port->partner_oper.key;
- port->aggregator->receive_state = 1;
- port->aggregator->transmit_state = 1;
- port->aggregator->lag_ports = port;
- port->aggregator->num_of_ports++;
+ free_aggregator->partner_oper_aggregator_key = port->partner_oper.key;
+ free_aggregator->receive_state = 1;
+ free_aggregator->transmit_state = 1;
+ free_aggregator->lag_ports = port;
+ free_aggregator->num_of_ports++;
+
+ rcu_assign_pointer(port->aggregator, free_aggregator);
/* mark this port as selected */
port->sm_vars |= AD_PORT_SELECTED;
slave_dbg(bond->dev, port->slave->dev, "Port %d joined LAG %d (new LAG)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ free_aggregator->aggregator_identifier);
} else {
slave_err(bond->dev, port->slave->dev,
"Port %d did not find a suitable aggregator\n",
@@ -1661,13 +1664,12 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
* in all aggregator's ports, else set ready=FALSE in all
* aggregator's ports
*/
- __set_agg_ports_ready(port->aggregator,
- __agg_ports_are_ready(port->aggregator));
+ aggregator = rcu_dereference(port->aggregator);
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
- aggregator = __get_first_agg(port);
- ad_agg_selection_logic(aggregator, update_slave_arr);
+ ad_agg_selection_logic(__get_first_agg(port), update_slave_arr);
- if (!port->aggregator->is_active)
+ if (!aggregator->is_active)
port->actor_oper_port_state &= ~LACP_STATE_SYNCHRONIZATION;
}
@@ -2021,13 +2023,15 @@ static void ad_initialize_port(struct port *port, const struct bond_params *bond
*/
static void ad_enable_collecting(struct port *port)
{
- if (port->aggregator->is_active) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator->is_active) {
struct slave *slave = port->slave;
slave_dbg(slave->bond->dev, slave->dev,
"Enabling collecting on port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__enable_collecting_port(port);
}
}
@@ -2039,11 +2043,13 @@ static void ad_enable_collecting(struct port *port)
*/
static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
{
- if (port->aggregator && __agg_has_partner(port->aggregator)) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator && __agg_has_partner(aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling distributing on port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__disable_distributing_port(port);
/* Slave array needs an update */
*update_slave_arr = true;
@@ -2060,11 +2066,13 @@ static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
static void ad_enable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator->is_active) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator->is_active) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Enabling port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__enable_port(port);
/* Slave array needs update */
*update_slave_arr = true;
@@ -2079,11 +2087,13 @@ static void ad_enable_collecting_distributing(struct port *port,
static void ad_disable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator && __agg_has_partner(port->aggregator)) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator && __agg_has_partner(aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__disable_port(port);
/* Slave array needs an update */
*update_slave_arr = true;
@@ -2323,7 +2333,7 @@ void bond_3ad_unbind_slave(struct slave *slave)
*/
for (temp_port = aggregator->lag_ports; temp_port;
temp_port = temp_port->next_port_in_aggregator) {
- temp_port->aggregator = new_aggregator;
+ rcu_assign_pointer(temp_port->aggregator, new_aggregator);
temp_port->actor_port_aggregator_identifier = new_aggregator->aggregator_identifier;
}
@@ -2792,15 +2802,16 @@ int bond_3ad_set_carrier(struct bonding *bond)
int __bond_3ad_get_active_agg_info(struct bonding *bond,
struct ad_info *ad_info)
{
- struct aggregator *aggregator = NULL;
+ struct aggregator *aggregator = NULL, *tmp;
struct list_head *iter;
struct slave *slave;
struct port *port;
bond_for_each_slave_rcu(bond, slave, iter) {
port = &(SLAVE_AD_INFO(slave)->port);
- if (port->aggregator && port->aggregator->is_active) {
- aggregator = port->aggregator;
+ tmp = rcu_dereference(port->aggregator);
+ if (tmp && tmp->is_active) {
+ aggregator = tmp;
break;
}
}
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 70718bf6e716c..029a7f001dd8a 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1394,7 +1394,7 @@ static void bond_poll_controller(struct net_device *bond_dev)
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
struct aggregator *agg =
- SLAVE_AD_INFO(slave)->port.aggregator;
+ rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (agg &&
agg->aggregator_identifier != ad_info.aggregator_id)
@@ -5196,15 +5196,16 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
spin_unlock_bh(&bond->mode_lock);
agg_id = ad_info.aggregator_id;
}
+ rcu_read_lock();
bond_for_each_slave(bond, slave, iter) {
if (skipslave == slave)
continue;
all_slaves->arr[all_slaves->count++] = slave;
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
- struct aggregator *agg;
+ const struct aggregator *agg;
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (!agg || agg->aggregator_identifier != agg_id)
continue;
}
@@ -5216,6 +5217,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
usable_slaves->arr[usable_slaves->count++] = slave;
}
+ rcu_read_unlock();
bond_set_slave_arr(bond, usable_slaves, all_slaves);
return ret;
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 086233dce9c8d..0eaf4b0e06ffb 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -65,27 +65,29 @@ static int bond_fill_slave_info(struct sk_buff *skb,
const struct port *ad_port;
ad_port = &SLAVE_AD_INFO(slave)->port;
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
+ rcu_read_lock();
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (agg) {
if (nla_put_u16(skb, IFLA_BOND_SLAVE_AD_AGGREGATOR_ID,
agg->aggregator_identifier))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb,
IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE,
ad_port->actor_oper_port_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u16(skb,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
ad_port->partner_oper.port_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
ad_port->sm_churn_actor_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
ad_port->sm_churn_partner_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
}
+ rcu_read_unlock();
if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
SLAVE_AD_INFO(slave)->port_priority))
@@ -94,6 +96,8 @@ static int bond_fill_slave_info(struct sk_buff *skb,
return 0;
+nla_put_failure_rcu:
+ rcu_read_unlock();
nla_put_failure:
return -EMSGSIZE;
}
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index 43be458422b3f..bc919814eb504 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -187,6 +187,7 @@ static void bond_info_show_master(struct seq_file *seq)
}
}
+/* Note: runs under rcu_read_lock() */
static void bond_info_show_slave(struct seq_file *seq,
const struct slave *slave)
{
@@ -213,7 +214,7 @@ static void bond_info_show_slave(struct seq_file *seq,
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
const struct port *port = &SLAVE_AD_INFO(slave)->port;
- const struct aggregator *agg = port->aggregator;
+ const struct aggregator *agg = rcu_dereference(port->aggregator);
if (agg) {
seq_printf(seq, "Aggregator ID: %d\n",
diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
index 313866f2c0e49..75df3e21b804d 100644
--- a/drivers/net/bonding/bond_sysfs_slave.c
+++ b/drivers/net/bonding/bond_sysfs_slave.c
@@ -62,10 +62,15 @@ static ssize_t ad_aggregator_id_show(struct slave *slave, char *buf)
const struct aggregator *agg;
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
- if (agg)
- return sysfs_emit(buf, "%d\n",
- agg->aggregator_identifier);
+ rcu_read_lock();
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
+ if (agg) {
+ ssize_t res = sysfs_emit(buf, "%d\n",
+ agg->aggregator_identifier);
+ rcu_read_unlock();
+ return res;
+ }
+ rcu_read_unlock();
}
return sysfs_emit(buf, "N/A\n");
@@ -78,7 +83,7 @@ static ssize_t ad_actor_oper_port_state_show(struct slave *slave, char *buf)
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
ad_port = &SLAVE_AD_INFO(slave)->port;
- if (ad_port->aggregator)
+ if (rcu_access_pointer(ad_port->aggregator))
return sysfs_emit(buf, "%u\n",
ad_port->actor_oper_port_state);
}
@@ -93,7 +98,7 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
ad_port = &SLAVE_AD_INFO(slave)->port;
- if (ad_port->aggregator)
+ if (rcu_access_pointer(ad_port->aggregator))
return sysfs_emit(buf, "%u\n",
ad_port->partner_oper.port_state);
}
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index 84fe87314bd9c..728aec9bda4a4 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -239,7 +239,7 @@ typedef struct port {
churn_state_t sm_churn_actor_state;
churn_state_t sm_churn_partner_state;
struct slave *slave; /* pointer to the bond slave that this port belongs to */
- struct aggregator *aggregator; /* pointer to an aggregator that this port related to */
+ struct aggregator __rcu *aggregator; /* pointer to an aggregator that this port related to */
struct port *next_port_in_aggregator; /* Next port on the linked list of the parent aggregator */
u32 transaction_id; /* continuous number for identification of Marker PDU's; */
struct lacpdu lacpdu; /* the lacpdu that will be sent for this port */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 430/508] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 429/508] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 431/508] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
` (79 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Simon Horman, Przemek Kitszel, Jacob Keller,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 70d62b669f1f9080a25278fc90b64309f4ae8959 ]
Rename the IAVF_VLAN_IS_NEW state to IAVF_VLAN_ADDING to better
describe what the state represents: an ADD request has been sent to
the PF and is waiting for a response.
This is a pure rename with no behavioral change, preparing for a
cleanup of the VLAN filter state machine.
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-1-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: f2ce65b9b917 ("iavf: stop removing VLAN filters from PF on interface down")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 2 +-
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index 431d9d62c8c66..c09ec8cc1e9fb 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -158,7 +158,7 @@ struct iavf_vlan {
enum iavf_vlan_state_t {
IAVF_VLAN_INVALID,
IAVF_VLAN_ADD, /* filter needs to be added */
- IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */
+ IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index b95a4f903204b..bc8285f77a7be 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -637,7 +637,7 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter)
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_IS_NEW) {
+ if (f->state == IAVF_VLAN_ADDING) {
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
@@ -702,7 +702,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
if (f->state == IAVF_VLAN_ADD) {
vvfl->vlan_id[i] = f->vlan.vid;
i++;
- f->state = IAVF_VLAN_IS_NEW;
+ f->state = IAVF_VLAN_ADDING;
if (i == count)
break;
}
@@ -763,7 +763,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
vlan->tpid = f->vlan.tpid;
i++;
- f->state = IAVF_VLAN_IS_NEW;
+ f->state = IAVF_VLAN_ADDING;
}
}
@@ -2520,7 +2520,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry(f, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_IS_NEW)
+ if (f->state == IAVF_VLAN_ADDING)
f->state = IAVF_VLAN_ACTIVE;
}
spin_unlock_bh(&adapter->mac_vlan_list_lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 431/508] iavf: stop removing VLAN filters from PF on interface down
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 430/508] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 432/508] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
` (78 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Simon Horman, Przemek Kitszel, Jacob Keller,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit f2ce65b9b917474a1a6ce68d357e15fac2aca0f2 ]
When a VF goes down, the driver currently sends DEL_VLAN to the PF for
every VLAN filter (ACTIVE -> DISABLE -> send DEL -> INACTIVE), then
re-adds them all on UP (INACTIVE -> ADD -> send ADD -> ADDING ->
ACTIVE). This round-trip is unnecessary because:
1. The PF disables the VF's queues via VIRTCHNL_OP_DISABLE_QUEUES,
which already prevents all RX/TX traffic regardless of VLAN filter
state.
2. The VLAN filters remaining in PF HW while the VF is down is
harmless - packets matching those filters have nowhere to go with
queues disabled.
3. The DEL+ADD cycle during down/up creates race windows where the
VLAN filter list is incomplete. With spoofcheck enabled, the PF
enables TX VLAN filtering on the first non-zero VLAN add, blocking
traffic for any VLANs not yet re-added.
Remove the entire DISABLE/INACTIVE state machinery:
- Remove IAVF_VLAN_DISABLE and IAVF_VLAN_INACTIVE enum values
- Remove iavf_restore_filters() and its call from iavf_open()
- Remove VLAN filter handling from iavf_clear_mac_vlan_filters(),
rename it to iavf_clear_mac_filters()
- Remove DEL_VLAN_FILTER scheduling from iavf_down()
- Remove all DISABLE/INACTIVE handling from iavf_del_vlans()
VLAN filters now stay ACTIVE across down/up cycles. Only explicit
user removal (ndo_vlan_rx_kill_vid) or PF/VF reset triggers VLAN
filter deletion/re-addition.
Fixes: ed1f5b58ea01 ("i40evf: remove VLAN filters on close")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-2-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 6 +--
drivers/net/ethernet/intel/iavf/iavf_main.c | 39 ++-----------------
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 33 +++-------------
3 files changed, 12 insertions(+), 66 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index c09ec8cc1e9fb..d1f39befc8b8c 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -159,10 +159,8 @@ enum iavf_vlan_state_t {
IAVF_VLAN_INVALID,
IAVF_VLAN_ADD, /* filter needs to be added */
IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
- IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
- IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
- IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
- IAVF_VLAN_REMOVE, /* filter needs to be removed from list */
+ IAVF_VLAN_ACTIVE, /* PF confirmed, filter is in HW */
+ IAVF_VLAN_REMOVE, /* filter queued for DEL from PF */
};
struct iavf_vlan_filter {
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 02e07fe6a0528..c7fecd7261140 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -846,27 +846,6 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
-/**
- * iavf_restore_filters
- * @adapter: board private structure
- *
- * Restore existing non MAC filters when VF netdev comes back up
- **/
-static void iavf_restore_filters(struct iavf_adapter *adapter)
-{
- struct iavf_vlan_filter *f;
-
- /* re-add all VLAN filters */
- spin_lock_bh(&adapter->mac_vlan_list_lock);
-
- list_for_each_entry(f, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_INACTIVE)
- f->state = IAVF_VLAN_ADD;
- }
-
- spin_unlock_bh(&adapter->mac_vlan_list_lock);
- adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
-}
/**
* iavf_get_num_vlans_added - get number of VLANs added
@@ -1289,13 +1268,12 @@ static void iavf_up_complete(struct iavf_adapter *adapter)
}
/**
- * iavf_clear_mac_vlan_filters - Remove mac and vlan filters not sent to PF
- * yet and mark other to be removed.
+ * iavf_clear_mac_filters - Remove MAC filters not sent to PF yet and mark
+ * others to be removed.
* @adapter: board private structure
**/
-static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
+static void iavf_clear_mac_filters(struct iavf_adapter *adapter)
{
- struct iavf_vlan_filter *vlf, *vlftmp;
struct iavf_mac_filter *f, *ftmp;
spin_lock_bh(&adapter->mac_vlan_list_lock);
@@ -1314,11 +1292,6 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
}
}
- /* disable all VLAN filters */
- list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list,
- list)
- vlf->state = IAVF_VLAN_DISABLE;
-
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
@@ -1414,7 +1387,7 @@ void iavf_down(struct iavf_adapter *adapter)
iavf_napi_disable_all(adapter);
iavf_irq_disable(adapter);
- iavf_clear_mac_vlan_filters(adapter);
+ iavf_clear_mac_filters(adapter);
iavf_clear_cloud_filters(adapter);
iavf_clear_fdir_filters(adapter);
iavf_clear_adv_rss_conf(adapter);
@@ -1429,8 +1402,6 @@ void iavf_down(struct iavf_adapter *adapter)
*/
if (!list_empty(&adapter->mac_filter_list))
adapter->aq_required |= IAVF_FLAG_AQ_DEL_MAC_FILTER;
- if (!list_empty(&adapter->vlan_filter_list))
- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
if (!list_empty(&adapter->cloud_filter_list))
adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER;
if (!list_empty(&adapter->fdir_list_head))
@@ -4295,8 +4266,6 @@ static int iavf_open(struct net_device *netdev)
spin_unlock_bh(&adapter->mac_vlan_list_lock);
- /* Restore filters that were removed with IFF_DOWN */
- iavf_restore_filters(adapter);
iavf_restore_fdir_filters(adapter);
iavf_configure(adapter);
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index bc8285f77a7be..1d03cc452df2c 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -800,22 +800,12 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- /* since VLAN capabilities are not allowed, we dont want to send
- * a VLAN delete request because it will most likely fail and
- * create unnecessary errors/noise, so just free the VLAN
- * filters marked for removal to enable bailing out before
- * sending a virtchnl message
- */
if (f->state == IAVF_VLAN_REMOVE &&
!VLAN_FILTERING_ALLOWED(adapter)) {
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
- } else if (f->state == IAVF_VLAN_DISABLE &&
- !VLAN_FILTERING_ALLOWED(adapter)) {
- f->state = IAVF_VLAN_INACTIVE;
- } else if (f->state == IAVF_VLAN_REMOVE ||
- f->state == IAVF_VLAN_DISABLE) {
+ } else if (f->state == IAVF_VLAN_REMOVE) {
count++;
}
}
@@ -847,13 +837,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl->vsi_id = adapter->vsi_res->vsi_id;
vvfl->num_elements = count;
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_DISABLE) {
- vvfl->vlan_id[i] = f->vlan.vid;
- f->state = IAVF_VLAN_INACTIVE;
- i++;
- if (i == count)
- break;
- } else if (f->state == IAVF_VLAN_REMOVE) {
+ if (f->state == IAVF_VLAN_REMOVE) {
vvfl->vlan_id[i] = f->vlan.vid;
list_del(&f->list);
kfree(f);
@@ -894,8 +878,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
vvfl_v2->num_elements = count;
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_DISABLE ||
- f->state == IAVF_VLAN_REMOVE) {
+ if (f->state == IAVF_VLAN_REMOVE) {
struct virtchnl_vlan_supported_caps *filtering_support =
&adapter->vlan_v2_caps.filtering.filtering_support;
struct virtchnl_vlan *vlan;
@@ -909,13 +892,9 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vlan->tci = f->vlan.vid;
vlan->tpid = f->vlan.tpid;
- if (f->state == IAVF_VLAN_DISABLE) {
- f->state = IAVF_VLAN_INACTIVE;
- } else {
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
- }
+ list_del(&f->list);
+ kfree(f);
+ adapter->num_vlan_filters--;
i++;
if (i == count)
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 432/508] iavf: wait for PF confirmation before removing VLAN filters
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 431/508] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 433/508] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
` (77 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Przemek Kitszel, Jacob Keller, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit bbcbe4ed70dea948849549af7edf44bd42bbd695 ]
The VLAN filter DELETE path was asymmetric with the ADD path: ADD
waits for PF confirmation (ADD -> ADDING -> ACTIVE), but DELETE
immediately frees the filter struct after sending the DEL message
without waiting for the PF response.
This is problematic because:
- If the PF rejects the DEL, the filter remains in HW but the driver
has already freed the tracking structure, losing sync.
- Race conditions between DEL pending and other operations
(add, reset) cannot be properly resolved if the filter struct
is already gone.
Add IAVF_VLAN_REMOVING state to make the DELETE path symmetric:
REMOVE -> REMOVING (send DEL) -> PF confirms -> kfree
-> PF rejects -> ACTIVE
In iavf_del_vlans(), transition filters from REMOVE to REMOVING
instead of immediately freeing them. The new DEL completion handler
in iavf_virtchnl_completion() frees filters on success or reverts
them to ACTIVE on error.
Update iavf_add_vlan() to handle the REMOVING state: if a DEL is
pending and the user re-adds the same VLAN, queue it for ADD so
it gets re-programmed after the PF processes the DEL.
The !VLAN_FILTERING_ALLOWED early-exit path still frees filters
directly since no PF message is sent in that case.
Also update iavf_del_vlan() to skip filters already in REMOVING
state: DEL has been sent to PF and the completion handler will
free the filter when PF confirms. Without this guard, the sequence
DEL(pending) -> user-del -> second DEL could cause the PF to return
an error for the second DEL (filter already gone), causing the
completion handler to incorrectly revert a deleted filter back to
ACTIVE.
Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-3-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++---
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 37 +++++++++++++------
3 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index d1f39befc8b8c..c9553fa475ae1 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -161,6 +161,7 @@ enum iavf_vlan_state_t {
IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
IAVF_VLAN_ACTIVE, /* PF confirmed, filter is in HW */
IAVF_VLAN_REMOVE, /* filter queued for DEL from PF */
+ IAVF_VLAN_REMOVING, /* DEL sent to PF, waiting for response */
};
struct iavf_vlan_filter {
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index c7fecd7261140..b9b855a35fc85 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -802,10 +802,10 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
adapter->num_vlan_filters++;
iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
} else if (f->state == IAVF_VLAN_REMOVE) {
- /* Re-add the filter since we cannot tell whether the
- * pending delete has already been processed by the PF.
- * A duplicate add is harmless.
- */
+ /* DEL not yet sent to PF, cancel it */
+ f->state = IAVF_VLAN_ACTIVE;
+ } else if (f->state == IAVF_VLAN_REMOVING) {
+ /* DEL already sent to PF, re-add after completion */
f->state = IAVF_VLAN_ADD;
iavf_schedule_aq_request(adapter,
IAVF_FLAG_AQ_ADD_VLAN_FILTER);
@@ -836,11 +836,14 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
- } else {
+ } else if (f->state != IAVF_VLAN_REMOVING) {
f->state = IAVF_VLAN_REMOVE;
iavf_schedule_aq_request(adapter,
IAVF_FLAG_AQ_DEL_VLAN_FILTER);
}
+ /* If REMOVING, DEL is already sent to PF; completion
+ * handler will free the filter when PF confirms.
+ */
}
spin_unlock_bh(&adapter->mac_vlan_list_lock);
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 1d03cc452df2c..4a197bc4b86a7 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -836,12 +836,10 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl->vsi_id = adapter->vsi_res->vsi_id;
vvfl->num_elements = count;
- list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_REMOVE) {
vvfl->vlan_id[i] = f->vlan.vid;
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
+ f->state = IAVF_VLAN_REMOVING;
i++;
if (i == count)
break;
@@ -877,7 +875,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
vvfl_v2->num_elements = count;
- list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_REMOVE) {
struct virtchnl_vlan_supported_caps *filtering_support =
&adapter->vlan_v2_caps.filtering.filtering_support;
@@ -892,9 +890,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vlan->tci = f->vlan.vid;
vlan->tpid = f->vlan.tpid;
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
+ f->state = IAVF_VLAN_REMOVING;
i++;
if (i == count)
break;
@@ -2019,10 +2015,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
ether_addr_copy(adapter->hw.mac.addr, netdev->dev_addr);
wake_up(&adapter->vc_waitqueue);
break;
- case VIRTCHNL_OP_DEL_VLAN:
- dev_err(&adapter->pdev->dev, "Failed to delete VLAN filter, error %s\n",
- iavf_stat_str(&adapter->hw, v_retval));
- break;
case VIRTCHNL_OP_DEL_ETH_ADDR:
dev_err(&adapter->pdev->dev, "Failed to delete MAC filter, error %s\n",
iavf_stat_str(&adapter->hw, v_retval));
@@ -2505,6 +2497,27 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
break;
+ case VIRTCHNL_OP_DEL_VLAN:
+ case VIRTCHNL_OP_DEL_VLAN_V2: {
+ struct iavf_vlan_filter *f, *ftmp;
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list,
+ list) {
+ if (f->state == IAVF_VLAN_REMOVING) {
+ if (v_retval) {
+ /* PF rejected DEL, keep filter */
+ f->state = IAVF_VLAN_ACTIVE;
+ } else {
+ list_del(&f->list);
+ kfree(f);
+ adapter->num_vlan_filters--;
+ }
+ }
+ }
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+ }
+ break;
case VIRTCHNL_OP_ENABLE_VLAN_STRIPPING:
/* PF enabled vlan strip on this VF.
* Update netdev->features if needed to be in sync with ethtool.
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 433/508] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 432/508] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 434/508] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
` (76 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Przemek Kitszel, Jacob Keller, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 34d33313b52eeac3a97ad2e3176d523ec70d9283 ]
The V1 ADD_VLAN opcode had no success handler; filters sent via V1
stayed in ADDING state permanently. Add a fallthrough case so V1
filters also transition ADDING -> ACTIVE on PF confirmation.
Critically, add an `if (v_retval) break` guard: the error switch in
iavf_virtchnl_completion() does NOT return after handling errors,
it falls through to the success switch. Without this guard, a
PF-rejected ADD would incorrectly mark ADDING filters as ACTIVE,
creating a driver/HW mismatch where the driver believes the filter
is installed but the PF never accepted it.
For V2, this is harmless: iavf_vlan_add_reject() in the error
block already kfree'd all ADDING filters, so the success handler
finds nothing to transition.
Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-4-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 4a197bc4b86a7..b6bc5609e118c 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -2486,9 +2486,13 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_unlock_bh(&adapter->adv_rss_lock);
}
break;
+ case VIRTCHNL_OP_ADD_VLAN:
case VIRTCHNL_OP_ADD_VLAN_V2: {
struct iavf_vlan_filter *f;
+ if (v_retval)
+ break;
+
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_ADDING)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 434/508] ice: fix NULL pointer dereference in ice_reset_all_vfs()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 433/508] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 435/508] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
` (75 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Rafal Romanowski,
Jacob Keller, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 54ef02487914c24170c7e1c061e45212dc55365e ]
ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().
When the VSI rebuild fails (e.g. during NVM firmware update via
nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,
leaving txq_map and rxq_map as NULL. The subsequent unconditional call
to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in
ice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].
The single-VF reset path in ice_reset_vf() already handles this
correctly by checking the return value of ice_vf_reconfig_vsi() and
skipping ice_vf_post_vsi_rebuild() on failure.
Apply the same pattern to ice_reset_all_vfs(): check the return value
of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and
ice_eswitch_attach_vf() on failure. The VF is left safely disabled
(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can
be recovered via a VFLR triggered by a PCI reset of the VF
(sysfs reset or driver rebind).
Note that this patch does not prevent the VF VSI rebuild from failing
during NVM update — the underlying cause is firmware being in a
transitional state while the EMP reset is processed, which can cause
Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This
patch only prevents the subsequent NULL pointer dereference that
crashes the kernel when the rebuild does fail.
crash> bt
PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"
#0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee
#1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba
#2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540
#3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda
#4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997
#5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595
#6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2
[exception RIP: ice_ena_vf_q_mappings+0x79]
RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206
RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000
RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040
R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000
R13: 0000000000000010 R14: R15:
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]
#8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]
#9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]
#10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4
#11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de
#12 [ff72159bcfe5bf18] kthread at ffffffffaa946663
#13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9
The panic occurs attempting to dereference the NULL pointer in RDX at
ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).
The faulting VSI is an allocated slab object but not fully initialized
after a failed ice_vsi_rebuild():
crash> struct ice_vsi 0xff34c9efc27d4828
netdev = 0x0,
rx_rings = 0x0,
tx_rings = 0x0,
q_vectors = 0x0,
txq_map = 0x0,
rxq_map = 0x0,
alloc_txq = 0x10,
num_txq = 0x10,
alloc_rxq = 0x10,
num_rxq = 0x10,
The nvmupdate64e process was performing NVM firmware update:
crash> bt 0xff34c9edd1a30000
PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"
#0 [ff72159bcd617618] __schedule at ffffffffab5333f8
#4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]
#5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]
#6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]
#7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]
#8 [ff72159bcd6178b8] ice_read_flat_nvm at ffffffffc0a4034c [ice]
#9 [ff72159bcd617918] ice_devlink_nvm_snapshot at ffffffffc0a6ffa5 [ice]
dmesg:
ice 0000:13:00.0: firmware recommends not updating fw.mgmt, as it
may result in a downgrade. continuing anyways
ice 0000:13:00.1: ice_init_nvm failed -5
ice 0000:13:00.1: Rebuild failed, unload and reload driver
Fixes: 12bb018c538c ("ice: Refactor VF reset")
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-5-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
index 58f9ac81dfbb2..1463fee451efc 100644
--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
@@ -787,7 +787,12 @@ void ice_reset_all_vfs(struct ice_pf *pf)
ice_vf_ctrl_invalidate_vsi(vf);
ice_vf_pre_vsi_rebuild(vf);
- ice_vf_rebuild_vsi(vf);
+ if (ice_vf_rebuild_vsi(vf)) {
+ dev_err(dev, "VF %u VSI rebuild failed, leaving VF disabled\n",
+ vf->vf_id);
+ mutex_unlock(&vf->cfg_lock);
+ continue;
+ }
ice_vf_post_vsi_rebuild(vf);
mutex_unlock(&vf->cfg_lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 435/508] net: tls: fix strparser anchor skb leak on offload RX setup failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 434/508] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 436/508] sfc: fix error code in efx_devlink_info_running_versions() Greg Kroah-Hartman
` (74 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Vadim Fedorenko,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 58689498ca3384851145a754dbb1d8ed1cf9fb54 ]
When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().
Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.
The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.
The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260428231559.1358502-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls.h | 1 +
net/tls/tls_strp.c | 6 ++++++
net/tls/tls_sw.c | 4 ++++
3 files changed, 11 insertions(+)
diff --git a/net/tls/tls.h b/net/tls/tls.h
index a3c5c5a59fda6..718508e923eec 100644
--- a/net/tls/tls.h
+++ b/net/tls/tls.h
@@ -183,6 +183,7 @@ int tls_strp_dev_init(void);
void tls_strp_dev_exit(void);
void tls_strp_done(struct tls_strparser *strp);
+void __tls_strp_done(struct tls_strparser *strp);
void tls_strp_stop(struct tls_strparser *strp);
int tls_strp_init(struct tls_strparser *strp, struct sock *sk);
void tls_strp_data_ready(struct tls_strparser *strp);
diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
index ae723cd6af397..7d85feebdfd93 100644
--- a/net/tls/tls_strp.c
+++ b/net/tls/tls_strp.c
@@ -623,6 +623,12 @@ void tls_strp_done(struct tls_strparser *strp)
WARN_ON(!strp->stopped);
cancel_work_sync(&strp->work);
+ __tls_strp_done(strp);
+}
+
+/* For setup error paths where the strparser was initialized but never armed. */
+void __tls_strp_done(struct tls_strparser *strp)
+{
tls_strp_anchor_free(strp);
}
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index d86a487065e92..937aa78eed0e4 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2595,8 +2595,12 @@ void tls_sw_free_ctx_rx(struct tls_context *tls_ctx)
void tls_sw_free_resources_rx(struct sock *sk)
{
struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_rx *ctx;
+
+ ctx = tls_sw_ctx_rx(tls_ctx);
tls_sw_release_resources_rx(sk);
+ __tls_strp_done(&ctx->strp);
tls_sw_free_ctx_rx(tls_ctx);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 436/508] sfc: fix error code in efx_devlink_info_running_versions()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 435/508] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 437/508] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
` (73 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Edward Cree,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
[ Upstream commit 051ffb001b8a232cfa6e72f38bb5f51c4270a60b ]
Return -EIO if efx_mcdi_rpc() doesn't return enough space.
Fixes: 14743ddd2495 ("sfc: add devlink info support for ef100")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Link: https://patch.msgid.link/afGpsbLRHL4_H0KS@stanley.mountain
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/sfc/efx_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sfc/efx_devlink.c b/drivers/net/ethernet/sfc/efx_devlink.c
index 3cd750820fdde..d5a4b3cf94544 100644
--- a/drivers/net/ethernet/sfc/efx_devlink.c
+++ b/drivers/net/ethernet/sfc/efx_devlink.c
@@ -530,7 +530,7 @@ static int efx_devlink_info_running_versions(struct efx_nic *efx,
if (rc || outlength < MC_CMD_GET_VERSION_OUT_LEN) {
netif_err(efx, drv, efx->net_dev,
"mcdi MC_CMD_GET_VERSION failed\n");
- return rc;
+ return rc ?: -EIO;
}
/* Handle previous output */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 437/508] net/sched: cls_flower: revert unintended changes
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 436/508] sfc: fix error code in efx_devlink_info_running_versions() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 438/508] ntfs: ->d_compare() must not block Greg Kroah-Hartman
` (72 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 1e01abec856593e02cd69fd95b784c10dd46880c ]
While applying the blamed commit 4ca07b9239bd ("net: mctp i2c: check
length before marking flow active"), I unintentionally included
unrelated and unacceptable changes.
Revert them.
Fixes: 4ca07b9239bd ("net: mctp i2c: check length before marking flow active")
Reported-by: Jeremy Kerr <jk@codeconstruct.com.au>
Closes: https://lore.kernel.org/netdev/bd8704fe0bd53e278add5cde4873256656623e2e.camel@codeconstruct.com.au/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/043026a53ff84da88b17648c4b0d17f0331749cb.1777447863.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_flower.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 07259b403e108..b00e491e8130d 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -549,7 +549,6 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
struct netlink_ext_ack *extack)
{
struct cls_fl_head *head = fl_head_dereference(tp);
- struct fl_flow_mask *mask;
*last = false;
@@ -566,12 +565,11 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
list_del_rcu(&f->list);
spin_unlock(&tp->lock);
- mask = f->mask;
+ *last = fl_mask_put(head, f->mask);
if (!tc_skip_hw(f->flags))
fl_hw_destroy_filter(tp, f, rtnl_held, extack);
tcf_unbind_filter(tp, &f->res);
__fl_put(f);
- *last = fl_mask_put(head, mask);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 438/508] ntfs: ->d_compare() must not block
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 437/508] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 439/508] Revert "crypto: nx - fix context leak in nx842_crypto_free_ctx" Greg Kroah-Hartman
` (71 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Li hongliang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit ca2a04e84af79596e5cd9cfe697d5122ec39c8ce ]
... so don't use __getname() there. Switch it (and ntfs_d_hash(), while
we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash()
almost certainly can do with smaller allocations, but let ntfs folks
deal with that - keep the allocation size as-is for now.
Stop abusing names_cachep in ntfs, period - various uses of that thing
in there have nothing to do with pathnames; just use k[mz]alloc() and
be done with that. For now let's keep sizes as-in, but AFAICS none of
the users actually want PATH_MAX.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Li hongliang <1468888505@139.com>
---
fs/ntfs3/dir.c | 5 ++---
fs/ntfs3/fsntfs.c | 4 ++--
fs/ntfs3/inode.c | 13 ++++++-------
fs/ntfs3/namei.c | 17 ++++++++---------
fs/ntfs3/xattr.c | 5 ++---
5 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index 6b93c909bdc9e..894fd44164b48 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -425,8 +425,7 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx)
if (!dir_emit_dots(file, ctx))
return 0;
- /* Allocate PATH_MAX bytes. */
- name = __getname();
+ name = kmalloc(PATH_MAX, GFP_KERNEL);
if (!name)
return -ENOMEM;
@@ -504,7 +503,7 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx)
out:
- __putname(name);
+ kfree(name);
put_indx_node(node);
if (err == 1) {
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index e17d4c1ba06f0..a38547bd12bb4 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -2666,7 +2666,7 @@ int ntfs_set_label(struct ntfs_sb_info *sbi, u8 *label, int len)
struct ntfs_inode *ni = sbi->volume.ni;
const u8 max_ulen = 0x80; /* TODO: use attrdef to get maximum length */
/* Allocate PATH_MAX bytes. */
- struct cpu_str *uni = __getname();
+ struct cpu_str *uni = kmalloc(PATH_MAX, GFP_KERNEL);
if (!uni)
return -ENOMEM;
@@ -2709,6 +2709,6 @@ int ntfs_set_label(struct ntfs_sb_info *sbi, u8 *label, int len)
err = _ni_write_inode(&ni->vfs_inode, 0);
out:
- __putname(uni);
+ kfree(uni);
return err;
}
\ No newline at end of file
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index ce381eafd084e..787e15ba0ca40 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1327,7 +1327,7 @@ struct inode *ntfs_create_inode(struct mnt_idmap *idmap, struct inode *dir,
fa |= FILE_ATTRIBUTE_READONLY;
/* Allocate PATH_MAX bytes. */
- new_de = kmem_cache_zalloc(names_cachep, GFP_KERNEL);
+ new_de = kzalloc(PATH_MAX, GFP_KERNEL);
if (!new_de) {
err = -ENOMEM;
goto out1;
@@ -1733,7 +1733,7 @@ struct inode *ntfs_create_inode(struct mnt_idmap *idmap, struct inode *dir,
ntfs_mark_rec_free(sbi, ino, false);
out2:
- __putname(new_de);
+ kfree(new_de);
kfree(rp);
out1:
@@ -1756,7 +1756,7 @@ int ntfs_link_inode(struct inode *inode, struct dentry *dentry)
struct NTFS_DE *de;
/* Allocate PATH_MAX bytes. */
- de = kmem_cache_zalloc(names_cachep, GFP_KERNEL);
+ de = kzalloc(PATH_MAX, GFP_KERNEL);
if (!de)
return -ENOMEM;
@@ -1770,7 +1770,7 @@ int ntfs_link_inode(struct inode *inode, struct dentry *dentry)
err = ni_add_name(ntfs_i(d_inode(dentry->d_parent)), ni, de);
out:
- __putname(de);
+ kfree(de);
return err;
}
@@ -1793,8 +1793,7 @@ int ntfs_unlink_inode(struct inode *dir, const struct dentry *dentry)
if (ntfs_is_meta_file(sbi, ni->mi.rno))
return -EINVAL;
- /* Allocate PATH_MAX bytes. */
- de = kmem_cache_zalloc(names_cachep, GFP_KERNEL);
+ de = kzalloc(PATH_MAX, GFP_KERNEL);
if (!de)
return -ENOMEM;
@@ -1830,7 +1829,7 @@ int ntfs_unlink_inode(struct inode *dir, const struct dentry *dentry)
out:
ni_unlock(ni);
- __putname(de);
+ kfree(de);
return err;
}
diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c
index f5901c23ab937..1b0c075c14853 100644
--- a/fs/ntfs3/namei.c
+++ b/fs/ntfs3/namei.c
@@ -68,7 +68,7 @@ static struct dentry *ntfs_lookup(struct inode *dir, struct dentry *dentry,
u32 flags)
{
struct ntfs_inode *ni = ntfs_i(dir);
- struct cpu_str *uni = __getname();
+ struct cpu_str *uni = kmalloc(PATH_MAX, GFP_KERNEL);
struct inode *inode;
int err;
@@ -85,7 +85,7 @@ static struct dentry *ntfs_lookup(struct inode *dir, struct dentry *dentry,
inode = dir_search_u(dir, uni, NULL);
ni_unlock(ni);
}
- __putname(uni);
+ kfree(uni);
}
/*
@@ -304,8 +304,7 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir,
return err;
}
- /* Allocate PATH_MAX bytes. */
- de = __getname();
+ de = kmalloc(PATH_MAX, GFP_KERNEL);
if (!de)
return -ENOMEM;
@@ -350,7 +349,7 @@ static int ntfs_rename(struct mnt_idmap *idmap, struct inode *dir,
ni_unlock(ni);
ni_unlock(dir_ni);
out:
- __putname(de);
+ kfree(de);
return err;
}
@@ -497,7 +496,7 @@ static int ntfs_d_hash(const struct dentry *dentry, struct qstr *name)
/*
* Try slow way with current upcase table
*/
- uni = kmem_cache_alloc(names_cachep, GFP_NOWAIT);
+ uni = kmalloc(PATH_MAX, GFP_NOWAIT);
if (!uni)
return -ENOMEM;
@@ -519,7 +518,7 @@ static int ntfs_d_hash(const struct dentry *dentry, struct qstr *name)
err = 0;
out:
- kmem_cache_free(names_cachep, uni);
+ kfree(uni);
return err;
}
@@ -558,7 +557,7 @@ static int ntfs_d_compare(const struct dentry *dentry, unsigned int len1,
* Try slow way with current upcase table
*/
sbi = dentry->d_sb->s_fs_info;
- uni1 = __getname();
+ uni1 = kmalloc(PATH_MAX, GFP_NOWAIT);
if (!uni1)
return -ENOMEM;
@@ -588,7 +587,7 @@ static int ntfs_d_compare(const struct dentry *dentry, unsigned int len1,
ret = !ntfs_cmp_names_cpu(uni1, uni2, sbi->upcase, false) ? 0 : 1;
out:
- __putname(uni1);
+ kfree(uni1);
return ret;
}
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 72bceb8cd164b..a03b4bce5fbfd 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -551,8 +551,7 @@ struct posix_acl *ntfs_get_acl(struct mnt_idmap *idmap, struct dentry *dentry,
int err;
void *buf;
- /* Allocate PATH_MAX bytes. */
- buf = __getname();
+ buf = kmalloc(PATH_MAX, GFP_KERNEL);
if (!buf)
return ERR_PTR(-ENOMEM);
@@ -583,7 +582,7 @@ struct posix_acl *ntfs_get_acl(struct mnt_idmap *idmap, struct dentry *dentry,
if (!IS_ERR(acl))
set_cached_acl(inode, type, acl);
- __putname(buf);
+ kfree(buf);
return acl;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 439/508] Revert "crypto: nx - fix context leak in nx842_crypto_free_ctx"
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 438/508] ntfs: ->d_compare() must not block Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 440/508] Revert "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx" Greg Kroah-Hartman
` (70 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit b94588f5a69718be2c942f4a851125f655e4e819.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/nx/nx-842.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c
index 8b1dc05df8c8d..1f5005fcd69a9 100644
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -115,7 +115,10 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
ctx->sbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
- nx842_crypto_free_ctx(ctx);
+ kfree(ctx->wmem);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+ kfree(ctx);
return ERR_PTR(-ENOMEM);
}
@@ -130,7 +133,6 @@ void nx842_crypto_free_ctx(void *p)
kfree(ctx->wmem);
free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
- kfree(ctx);
}
EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 440/508] Revert "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx"
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 439/508] Revert "crypto: nx - fix context leak in nx842_crypto_free_ctx" Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 441/508] Revert "crypto: nx - Migrate to scomp API" Greg Kroah-Hartman
` (69 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 6923cde8dc1d501e79b312139819c88b54463803.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/nx/nx-842.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c
index 1f5005fcd69a9..b950fcce8a9be 100644
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
kfree(ctx->wmem);
- free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
- free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+ free_page((unsigned long)ctx->sbounce);
+ free_page((unsigned long)ctx->dbounce);
kfree(ctx);
return ERR_PTR(-ENOMEM);
}
@@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p)
struct nx842_crypto_ctx *ctx = p;
kfree(ctx->wmem);
- free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
- free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+ free_page((unsigned long)ctx->sbounce);
+ free_page((unsigned long)ctx->dbounce);
}
EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 441/508] Revert "crypto: nx - Migrate to scomp API"
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 440/508] Revert "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx" Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 442/508] smb: client: correctly handle ErrorContextData as a flexible array Greg Kroah-Hartman
` (68 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 268ae55a4c4fbff3ff54f92a4642f497da814f49.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/nx/nx-842.c | 33 ++++++++++++---------------
drivers/crypto/nx/nx-842.h | 15 ++++++------
drivers/crypto/nx/nx-common-powernv.c | 31 +++++++++++++------------
drivers/crypto/nx/nx-common-pseries.c | 33 ++++++++++++++-------------
4 files changed, 54 insertions(+), 58 deletions(-)
diff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c
index b950fcce8a9be..82214cde2bcd9 100644
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -101,13 +101,9 @@ static int update_param(struct nx842_crypto_param *p,
return 0;
}
-void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
+int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver)
{
- struct nx842_crypto_ctx *ctx;
-
- ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
- if (!ctx)
- return ERR_PTR(-ENOMEM);
+ struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
spin_lock_init(&ctx->lock);
ctx->driver = driver;
@@ -118,23 +114,22 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
kfree(ctx->wmem);
free_page((unsigned long)ctx->sbounce);
free_page((unsigned long)ctx->dbounce);
- kfree(ctx);
- return ERR_PTR(-ENOMEM);
+ return -ENOMEM;
}
- return ctx;
+ return 0;
}
-EXPORT_SYMBOL_GPL(nx842_crypto_alloc_ctx);
+EXPORT_SYMBOL_GPL(nx842_crypto_init);
-void nx842_crypto_free_ctx(void *p)
+void nx842_crypto_exit(struct crypto_tfm *tfm)
{
- struct nx842_crypto_ctx *ctx = p;
+ struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
kfree(ctx->wmem);
free_page((unsigned long)ctx->sbounce);
free_page((unsigned long)ctx->dbounce);
}
-EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
+EXPORT_SYMBOL_GPL(nx842_crypto_exit);
static void check_constraints(struct nx842_constraints *c)
{
@@ -251,11 +246,11 @@ static int compress(struct nx842_crypto_ctx *ctx,
return update_param(p, slen, dskip + dlen);
}
-int nx842_crypto_compress(struct crypto_scomp *tfm,
+int nx842_crypto_compress(struct crypto_tfm *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen, void *pctx)
+ u8 *dst, unsigned int *dlen)
{
- struct nx842_crypto_ctx *ctx = pctx;
+ struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
struct nx842_crypto_header *hdr =
container_of(&ctx->header,
struct nx842_crypto_header, hdr);
@@ -436,11 +431,11 @@ static int decompress(struct nx842_crypto_ctx *ctx,
return update_param(p, slen + padding, dlen);
}
-int nx842_crypto_decompress(struct crypto_scomp *tfm,
+int nx842_crypto_decompress(struct crypto_tfm *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen, void *pctx)
+ u8 *dst, unsigned int *dlen)
{
- struct nx842_crypto_ctx *ctx = pctx;
+ struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
struct nx842_crypto_header *hdr;
struct nx842_crypto_param p;
struct nx842_constraints c = *ctx->driver->constraints;
diff --git a/drivers/crypto/nx/nx-842.h b/drivers/crypto/nx/nx-842.h
index 58137ffd3835b..25fa70b2112cf 100644
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -3,6 +3,7 @@
#ifndef __NX_842_H__
#define __NX_842_H__
+#include <crypto/algapi.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
@@ -100,8 +101,6 @@
#define LEN_ON_SIZE(pa, size) ((size) - ((pa) & ((size) - 1)))
#define LEN_ON_PAGE(pa) LEN_ON_SIZE(pa, PAGE_SIZE)
-struct crypto_scomp;
-
static inline unsigned long nx842_get_pa(void *addr)
{
if (!is_vmalloc_addr(addr))
@@ -180,13 +179,13 @@ struct nx842_crypto_ctx {
struct nx842_driver *driver;
};
-void *nx842_crypto_alloc_ctx(struct nx842_driver *driver);
-void nx842_crypto_free_ctx(void *ctx);
-int nx842_crypto_compress(struct crypto_scomp *tfm,
+int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver);
+void nx842_crypto_exit(struct crypto_tfm *tfm);
+int nx842_crypto_compress(struct crypto_tfm *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen, void *ctx);
-int nx842_crypto_decompress(struct crypto_scomp *tfm,
+ u8 *dst, unsigned int *dlen);
+int nx842_crypto_decompress(struct crypto_tfm *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen, void *ctx);
+ u8 *dst, unsigned int *dlen);
#endif /* __NX_842_H__ */
diff --git a/drivers/crypto/nx/nx-common-powernv.c b/drivers/crypto/nx/nx-common-powernv.c
index fd0a98b2fb1b2..8c859872c1839 100644
--- a/drivers/crypto/nx/nx-common-powernv.c
+++ b/drivers/crypto/nx/nx-common-powernv.c
@@ -9,7 +9,6 @@
#include "nx-842.h"
-#include <crypto/internal/scompress.h>
#include <linux/timer.h>
#include <asm/prom.h>
@@ -1032,21 +1031,23 @@ static struct nx842_driver nx842_powernv_driver = {
.decompress = nx842_powernv_decompress,
};
-static void *nx842_powernv_crypto_alloc_ctx(void)
+static int nx842_powernv_crypto_init(struct crypto_tfm *tfm)
{
- return nx842_crypto_alloc_ctx(&nx842_powernv_driver);
+ return nx842_crypto_init(tfm, &nx842_powernv_driver);
}
-static struct scomp_alg nx842_powernv_alg = {
- .base.cra_name = "842",
- .base.cra_driver_name = "842-nx",
- .base.cra_priority = 300,
- .base.cra_module = THIS_MODULE,
-
- .alloc_ctx = nx842_powernv_crypto_alloc_ctx,
- .free_ctx = nx842_crypto_free_ctx,
- .compress = nx842_crypto_compress,
- .decompress = nx842_crypto_decompress,
+static struct crypto_alg nx842_powernv_alg = {
+ .cra_name = "842",
+ .cra_driver_name = "842-nx",
+ .cra_priority = 300,
+ .cra_flags = CRYPTO_ALG_TYPE_COMPRESS,
+ .cra_ctxsize = sizeof(struct nx842_crypto_ctx),
+ .cra_module = THIS_MODULE,
+ .cra_init = nx842_powernv_crypto_init,
+ .cra_exit = nx842_crypto_exit,
+ .cra_u = { .compress = {
+ .coa_compress = nx842_crypto_compress,
+ .coa_decompress = nx842_crypto_decompress } }
};
static __init int nx_compress_powernv_init(void)
@@ -1106,7 +1107,7 @@ static __init int nx_compress_powernv_init(void)
nx842_powernv_exec = nx842_exec_vas;
}
- ret = crypto_register_scomp(&nx842_powernv_alg);
+ ret = crypto_register_alg(&nx842_powernv_alg);
if (ret) {
nx_delete_coprocs();
return ret;
@@ -1127,7 +1128,7 @@ static void __exit nx_compress_powernv_exit(void)
if (!nx842_ct)
vas_unregister_api_powernv();
- crypto_unregister_scomp(&nx842_powernv_alg);
+ crypto_unregister_alg(&nx842_powernv_alg);
nx_delete_coprocs();
}
diff --git a/drivers/crypto/nx/nx-common-pseries.c b/drivers/crypto/nx/nx-common-pseries.c
index 0d26aafd08863..7e98f174f69b9 100644
--- a/drivers/crypto/nx/nx-common-pseries.c
+++ b/drivers/crypto/nx/nx-common-pseries.c
@@ -11,7 +11,6 @@
#include <asm/vio.h>
#include <asm/hvcall.h>
#include <asm/vas.h>
-#include <crypto/internal/scompress.h>
#include "nx-842.h"
#include "nx_csbcpb.h" /* struct nx_csbcpb */
@@ -1009,21 +1008,23 @@ static struct nx842_driver nx842_pseries_driver = {
.decompress = nx842_pseries_decompress,
};
-static void *nx842_pseries_crypto_alloc_ctx(void)
+static int nx842_pseries_crypto_init(struct crypto_tfm *tfm)
{
- return nx842_crypto_alloc_ctx(&nx842_pseries_driver);
+ return nx842_crypto_init(tfm, &nx842_pseries_driver);
}
-static struct scomp_alg nx842_pseries_alg = {
- .base.cra_name = "842",
- .base.cra_driver_name = "842-nx",
- .base.cra_priority = 300,
- .base.cra_module = THIS_MODULE,
-
- .alloc_ctx = nx842_pseries_crypto_alloc_ctx,
- .free_ctx = nx842_crypto_free_ctx,
- .compress = nx842_crypto_compress,
- .decompress = nx842_crypto_decompress,
+static struct crypto_alg nx842_pseries_alg = {
+ .cra_name = "842",
+ .cra_driver_name = "842-nx",
+ .cra_priority = 300,
+ .cra_flags = CRYPTO_ALG_TYPE_COMPRESS,
+ .cra_ctxsize = sizeof(struct nx842_crypto_ctx),
+ .cra_module = THIS_MODULE,
+ .cra_init = nx842_pseries_crypto_init,
+ .cra_exit = nx842_crypto_exit,
+ .cra_u = { .compress = {
+ .coa_compress = nx842_crypto_compress,
+ .coa_decompress = nx842_crypto_decompress } }
};
static int nx842_probe(struct vio_dev *viodev,
@@ -1071,7 +1072,7 @@ static int nx842_probe(struct vio_dev *viodev,
if (ret)
goto error;
- ret = crypto_register_scomp(&nx842_pseries_alg);
+ ret = crypto_register_alg(&nx842_pseries_alg);
if (ret) {
dev_err(&viodev->dev, "could not register comp alg: %d\n", ret);
goto error;
@@ -1119,7 +1120,7 @@ static void nx842_remove(struct vio_dev *viodev)
if (caps_feat)
sysfs_remove_group(&viodev->dev.kobj, &nxcop_caps_attr_group);
- crypto_unregister_scomp(&nx842_pseries_alg);
+ crypto_unregister_alg(&nx842_pseries_alg);
spin_lock_irqsave(&devdata_mutex, flags);
old_devdata = rcu_dereference_check(devdata,
@@ -1251,7 +1252,7 @@ static void __exit nx842_pseries_exit(void)
vas_unregister_api_pseries();
- crypto_unregister_scomp(&nx842_pseries_alg);
+ crypto_unregister_alg(&nx842_pseries_alg);
spin_lock_irqsave(&devdata_mutex, flags);
old_devdata = rcu_dereference_check(devdata,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 442/508] smb: client: correctly handle ErrorContextData as a flexible array
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 441/508] Revert "crypto: nx - Migrate to scomp API" Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 443/508] smb: client: fix OOB reads parsing symlink error response Greg Kroah-Hartman
` (67 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liang Jie, Tom Talpey, Steve French,
Alva Lan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liang Jie <liangjie@lixiang.com>
[ Upstream commit 215b7f9ecb8d7c14d56febdcdd246f3579c32aba ]
The `smb2_symlink_err_rsp` structure was previously defined with
`ErrorContextData` as a single `__u8` byte. However, the `ErrorContextData`
field is intended to be a variable-length array based on `ErrorDataLength`.
This mismatch leads to incorrect pointer arithmetic and potential memory
access issues when processing error contexts.
Updates the `ErrorContextData` field to be a flexible array
(`__u8 ErrorContextData[]`). Additionally, it modifies the corresponding
casts in the `symlink_data()` function to properly handle the flexible
array, ensuring correct memory calculations and data handling.
These changes improve the robustness of SMB2 symlink error processing.
Signed-off-by: Liang Jie <liangjie@lixiang.com>
Suggested-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ Remove the __counted_by_le annotation in v6.6. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2file.c | 4 ++--
fs/smb/client/smb2pdu.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index 4e7d5c612256d..3a5b62b298063 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -42,14 +42,14 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
end = (struct smb2_error_context_rsp *)((u8 *)err + iov->iov_len);
do {
if (le32_to_cpu(p->ErrorId) == SMB2_ERROR_ID_DEFAULT) {
- sym = (struct smb2_symlink_err_rsp *)&p->ErrorContextData;
+ sym = (struct smb2_symlink_err_rsp *)p->ErrorContextData;
break;
}
cifs_dbg(FYI, "%s: skipping unhandled error context: 0x%x\n",
__func__, le32_to_cpu(p->ErrorId));
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
- p = (struct smb2_error_context_rsp *)((u8 *)&p->ErrorContextData + len);
+ p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
} while (p < end);
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
iov->iov_len >= SMB2_SYMLINK_STRUCT_SIZE) {
diff --git a/fs/smb/client/smb2pdu.h b/fs/smb/client/smb2pdu.h
index 076d9e83e1a04..2eb15f3a7fe66 100644
--- a/fs/smb/client/smb2pdu.h
+++ b/fs/smb/client/smb2pdu.h
@@ -79,7 +79,7 @@ struct smb2_symlink_err_rsp {
struct smb2_error_context_rsp {
__le32 ErrorDataLength;
__le32 ErrorId;
- __u8 ErrorContextData; /* ErrorDataLength long array */
+ __u8 ErrorContextData[];
} __packed;
/* ErrorId values */
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 443/508] smb: client: fix OOB reads parsing symlink error response
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 442/508] smb: client: correctly handle ErrorContextData as a flexible array Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 444/508] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
` (66 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ronnie Sahlberg, Shyam Prasad N,
Tom Talpey, Bharath SM, linux-cifs, samba-technical, stable,
Paulo Alcantara (Red Hat), Steve French, Alva Lan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 3df690bba28edec865cf7190be10708ad0ddd67e ]
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.
symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.
smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount == 0.
With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8). The check is too short, allowing the
substitute name read to run past iov_len. The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).
Fix this all up by making the loops test require the full context header
to fit, rejecting sym if its header runs past end, and bound the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.
Because sub_offs and sub_len are 16bits, the pointer math will not
overflow here with the new greater-than.
Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Cc: Shyam Prasad N <sprasad@microsoft.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Bharath SM <bharathsm@microsoft.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: stable <stable@kernel.org>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2file.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
index 3a5b62b298063..044512b77448c 100644
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -27,10 +27,11 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
{
struct smb2_err_rsp *err = iov->iov_base;
struct smb2_symlink_err_rsp *sym = ERR_PTR(-EINVAL);
+ u8 *end = (u8 *)err + iov->iov_len;
u32 len;
if (err->ErrorContextCount) {
- struct smb2_error_context_rsp *p, *end;
+ struct smb2_error_context_rsp *p;
len = (u32)err->ErrorContextCount * (offsetof(struct smb2_error_context_rsp,
ErrorContextData) +
@@ -39,8 +40,7 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
return ERR_PTR(-EINVAL);
p = (struct smb2_error_context_rsp *)err->ErrorData;
- end = (struct smb2_error_context_rsp *)((u8 *)err + iov->iov_len);
- do {
+ while ((u8 *)p + sizeof(*p) <= end) {
if (le32_to_cpu(p->ErrorId) == SMB2_ERROR_ID_DEFAULT) {
sym = (struct smb2_symlink_err_rsp *)p->ErrorContextData;
break;
@@ -50,14 +50,16 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
- } while (p < end);
+ }
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
iov->iov_len >= SMB2_SYMLINK_STRUCT_SIZE) {
sym = (struct smb2_symlink_err_rsp *)err->ErrorData;
}
- if (!IS_ERR(sym) && (le32_to_cpu(sym->SymLinkErrorTag) != SYMLINK_ERROR_TAG ||
- le32_to_cpu(sym->ReparseTag) != IO_REPARSE_TAG_SYMLINK))
+ if (!IS_ERR(sym) &&
+ ((u8 *)sym + sizeof(*sym) > end ||
+ le32_to_cpu(sym->SymLinkErrorTag) != SYMLINK_ERROR_TAG ||
+ le32_to_cpu(sym->ReparseTag) != IO_REPARSE_TAG_SYMLINK))
sym = ERR_PTR(-EINVAL);
return sym;
@@ -82,8 +84,10 @@ int smb2_parse_symlink_response(struct cifs_sb_info *cifs_sb, const struct kvec
print_len = le16_to_cpu(sym->PrintNameLength);
print_offs = le16_to_cpu(sym->PrintNameOffset);
- if (iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + sub_offs + sub_len ||
- iov->iov_len < SMB2_SYMLINK_STRUCT_SIZE + print_offs + print_len)
+ if ((char *)sym->PathBuffer + sub_offs + sub_len >
+ (char *)iov->iov_base + iov->iov_len ||
+ (char *)sym->PathBuffer + print_offs + print_len >
+ (char *)iov->iov_base + iov->iov_len)
return -EINVAL;
return smb2_parse_native_symlink(path,
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 444/508] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 443/508] smb: client: fix OOB reads parsing symlink error response Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 445/508] net: bcmgenet: Initialize u64 stats seq counter Greg Kroah-Hartman
` (65 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c ]
The bounce buffers are allocated with __get_free_pages() using
BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
path and nx842_crypto_free_ctx() release the buffers with free_page().
Use free_pages() with the matching order instead.
Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/nx/nx-842.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c
index 82214cde2bcd9..3b82b6f67f8c4 100644
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver)
ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
kfree(ctx->wmem);
- free_page((unsigned long)ctx->sbounce);
- free_page((unsigned long)ctx->dbounce);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
return -ENOMEM;
}
@@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm)
struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
kfree(ctx->wmem);
- free_page((unsigned long)ctx->sbounce);
- free_page((unsigned long)ctx->dbounce);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
}
EXPORT_SYMBOL_GPL(nx842_crypto_exit);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 445/508] net: bcmgenet: Initialize u64 stats seq counter
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 444/508] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 446/508] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
` (64 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Ryo Takakura,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryo Takakura <ryotkkr98@gmail.com>
[ Upstream commit ffc2c8c4a714df53a715827d6334ab9474424f6a ]
Initialize u64 stats as it uses seq counter on 32bit machines
as suggested by lockdep below.
[ 1.830953][ T1] INFO: trying to register non-static key.
[ 1.830993][ T1] The code is fine but needs lockdep annotation, or maybe
[ 1.831027][ T1] you didn't initialize this object before use?
[ 1.831057][ T1] turning off the locking correctness validator.
[ 1.831090][ T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.16.0-rc2-v7l+ #1 PREEMPT
[ 1.831097][ T1] Tainted: [W]=WARN
[ 1.831099][ T1] Hardware name: BCM2711
[ 1.831101][ T1] Call trace:
[ 1.831104][ T1] unwind_backtrace from show_stack+0x18/0x1c
[ 1.831120][ T1] show_stack from dump_stack_lvl+0x8c/0xcc
[ 1.831129][ T1] dump_stack_lvl from register_lock_class+0x9e8/0x9fc
[ 1.831141][ T1] register_lock_class from __lock_acquire+0x420/0x22c0
[ 1.831154][ T1] __lock_acquire from lock_acquire+0x130/0x3f8
[ 1.831166][ T1] lock_acquire from bcmgenet_get_stats64+0x4a4/0x4c8
[ 1.831176][ T1] bcmgenet_get_stats64 from dev_get_stats+0x4c/0x408
[ 1.831184][ T1] dev_get_stats from rtnl_fill_stats+0x38/0x120
[ 1.831193][ T1] rtnl_fill_stats from rtnl_fill_ifinfo+0x7f8/0x1890
[ 1.831203][ T1] rtnl_fill_ifinfo from rtmsg_ifinfo_build_skb+0xd0/0x138
[ 1.831214][ T1] rtmsg_ifinfo_build_skb from rtmsg_ifinfo+0x48/0x8c
[ 1.831225][ T1] rtmsg_ifinfo from register_netdevice+0x8c0/0x95c
[ 1.831237][ T1] register_netdevice from register_netdev+0x28/0x40
[ 1.831247][ T1] register_netdev from bcmgenet_probe+0x690/0x6bc
[ 1.831255][ T1] bcmgenet_probe from platform_probe+0x64/0xbc
[ 1.831263][ T1] platform_probe from really_probe+0xd0/0x2d4
[ 1.831269][ T1] really_probe from __driver_probe_device+0x90/0x1a4
[ 1.831273][ T1] __driver_probe_device from driver_probe_device+0x38/0x11c
[ 1.831278][ T1] driver_probe_device from __driver_attach+0x9c/0x18c
[ 1.831282][ T1] __driver_attach from bus_for_each_dev+0x84/0xd4
[ 1.831291][ T1] bus_for_each_dev from bus_add_driver+0xd4/0x1f4
[ 1.831303][ T1] bus_add_driver from driver_register+0x88/0x120
[ 1.831312][ T1] driver_register from do_one_initcall+0x78/0x360
[ 1.831320][ T1] do_one_initcall from kernel_init_freeable+0x2bc/0x314
[ 1.831331][ T1] kernel_init_freeable from kernel_init+0x1c/0x144
[ 1.831339][ T1] kernel_init from ret_from_fork+0x14/0x20
[ 1.831344][ T1] Exception stack(0xf082dfb0 to 0xf082dff8)
[ 1.831349][ T1] dfa0: 00000000 00000000 00000000 00000000
[ 1.831353][ T1] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 1.831356][ T1] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
Fixes: 59aa6e3072aa ("net: bcmgenet: switch to use 64bit statistics")
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Ryo Takakura <ryotkkr98@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250702092417.46486-1-ryotkkr98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index e08abde4685ac..d9bd011e0d7c8 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -4084,6 +4084,12 @@ static int bcmgenet_probe(struct platform_device *pdev)
for (i = 0; i <= priv->hw_params->rx_queues; i++)
priv->rx_rings[i].rx_max_coalesced_frames = 1;
+ /* Initialize u64 stats seq counter for 32bit machines */
+ for (i = 0; i <= priv->hw_params->rx_queues; i++)
+ u64_stats_init(&priv->rx_rings[i].stats64.syncp);
+ for (i = 0; i <= priv->hw_params->tx_queues; i++)
+ u64_stats_init(&priv->tx_rings[i].stats64.syncp);
+
/* libphy will determine the link state */
netif_carrier_off(dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 446/508] net: bcmgenet: fix leaking free_bds
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 445/508] net: bcmgenet: Initialize u64 stats seq counter Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 447/508] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
` (63 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 3f3168300efb839028328d720ab3962f91d6a0d0 ]
While reclaiming the tx queue we fast forward the write pointer to
drop any data in flight. These dropped frames are not added back
to the pool of free bds. We also need to tell the netdev that we
are dropping said data.
Fixes: f1bacae8b655 ("net: bcmgenet: support reclaiming unsent Tx packets")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-3-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index d9bd011e0d7c8..d1f5ae56fa417 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1942,6 +1942,7 @@ static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
drop = (ring->prod_index - ring->c_index) & DMA_C_INDEX_MASK;
released += drop;
ring->prod_index = ring->c_index & DMA_C_INDEX_MASK;
+ ring->free_bds += drop;
while (drop--) {
cb_ptr = bcmgenet_put_txcb(priv, ring);
skb = cb_ptr->skb;
@@ -1953,6 +1954,7 @@ static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
}
if (skb)
dev_consume_skb_any(skb);
+ netdev_tx_reset_queue(netdev_get_tx_queue(dev, ring->index));
bcmgenet_tdma_ring_writel(priv, ring->index,
ring->prod_index, TDMA_PROD_INDEX);
wr_ptr = ring->write_ptr * WORDS_PER_BD(priv);
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 447/508] ksmbd: validate response sizes in ipc_validate_msg()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 446/508] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 448/508] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
` (62 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit d6a6aa81eac2c9bff66dc6e191179cb69a14426b ]
ipc_validate_msg() computes the expected message size for each
response type by adding (or multiplying) attacker-controlled fields
from the daemon response to a fixed struct size in unsigned int
arithmetic. Three cases can overflow:
KSMBD_EVENT_RPC_REQUEST:
msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
KSMBD_EVENT_SHARE_CONFIG_REQUEST:
msg_sz = sizeof(struct ksmbd_share_config_response) +
resp->payload_sz;
KSMBD_EVENT_LOGIN_REQUEST_EXT:
msg_sz = sizeof(struct ksmbd_login_response_ext) +
resp->ngroups * sizeof(gid_t);
resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition
can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes
signed and size_t, so a negative ngroups is converted to SIZE_MAX
before the multiply. A wrapped value of msg_sz that happens to
equal entry->msg_sz bypasses the size check on the next line, and
downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,
kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the
unverified length.
Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST
paths to detect integer overflow without constraining functional
payload size; userspace ksmbd-tools grows NDR responses in 4096-byte
chunks for calls like NetShareEnumAll, so a hard transport cap is
unworkable on the response side. For LOGIN_REQUEST_EXT, reject
resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and
report the error from ipc_validate_msg() so it fires at the IPC
boundary; with that bound the subsequent multiplication and addition
stay well below UINT_MAX. The now-redundant ngroups check and
pr_err in ksmbd_alloc_user() are removed.
This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix
integer overflows on 32 bit systems"), which hardened the request
side.
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Fixes: a77e0e02af1c ("ksmbd: add support for supplementary groups")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_config.c | 6 ------
fs/smb/server/transport_ipc.c | 16 +++++++++++++---
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/fs/smb/server/mgmt/user_config.c b/fs/smb/server/mgmt/user_config.c
index 421a4a95e216a..e9b3a8e049668 100644
--- a/fs/smb/server/mgmt/user_config.c
+++ b/fs/smb/server/mgmt/user_config.c
@@ -56,12 +56,6 @@ struct ksmbd_user *ksmbd_alloc_user(struct ksmbd_login_response *resp,
goto err_free;
if (resp_ext) {
- if (resp_ext->ngroups > NGROUPS_MAX) {
- pr_err("ngroups(%u) from login response exceeds max groups(%d)\n",
- resp_ext->ngroups, NGROUPS_MAX);
- goto err_free;
- }
-
user->sgid = kmemdup(resp_ext->____payload,
resp_ext->ngroups * sizeof(gid_t),
GFP_KERNEL);
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index f0f93f76bc43d..554a6c92a1ccb 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -13,6 +13,7 @@
#include <net/genetlink.h>
#include <linux/socket.h>
#include <linux/workqueue.h>
+#include <linux/overflow.h>
#include "vfs_cache.h"
#include "transport_ipc.h"
@@ -497,7 +498,9 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
{
struct ksmbd_rpc_command *resp = entry->response;
- msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
+ if (check_add_overflow(sizeof(struct ksmbd_rpc_command),
+ resp->payload_sz, &msg_sz))
+ return -EINVAL;
break;
}
case KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST:
@@ -516,8 +519,9 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
if (resp->payload_sz < resp->veto_list_sz)
return -EINVAL;
- msg_sz = sizeof(struct ksmbd_share_config_response) +
- resp->payload_sz;
+ if (check_add_overflow(sizeof(struct ksmbd_share_config_response),
+ resp->payload_sz, &msg_sz))
+ return -EINVAL;
}
break;
}
@@ -526,6 +530,12 @@ static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
struct ksmbd_login_response_ext *resp = entry->response;
if (resp->ngroups) {
+ if (resp->ngroups < 0 ||
+ resp->ngroups > NGROUPS_MAX) {
+ pr_err("ngroups(%d) from login response exceeds max groups(%d)\n",
+ resp->ngroups, NGROUPS_MAX);
+ return -EINVAL;
+ }
msg_sz = sizeof(struct ksmbd_login_response_ext) +
resp->ngroups * sizeof(gid_t);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 448/508] net/sched: sch_pie: annotate more data-races in pie_dump_stats()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 447/508] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 449/508] netconsole: avoid out-of-bounds access on empty string in trim_newline() Greg Kroah-Hartman
` (61 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6d4106e8df94c0c52cf3ca6a6a0d01567fb3844e ]
My prior patch missed few READ_ONCE()/WRITE_ONCE() annotations.
Fixes: 5154561d9b11 ("net/sched: sch_pie: annotate data-races in pie_dump_stats()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430080056.35104-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_pie.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
index 4c69b44fc3aa8..6ca4dd77a29c7 100644
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -212,16 +212,14 @@ void pie_process_dequeue(struct sk_buff *skb, struct pie_params *params,
* packet timestamp.
*/
if (!params->dq_rate_estimator) {
- vars->qdelay = now - pie_get_enqueue_time(skb);
+ WRITE_ONCE(vars->qdelay,
+ backlog ? now - pie_get_enqueue_time(skb) : 0);
if (vars->dq_tstamp != DTIME_INVALID)
dtime = now - vars->dq_tstamp;
vars->dq_tstamp = now;
- if (backlog == 0)
- vars->qdelay = 0;
-
if (dtime == 0)
return;
@@ -369,7 +367,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (qdelay > (PSCHED_NS2TICKS(250 * NSEC_PER_MSEC)))
delta += MAX_PROB / (100 / 2);
- vars->prob += delta;
+ WRITE_ONCE(vars->prob, vars->prob + delta);
if (delta > 0) {
/* prevent overflow */
@@ -394,7 +392,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (qdelay == 0 && qdelay_old == 0 && update_prob)
/* Reduce drop probability to 98.4% */
- vars->prob -= vars->prob / 64;
+ WRITE_ONCE(vars->prob, vars->prob - vars->prob / 64);
WRITE_ONCE(vars->qdelay, qdelay);
vars->backlog_old = backlog;
@@ -493,7 +491,7 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct pie_sched_data *q = qdisc_priv(sch);
struct tc_pie_xstats st = {
- .prob = q->vars.prob << BITS_PER_BYTE,
+ .prob = READ_ONCE(q->vars.prob) << BITS_PER_BYTE,
.delay = ((u32)PSCHED_TICKS2NS(READ_ONCE(q->vars.qdelay))) /
NSEC_PER_USEC,
.packets_in = READ_ONCE(q->stats.packets_in),
@@ -504,7 +502,7 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
};
/* avg_dq_rate is only valid if dq_rate_estimator is enabled */
- st.dq_rate_estimating = q->params.dq_rate_estimator;
+ st.dq_rate_estimating = READ_ONCE(q->params.dq_rate_estimator);
/* unscale and return dq_rate in bytes per sec */
if (st.dq_rate_estimating)
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 449/508] netconsole: avoid out-of-bounds access on empty string in trim_newline()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 448/508] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 450/508] bonding: fix NULL pointer dereference in actor_port_prio setting Greg Kroah-Hartman
` (60 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Gustavo Luiz Duarte,
Simon Horman, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 7079c8c13f2d33992bc846240517d88f4ab07781 ]
trim_newline() unconditionally dereferences s[len - 1] after computing
len = strnlen(s, maxlen). When the string is empty, len is 0 and the
expression underflows to s[(size_t)-1], reading (and potentially
writing) one byte before the buffer.
The two callers feed trim_newline() with the result of strscpy() from
configfs store callbacks (dev_name_store, userdatum_value_store).
configfs guarantees count >= 1 reaches the callback, but the byte
itself can be NUL: a userspace write(fd, "\0", 1) leaves the
destination empty after strscpy() and triggers the underflow. The OOB
write only fires if the adjacent byte happens to be '\n', so this is
not a security issue, but the access is undefined behaviour either way.
This pattern is commonly flagged by LLM-based code reviewers. While it
is not a security fix, the underlying access is undefined behaviour and
the change is small and self-contained, so it is a reasonable candidate
for the stable trees.
Guard the dereference on a non-zero length.
Fixes: ae001dc67907 ("net: netconsole: move newline trimming to function")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Gustavo Luiz Duarte <gustavold@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260420-netcons_trim_newline-v1-1-dc35889aeedf@debian.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index f58643bdafc5c..fffffa3658d22 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -278,6 +278,8 @@ static void trim_newline(char *s, size_t maxlen)
size_t len;
len = strnlen(s, maxlen);
+ if (!len)
+ return;
if (s[len - 1] == '\n')
s[len - 1] = '\0';
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 450/508] bonding: fix NULL pointer dereference in actor_port_prio setting
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 449/508] netconsole: avoid out-of-bounds access on empty string in trim_newline() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 451/508] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
` (59 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liang Li, Hangbin Liu,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 067bf016e99ad72aa4ff869d6dec1fd62a9c6202 ]
Liang reported an issue where setting a slave’s actor_port_prio to
predefined values such as 0, 255, or 65535 would cause a system crash.
The problem occurs because in bond_opt_parse(), when the provided value
matches a predefined table entry, the function returns that table entry,
which does not contain slave information. Later, in
bond_option_actor_port_prio_set(), calling bond_slave_get_rtnl() leads
to a NULL pointer dereference.
Since actor_port_prio is defined as a u16 and initialized to the default
value of 255 in ad_initialize_port(), there is no need for the
bond_actor_port_prio_tbl. Using the BOND_OPTFLAG_RAWVAL flag is sufficient.
Fixes: 6b6dc81ee7e8 ("bonding: add support for per-port LACP actor priority")
Reported-by: Liang Li <liali@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20251105072620.164841-1-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_options.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index f4ad0fc624c98..5b6c01b31f985 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -225,13 +225,6 @@ static const struct bond_opt_value bond_ad_actor_sys_prio_tbl[] = {
{ NULL, -1, 0},
};
-static const struct bond_opt_value bond_actor_port_prio_tbl[] = {
- { "minval", 0, BOND_VALFLAG_MIN},
- { "maxval", 65535, BOND_VALFLAG_MAX},
- { "default", 255, BOND_VALFLAG_DEFAULT},
- { NULL, -1, 0},
-};
-
static const struct bond_opt_value bond_ad_user_port_key_tbl[] = {
{ "minval", 0, BOND_VALFLAG_MIN | BOND_VALFLAG_DEFAULT},
{ "maxval", 1023, BOND_VALFLAG_MAX},
@@ -497,7 +490,7 @@ static const struct bond_option bond_opts[BOND_OPT_LAST] = {
.id = BOND_OPT_ACTOR_PORT_PRIO,
.name = "actor_port_prio",
.unsuppmodes = BOND_MODE_ALL_EX(BIT(BOND_MODE_8023AD)),
- .values = bond_actor_port_prio_tbl,
+ .flags = BOND_OPTFLAG_RAWVAL,
.set = bond_option_actor_port_prio_set,
},
[BOND_OPT_AD_ACTOR_SYSTEM] = {
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 451/508] crypto: af_alg - Cap AEAD AD length to 0x80000000
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 450/508] bonding: fix NULL pointer dereference in actor_port_prio setting Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 452/508] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
` (58 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yiming Qian, Herbert Xu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream.
In order to prevent arithmetic overflows when checking the TX
buffer size, cap the associated data length to 0x80000000.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/af_alg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -585,6 +585,8 @@ static int af_alg_cmsg_send(struct msghd
if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
return -EINVAL;
con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
+ if (con->aead_assoclen >= 0x80000000u)
+ return -EINVAL;
break;
default:
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 452/508] i40e: Cleanup PTP pins on probe failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 451/508] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 453/508] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Greg Kroah-Hartman
` (57 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Matt Vollrath,
Paul Menzel, Aleksandr Loktionov, Sunitha Mekala, Jacob Keller,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
commit 678b713ece1e853f11e670a84cb887c35e1381b7 upstream.
PTP pin structs are allocated early in probe, but never cleaned up.
Fix this by calling i40e_ptp_free_pins in the error path.
To support this, i40e_ptp_free_pins is added to the header and
pin_config is correctly nullified after being freed.
This has been an issue since i40e_ptp_alloc_pins was introduced.
Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock")
Reported-by: Kohei Enju <kohei@enjuk.jp>
Cc: stable@vger.kernel.org
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Kohei Enju <kohei@enjuk.jp>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-2-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/i40e/i40e.h | 1 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -1262,6 +1262,7 @@ void i40e_ptp_restore_hw_time(struct i40
void i40e_ptp_init(struct i40e_pf *pf);
void i40e_ptp_stop(struct i40e_pf *pf);
int i40e_ptp_alloc_pins(struct i40e_pf *pf);
+void i40e_ptp_free_pins(struct i40e_pf *pf);
int i40e_update_adq_vsi_queues(struct i40e_vsi *vsi, int vsi_offset);
int i40e_is_vsi_uplink_mode_veb(struct i40e_vsi *vsi);
int i40e_get_partition_bw_setting(struct i40e_pf *pf);
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -16300,6 +16300,7 @@ err_vsis:
i40e_clear_interrupt_scheme(pf);
kfree(pf->vsi);
err_switch_setup:
+ i40e_ptp_free_pins(pf);
i40e_reset_interrupt_capability(pf);
timer_shutdown_sync(&pf->service_timer);
err_mac_addr:
--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
@@ -937,12 +937,13 @@ int i40e_ptp_get_ts_config(struct i40e_p
*
* Release memory allocated for PTP pins.
**/
-static void i40e_ptp_free_pins(struct i40e_pf *pf)
+void i40e_ptp_free_pins(struct i40e_pf *pf)
{
if (i40e_is_ptp_pin_dev(&pf->hw)) {
kfree(pf->ptp_pins);
kfree(pf->ptp_caps.pin_config);
pf->ptp_pins = NULL;
+ pf->ptp_caps.pin_config = NULL;
}
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 453/508] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 452/508] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 454/508] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
` (56 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Breno Leitao, Tejun Heo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 0143033dc22cdff912cfc13419f5db92fea3b4cb upstream.
For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
failure it returns the error directly, bypassing the enomem: label
which holds the only free_percpu(wq->cpu_pwq) in this function.
The caller's error path kfree()s wq without touching wq->cpu_pwq,
leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
failed call.
If kmemleak is enabled, we can see:
unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
comm "insmod", pid 776, jiffies 4294682844
backtrace (crc 0):
pcpu_alloc_noprof+0x665/0xac0
__alloc_workqueue+0x33f/0xa20
alloc_workqueue_noprof+0x60/0x100
Route the error through the existing enomem: cleanup and any error
before this one.
Cc: stable@kernel.org
Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/workqueue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4683,7 +4683,9 @@ static int alloc_and_link_pwqs(struct wo
if (ret)
kthread_flush_worker(pwq_release_worker);
- return ret;
+ if (ret)
+ goto enomem;
+ return 0;
enomem:
if (wq->cpu_pwq) {
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 454/508] netfilter: nf_conntrack_sip: get helper before allocating expectation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 453/508] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 455/508] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
` (55 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiasong, Pablo Neira Ayuso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
commit eb6317739b1ea3ab28791e1f91b24781905fa815 upstream.
process_register_request() allocates an expectation and then checks
whether a conntrack helper is available. If helper lookup fails, the
function returns early and the allocated expectation is left behind.
Reorder the code to fetch and validate helper before calling
nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
path while preserving existing behavior.
Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_conntrack_sip.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1367,6 +1367,10 @@ static int process_register_request(stru
goto store_cseq;
}
+ helper = rcu_dereference(nfct_help(ct)->helper);
+ if (!helper)
+ return NF_DROP;
+
exp = nf_ct_expect_alloc(ct);
if (!exp) {
nf_ct_helper_log(skb, ct, "cannot alloc expectation");
@@ -1377,10 +1381,6 @@ static int process_register_request(stru
if (sip_direct_signalling)
saddr = &ct->tuplehash[!dir].tuple.src.u3;
- helper = rcu_dereference(nfct_help(ct)->helper);
- if (!helper)
- return NF_DROP;
-
nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
saddr, &daddr, proto, NULL, &port);
exp->timeout.expires = sip_timeout * HZ;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 455/508] audit: fix incorrect inheritable capability in CAPSET records
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 454/508] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 456/508] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
` (54 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Robaina, Sergio Correia,
Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Correia <scorreia@redhat.com>
commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream.
__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit
record therefore reports cap_pi (process inheritable) with the value
of cap_effective instead of cap_inheritable.
This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to
prepare for a privilege-escalating exec would have the change masked
in the audit trail.
The bug has been present since the original introduction of CAPSET
audit records in 2008.
Cc: stable@vger.kernel.org
Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2845,7 +2845,7 @@ void __audit_log_capset(const struct cre
context->capset.pid = task_tgid_nr(current);
context->capset.cap.effective = new->cap_effective;
- context->capset.cap.inheritable = new->cap_effective;
+ context->capset.cap.inheritable = new->cap_inheritable;
context->capset.cap.permitted = new->cap_permitted;
context->capset.cap.ambient = new->cap_ambient;
context->type = AUDIT_CAPSET;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 456/508] netfilter: nft_ct: fix missing expect put in obj eval
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 455/508] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 457/508] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
` (53 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiasong, Pablo Neira Ayuso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.
Add nf_ct_expect_put(exp) before return to balance allocation.
Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_ct.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1363,6 +1363,8 @@ static void nft_ct_expect_obj_eval(struc
if (nf_ct_expect_related(exp, 0) != 0)
regs->verdict.code = NF_DROP;
+
+ nf_ct_expect_put(exp);
}
static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 457/508] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 456/508] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 458/508] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
` (52 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zoran Ilievski, Sukhdeep Singh,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zoran Ilievski <goodboy@rexbytes.com>
commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
The shutdown handler aq_pci_shutdown() unconditionally calls
pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
wake-on-LAN has been configured. While aq_nic_shutdown() correctly
programs the NIC firmware via aq_nic_set_power() to listen for magic
packets, the PCI subsystem will not propagate the resulting PME wake
event from D3, so the system never wakes after poweroff.
WOL from suspend (S3) is unaffected because aq_suspend_common() does
not touch pci_wake_from_d3() and relies on the PM core's wake
configuration via device_may_wakeup().
This affects all atlantic-supported NICs (AQC107/108/111/112/113);
users have reported that WOL works if the atlantic driver is never
loaded, but breaks once it has run its shutdown path.
Pass the configured WOL state to pci_wake_from_d3() instead of a
literal false, so the PCI PME_En bit is preserved when the user has
armed WOL via ethtool.
Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
Cc: stable@vger.kernel.org
Signed-off-by: Zoran Ilievski <goodboy@rexbytes.com>
Reviewed-by: Sukhdeep Singh <sukhdeeps@marvell.com>
Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
@@ -374,7 +374,7 @@ static void aq_pci_shutdown(struct pci_d
pci_disable_device(pdev);
if (system_state == SYSTEM_POWER_OFF) {
- pci_wake_from_d3(pdev, false);
+ pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
pci_set_power_state(pdev, PCI_D3hot);
}
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 458/508] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 457/508] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 459/508] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
` (51 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Robaina, Sergio Correia,
Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Correia <scorreia@redhat.com>
commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.
AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
allows a process with CAP_AUDIT_CONTROL to modify directory tree
watches and equivalence mappings even when the audit configuration
has been locked, undermining the purpose of the lock.
Add AUDIT_LOCKED checks to both commands.
Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1427,6 +1427,8 @@ static int audit_receive_msg(struct sk_b
err = audit_list_rules_send(skb, seq);
break;
case AUDIT_TRIM:
+ if (audit_enabled == AUDIT_LOCKED)
+ return -EPERM;
audit_trim_trees();
audit_log_common_recv_msg(audit_context(), &ab,
AUDIT_CONFIG_CHANGE);
@@ -1439,6 +1441,8 @@ static int audit_receive_msg(struct sk_b
size_t msglen = data_len;
char *old, *new;
+ if (audit_enabled == AUDIT_LOCKED)
+ return -EPERM;
err = -EINVAL;
if (msglen < 2 * sizeof(u32))
break;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 459/508] KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 458/508] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 460/508] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
` (50 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aaron Sacks, Paolo Bonzini
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Sacks <contact@xchglabs.com>
commit 577a8d3bae0531f0e5ccfac919cd8192f920a804 upstream.
kvm_reset_dirty_gfn() guards the gfn range with
if (!memslot || (offset + __fls(mask)) >= memslot->npages)
return;
but offset is u64 and the addition is unchecked. The check can be
silently bypassed by a u64 wrap.
The dirty ring backing those entries is MAP_SHARED at
KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the
slot and offset fields of any entry between when the kernel pushes
them and when KVM_RESET_DIRTY_RINGS consumes them. On reset,
kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds
them straight back into this check; only the flags handshake is
treated as the handover, the slot/offset payload is taken on trust.
Crafting two entries
entry[i].offset = 0xffffffffffffffc1
entry[i+1].offset = 0
makes the coalescing loop in kvm_dirty_ring_reset() compute
delta = (s64)(0 - 0xffffffffffffffc1) = 63
which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the
existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn()
call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;
the sum is 0 in u64 and the bounds check passes.
That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()
unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() ==
true, i.e. shadow paging, any VM that has allocated shadow roots, or
a write-tracked slot -- it reaches gfn_to_rmap(), which indexes
slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an
out-of-bounds load of a kvm_rmap_head, followed by a conditional
clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.
The path is reachable from any process holding /dev/kvm.
Range-check offset on its own first, so the addition cannot wrap.
memslot->npages is bounded well below U64_MAX, so once offset <
npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG)
stays in range.
Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
Cc: stable@vger.kernel.org
Signed-off-by: Aaron Sacks <contact@xchglabs.com>
Link: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/dirty_ring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/virt/kvm/dirty_ring.c
+++ b/virt/kvm/dirty_ring.c
@@ -63,7 +63,8 @@ static void kvm_reset_dirty_gfn(struct k
memslot = id_to_memslot(__kvm_memslots(kvm, as_id), id);
- if (!memslot || (offset + __fls(mask)) >= memslot->npages)
+ if (!memslot || offset >= memslot->npages ||
+ offset + __fls(mask) >= memslot->npages)
return;
KVM_MMU_LOCK(kvm);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 460/508] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 459/508] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 461/508] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
` (49 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Christian Borntraeger, Matthew Rosato
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 16d990a15491cf76cd6eef0846e1b4100e63261a upstream.
kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
aen_host_forward() index the GAIT by manually multiplying the index
with sizeof(struct zpci_gaite).
Since aift->gait is already a struct zpci_gaite pointer, this
double-scales the offset, accessing element aisb*16 instead of aisb.
This causes out-of-bounds accesses when aisb >= 32 (with
ZPCI_NR_DEVICES=512)
Fix by removing the erroneous sizeof multiplication.
Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
Fixes: 73f91b004321 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kvm/interrupt.c | 3 +--
arch/s390/kvm/pci.c | 6 ++----
2 files changed, 3 insertions(+), 6 deletions(-)
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -3329,8 +3329,7 @@ static void aen_host_forward(unsigned lo
struct zpci_gaite *gaite;
struct kvm *kvm;
- gaite = (struct zpci_gaite *)aift->gait +
- (si * sizeof(struct zpci_gaite));
+ gaite = aift->gait + si;
if (gaite->count == 0)
return;
if (gaite->aisb != 0)
--- a/arch/s390/kvm/pci.c
+++ b/arch/s390/kvm/pci.c
@@ -292,8 +292,7 @@ static int kvm_s390_pci_aif_enable(struc
phys_to_virt(fib->fmt0.aibv));
spin_lock_irq(&aift->gait_lock);
- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
- sizeof(struct zpci_gaite));
+ gaite = aift->gait + zdev->aisb;
/* If assist not requested, host will get all alerts */
if (assist)
@@ -359,8 +358,7 @@ static int kvm_s390_pci_aif_disable(stru
if (zdev->kzdev->fib.fmt0.aibv == 0)
goto out;
spin_lock_irq(&aift->gait_lock);
- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
- sizeof(struct zpci_gaite));
+ gaite = aift->gait + zdev->aisb;
isc = gaite->gisc;
gaite->count--;
if (gaite->count == 0) {
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 461/508] KVM: x86: Fix Xen hypercall tracepoint argument assignment
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 460/508] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 462/508] netfilter: nf_tables: unconditionally bump set->nelems before insertion Greg Kroah-Hartman
` (48 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Paolo Bonzini
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 2b72f1674e427c56e3772c5ccf785fdda2138820 upstream.
TRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry->a4 instead of
__entry->a5.
That overwrites the recorded a4 argument and leaves a5 unset in the
trace entry. Fix the typo so both arguments are captured correctly.
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Link: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/trace.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -140,7 +140,7 @@ TRACE_EVENT(kvm_xen_hypercall,
__entry->a2 = a2;
__entry->a3 = a3;
__entry->a4 = a4;
- __entry->a4 = a5;
+ __entry->a5 = a5;
),
TP_printk("cpl %d nr 0x%lx a0 0x%lx a1 0x%lx a2 0x%lx a3 0x%lx a4 0x%lx a5 %lx",
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 462/508] netfilter: nf_tables: unconditionally bump set->nelems before insertion
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 461/508] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 463/508] ASoC: SOF: Intel: hda-dai: remove dspless special case Greg Kroah-Hartman
` (47 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Inseo An, Pablo Neira Ayuso,
Florian Westphal, Li hongliang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit def602e498a4f951da95c95b1b8ce8ae68aa733a ]
In case that the set is full, a new element gets published then removed
without waiting for the RCU grace period, while RCU reader can be
walking over it already.
To address this issue, add the element transaction even if set is full,
but toggle the set_full flag to report -ENFILE so the abort path safely
unwinds the set to its previous state.
As for element updates, decrement set->nelems to restore it.
A simpler fix is to call synchronize_rcu() in the error path.
However, with a large batch adding elements to already maxed-out set,
this could cause noticeable slowdown of such batches.
Fixes: 35d0ac9070ef ("netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL")
Reported-by: Inseo An <y0un9sa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a0914a92e07dd..6fc88bf511092 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6803,6 +6803,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
struct nft_data_desc desc;
enum nft_registers dreg;
struct nft_trans *trans;
+ bool set_full = false;
u64 timeout;
u64 expiration;
int err, i;
@@ -7095,10 +7096,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
if (err < 0)
goto err_elem_free;
+ if (!(flags & NFT_SET_ELEM_CATCHALL)) {
+ unsigned int max = nft_set_maxsize(set), nelems;
+
+ nelems = atomic_inc_return(&set->nelems);
+ if (nelems > max)
+ set_full = true;
+ }
+
trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
if (trans == NULL) {
err = -ENOMEM;
- goto err_elem_free;
+ goto err_set_size;
}
ext->genmask = nft_genmask_cur(ctx->net);
@@ -7130,23 +7139,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
goto err_element_clash;
}
- if (!(flags & NFT_SET_ELEM_CATCHALL)) {
- unsigned int max = nft_set_maxsize(set);
-
- if (!atomic_add_unless(&set->nelems, 1, max)) {
- err = -ENFILE;
- goto err_set_full;
- }
- }
-
nft_trans_elem(trans) = elem;
nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
-err_set_full:
- nft_setelem_remove(ctx->net, set, &elem);
+ return set_full ? -ENFILE : 0;
+
err_element_clash:
kfree(trans);
+err_set_size:
+ if (!(flags & NFT_SET_ELEM_CATCHALL))
+ atomic_dec(&set->nelems);
err_elem_free:
nf_tables_set_elem_destroy(ctx, set, elem.priv);
err_parse_data:
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 463/508] ASoC: SOF: Intel: hda-dai: remove dspless special case
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 462/508] netfilter: nf_tables: unconditionally bump set->nelems before insertion Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 464/508] ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio Greg Kroah-Hartman
` (46 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart,
Péter Ujfalusi, Bard Liao, Mark Brown, Alva Lan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit daa09d0615ce9c781777802874cffa4380f883c3 ]
The existing code forces a parameter to be NULL but that parameter is
not used yet. Remove the special case in preparation for additional
changes.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://msgid.link/r/20240213101247.28887-9-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-dai.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
index 19ec1a45737ea..f5bfa17bf6505 100644
--- a/sound/soc/sof/intel/hda-dai.c
+++ b/sound/soc/sof/intel/hda-dai.c
@@ -83,12 +83,8 @@ hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai
sdev = widget_to_sdev(w);
- /*
- * The swidget parameter of hda_select_dai_widget_ops() is ignored in
- * case of DSPless mode
- */
if (sdev->dspless_mode_selected)
- return hda_select_dai_widget_ops(sdev, NULL);
+ return hda_select_dai_widget_ops(sdev, swidget);
sdai = swidget->private;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 464/508] ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 463/508] ASoC: SOF: Intel: hda-dai: remove dspless special case Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 465/508] ASoC: SOF: Intel: hda: Fix NULL pointer dereference Greg Kroah-Hartman
` (45 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart,
Péter Ujfalusi, Bard Liao, Mark Brown, Alva Lan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit 2065610b5ddd5b58eed1dc3b3c3db27a26ebd4b6 ]
For SoundWire/ALH, we need to have a dai configured, but we don't want
to send a DMA_TLV to firmware. Add additional code branches.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://msgid.link/r/20240213101247.28887-16-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-dai.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
index f5bfa17bf6505..1fe7cce160913 100644
--- a/sound/soc/sof/intel/hda-dai.c
+++ b/sound/soc/sof/intel/hda-dai.c
@@ -83,6 +83,11 @@ hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai
sdev = widget_to_sdev(w);
+ if (!swidget) {
+ dev_err(sdev->dev, "%s: swidget is NULL\n", __func__);
+ return NULL;
+ }
+
if (sdev->dspless_mode_selected)
return hda_select_dai_widget_ops(sdev, swidget);
@@ -364,8 +369,11 @@ static int non_hda_dai_hw_params(struct snd_pcm_substream *substream,
return ret;
}
- /* get stream_id */
sdev = widget_to_sdev(w);
+ if (sdev->dspless_mode_selected)
+ goto skip_tlv;
+
+ /* get stream_id */
hext_stream = ops->get_hext_stream(sdev, cpu_dai, substream);
if (!hext_stream) {
@@ -398,6 +406,7 @@ static int non_hda_dai_hw_params(struct snd_pcm_substream *substream,
dma_config->dma_stream_channel_map.device_count = 0; /* mapping not used */
dma_config->dma_priv_config_size = 0;
+skip_tlv:
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 465/508] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 464/508] ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 466/508] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
` (44 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjani Sridharan, Bard Liao,
Liam Girdwood, Mateusz Redzynia, Peter Ujfalusi, Mark Brown,
Alva Lan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
[ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
If there's a mismatch between the DAI links in the machine driver and
the topology, it is possible that the playback/capture widget is not
set, especially in the case of loopback capture for echo reference
where we use the dummy DAI link. Return the error when the widget is not
set to avoid a null pointer dereference like below when the topology is
broken.
RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Mateusz Redzynia <mateuszx.redzynia@intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260204081833.16630-10-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-dai.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
index 1fe7cce160913..a3d0b6d721aaf 100644
--- a/sound/soc/sof/intel/hda-dai.c
+++ b/sound/soc/sof/intel/hda-dai.c
@@ -77,12 +77,22 @@ static const struct hda_dai_widget_dma_ops *
hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai)
{
struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(cpu_dai, substream->stream);
- struct snd_sof_widget *swidget = w->dobj.private;
+ struct snd_sof_widget *swidget;
struct snd_sof_dev *sdev;
struct snd_sof_dai *sdai;
- sdev = widget_to_sdev(w);
+ /*
+ * this is unlikely if the topology and the machine driver DAI links match.
+ * But if there's a missing DAI link in topology, this will prevent a NULL pointer
+ * dereference later on.
+ */
+ if (!w) {
+ dev_err(cpu_dai->dev, "%s: widget is NULL\n", __func__);
+ return NULL;
+ }
+ sdev = widget_to_sdev(w);
+ swidget = w->dobj.private;
if (!swidget) {
dev_err(sdev->dev, "%s: swidget is NULL\n", __func__);
return NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 511+ messages in thread
* [PATCH 6.6 466/508] smb/client: fix possible infinite loop and oob read in symlink_data()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 465/508] ASoC: SOF: Intel: hda: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 467/508] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
` (43 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Ye Bin, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 upstream.
On 32-bit architectures, the infinite loop is as follows:
len = p->ErrorDataLength == 0xfffffff8
u8 *next = p->ErrorContextData + len
next == p
On 32-bit architectures, the out-of-bounds read is as follows:
len = p->ErrorDataLength == 0xfffffff0
u8 *next = p->ErrorContextData + len
next == (u8 *)p - 8
Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: stable@vger.kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2file.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -49,6 +49,9 @@ static struct smb2_symlink_err_rsp *syml
__func__, le32_to_cpu(p->ErrorId));
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
+ if (len > end - ((u8 *)p + sizeof(*p)))
+ return ERR_PTR(-EINVAL);
+
p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
}
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 467/508] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 466/508] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 468/508] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans Greg Kroah-Hartman
` (42 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DeepChirp, Chaitanya Kumar Borah,
Suraj Kandpal, Tvrtko Ursulin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
commit 1ae15b6c7965d137eef21f2cc7d367b29cb88369 upstream.
For RGB, set dynamic_range to CTA or VESA based on
crtc_state->limited_color_range so sinks apply correct
quantization. YCbCr remains limited (CTA) range.
(DP v1.4, Table 5-1)
v2:
- Added Reported-by and Tested-by tags
v3:
- Add back YCbCr comment(Suraj)
Cc: stable@vger.kernel.org #v5.8+
Reported-by: DeepChirp <DeepChirp@outlook.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15874
Tested-by: DeepChirp <DeepChirp@outlook.com>
Fixes: 9799c4c3b76e ("drm/i915/dp: Add compute routine for DP VSC SDP")
Assisted-by: GitHub-Copilot:GPT-5.4
Signed-off-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260505090920.2479112-1-chaitanya.kumar.borah@intel.com
(cherry picked from commit 38e10ddae6f8d42a2e8437fcd25a1cac51106c64)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_dp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -2029,8 +2029,13 @@ static void intel_dp_compute_vsc_colorim
drm_WARN_ON(&dev_priv->drm,
vsc->bpc == 6 && vsc->pixelformat != DP_PIXELFORMAT_RGB);
- /* all YCbCr are always limited range */
- vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
+ /* All YCbCr formats are always limited range. */
+ if (vsc->pixelformat == DP_PIXELFORMAT_RGB)
+ vsc->dynamic_range = crtc_state->limited_color_range ?
+ DP_DYNAMIC_RANGE_CTA : DP_DYNAMIC_RANGE_VESA;
+ else
+ vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
+
vsc->content_type = DP_CONTENT_TYPE_NOT_DEFINED;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 468/508] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 467/508] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 469/508] ALSA: usb-audio: Bound MIDI " Greg Kroah-Hartman
` (41 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 918be519c7876329e1b6e2ea1c59f0b75e792dca upstream.
The USB MIDI 2.0 endpoint parser has the same descriptor walking
pattern as the legacy MIDI parser. It validates bLength against
bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the
remaining bytes in the endpoint-extra scan.
A malformed device can therefore make later baAssoGrpTrmBlkID[] reads
consume bytes past the walked descriptor.
Reject zero-length and overlong descriptors while walking endpoint
extras.
Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-2-329d7348160e@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi2.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -504,15 +504,17 @@ static void *find_usb_ms_endpoint_descri
while (extralen > 3) {
struct usb_ms_endpoint_descriptor *ms_ep =
(struct usb_ms_endpoint_descriptor *)extra;
+ int length = ms_ep->bLength;
- if (ms_ep->bLength > 3 &&
+ if (!length || length > extralen)
+ break;
+
+ if (length > 3 &&
ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
ms_ep->bDescriptorSubtype == subtype)
return ms_ep;
- if (!extra[0])
- break;
- extralen -= extra[0];
- extra += extra[0];
+ extralen -= length;
+ extra += length;
}
return NULL;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 469/508] ALSA: usb-audio: Bound MIDI endpoint descriptor scans
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 468/508] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 470/508] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
` (40 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit d6854daa67be623860f4e1873fd3d3c275aba4ed upstream.
snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.
That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.
Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.
Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1974,15 +1974,17 @@ static struct usb_ms_endpoint_descriptor
while (extralen > 3) {
struct usb_ms_endpoint_descriptor *ms_ep =
(struct usb_ms_endpoint_descriptor *)extra;
+ int length = ms_ep->bLength;
- if (ms_ep->bLength > 3 &&
+ if (!length || length > extralen)
+ break;
+
+ if (length > 3 &&
ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
return ms_ep;
- if (!extra[0])
- break;
- extralen -= extra[0];
- extra += extra[0];
+ extralen -= length;
+ extra += length;
}
return NULL;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 470/508] ceph: fix a buffer leak in __ceph_setxattr()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 469/508] ALSA: usb-audio: Bound MIDI " Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 471/508] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
` (39 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Alex Markuze,
Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
commit 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e upstream.
The old_blob in __ceph_setxattr() can store
ci->i_xattrs.prealloc_blob value during the retry.
However, it is never called the ceph_buffer_put()
for the old_blob object. This patch fixes the issue of
the buffer leak.
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/xattr.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1279,6 +1279,7 @@ retry:
do_sync:
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
do_sync_unlocked:
if (lock_snap_rwsem)
up_read(&mdsc->snap_rwsem);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 471/508] io-wq: check that the predecessor is hashed in io_wq_remove_pending()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 470/508] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 472/508] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
` (38 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicholas Carlini, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Carlini <nicholas@carlini.com>
commit d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc upstream.
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding entry in acct->work_list has the same hash value, but
never checks that the predecessor is hashed at all. io_get_work_hash()
is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash
bits are never set for non-hashed work, so it returns 0. Thus, when a
hashed bucket-0 work is cancelled while a non-hashed work is its list
predecessor, the check spuriously passes and a pointer to the non-hashed
io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in
io_get_next_work(), which never touches hash_tail[], the stale pointer
is never cleared. Therefore, after the non-hashed io_kiocb completes and
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The
io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
dangling pointer persists for the lifetime of the task; the next hashed
bucket-0 enqueue dereferences it in io_wq_insert_work() and
wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor
never inherits a hash_tail[] slot.
Cc: stable@vger.kernel.org
Fixes: 204361a77f40 ("io-wq: fix hang after cancelling pending hashed work")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -1046,7 +1046,8 @@ static inline void io_wq_remove_pending(
if (io_wq_is_hashed(work) && work == wq->hash_tail[hash]) {
if (prev)
prev_work = container_of(prev, struct io_wq_work, list);
- if (prev_work && io_get_work_hash(prev_work) == hash)
+ if (prev_work && io_wq_is_hashed(prev_work) &&
+ io_get_work_hash(prev_work) == hash)
wq->hash_tail[hash] = prev_work;
else
wq->hash_tail[hash] = NULL;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 472/508] powerpc/warp: Fix error handling in pika_dtm_thread
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 471/508] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 473/508] netfs: fix error handling in netfs_extract_user_iter() Greg Kroah-Hartman
` (37 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Christophe Leroy,
Madhavan Srinivasan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 108d7f951271cbd36ca36efc5e5d106966f5180c upstream.
pika_dtm_thread() acquires client through of_find_i2c_device_by_node()
but fails to release it in error handling path. This could result in a
reference count leak, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the error handling path.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 3984114f0562 ("powerpc/warp: Platform fix for i2c change")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251116024411.21968-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/44x/warp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/powerpc/platforms/44x/warp.c
+++ b/arch/powerpc/platforms/44x/warp.c
@@ -292,6 +292,8 @@ static int pika_dtm_thread(void __iomem
schedule_timeout(HZ);
}
+ put_device(&client->dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 473/508] netfs: fix error handling in netfs_extract_user_iter()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 472/508] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 474/508] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
` (36 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoli Feng,
Paulo Alcantara (Red Hat), David Howells, netfs, linux-cifs,
linux-fsdevel, Christian Brauner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 0aad5704c6b4d14007d4eab15883e8524e4310f4 upstream.
In netfs_extract_user_iter(), if iov_iter_extract_pages() failed to
extract user pages, bail out on -ENOMEM, otherwise return the error
code only if @npages == 0, allowing short DIO reads and writes to be
issued.
This fixes mmapstress02 from LTP tests against CIFS.
Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
Reported-by: Xiaoli Feng <xifeng@redhat.com>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-10-dhowells@redhat.com
Cc: netfs@lists.linux.dev
Cc: stable@vger.kernel.org
Cc: linux-cifs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/netfs/iterator.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/fs/netfs/iterator.c
+++ b/fs/netfs/iterator.c
@@ -22,7 +22,7 @@
*
* Extract the page fragments from the given amount of the source iterator and
* build up a second iterator that refers to all of those bits. This allows
- * the original iterator to disposed of.
+ * the original iterator to be disposed of.
*
* @extraction_flags can have ITER_ALLOW_P2PDMA set to request peer-to-peer DMA be
* allowed on the pages extracted.
@@ -67,8 +67,8 @@ ssize_t netfs_extract_user_iter(struct i
ret = iov_iter_extract_pages(orig, &pages, count,
max_pages - npages, extraction_flags,
&offset);
- if (ret < 0) {
- pr_err("Couldn't get user pages (rc=%zd)\n", ret);
+ if (unlikely(ret <= 0)) {
+ ret = ret ?: -EIO;
break;
}
@@ -97,6 +97,13 @@ ssize_t netfs_extract_user_iter(struct i
npages += cur_npages;
}
+ if (ret < 0 && (ret == -ENOMEM || npages == 0)) {
+ for (i = 0; i < npages; i++)
+ unpin_user_page(bv[i].bv_page);
+ kvfree(bv);
+ return ret;
+ }
+
iov_iter_bvec(new, orig->data_source, bv, npages, orig_len - count);
return npages;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 474/508] libceph: Fix potential out-of-bounds access in osdmap_decode()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 473/508] netfs: fix error handling in netfs_extract_user_iter() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 475/508] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
` (35 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 35d0ed82d03e5ee77ea4f31f20e29562a7721649 upstream.
When decoding osd_state and osd_weight from an incoming osdmap in
osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
times. The ceph_decode_need() check only accounts for
sizeof(*map->osd_weight) once. This can potentially result in an
out-of-bounds memory access if the incoming message is corrupted such
that the max_osd value exceeds the actual content of the osdmap message.
This patch fixes the issue by changing the corresponding part in the
ceph_decode_need() check to account for
map->max_osd*sizeof(*map->osd_weight).
Cc: stable@vger.kernel.org
Fixes: dcbc919a5dc8 ("libceph: switch osdmap decoding to use ceph_decode_entity_addr")
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1703,7 +1703,7 @@ static int osdmap_decode(void **p, void
ceph_decode_need(p, end, 3*sizeof(u32) +
map->max_osd*(struct_v >= 5 ? sizeof(u32) :
sizeof(u8)) +
- sizeof(*map->osd_weight), e_inval);
+ map->max_osd*sizeof(*map->osd_weight), e_inval);
if (ceph_decode_32(p) != map->max_osd)
goto e_inval;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 475/508] libceph: Fix potential null-ptr-deref in decode_choose_args()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 474/508] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 476/508] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
` (34 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf upstream.
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an
array of max_buckets CRUSH buckets is decoded, where some indices may
not refer to actual buckets and are therefore set to NULL. The received
CRUSH map may optionally contain choose_args that get decoded in
decode_choose_args(). When decoding a crush_choose_arg_map, a series of
choose_args for different buckets is decoded, with the bucket_index
being read from the incoming message. It is only checked that the bucket
index does not exceed max_buckets, but not that it doesn't point to an
index with a NULL bucket. If a (potentially corrupted) message contains
a crush_choose_arg_map including such a bucket_index, a null pointer
dereference may occur in the subsequent processing when attempting to
access the bucket with the given index.
This patch fixes the issue by extending the affected check. Now, it is
only attempted to access the bucket if it is not NULL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -390,7 +390,8 @@ static int decode_choose_args(void **p,
goto fail;
if (arg->ids_size &&
- arg->ids_size != c->buckets[bucket_index]->size)
+ (!c->buckets[bucket_index] ||
+ arg->ids_size != c->buckets[bucket_index]->size))
goto e_inval;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 476/508] libceph: Fix potential out-of-bounds access in crush_decode()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 475/508] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 477/508] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
` (33 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 4c79fc2d598694bda845b46229c9d48b65042970 upstream.
A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.
This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/crush/crush.c | 6 +-----
net/ceph/osdmap.c | 4 ++++
2 files changed, 5 insertions(+), 5 deletions(-)
--- a/net/ceph/crush/crush.c
+++ b/net/ceph/crush/crush.c
@@ -47,7 +47,6 @@ int crush_get_bucket_item_weight(const s
void crush_destroy_bucket_uniform(struct crush_bucket_uniform *b)
{
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_list(struct crush_bucket_list *b)
@@ -55,14 +54,12 @@ void crush_destroy_bucket_list(struct cr
kfree(b->item_weights);
kfree(b->sum_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_tree(struct crush_bucket_tree *b)
{
kfree(b->h.items);
kfree(b->node_weights);
- kfree(b);
}
void crush_destroy_bucket_straw(struct crush_bucket_straw *b)
@@ -70,14 +67,12 @@ void crush_destroy_bucket_straw(struct c
kfree(b->straws);
kfree(b->item_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_straw2(struct crush_bucket_straw2 *b)
{
kfree(b->item_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket(struct crush_bucket *b)
@@ -99,6 +94,7 @@ void crush_destroy_bucket(struct crush_b
crush_destroy_bucket_straw2((struct crush_bucket_straw2 *)b);
break;
}
+ kfree(b);
}
/**
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -518,6 +518,10 @@ static struct crush_map *crush_decode(vo
b->id = ceph_decode_32(p);
b->type = ceph_decode_16(p);
b->alg = ceph_decode_8(p);
+ if (b->alg != alg) {
+ b->alg = 0;
+ goto bad;
+ }
b->hash = ceph_decode_8(p);
b->weight = ceph_decode_32(p);
b->size = ceph_decode_32(p);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 477/508] libceph: handle rbtree insertion error in decode_choose_args()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.6 476/508] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 478/508] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
` (32 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit d289478cfc0bcf81c7914200d6abdcb78bd04ded upstream.
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.
This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -395,7 +395,10 @@ static int decode_choose_args(void **p,
goto e_inval;
}
- insert_choose_arg_map(&c->choose_args, arg_map);
+ if (!__insert_choose_arg_map(&c->choose_args, arg_map)) {
+ ret = -EEXIST;
+ goto fail;
+ }
}
return 0;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 478/508] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 477/508] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 479/508] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
` (31 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naval Alcalá, Lu Baolu,
Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naval Alcalá <ari@naval.cat>
commit 2cda2e10dc8343ae01eae9e999a876b7e7d37861 upstream.
Intel Q35 integrated graphics (8086:29b2) exhibits broken DMAR
behaviour similar to other G4x/GM45 devices for which DMAR is
already disabled via quirks.
When DMAR is enabled, the system may hard lock up during boot or
early device initialization, requiring a reset.
Add the missing PCI ID to the existing quirk list to disable
DMAR for this device.
Fixes: 1f76249cc3be ("iommu/vt-d: Declare Broadwell igfx dmar support snafu")
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=201185
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216064
Signed-off-by: Naval Alcalá <ari@naval.cat>
Link: https://lore.kernel.org/r/20260410161622.13549-1-ari@naval.cat
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4851,6 +4851,9 @@ static void quirk_iommu_igfx(struct pci_
dmar_map_gfx = 0;
}
+/* Q35 integrated gfx dmar support is totally busted. */
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x29b2, quirk_iommu_igfx);
+
/* G4x/GM45 integrated gfx dmar support is totally busted. */
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_igfx);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_igfx);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 479/508] drm/i915: skip __i915_request_skip() for already signaled requests
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 478/508] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 480/508] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
` (30 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Brzezinka, Krzysztof Karas,
Andi Shyti, Tvrtko Ursulin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
commit 4cfe4c0efbdcde742a47813180cc69b132d7598e upstream.
After a GPU reset the HWSP is zeroed, so previously completed
requests appear incomplete. If such a request is picked up during
reset_rewind() and marked guilty, i915_request_set_error_once()
returns early (fence already signaled), leaving fence.error without
a fatal error code. The subsequent __i915_request_skip() then hits:
```
GEM_BUG_ON(!fatal_error(rq->fence.error))
```
Fixes a kernel BUG observed on Sandy Bridge (Gen6) during
heartbeat-triggered engine resets.
```
kernel BUG at drivers/gpu/drm/i915/i915_request.c:556!
RIP: __i915_request_skip+0x15e/0x1d0 [i915]
...
__i915_request_reset+0x212/0xa70 [i915]
reset_rewind+0xe4/0x280 [i915]
intel_gt_reset+0x30d/0x5b0 [i915]
heartbeat+0x516/0x530 [i915]
```
Guard __i915_request_skip() with i915_request_signaled(), if the
fence is already signaled, the ring content is committed and there
is nothing left to skip.
Fixes: 36e191f0644b ("drm/i915: Apply i915_request_skip() on submission")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/13729
Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Cc: stable@vger.kernel.org # v5.7+
Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/fe76921d35b6ae85aa651822726d0d9815aa5362.1776339012.git.sebastian.brzezinka@intel.com
(cherry picked from commit 5ba54393dcd7adf75a9f39f5a933b1538349cad5)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gt/intel_reset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gt/intel_reset.c
+++ b/drivers/gpu/drm/i915/gt/intel_reset.c
@@ -134,7 +134,8 @@ void __i915_request_reset(struct i915_re
rcu_read_lock(); /* protect the GEM context */
if (guilty) {
i915_request_set_error_once(rq, -EIO);
- __i915_request_skip(rq);
+ if (!i915_request_signaled(rq))
+ __i915_request_skip(rq);
banned = mark_guilty(rq);
} else {
i915_request_set_error_once(rq, -EAGAIN);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 480/508] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 479/508] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 481/508] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
` (29 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gyeyoung Baek, Adrián Larumbe,
Boris Brezillon, Steven Price
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gyeyoung Baek <gye976@gmail.com>
commit 459d75523b71c0ec254d153d8850d0b7008af396 upstream.
dma_resv_wait_timeout() returns a positive 'remaining jiffies' value
on success, 0 on timeout, and -errno on failure.
panfrost_ioctl_wait_bo() returns this 'long' result from an int-typed
ioctl handler, so positive values reach userspace as bogus errors.
Explicitly set ret to 0 on the success path.
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Cc: stable@vger.kernel.org
Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
Reviewed-by: Adrián Larumbe <adrian.larumbe@collabora.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Link: https://patch.msgid.link/fe33f82fded7be1c18e2e0eb2db451d5a738cf39.1776581974.git.gye976@gmail.com
Signed-off-by: Steven Price <steven.price@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
+++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
@@ -324,6 +324,8 @@ panfrost_ioctl_wait_bo(struct drm_device
true, timeout);
if (!ret)
ret = timeout ? -ETIMEDOUT : -EBUSY;
+ else if (ret > 0)
+ ret = 0;
drm_gem_object_put(gem_obj);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 481/508] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 480/508] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 482/508] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
` (28 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Patrik Jakobsson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 950953f774b3f69da6f413e045ef075e1f3da2df upstream.
Make sure to drop the reference taken to the I2C adapter (and its
module) when setting up HDMI to allow the adapter to be deregistered.
Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
Cc: stable@vger.kernel.org # 3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
@@ -579,6 +579,7 @@ static int oaktrail_hdmi_get_modes(struc
} else {
edid = (struct edid *)raw_edid;
/* FIXME ? edid = drm_get_edid(connector, i2c_adap); */
+ i2c_put_adapter(i2c_adap);
}
if (edid) {
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 482/508] drm/gma500/oaktrail_lvds: fix hang on init failure
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 481/508] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 483/508] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
` (27 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 657a091ab6d01d0091b77660c75cfed573c9a53e upstream.
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and
tries to read the EDID before falling back to allocating and registering
its own adapter.
The error handling does not separate these cases so on a late init
failure it will try to deregister and free also an adapter that had
previously been registered. Since i2c_get_adapter() takes another
reference to the adapter, deregistration hangs indefinitely while
waiting for the reference to be released.
Fix this by only destroying adapters allocated during LVDS init on
errors.
Fixes: a57ebfc0b4da ("drm/gma500: Make oaktrail lvds use ddc adapter from drm_connector")
Cc: stable@vger.kernel.org # 6.0
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_lvds.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/gma500/oaktrail_lvds.c
+++ b/drivers/gpu/drm/gma500/oaktrail_lvds.c
@@ -294,7 +294,7 @@ void oaktrail_lvds_init(struct drm_devic
{
struct gma_encoder *gma_encoder;
struct gma_connector *gma_connector;
- struct gma_i2c_chan *ddc_bus;
+ struct gma_i2c_chan *ddc_bus = NULL;
struct drm_connector *connector;
struct drm_encoder *encoder;
struct drm_psb_private *dev_priv = to_drm_psb_private(dev);
@@ -422,7 +422,8 @@ out:
err_unlock:
mutex_unlock(&dev->mode_config.mutex);
- gma_i2c_destroy(to_gma_i2c_chan(connector->ddc));
+ if (!IS_ERR_OR_NULL(ddc_bus))
+ gma_i2c_destroy(ddc_bus);
drm_encoder_cleanup(encoder);
err_connector_cleanup:
drm_connector_cleanup(connector);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 483/508] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 482/508] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 484/508] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
` (26 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Patrik Jakobsson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 84d1c9b416d54afe760ca4c378bd95c89261254c upstream.
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and
tries to read the EDID before falling back to allocating and registering
its own adapter.
Make sure to drop the references taken by i2c_get_adapter() when falling
back to allocating an adapter as well as on late errors to allow the
looked up adapter to be deregistered.
Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
Cc: stable@vger.kernel.org # 3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_lvds.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/gma500/oaktrail_lvds.c
+++ b/drivers/gpu/drm/gma500/oaktrail_lvds.c
@@ -368,6 +368,8 @@ void oaktrail_lvds_init(struct drm_devic
if (edid == NULL && dev_priv->lpc_gpio_base) {
ddc_bus = oaktrail_lvds_i2c_init(dev);
if (!IS_ERR(ddc_bus)) {
+ if (i2c_adap)
+ i2c_put_adapter(i2c_adap);
i2c_adap = &ddc_bus->base;
edid = drm_get_edid(connector, i2c_adap);
}
@@ -424,6 +426,8 @@ err_unlock:
mutex_unlock(&dev->mode_config.mutex);
if (!IS_ERR_OR_NULL(ddc_bus))
gma_i2c_destroy(ddc_bus);
+ else if (i2c_adap)
+ i2c_put_adapter(i2c_adap);
drm_encoder_cleanup(encoder);
err_connector_cleanup:
drm_connector_cleanup(connector);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 484/508] pmdomain: core: Fix detach procedure for virtual devices in genpd
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 483/508] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 485/508] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() Greg Kroah-Hartman
` (25 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Geert Uytterhoeven, Ulf Hansson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulf Hansson <ulf.hansson@linaro.org>
[ Upstream commit 26735dfdd8930d9ef1fa92e590a9bf77726efdf6 ]
If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().
This means these virtual devices are typically detached from its genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.
To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Closes: https://lore.kernel.org/all/CAMuHMdWapT40hV3c+CSBqFOW05aWcV1a6v_NiJYgoYi0i9_PDQ@mail.gmail.com/
Fixes: 3c095f32a92b ("PM / Domains: Add support for multi PM domains per device to genpd")
Cc: stable@vger.kernel.org
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/domain.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2676,6 +2676,7 @@ static struct bus_type genpd_bus_type =
static void genpd_dev_pm_detach(struct device *dev, bool power_off)
{
struct generic_pm_domain *pd;
+ bool is_virt_dev;
unsigned int i;
int ret = 0;
@@ -2685,6 +2686,13 @@ static void genpd_dev_pm_detach(struct d
dev_dbg(dev, "removing from PM domain %s\n", pd->name);
+ /* Check if the device was created by genpd at attach. */
+ is_virt_dev = dev->bus == &genpd_bus_type;
+
+ /* Disable runtime PM if we enabled it at attach. */
+ if (is_virt_dev)
+ pm_runtime_disable(dev);
+
/* Drop the default performance state */
if (dev_gpd_data(dev)->default_pstate) {
dev_pm_genpd_set_performance_state(dev, 0);
@@ -2710,7 +2718,7 @@ static void genpd_dev_pm_detach(struct d
genpd_queue_power_off_work(pd);
/* Unregister the device if it was created by genpd. */
- if (dev->bus == &genpd_bus_type)
+ if (is_virt_dev)
device_unregister(dev);
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 485/508] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 484/508] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 486/508] btrfs: fix double free in create_space_info_sub_group() error path Greg Kroah-Hartman
` (24 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Filipe Manana,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 771af6ff72e0ed0eb8bf97e5ae4fa5094e0c5d1d ]
We don't need it since we can grab fs_info from the given space_info.
So remove the fs_info argument.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: a7449edf9614 ("btrfs: fix double free in create_space_info_sub_group() error path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/space-info.c | 4 ++--
fs/btrfs/sysfs.c | 5 ++---
fs/btrfs/sysfs.h | 3 +--
3 files changed, 5 insertions(+), 7 deletions(-)
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -262,7 +262,7 @@ static int create_space_info_sub_group(s
sub_group->parent = parent;
sub_group->subgroup_id = id;
- ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
+ ret = btrfs_sysfs_add_space_info_type(sub_group);
if (ret) {
kfree(sub_group);
parent->sub_group[index] = NULL;
@@ -291,7 +291,7 @@ static int create_space_info(struct btrf
goto out_free;
}
- ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ ret = btrfs_sysfs_add_space_info_type(space_info);
if (ret)
return ret;
--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -1674,13 +1674,12 @@ static const char *alloc_name(struct btr
* Create a sysfs entry for a space info type at path
* /sys/fs/btrfs/UUID/allocation/TYPE
*/
-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
- struct btrfs_space_info *space_info)
+int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info)
{
int ret;
ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
- fs_info->space_info_kobj, "%s",
+ space_info->fs_info->space_info_kobj, "%s",
alloc_name(space_info));
if (ret) {
kobject_put(&space_info->kobj);
--- a/fs/btrfs/sysfs.h
+++ b/fs/btrfs/sysfs.h
@@ -27,8 +27,7 @@ void __cold btrfs_exit_sysfs(void);
int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info);
void btrfs_sysfs_remove_mounted(struct btrfs_fs_info *fs_info);
void btrfs_sysfs_add_block_group_type(struct btrfs_block_group *cache);
-int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
- struct btrfs_space_info *space_info);
+int btrfs_sysfs_add_space_info_type(struct btrfs_space_info *space_info);
void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info);
void btrfs_sysfs_update_devid(struct btrfs_device *device);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 486/508] btrfs: fix double free in create_space_info_sub_group() error path
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 485/508] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 487/508] eventfs: Use list_add_tail_rcu() for SRCU-protected children list Greg Kroah-Hartman
` (23 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Guangshuo Li,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
[ Upstream commit a7449edf96143f192606ec8647e3167e1ecbd728 ]
When kobject_init_and_add() fails, the call chain is:
create_space_info_sub_group()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&sub_group->kobj)
-> space_info_release()
-> kfree(sub_group)
Then control returns to create_space_info_sub_group(), where:
btrfs_sysfs_add_space_info_type() returns error
-> kfree(sub_group)
Thus, sub_group is freed twice.
Keep parent->sub_group[index] = NULL for the failure path, but after
btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
kobject release callback handle the cleanup.
Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group")
CC: stable@vger.kernel.org # 6.18+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/space-info.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -263,10 +263,8 @@ static int create_space_info_sub_group(s
sub_group->subgroup_id = id;
ret = btrfs_sysfs_add_space_info_type(sub_group);
- if (ret) {
- kfree(sub_group);
+ if (ret)
parent->sub_group[index] = NULL;
- }
return ret;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 487/508] eventfs: Use list_add_tail_rcu() for SRCU-protected children list
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 486/508] btrfs: fix double free in create_space_info_sub_group() error path Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 488/508] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
` (22 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Steven Rostedt,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit f67950b2887fa10df50c4317a1fe98a65bc6875b ]
Commit d2603279c7d6 ("eventfs: Use list_del_rcu() for SRCU protected
list variable") converted the removal side to pair with the
list_for_each_entry_srcu() walker in eventfs_iterate(). The insertion
in eventfs_create_dir() was left as a plain list_add_tail(), which on
weakly-ordered architectures can expose a new entry to the SRCU reader
before its list pointers and fields are observable.
Use list_add_tail_rcu() so the publication pairs with the existing
list_del_rcu() and list_for_each_entry_srcu().
Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260418152251.199343-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[ adapted scoped_guard(mutex, &eventfs_mutex) block to explicit mutex_lock()/mutex_unlock() pair ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/tracefs/event_inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -802,7 +802,7 @@ struct eventfs_inode *eventfs_create_dir
mutex_lock(&eventfs_mutex);
if (!parent->is_freed)
- list_add_tail(&ei->list, &parent->children);
+ list_add_tail_rcu(&ei->list, &parent->children);
mutex_unlock(&eventfs_mutex);
/* Was the parent freed? */
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 488/508] drm/v3d: Reject empty multisync extension to prevent infinite loop
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 487/508] eventfs: Use list_add_tail_rcu() for SRCU-protected children list Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 489/508] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
` (21 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ashutosh Desai, Maíra Canal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user
can craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing duplicate-
extension guard:
if (se->in_sync_count || se->out_sync_count)
return -EINVAL;
The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking
the calling thread and pegging a CPU core indefinitely.
Fix this by rejecting a multisync extension where both in_sync_count
and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
empty multisync carries no synchronization information and serves no
useful purpose, so returning -EINVAL for such an extension is the
correct defense against this attack vector.
Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
(cherry picked from commit fb44d589bf3148e13452185a6e772a7efbf2d684)
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/v3d/v3d_gem.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/v3d/v3d_gem.c
+++ b/drivers/gpu/drm/v3d/v3d_gem.c
@@ -597,6 +597,11 @@ v3d_get_multisync_submit_deps(struct drm
if (multisync.pad)
return -EINVAL;
+ if (!multisync.in_sync_count && !multisync.out_sync_count) {
+ DRM_DEBUG("Empty multisync extension\n");
+ return -EINVAL;
+ }
+
ret = v3d_get_multisync_post_deps(file_priv, data, multisync.out_sync_count,
multisync.out_syncs);
if (ret)
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 489/508] smb: client: Use FullSessionKey for AES-256 encryption key derivation
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 488/508] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 490/508] btrfs: use inode already stored in local variable at btrfs_rmdir() Greg Kroah-Hartman
` (20 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Piyush Sachdeva,
Piyush Sachdeva, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piyush Sachdeva <s.piyush1024@gmail.com>
[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ]
When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
using the full session key (Session.FullSessionKey) rather than just the
first 16 bytes (Session.SessionKey).
Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
must be set to the full cryptographic key from the GSS authentication
context. The encryption and decryption key derivation (SMBC2SCipherKey,
SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
signing key derivation continues to use Session.SessionKey (first 16
bytes) in all cases.
Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
HMAC-SHA256 key input length for all derivations. When Kerberos with
AES-256 provides a 32-byte session key, the KDF for encryption/decryption
was using only the first 16 bytes, producing keys that did not match the
server's, causing mount failures with sec=krb5 and require_gcm_256=1.
Add a full_key_size parameter to generate_key() and pass the appropriate
size from generate_smb3signingkey():
- Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)
- Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16
Also fix cifs_dump_full_key() to report the actual session key length for
AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools
like Wireshark receive the correct key for decryption.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Piyush Sachdeva <psachdeva@microsoft.com>
Signed-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ adapted upstream's void/hmac_sha256_init_usingrawkey-based generate_key() to 6.12's int-return crypto_shash_* form while threading full_key_size through all callers. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/ioctl.c | 2 +-
fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++-------
2 files changed, 26 insertions(+), 8 deletions(-)
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -280,7 +280,7 @@ search_end:
break;
case SMB2_ENCRYPTION_AES256_CCM:
case SMB2_ENCRYPTION_AES256_GCM:
- out.session_key_length = CIFS_SESS_KEY_SIZE;
+ out.session_key_length = ses->auth_key.len;
out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;
break;
default:
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -334,7 +334,8 @@ out:
}
static int generate_key(struct cifs_ses *ses, struct kvec label,
- struct kvec context, __u8 *key, unsigned int key_size)
+ struct kvec context, __u8 *key, unsigned int key_size,
+ unsigned int full_key_size)
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
@@ -355,7 +356,7 @@ static int generate_key(struct cifs_ses
}
rc = crypto_shash_setkey(server->secmech.hmacsha256->tfm,
- ses->auth_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
+ ses->auth_key.response, full_key_size);
if (rc) {
cifs_server_dbg(VFS, "%s: Could not set with session key\n", __func__);
goto smb3signkey_ret;
@@ -430,6 +431,7 @@ generate_smb3signingkey(struct cifs_ses
struct TCP_Server_Info *server,
const struct derivation_triplet *ptriplet)
{
+ unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE;
int rc;
bool is_binding = false;
int chan_index = 0;
@@ -464,17 +466,31 @@ generate_smb3signingkey(struct cifs_ses
rc = generate_key(ses, ptriplet->signing.label,
ptriplet->signing.context,
ses->chans[chan_index].signkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE,
+ SMB2_NTLMV2_SESSKEY_SIZE);
if (rc)
return rc;
} else {
rc = generate_key(ses, ptriplet->signing.label,
ptriplet->signing.context,
ses->smb3signingkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE,
+ SMB2_NTLMV2_SESSKEY_SIZE);
if (rc)
return rc;
+ /*
+ * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey
+ * (first 16 bytes). Encryption/decryption keys use
+ * Session.FullSessionKey when dialect is 3.1.1 and cipher is
+ * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.
+ */
+
+ if (server->dialect == SMB311_PROT_ID &&
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ full_key_size = ses->auth_key.len;
+
/* safe to access primary channel, since it will never go away */
spin_lock(&ses->chan_lock);
memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey,
@@ -484,13 +500,15 @@ generate_smb3signingkey(struct cifs_ses
rc = generate_key(ses, ptriplet->encryption.label,
ptriplet->encryption.context,
ses->smb3encryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE,
+ full_key_size);
if (rc)
return rc;
rc = generate_key(ses, ptriplet->decryption.label,
ptriplet->decryption.context,
ses->smb3decryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE,
+ full_key_size);
if (rc)
return rc;
}
@@ -505,7 +523,7 @@ generate_smb3signingkey(struct cifs_ses
&ses->Suid);
cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type);
cifs_dbg(VFS, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
+ (int)ses->auth_key.len, ses->auth_key.response);
cifs_dbg(VFS, "Signing Key %*ph\n",
SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 490/508] btrfs: use inode already stored in local variable at btrfs_rmdir()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 489/508] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 491/508] btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() Greg Kroah-Hartman
` (19 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Qu Wenruo,
Filipe Manana, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 9f82a4ed34d870b5719f9b95f7da4f74d3325a6f ]
There's no need to call d_inode(dentry) when calling btrfs_unlink_inode()
since we have already stored that in a local inode variable. So just use
the local variable to make the code less verbose.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 999757231c49 ("btrfs: fix missing last_unlink_trans update when removing a directory")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4681,8 +4681,7 @@ static int btrfs_rmdir(struct inode *dir
goto out;
/* now the directory is empty */
- ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
- &fname.disk_name);
+ ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(inode), &fname.disk_name);
if (!ret)
btrfs_i_size_write(BTRFS_I(inode), 0);
out:
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 491/508] btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 490/508] btrfs: use inode already stored in local variable at btrfs_rmdir() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 492/508] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
` (18 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Qu Wenruo,
Filipe Manana, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 98060e1611177ddc842601a58258876ab435fdbf ]
Almost everywhere we want to use a btrfs inode and therefore we have a
lot of calls to BTRFS_I(), making the code more verbose. Instead use btrfs
inode local variables to avoid so much use of BTRFS_I().
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 999757231c49 ("btrfs: fix missing last_unlink_trans update when removing a directory")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4623,32 +4623,33 @@ out_up_write:
return ret;
}
-static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+static int btrfs_rmdir(struct inode *vfs_dir, struct dentry *dentry)
{
- struct inode *inode = d_inode(dentry);
- struct btrfs_fs_info *fs_info = BTRFS_I(inode)->root->fs_info;
+ struct btrfs_inode *dir = BTRFS_I(vfs_dir);
+ struct btrfs_inode *inode = BTRFS_I(d_inode(dentry));
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
int ret = 0;
struct btrfs_trans_handle *trans;
struct fscrypt_name fname;
- if (inode->i_size > BTRFS_EMPTY_DIR_SIZE)
+ if (inode->vfs_inode.i_size > BTRFS_EMPTY_DIR_SIZE)
return -ENOTEMPTY;
- if (btrfs_ino(BTRFS_I(inode)) == BTRFS_FIRST_FREE_OBJECTID) {
+ if (btrfs_ino(inode) == BTRFS_FIRST_FREE_OBJECTID) {
if (unlikely(btrfs_fs_incompat(fs_info, EXTENT_TREE_V2))) {
btrfs_err(fs_info,
"extent tree v2 doesn't support snapshot deletion yet");
return -EOPNOTSUPP;
}
- return btrfs_delete_subvolume(BTRFS_I(dir), dentry);
+ return btrfs_delete_subvolume(dir, dentry);
}
- ret = fscrypt_setup_filename(dir, &dentry->d_name, 1, &fname);
+ ret = fscrypt_setup_filename(vfs_dir, &dentry->d_name, 1, &fname);
if (ret)
return ret;
/* This needs to handle no-key deletions later on */
- trans = __unlink_start_trans(BTRFS_I(dir));
+ trans = __unlink_start_trans(dir);
if (IS_ERR(trans)) {
ret = PTR_ERR(trans);
goto out_notrans;
@@ -4668,22 +4669,22 @@ static int btrfs_rmdir(struct inode *dir
* This is because we can't unlink other roots when replaying the dir
* deletes for directory foo.
*/
- if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
- btrfs_record_snapshot_destroy(trans, BTRFS_I(dir));
+ if (inode->last_unlink_trans >= trans->transid)
+ btrfs_record_snapshot_destroy(trans, dir);
- if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
- ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+ if (unlikely(btrfs_ino(inode) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+ ret = btrfs_unlink_subvol(trans, dir, dentry);
goto out;
}
- ret = btrfs_orphan_add(trans, BTRFS_I(inode));
+ ret = btrfs_orphan_add(trans, inode);
if (ret)
goto out;
/* now the directory is empty */
- ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(inode), &fname.disk_name);
+ ret = btrfs_unlink_inode(trans, dir, inode, &fname.disk_name);
if (!ret)
- btrfs_i_size_write(BTRFS_I(inode), 0);
+ btrfs_i_size_write(inode, 0);
out:
btrfs_end_transaction(trans);
out_notrans:
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 492/508] btrfs: fix missing last_unlink_trans update when removing a directory
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 491/508] btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 493/508] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
` (17 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Slava0135, Filipe Manana,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 999757231c49376cd1a37308d2c8c4c9932571e1 ]
When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case some one fsyncs the
directory after it was removed because it's holding a file descriptor on
it.
Example scenario:
mkdir /mnt/dir1
mkdir /mnt/dir1/dir2
mkdir /mnt/dir3
sync -f /mnt
# Do some change to the directory and fsync it.
chmod 700 /mnt/dir1
xfs_io -c fsync /mnt/dir1
# Move dir2 out of dir1 so that dir1 becomes empty.
mv /mnt/dir1/dir2 /mnt/dir3/
open fd on /mnt/dir1
call rmdir(2) on path "/mnt/dir1"
fsync fd
<trigger power failure>
When attempting to mount the filesystem, the log replay will fail with
an -EIO error and dmesg/syslog has the following:
[445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650
[445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm
[445771.627912] BTRFS info (device dm-0): start tree-log replay
[445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5
[445771.629453] memcg:ffff89f400351b00
[445771.629892] aops:btree_aops [btrfs] ino:1
[445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8
[445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00
[445771.635029] page dumped because: eb page dump
[445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir
[445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5
[445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087
[445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[445771.638097] inode generation 3 transid 9 size 16 nbytes 16384
[445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0
[445771.638100] rdev 0 sequence 2 flags 0x0
[445771.638102] atime 1775744884.0
[445771.660056] ctime 1775744885.645502983
[445771.660058] mtime 1775744885.645502983
[445771.660060] otime 1775744884.0
[445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[445771.660064] index 0 name_len 2
[445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34
[445771.660068] location key (259 1 0) type 2
[445771.660070] transid 9 data_len 0 name_len 4
[445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34
[445771.660076] location key (257 1 0) type 2
[445771.660077] transid 9 data_len 0 name_len 4
[445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[445771.660079] location key (257 1 0) type 2
[445771.660080] transid 9 data_len 0 name_len 4
[445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
[445771.660082] location key (259 1 0) type 2
[445771.660083] transid 9 data_len 0 name_len 4
[445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
[445771.660086] inode generation 9 transid 9 size 8 nbytes 0
[445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0
[445771.660088] rdev 0 sequence 2 flags 0x0
[445771.660089] atime 1775744885.641174097
[445771.660090] ctime 1775744885.645502983
[445771.660091] mtime 1775744885.645502983
[445771.660105] otime 1775744885.641174097
[445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
[445771.660107] index 2 name_len 4
[445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34
[445771.660109] location key (258 1 0) type 2
[445771.660110] transid 9 data_len 0 name_len 4
[445771.660111] item 9 key (257 DIR_INDEX 2) itemoff 15733 itemsize 34
[445771.660112] location key (258 1 0) type 2
[445771.660113] transid 9 data_len 0 name_len 4
[445771.660114] item 10 key (258 INODE_ITEM 0) itemoff 15573 itemsize 160
[445771.660115] inode generation 9 transid 10 size 0 nbytes 0
[445771.660116] block group 0 mode 40755 links 2 uid 0 gid 0
[445771.660117] rdev 0 sequence 0 flags 0x0
[445771.660118] atime 1775744885.645502983
[445771.660119] ctime 1775744885.645502983
[445771.660120] mtime 1775744885.645502983
[445771.660121] otime 1775744885.645502983
[445771.660122] item 11 key (258 INODE_REF 257) itemoff 15559 itemsize 14
[445771.660123] index 2 name_len 4
[445771.660124] item 12 key (258 INODE_REF 259) itemoff 15545 itemsize 14
[445771.660125] index 2 name_len 4
[445771.660126] item 13 key (259 INODE_ITEM 0) itemoff 15385 itemsize 160
[445771.660127] inode generation 9 transid 10 size 8 nbytes 0
[445771.660128] block group 0 mode 40755 links 1 uid 0 gid 0
[445771.660129] rdev 0 sequence 1 flags 0x0
[445771.660130] atime 1775744885.645502983
[445771.660130] ctime 1775744885.645502983
[445771.660131] mtime 1775744885.645502983
[445771.660132] otime 1775744885.645502983
[445771.660133] item 14 key (259 INODE_REF 256) itemoff 15371 itemsize 14
[445771.660134] index 3 name_len 4
[445771.660135] item 15 key (259 DIR_ITEM 2676584006) itemoff 15337 itemsize 34
[445771.660136] location key (258 1 0) type 2
[445771.660137] transid 10 data_len 0 name_len 4
[445771.660138] item 16 key (259 DIR_INDEX 2) itemoff 15303 itemsize 34
[445771.660139] location key (258 1 0) type 2
[445771.660140] transid 10 data_len 0 name_len 4
[445771.660144] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected
[445771.661650] ------------[ cut here ]------------
[445771.662358] WARNING: fs/btrfs/disk-io.c:326 at btree_csum_one_bio+0x217/0x230 [btrfs], CPU#8: mount/3581087
[445771.663588] Modules linked in: btrfs f2fs xfs (...)
[445771.671229] CPU: 8 UID: 0 PID: 3581087 Comm: mount Tainted: G W 7.0.0-rc6-btrfs-next-230+ #2 PREEMPT(full)
[445771.672575] Tainted: [W]=WARN
[445771.672987] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[445771.674460] RIP: 0010:btree_csum_one_bio+0x217/0x230 [btrfs]
[445771.675222] Code: 89 44 24 (...)
[445771.677364] RSP: 0018:ffffd23882247660 EFLAGS: 00010246
[445771.678029] RAX: 0000000000000000 RBX: ffff89f6c51d1a90 RCX: 0000000000000000
[445771.678975] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff89f406020000
[445771.679983] RBP: ffff89f821204000 R08: 0000000000000000 R09: 00000000ffefffff
[445771.680905] R10: ffffd23882247448 R11: 0000000000000003 R12: ffffd23882247668
[445771.681978] R13: ffff89f458e40fc0 R14: ffff89f737f4f500 R15: ffff89f737f4f500
[445771.682912] FS: 00007f0447a98840(0000) GS:ffff89fb9771d000(0000) knlGS:0000000000000000
[445771.684393] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[445771.685230] CR2: 00007f0447bf1330 CR3: 000000017cb02002 CR4: 0000000000370ef0
[445771.686273] Call Trace:
[445771.686646] <TASK>
[445771.686969] btrfs_submit_bbio+0x83f/0x860 [btrfs]
[445771.687750] ? write_one_eb+0x28f/0x340 [btrfs]
[445771.688428] btree_writepages+0x2e3/0x550 [btrfs]
[445771.689180] ? kmem_cache_alloc_noprof+0x12a/0x490
[445771.689963] ? alloc_extent_state+0x19/0x120 [btrfs]
[445771.690801] ? kmem_cache_free+0x135/0x380
[445771.691328] ? preempt_count_add+0x69/0xa0
[445771.691831] ? set_extent_bit+0x252/0x8e0 [btrfs]
[445771.692468] ? xas_load+0x9/0xc0
[445771.692873] ? xas_find+0x14d/0x1a0
[445771.693304] do_writepages+0xc6/0x160
[445771.693756] filemap_writeback+0xb8/0xe0
[445771.694274] btrfs_write_marked_extents+0x61/0x170 [btrfs]
[445771.694999] btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs]
[445771.695818] btrfs_commit_transaction+0x5c8/0xd10 [btrfs]
[445771.696530] ? kmem_cache_free+0x135/0x380
[445771.697120] ? release_extent_buffer+0x34/0x160 [btrfs]
[445771.697786] btrfs_recover_log_trees+0x7be/0x7e0 [btrfs]
[445771.698525] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
[445771.699206] open_ctree+0x11e5/0x1810 [btrfs]
[445771.699776] btrfs_get_tree.cold+0xb/0x162 [btrfs]
[445771.700463] ? fscontext_read+0x165/0x180
[445771.701146] ? rw_verify_area+0x50/0x180
[445771.701866] vfs_get_tree+0x25/0xd0
[445771.702491] vfs_cmd_create+0x59/0xe0
[445771.703125] __do_sys_fsconfig+0x303/0x610
[445771.703603] do_syscall_64+0xe9/0xf20
[445771.703974] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[445771.704700] RIP: 0033:0x7f0447cbd4aa
[445771.705108] Code: 73 01 c3 (...)
[445771.707263] RSP: 002b:00007ffc4e528318 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[445771.708107] RAX: ffffffffffffffda RBX: 00005561585d8c20 RCX: 00007f0447cbd4aa
[445771.708931] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
[445771.709744] RBP: 00005561585d9120 R08: 0000000000000000 R09: 0000000000000000
[445771.710674] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[445771.711477] R13: 00007f0447e4f580 R14: 00007f0447e5126c R15: 00007f0447e36a23
[445771.712277] </TASK>
[445771.712541] ---[ end trace 0000000000000000 ]---
[445771.713382] BTRFS error (device dm-0): error while writing out transaction: -5
[445771.714679] BTRFS warning (device dm-0): Skipping commit of aborted transaction.
[445771.715562] BTRFS error (device dm-0 state A): Transaction aborted (error -5)
[445771.716459] BTRFS: error (device dm-0 state A) in cleanup_transaction:2068: errno=-5 IO failure
[445771.717936] BTRFS error (device dm-0 state EA): failed to recover log trees with error: -5
[445771.719681] BTRFS error (device dm-0 state EA): open_ctree failed: -5
The problem is that such a fsync should have result in a fallback to a
transaction commit, but that did not happen because through the
btrfs_rmdir() we never update the directory's last_unlink_trans field.
Any inode that had a link removed must have its last_unlink_trans updated
to the ID of transaction used for the operation, otherwise fsync and log
replay will not work correctly.
btrfs_rmdir() calls btrfs_unlink_inode() and through that call chain we
never call btrfs_record_unlink_dir() in order to update last_unlink_trans.
However btrfs_unlink(), which is used for unlinking regular files, calls
btrfs_record_unlink_dir() and then calls btrfs_unlink_inode(). So fix
this by moving the call to btrfs_record_unlink_dir() from btrfs_unlink()
to btrfs_unlink_inode().
A test case for fstests will follow soon.
Reported-by: Slava0135 <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAAJYhww5ov62Hm+n+tmhcL-e_4cBobg+OWogKjOJxVUXivC=MQ@mail.gmail.com/
CC: stable@vger.kernel.org
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4681,6 +4681,8 @@ static int btrfs_rmdir(struct inode *vfs
if (ret)
goto out;
+ btrfs_record_unlink_dir(trans, dir, inode, false);
+
/* now the directory is empty */
ret = btrfs_unlink_inode(trans, dir, inode, &fname.disk_name);
if (!ret)
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 493/508] RDMA/mana: Validate rx_hash_key_len
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 492/508] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 494/508] mptcp: drop __mptcp_fastopen_gen_msk_ackseq() Greg Kroah-Hartman
` (16 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Jason Gunthorpe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit 6dd2d4ad9c8429523b1c220c5132bd551c006425 ]
Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
blindly passed to memcpy, allowing the userspace to trash kernel
memory. Bounds check it so the memcpy cannot overflow.
Cc: stable@vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
Link: https://patch.msgid.link/r/4-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
[ kept the stable branch's existing `req_buf_size` calculation instead of upstream's `struct_size(req, indir_tab, ...)` form ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mana/qp.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -24,6 +24,9 @@ static int mana_ib_cfg_vport_steering(st
mdev = dev->gdma_dev;
gc = mdev->gdma_context;
+ if (rx_hash_key_len > sizeof(req->hashkey))
+ return -EINVAL;
+
req_buf_size =
sizeof(*req) + sizeof(mana_handle_t) * MANA_INDIRECT_TABLE_SIZE;
req = kzalloc(req_buf_size, GFP_KERNEL);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 494/508] mptcp: drop __mptcp_fastopen_gen_msk_ackseq()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 493/508] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 495/508] mptcp: fix rx timestamp corruption on fastopen Greg Kroah-Hartman
` (15 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit f03afb3aeb9d81f6c5ab728a61a040012923e3b3 ]
When we will move the whole RX path under the msk socket lock, updating
the already queued skb for passive fastopen socket at 3rd ack time will
be extremely painful and race prone
The map_seq for already enqueued skbs is used only to allow correct
coalescing with later data; preventing collapsing to the first skb of
a fastopen connect we can completely remove the
__mptcp_fastopen_gen_msk_ackseq() helper.
Before dropping this helper, a new item had to be added to the
mptcp_skb_cb structure. Because this item will be frequently tested in
the fast path -- almost on every packet -- and because there is free
space there, a single byte is used instead of a bitfield. This micro
optimisation slightly reduces the number of CPU operations to do the
associated check.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250218-net-next-mptcp-rx-path-refactor-v1-2-4a47d90d7998@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 6254a16d6f0c ("mptcp: fix rx timestamp corruption on fastopen")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/fastopen.c | 24 ++----------------------
net/mptcp/protocol.c | 4 +++-
net/mptcp/protocol.h | 5 ++---
net/mptcp/subflow.c | 3 ---
4 files changed, 7 insertions(+), 29 deletions(-)
--- a/net/mptcp/fastopen.c
+++ b/net/mptcp/fastopen.c
@@ -40,13 +40,12 @@ void mptcp_fastopen_subflow_synack_set_p
tp->copied_seq += skb->len;
subflow->ssn_offset += skb->len;
- /* initialize a dummy sequence number, we will update it at MPC
- * completion, if needed
- */
+ /* Only the sequence delta is relevant */
MPTCP_SKB_CB(skb)->map_seq = -skb->len;
MPTCP_SKB_CB(skb)->end_seq = 0;
MPTCP_SKB_CB(skb)->offset = 0;
MPTCP_SKB_CB(skb)->has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
+ MPTCP_SKB_CB(skb)->cant_coalesce = 1;
mptcp_data_lock(sk);
@@ -58,22 +57,3 @@ void mptcp_fastopen_subflow_synack_set_p
mptcp_data_unlock(sk);
}
-
-void __mptcp_fastopen_gen_msk_ackseq(struct mptcp_sock *msk, struct mptcp_subflow_context *subflow,
- const struct mptcp_options_received *mp_opt)
-{
- struct sock *sk = (struct sock *)msk;
- struct sk_buff *skb;
-
- skb = skb_peek_tail(&sk->sk_receive_queue);
- if (skb) {
- WARN_ON_ONCE(MPTCP_SKB_CB(skb)->end_seq);
- pr_debug("msk %p moving seq %llx -> %llx end_seq %llx -> %llx\n", sk,
- MPTCP_SKB_CB(skb)->map_seq, MPTCP_SKB_CB(skb)->map_seq + msk->ack_seq,
- MPTCP_SKB_CB(skb)->end_seq, MPTCP_SKB_CB(skb)->end_seq + msk->ack_seq);
- MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq;
- MPTCP_SKB_CB(skb)->end_seq += msk->ack_seq;
- }
-
- pr_debug("msk=%p ack_seq=%llx\n", msk, msk->ack_seq);
-}
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -139,7 +139,8 @@ static bool mptcp_try_coalesce(struct so
bool fragstolen;
int delta;
- if (MPTCP_SKB_CB(from)->offset ||
+ if (unlikely(MPTCP_SKB_CB(to)->cant_coalesce) ||
+ MPTCP_SKB_CB(from)->offset ||
((to->len + from->len) > (sk->sk_rcvbuf >> 3)) ||
!skb_try_coalesce(to, from, &fragstolen, &delta))
return false;
@@ -370,6 +371,7 @@ static bool __mptcp_move_skb(struct mptc
MPTCP_SKB_CB(skb)->end_seq = MPTCP_SKB_CB(skb)->map_seq + copy_len;
MPTCP_SKB_CB(skb)->offset = offset;
MPTCP_SKB_CB(skb)->has_rxtstamp = has_rxtstamp;
+ MPTCP_SKB_CB(skb)->cant_coalesce = 0;
if (MPTCP_SKB_CB(skb)->map_seq == msk->ack_seq) {
/* in sequence */
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -129,7 +129,8 @@ struct mptcp_skb_cb {
u64 map_seq;
u64 end_seq;
u32 offset;
- u8 has_rxtstamp:1;
+ u8 has_rxtstamp;
+ u8 cant_coalesce;
};
#define MPTCP_SKB_CB(__skb) ((struct mptcp_skb_cb *)&((__skb)->cb[0]))
@@ -988,8 +989,6 @@ void mptcp_event_pm_listener(const struc
enum mptcp_event_type event);
bool mptcp_userspace_pm_active(const struct mptcp_sock *msk);
-void __mptcp_fastopen_gen_msk_ackseq(struct mptcp_sock *msk, struct mptcp_subflow_context *subflow,
- const struct mptcp_options_received *mp_opt);
void mptcp_fastopen_subflow_synack_set_params(struct mptcp_subflow_context *subflow,
struct request_sock *req);
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -778,9 +778,6 @@ void __mptcp_subflow_fully_established(s
subflow_set_remote_key(msk, subflow, mp_opt);
subflow->fully_established = 1;
WRITE_ONCE(msk->fully_established, true);
-
- if (subflow->is_mptfo)
- __mptcp_fastopen_gen_msk_ackseq(msk, subflow, mp_opt);
}
static struct sock *subflow_syn_recv_sock(const struct sock *sk,
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 495/508] mptcp: fix rx timestamp corruption on fastopen
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 494/508] mptcp: drop __mptcp_fastopen_gen_msk_ackseq() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 496/508] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
` (14 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 6254a16d6f0c672e3809ca5d7c9a28a55d71f764 ]
The skb cb offset containing the timestamp presence flag is cleared
before loading such information. Cache such value before MPTCP CB
initialization.
Fixes: 36b122baf6a8 ("mptcp: add subflow_v(4,6)_send_synack()")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-3-b70118df778e@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/fastopen.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/mptcp/fastopen.c
+++ b/net/mptcp/fastopen.c
@@ -12,6 +12,7 @@ void mptcp_fastopen_subflow_synack_set_p
struct sock *sk, *ssk;
struct sk_buff *skb;
struct tcp_sock *tp;
+ bool has_rxtstamp;
/* on early fallback the subflow context is deleted by
* subflow_syn_recv_sock()
@@ -39,12 +40,13 @@ void mptcp_fastopen_subflow_synack_set_p
*/
tp->copied_seq += skb->len;
subflow->ssn_offset += skb->len;
+ has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
/* Only the sequence delta is relevant */
MPTCP_SKB_CB(skb)->map_seq = -skb->len;
MPTCP_SKB_CB(skb)->end_seq = 0;
MPTCP_SKB_CB(skb)->offset = 0;
- MPTCP_SKB_CB(skb)->has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
+ MPTCP_SKB_CB(skb)->has_rxtstamp = has_rxtstamp;
MPTCP_SKB_CB(skb)->cant_coalesce = 1;
mptcp_data_lock(sk);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 496/508] mptcp: pm: prio: skip closed subflows
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 495/508] mptcp: fix rx timestamp corruption on fastopen Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 497/508] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
` (13 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 166b78344031bf7ac9f55cb5282776cfd85f220e ]
When sending an MP_PRIO, closed subflows need to be skipped.
This fixes the case where the initial subflow got closed, re-opened
later, then an MP_PRIO is needed for the same local address.
Note that explicit MP_PRIO cannot be sent during the 3WHS, so it is fine
to use __mptcp_subflow_active().
Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support")
Cc: stable@vger.kernel.org
Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-9-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to renamed function `mptcp_pm_nl_mp_prio_send_ack()` in `pm_netlink.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -923,6 +923,9 @@ int mptcp_pm_nl_mp_prio_send_ack(struct
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
struct mptcp_addr_info local, remote;
+ if (!__mptcp_subflow_active(subflow))
+ continue;
+
mptcp_local_address((struct sock_common *)ssk, &local);
if (!mptcp_addresses_equal(&local, addr, addr->port))
continue;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 497/508] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 496/508] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 498/508] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
` (12 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit b12014d2d36eaed4e4bec5f1ac7e91110eeb100d ]
When adding the ADD_ADDR to the list, the address including the IP, port
and ID are copied. On the other hand, when the endpoint corresponds to
the one from the initial subflow, the ID is set to 0, as specified by
the MPTCP protocol.
The issue is that the ID was reset after having copied the ID in the
ADD_ADDR entry. So the retransmission was done, but using a different ID
than the initial one.
Fixes: 8b8ed1b429f8 ("mptcp: pm: reuse ID 0 after delete and re-add")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-1-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to net/mptcp/pm_netlink.c instead of upstream's pm_kernel.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -591,6 +591,8 @@ static void mptcp_pm_create_subflow_or_s
/* check first for announce */
if (msk->pm.add_addr_signaled < add_addr_signal_max) {
+ u8 endp_id;
+
/* due to racing events on both ends we can reach here while
* previous add address is still running: if we invoke now
* mptcp_pm_announce_addr(), that will fail and the
@@ -604,19 +606,20 @@ static void mptcp_pm_create_subflow_or_s
if (!select_signal_address(pernet, msk, &local))
goto subflow;
+ /* Special case for ID0: set the correct ID */
+ endp_id = local.addr.id;
+ if (endp_id == msk->mpc_endpoint_id)
+ local.addr.id = 0;
+
/* If the alloc fails, we are on memory pressure, not worth
* continuing, and trying to create subflows.
*/
if (!mptcp_pm_alloc_anno_list(msk, &local.addr))
return;
- __clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
+ __clear_bit(endp_id, msk->pm.id_avail_bitmap);
msk->pm.add_addr_signaled++;
- /* Special case for ID0: set the correct ID */
- if (local.addr.id == msk->mpc_endpoint_id)
- local.addr.id = 0;
-
mptcp_pm_announce_addr(msk, &local.addr, false);
mptcp_pm_nl_addr_send_ack(msk);
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 498/508] f2fs: fix incorrect file address mapping when inline inode is unwritten
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 497/508] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 499/508] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
` (11 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
[ Upstream commit 68a0178981a0f493295afa29f8880246e561494c ]
When `fileinfo->fi_flags` does not have the `FIEMAP_FLAG_SYNC` bit set
and inline data has not been persisted yet, the physical address of the
extent is calculated incorrectly for unwritten inline inodes.
root@vm:/mnt/f2fs# dd if=/dev/zero of=data.3k bs=3k count=1
root@vm:/mnt/f2fs# f2fs_io fiemap 0 100 data.3k
Fiemap: offset = 0 len = 100
logical addr. physical addr. length flags
0 0000000000000000 00000ffffffff16c 0000000000000c00 00000301
This patch fixes the issue by checking if the inode's address is valid.
If the inline inode is unwritten, set the physical address to 0 and
mark the extent with `FIEMAP_EXTENT_UNKNOWN | FIEMAP_EXTENT_DELALLOC`
flags.
Cc: stable@kernel.org
Fixes: 67f8cf3cee6f ("f2fs: support fiemap for inline_data")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ renamed `ifolio` to `ipage` in `inline_data_addr()` and `F2FS_INODE()` calls ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inline.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -791,7 +791,7 @@ int f2fs_read_inline_dir(struct file *fi
int f2fs_inline_data_fiemap(struct inode *inode,
struct fiemap_extent_info *fieinfo, __u64 start, __u64 len)
{
- __u64 byteaddr, ilen;
+ __u64 byteaddr = 0, ilen;
__u32 flags = FIEMAP_EXTENT_DATA_INLINE | FIEMAP_EXTENT_NOT_ALIGNED |
FIEMAP_EXTENT_LAST;
struct node_info ni;
@@ -824,9 +824,14 @@ int f2fs_inline_data_fiemap(struct inode
if (err)
goto out;
- byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
- byteaddr += (char *)inline_data_addr(inode, ipage) -
- (char *)F2FS_INODE(ipage);
+ if (__is_valid_data_blkaddr(ni.blk_addr)) {
+ byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
+ byteaddr += (char *)inline_data_addr(inode, ipage) -
+ (char *)F2FS_INODE(ipage);
+ } else {
+ f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR);
+ flags |= FIEMAP_EXTENT_DELALLOC | FIEMAP_EXTENT_UNKNOWN;
+ }
err = fiemap_fill_next_extent(fieinfo, start, byteaddr, ilen, flags);
trace_f2fs_fiemap(inode, start, byteaddr, ilen, flags, err);
out:
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 499/508] f2fs: fix false alarm of lockdep on cp_global_sem lock
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 498/508] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 500/508] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
` (10 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Shinichiro Kawasaki, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ]
lockdep reported a potential deadlock:
a) TCMU device removal context:
- call del_gendisk() to get q->q_usage_counter
- call start_flush_work() to get work_completion of wb->dwork
b) f2fs writeback context:
- in wb_workfn(), which holds work_completion of wb->dwork
- call f2fs_balance_fs() to get sbi->gc_lock
c) f2fs vfs_write context:
- call f2fs_gc() to get sbi->gc_lock
- call f2fs_write_checkpoint() to get sbi->cp_global_sem
d) f2fs mount context:
- call recover_fsync_data() to get sbi->cp_global_sem
- call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones()
that goes down to blk_mq_alloc_request and get q->q_usage_counter
Original callstack is in Closes tag.
However, I think this is a false alarm due to before mount returns
successfully (context d), we can not access file therein via vfs_write
(context c).
Let's introduce per-sb cp_global_sem_key, and assign the key for
cp_global_sem, so that lockdep can recognize cp_global_sem from
different super block correctly.
A lot of work are done by Shin'ichiro Kawasaki, thanks a lot for
the work.
Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones")
Cc: stable@kernel.org
Reported-and-tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ re-anchored lockdep_register_key after init_f2fs_rwsem and placed lockdep_unregister_key before kfree(sbi) in f2fs_put_super instead of kill_f2fs_super ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 3 +++
fs/f2fs/super.c | 11 +++++++++++
2 files changed, 14 insertions(+)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1824,6 +1824,9 @@ struct f2fs_sb_info {
spinlock_t iostat_lat_lock;
struct iostat_lat_info *iostat_io_lat;
#endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lock_class_key cp_global_sem_key;
+#endif
};
/* Definitions to access f2fs_sb_info */
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1695,6 +1695,9 @@ static void f2fs_put_super(struct super_
#if IS_ENABLED(CONFIG_UNICODE)
utf8_unload(sb->s_encoding);
#endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
kfree(sbi);
}
@@ -4380,6 +4383,11 @@ try_onemore:
init_f2fs_rwsem(&sbi->gc_lock);
mutex_init(&sbi->writepages);
init_f2fs_rwsem(&sbi->cp_global_sem);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_register_key(&sbi->cp_global_sem_key);
+ lockdep_set_class(&sbi->cp_global_sem.internal_rwsem,
+ &sbi->cp_global_sem_key);
+#endif
init_f2fs_rwsem(&sbi->node_write);
init_f2fs_rwsem(&sbi->node_change);
spin_lock_init(&sbi->stat_lock);
@@ -4838,6 +4846,9 @@ free_sb_buf:
free_sbi:
if (sbi->s_chksum_driver)
crypto_free_shash(sbi->s_chksum_driver);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
kfree(sbi);
/* give only one another chance */
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 500/508] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 499/508] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 501/508] ksmbd: validate inherited ACE SID length Greg Kroah-Hartman
` (9 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Jason Gunthorpe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit 6aaa978c6b6218cfac15fe1dab17c76fe229ce3f ]
Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal
destroy path cleans it up.
Cc: stable@vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
Link: https://patch.msgid.link/r/7-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mana/qp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -237,13 +237,15 @@ static int mana_ib_create_qp_rss(struct
ibdev_dbg(&mdev->ib_dev,
"Failed to copy to udata create rss-qp, %d\n",
ret);
- goto fail;
+ goto err_disable_vport_rx;
}
kfree(mana_ind_table);
return 0;
+err_disable_vport_rx:
+ mana_disable_vport_rx(mpc);
fail:
while (i-- > 0) {
ibwq = ind_tbl->ind_tbl[i];
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 501/508] ksmbd: validate inherited ACE SID length
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 500/508] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 502/508] spi: st-ssc4: switch to use modern name Greg Kroah-Hartman
` (8 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shota Zaizen, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shota Zaizen <s@zaizen.me>
[ Upstream commit 996454bc0da84d5a1dedb1a7861823087e01a7ae ]
smb_inherit_dacl() walks the parent directory DACL loaded from the
security descriptor xattr. It verifies that each ACE contains the fixed
SID header before using it, but does not verify that the variable-length
SID described by sid.num_subauth is fully contained in the ACE.
A malformed inheritable ACE can advertise more subauthorities than are
present in the ACE. compare_sids() may then read past the ACE.
smb_set_ace() also clamps the copied destination SID, but used the
unchecked source SID count to compute the inherited ACE size. That could
advance the temporary inherited ACE buffer pointer and nt_size accounting
past the allocated buffer.
Fix this by validating the parent ACE SID count and SID length before
using the SID during inheritance. Compute the inherited ACE size from the
copied SID so the size matches the bounded destination SID. Reject the
inherited DACL if size accumulation would overflow smb_acl.size or the
security descriptor allocation size.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Shota Zaizen <s@zaizen.me>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 66 ++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 52 insertions(+), 14 deletions(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1025,7 +1025,26 @@ static void smb_set_ace(struct smb_ace *
ace->flags = flags;
ace->access_req = access_req;
smb_copy_sid(&ace->sid, sid);
- ace->size = cpu_to_le16(1 + 1 + 2 + 4 + 1 + 1 + 6 + (sid->num_subauth * 4));
+ ace->size = cpu_to_le16(1 + 1 + 2 + 4 + 1 + 1 + 6 +
+ (ace->sid.num_subauth * 4));
+}
+
+static int smb_append_inherited_ace(struct smb_ace **ace, int *nt_size,
+ u16 *ace_cnt, const struct smb_sid *sid,
+ u8 type, u8 flags, __le32 access_req)
+{
+ int ace_size;
+
+ smb_set_ace(*ace, sid, type, flags, access_req);
+ ace_size = le16_to_cpu((*ace)->size);
+ /* pdacl->size is __le16 and includes struct smb_acl. */
+ if (check_add_overflow(*nt_size, ace_size, nt_size) ||
+ *nt_size > U16_MAX - (int)sizeof(struct smb_acl))
+ return -EINVAL;
+
+ (*ace_cnt)++;
+ *ace = (struct smb_ace *)((char *)*ace + ace_size);
+ return 0;
}
int smb_inherit_dacl(struct ksmbd_conn *conn,
@@ -1090,6 +1109,12 @@ int smb_inherit_dacl(struct ksmbd_conn *
if (pace_size > aces_size)
break;
+ if (parent_aces->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ pace_size < offsetof(struct smb_ace, sid) +
+ CIFS_SID_BASE_SIZE +
+ sizeof(__le32) * parent_aces->sid.num_subauth)
+ break;
+
aces_size -= pace_size;
flags = parent_aces->flags;
@@ -1119,22 +1144,24 @@ int smb_inherit_dacl(struct ksmbd_conn *
}
if (is_dir && creator && flags & CONTAINER_INHERIT_ACE) {
- smb_set_ace(aces, psid, parent_aces->type, inherited_flags,
- parent_aces->access_req);
- nt_size += le16_to_cpu(aces->size);
- ace_cnt++;
- aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
+ rc = smb_append_inherited_ace(&aces, &nt_size, &ace_cnt,
+ psid, parent_aces->type,
+ inherited_flags,
+ parent_aces->access_req);
+ if (rc)
+ goto free_aces_base;
flags |= INHERIT_ONLY_ACE;
psid = creator;
} else if (is_dir && !(parent_aces->flags & NO_PROPAGATE_INHERIT_ACE)) {
psid = &parent_aces->sid;
}
- smb_set_ace(aces, psid, parent_aces->type, flags | inherited_flags,
- parent_aces->access_req);
- nt_size += le16_to_cpu(aces->size);
- aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
- ace_cnt++;
+ rc = smb_append_inherited_ace(&aces, &nt_size, &ace_cnt, psid,
+ parent_aces->type,
+ flags | inherited_flags,
+ parent_aces->access_req);
+ if (rc)
+ goto free_aces_base;
pass:
parent_aces = (struct smb_ace *)((char *)parent_aces + pace_size);
}
@@ -1144,7 +1171,7 @@ pass:
struct smb_acl *pdacl;
struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL;
int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
- int pntsd_alloc_size;
+ size_t pntsd_alloc_size;
if (parent_pntsd->osidoffset) {
powner_sid = (struct smb_sid *)((char *)parent_pntsd +
@@ -1157,8 +1184,19 @@ pass:
pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4);
}
- pntsd_alloc_size = sizeof(struct smb_ntsd) + powner_sid_size +
- pgroup_sid_size + sizeof(struct smb_acl) + nt_size;
+ if (check_add_overflow(sizeof(struct smb_ntsd),
+ (size_t)powner_sid_size,
+ &pntsd_alloc_size) ||
+ check_add_overflow(pntsd_alloc_size,
+ (size_t)pgroup_sid_size,
+ &pntsd_alloc_size) ||
+ check_add_overflow(pntsd_alloc_size, sizeof(struct smb_acl),
+ &pntsd_alloc_size) ||
+ check_add_overflow(pntsd_alloc_size, (size_t)nt_size,
+ &pntsd_alloc_size)) {
+ rc = -EINVAL;
+ goto free_aces_base;
+ }
pntsd = kzalloc(pntsd_alloc_size, GFP_KERNEL);
if (!pntsd) {
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 502/508] spi: st-ssc4: switch to use modern name
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 501/508] ksmbd: validate inherited ACE SID length Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 503/508] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
` (7 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e6b7e64cb11966b26646a362677ca5a08481157e ]
Change legacy name master/slave to modern name host/target or controller.
No functional changed.
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://msgid.link/r/20231128093031.3707034-4-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 19857374010d ("spi: st-ssc4: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-st-ssc4.c | 70 +++++++++++++++++++++++-----------------------
1 file changed, 35 insertions(+), 35 deletions(-)
--- a/drivers/spi/spi-st-ssc4.c
+++ b/drivers/spi/spi-st-ssc4.c
@@ -6,7 +6,7 @@
* Patrice Chotard <patrice.chotard@st.com>
* Lee Jones <lee.jones@linaro.org>
*
- * SPI master mode controller driver, used in STMicroelectronics devices.
+ * SPI host mode controller driver, used in STMicroelectronics devices.
*/
#include <linux/clk.h>
@@ -115,10 +115,10 @@ static void ssc_read_rx_fifo(struct spi_
spi_st->words_remaining -= count;
}
-static int spi_st_transfer_one(struct spi_master *master,
+static int spi_st_transfer_one(struct spi_controller *host,
struct spi_device *spi, struct spi_transfer *t)
{
- struct spi_st *spi_st = spi_master_get_devdata(master);
+ struct spi_st *spi_st = spi_controller_get_devdata(host);
uint32_t ctl = 0;
/* Setup transfer */
@@ -165,7 +165,7 @@ static int spi_st_transfer_one(struct sp
if (ctl)
writel_relaxed(ctl, spi_st->base + SSC_CTL);
- spi_finalize_current_transfer(spi->master);
+ spi_finalize_current_transfer(spi->controller);
return t->len;
}
@@ -174,7 +174,7 @@ static int spi_st_transfer_one(struct sp
#define MODEBITS (SPI_CPOL | SPI_CPHA | SPI_LSB_FIRST | SPI_LOOP | SPI_CS_HIGH)
static int spi_st_setup(struct spi_device *spi)
{
- struct spi_st *spi_st = spi_master_get_devdata(spi->master);
+ struct spi_st *spi_st = spi_controller_get_devdata(spi->controller);
u32 spi_st_clk, sscbrg, var;
u32 hz = spi->max_speed_hz;
@@ -274,35 +274,35 @@ static irqreturn_t spi_st_irq(int irq, v
static int spi_st_probe(struct platform_device *pdev)
{
struct device_node *np = pdev->dev.of_node;
- struct spi_master *master;
+ struct spi_controller *host;
struct spi_st *spi_st;
int irq, ret = 0;
u32 var;
- master = spi_alloc_master(&pdev->dev, sizeof(*spi_st));
- if (!master)
+ host = spi_alloc_host(&pdev->dev, sizeof(*spi_st));
+ if (!host)
return -ENOMEM;
- master->dev.of_node = np;
- master->mode_bits = MODEBITS;
- master->setup = spi_st_setup;
- master->transfer_one = spi_st_transfer_one;
- master->bits_per_word_mask = SPI_BPW_MASK(8) | SPI_BPW_MASK(16);
- master->auto_runtime_pm = true;
- master->bus_num = pdev->id;
- master->use_gpio_descriptors = true;
- spi_st = spi_master_get_devdata(master);
+ host->dev.of_node = np;
+ host->mode_bits = MODEBITS;
+ host->setup = spi_st_setup;
+ host->transfer_one = spi_st_transfer_one;
+ host->bits_per_word_mask = SPI_BPW_MASK(8) | SPI_BPW_MASK(16);
+ host->auto_runtime_pm = true;
+ host->bus_num = pdev->id;
+ host->use_gpio_descriptors = true;
+ spi_st = spi_controller_get_devdata(host);
spi_st->clk = devm_clk_get(&pdev->dev, "ssc");
if (IS_ERR(spi_st->clk)) {
dev_err(&pdev->dev, "Unable to request clock\n");
ret = PTR_ERR(spi_st->clk);
- goto put_master;
+ goto put_host;
}
ret = clk_prepare_enable(spi_st->clk);
if (ret)
- goto put_master;
+ goto put_host;
init_completion(&spi_st->done);
@@ -324,7 +324,7 @@ static int spi_st_probe(struct platform_
var &= ~SSC_CTL_SR;
writel_relaxed(var, spi_st->base + SSC_CTL);
- /* Set SSC into slave mode before reconfiguring PIO pins */
+ /* Set SSC into target mode before reconfiguring PIO pins */
var = readl_relaxed(spi_st->base + SSC_CTL);
var &= ~SSC_CTL_MS;
writel_relaxed(var, spi_st->base + SSC_CTL);
@@ -347,11 +347,11 @@ static int spi_st_probe(struct platform_
pm_runtime_set_active(&pdev->dev);
pm_runtime_enable(&pdev->dev);
- platform_set_drvdata(pdev, master);
+ platform_set_drvdata(pdev, host);
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = devm_spi_register_controller(&pdev->dev, host);
if (ret) {
- dev_err(&pdev->dev, "Failed to register master\n");
+ dev_err(&pdev->dev, "Failed to register host\n");
goto rpm_disable;
}
@@ -361,15 +361,15 @@ rpm_disable:
pm_runtime_disable(&pdev->dev);
clk_disable:
clk_disable_unprepare(spi_st->clk);
-put_master:
- spi_master_put(master);
+put_host:
+ spi_controller_put(host);
return ret;
}
static void spi_st_remove(struct platform_device *pdev)
{
- struct spi_master *master = platform_get_drvdata(pdev);
- struct spi_st *spi_st = spi_master_get_devdata(master);
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct spi_st *spi_st = spi_controller_get_devdata(host);
pm_runtime_disable(&pdev->dev);
@@ -381,8 +381,8 @@ static void spi_st_remove(struct platfor
#ifdef CONFIG_PM
static int spi_st_runtime_suspend(struct device *dev)
{
- struct spi_master *master = dev_get_drvdata(dev);
- struct spi_st *spi_st = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(dev);
+ struct spi_st *spi_st = spi_controller_get_devdata(host);
writel_relaxed(0, spi_st->base + SSC_IEN);
pinctrl_pm_select_sleep_state(dev);
@@ -394,8 +394,8 @@ static int spi_st_runtime_suspend(struct
static int spi_st_runtime_resume(struct device *dev)
{
- struct spi_master *master = dev_get_drvdata(dev);
- struct spi_st *spi_st = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(dev);
+ struct spi_st *spi_st = spi_controller_get_devdata(host);
int ret;
ret = clk_prepare_enable(spi_st->clk);
@@ -408,10 +408,10 @@ static int spi_st_runtime_resume(struct
#ifdef CONFIG_PM_SLEEP
static int spi_st_suspend(struct device *dev)
{
- struct spi_master *master = dev_get_drvdata(dev);
+ struct spi_controller *host = dev_get_drvdata(dev);
int ret;
- ret = spi_master_suspend(master);
+ ret = spi_controller_suspend(host);
if (ret)
return ret;
@@ -420,10 +420,10 @@ static int spi_st_suspend(struct device
static int spi_st_resume(struct device *dev)
{
- struct spi_master *master = dev_get_drvdata(dev);
+ struct spi_controller *host = dev_get_drvdata(dev);
int ret;
- ret = spi_master_resume(master);
+ ret = spi_controller_resume(host);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 503/508] spi: st-ssc4: fix controller deregistration
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 502/508] spi: st-ssc4: switch to use modern name Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 504/508] media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 Greg Kroah-Hartman
` (6 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, Johan Hovold, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 19857374010d06ca6a2f7c2c53464122eb804df0 ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: 9e862375c542 ("spi: Add new driver for STMicroelectronics' SPI Controller")
Cc: stable@vger.kernel.org # 4.0
Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-18-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-st-ssc4.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-st-ssc4.c
+++ b/drivers/spi/spi-st-ssc4.c
@@ -349,7 +349,7 @@ static int spi_st_probe(struct platform_
platform_set_drvdata(pdev, host);
- ret = devm_spi_register_controller(&pdev->dev, host);
+ ret = spi_register_controller(host);
if (ret) {
dev_err(&pdev->dev, "Failed to register host\n");
goto rpm_disable;
@@ -371,10 +371,16 @@ static void spi_st_remove(struct platfor
struct spi_controller *host = platform_get_drvdata(pdev);
struct spi_st *spi_st = spi_controller_get_devdata(host);
+ spi_controller_get(host);
+
+ spi_unregister_controller(host);
+
pm_runtime_disable(&pdev->dev);
clk_disable_unprepare(spi_st->clk);
+ spi_controller_put(host);
+
pinctrl_pm_select_sleep_state(&pdev->dev);
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 504/508] media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 503/508] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 505/508] spi: sifive: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
` (5 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guoniu Zhou, Laurent Pinchart,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guoniu Zhou <guoniu.zhou@nxp.com>
[ Upstream commit 2f38622d0f85f317be9e6b131da6cd511db94fd2 ]
Fix a hang issue when capturing a single frame with applications like cam
in libcamera. It would hang waiting for the driver to complete the buffer,
but streaming never starts because min_queued_buffers was set to 2.
The ISI module uses a ping-pong buffer mechanism that requires two buffers
to be programmed at all times. However, when fewer than 2 user buffers are
available, the driver use internal discard buffers to fill the remaining
slot(s). Reduce minimum queued buffers from 2 to 0 allows streaming to
start without any queued buffers.
Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Guoniu Zhou <guoniu.zhou@nxp.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://patch.msgid.link/20260312-isi_min_buffers-v2-1-d5ea1c79ad81@nxp.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ renamed `min_queued_buffers` to `min_buffers_needed` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/nxp/imx8-isi/imx8-isi-video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-video.c
+++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-video.c
@@ -1456,7 +1456,7 @@ int mxc_isi_video_register(struct mxc_is
q->mem_ops = &vb2_dma_contig_memops;
q->buf_struct_size = sizeof(struct mxc_isi_buffer);
q->timestamp_flags = V4L2_BUF_FLAG_TIMESTAMP_MONOTONIC;
- q->min_buffers_needed = 2;
+ q->min_buffers_needed = 0;
q->lock = &video->lock;
q->dev = pipe->isi->dev;
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 505/508] spi: sifive: Simplify clock handling with devm_clk_get_enabled()
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 504/508] media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 506/508] spi: sifive: fix controller deregistration Greg Kroah-Hartman
` (4 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit 140039c23aca067b9ff0242e3c0ce96276bb95f3 ]
Replace devm_clk_get() followed by clk_prepare_enable() with
devm_clk_get_enabled() for the bus clock. This reduces boilerplate code
and error handling, as the managed API automatically disables the clock
when the device is removed or if probe fails.
Remove the now-unnecessary clk_disable_unprepare() calls from the probe
error path and the remove callback. Adjust the error handling to use the
existing put_host label.
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/73d0d8ecb4e1af5a558d6a7866c0f886d94fe3d1.1773885292.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0f25236694a2 ("spi: sifive: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sifive.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- a/drivers/spi/spi-sifive.c
+++ b/drivers/spi/spi-sifive.c
@@ -312,7 +312,8 @@ static int sifive_spi_probe(struct platf
goto put_host;
}
- spi->clk = devm_clk_get(&pdev->dev, NULL);
+ /* Spin up the bus clock before hitting registers */
+ spi->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(spi->clk)) {
dev_err(&pdev->dev, "Unable to find bus clock\n");
ret = PTR_ERR(spi->clk);
@@ -342,13 +343,6 @@ static int sifive_spi_probe(struct platf
goto put_host;
}
- /* Spin up the bus clock before hitting registers */
- ret = clk_prepare_enable(spi->clk);
- if (ret) {
- dev_err(&pdev->dev, "Unable to enable bus clock\n");
- goto put_host;
- }
-
/* probe the number of CS lines */
spi->cs_inactive = sifive_spi_read(spi, SIFIVE_SPI_REG_CSDEF);
sifive_spi_write(spi, SIFIVE_SPI_REG_CSDEF, 0xffffffffU);
@@ -357,14 +351,14 @@ static int sifive_spi_probe(struct platf
if (!cs_bits) {
dev_err(&pdev->dev, "Could not auto probe CS lines\n");
ret = -EINVAL;
- goto disable_clk;
+ goto put_host;
}
num_cs = ilog2(cs_bits) + 1;
if (num_cs > SIFIVE_SPI_MAX_CS) {
dev_err(&pdev->dev, "Invalid number of spi targets\n");
ret = -EINVAL;
- goto disable_clk;
+ goto put_host;
}
/* Define our host */
@@ -393,7 +387,7 @@ static int sifive_spi_probe(struct platf
dev_name(&pdev->dev), spi);
if (ret) {
dev_err(&pdev->dev, "Unable to bind to interrupt\n");
- goto disable_clk;
+ goto put_host;
}
dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
@@ -402,13 +396,11 @@ static int sifive_spi_probe(struct platf
ret = devm_spi_register_controller(&pdev->dev, host);
if (ret < 0) {
dev_err(&pdev->dev, "spi_register_host failed\n");
- goto disable_clk;
+ goto put_host;
}
return 0;
-disable_clk:
- clk_disable_unprepare(spi->clk);
put_host:
spi_controller_put(host);
@@ -422,7 +414,6 @@ static void sifive_spi_remove(struct pla
/* Disable all the interrupts just in case */
sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
- clk_disable_unprepare(spi->clk);
}
static int sifive_spi_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 506/508] spi: sifive: fix controller deregistration
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 505/508] spi: sifive: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 507/508] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
` (3 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yash Shah, Johan Hovold, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 0f25236694a2854627c1597465a071e6bb6fe572 ]
Make sure to deregister the controller before disabling underlying
resources like interrupts during driver unbind.
Note that clocks were also disabled before the recent commit
140039c23aca ("spi: sifive: Simplify clock handling with
devm_clk_get_enabled()").
Fixes: 484a9a68d669 ("spi: sifive: Add driver for the SiFive SPI controller")
Cc: stable@vger.kernel.org # 5.1
Cc: Yash Shah <yash.shah@sifive.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-15-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sifive.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-sifive.c
+++ b/drivers/spi/spi-sifive.c
@@ -393,7 +393,7 @@ static int sifive_spi_probe(struct platf
dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
irq, host->num_chipselect);
- ret = devm_spi_register_controller(&pdev->dev, host);
+ ret = spi_register_controller(host);
if (ret < 0) {
dev_err(&pdev->dev, "spi_register_host failed\n");
goto put_host;
@@ -412,8 +412,14 @@ static void sifive_spi_remove(struct pla
struct spi_controller *host = platform_get_drvdata(pdev);
struct sifive_spi *spi = spi_controller_get_devdata(host);
+ spi_controller_get(host);
+
+ spi_unregister_controller(host);
+
/* Disable all the interrupts just in case */
sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
+
+ spi_controller_put(host);
}
static int sifive_spi_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 507/508] mptcp: pm: ADD_ADDR rtx: fix potential data-race
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 506/508] spi: sifive: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 508/508] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
` (2 subsequent siblings)
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d ]
This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().
If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied hunk to `net/mptcp/pm_netlink.c` instead of `net/mptcp/pm.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -308,6 +308,13 @@ static void mptcp_pm_add_timer(struct ti
if (!entry->addr.id)
return;
+ bh_lock_sock(sk);
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ sk_reset_timer(sk, timer, jiffies + HZ / 20);
+ goto out;
+ }
+
if (mptcp_pm_should_add_signal_addr(msk)) {
sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
goto out;
@@ -336,6 +343,7 @@ static void mptcp_pm_add_timer(struct ti
mptcp_pm_subflow_established(msk);
out:
+ bh_unlock_sock(sk);
__sock_put(sk);
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* [PATCH 6.6 508/508] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 507/508] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
@ 2026-05-20 16:25 ` Greg Kroah-Hartman
2026-05-20 19:11 ` [PATCH 6.6 000/508] 6.6.141-rc1 review Brett A C Sheffield
2026-05-20 20:33 ` Florian Fainelli
509 siblings, 0 replies; 511+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:25 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 3cf12492891c4b5ff54dda404a2de4ec54c9e1b5 ]
When an ADD_ADDR needs to be retransmitted and another one has already
been prepared -- e.g. multiple ADD_ADDRs have been sent in a row and
need to be retransmitted later -- this additional retransmission will
need to wait.
In this case, the timer was reset to TCP_RTO_MAX / 8, which is ~15
seconds. This delay is unnecessary long: it should just be rescheduled
at the next opportunity, e.g. after the retransmission timeout.
Without this modification, some issues can be seen from time to time in
the selftests when multiple ADD_ADDRs are sent, and the host takes time
to process them, e.g. the "signal addresses, ADD_ADDR timeout" MPTCP
Join selftest, especially with a debug kernel config.
Note that on older kernels, 'timeout' is not available. It should be
enough to replace it by one second (HZ).
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-6-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `TCP_RTO_MAX / 8` with `HZ` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -316,7 +316,7 @@ static void mptcp_pm_add_timer(struct ti
}
if (mptcp_pm_should_add_signal_addr(msk)) {
- sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
+ sk_reset_timer(sk, timer, jiffies + HZ);
goto out;
}
^ permalink raw reply [flat|nested] 511+ messages in thread
* Re: [PATCH 6.6 000/508] 6.6.141-rc1 review
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-05-20 16:25 ` [PATCH 6.6 508/508] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
@ 2026-05-20 19:11 ` Brett A C Sheffield
2026-05-20 20:33 ` Florian Fainelli
509 siblings, 0 replies; 511+ messages in thread
From: Brett A C Sheffield @ 2026-05-20 19:11 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.6.141-rc1-g6c78ba1a564c #1 SMP PREEMPT_DYNAMIC Wed May 20 18:52:34 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 511+ messages in thread
* Re: [PATCH 6.6 000/508] 6.6.141-rc1 review
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-05-20 19:11 ` [PATCH 6.6 000/508] 6.6.141-rc1 review Brett A C Sheffield
@ 2026-05-20 20:33 ` Florian Fainelli
509 siblings, 0 replies; 511+ messages in thread
From: Florian Fainelli @ 2026-05-20 20:33 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 5/20/26 09:17, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.141 release.
> There are 508 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 22 May 2026 16:20:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.141-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
perf fails to build with:
util/symbol-elf.c: In function 'dso__process_kernel_symbol':
util/symbol-elf.c:1379:7: warning: implicit declaration of function
'dso__rel'; did you mean 'dso__get'? [-Wimplicit-function-declaration]
if (dso__rel(dso))
^~~~~~~~
dso__get
this is coming from this commit:
commit 8b4beba45e858aa793dd5d4d2e86d60c8c1915e6
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Mon Mar 23 11:58:04 2026 -0400
perf tools: Fix module symbol resolution for non-zero .text sh_addr
[ Upstream commit 9a82bfde4775b7a87cd1a7e791f46f83ae442848 ]
--
Florian
^ permalink raw reply [flat|nested] 511+ messages in thread
end of thread, other threads:[~2026-05-20 20:33 UTC | newest]
Thread overview: 511+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20 16:17 [PATCH 6.6 000/508] 6.6.141-rc1 review Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 001/508] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 002/508] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 003/508] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 004/508] loop: fix partition scan race between udev and loop_reread_partitions() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 005/508] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 006/508] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 007/508] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 008/508] ACPI: x86: cmos_rtc: Clean up address space handler driver Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 009/508] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 010/508] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 011/508] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 012/508] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 013/508] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 014/508] s390/cio: make sch->lock spinlock pointer a member Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 015/508] s390/cio: convert sprintf()/snprintf() to sysfs_emit() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 016/508] s390/cio: use generic driver_override infrastructure Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 017/508] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 018/508] hrtimers: Update the return type of enqueue_hrtimer() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 019/508] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 020/508] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 021/508] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 022/508] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 023/508] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 024/508] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 025/508] bpf: Add CHECKSUM_COMPLETE to bpf test progs Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 026/508] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 027/508] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 028/508] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 029/508] s390/bpf: Zero-extend bpf prog return values and kfunc arguments Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 030/508] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 031/508] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 032/508] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 033/508] wifi: mt76: mt7615: fix use_cts_prot support Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 034/508] wifi: mt76: mt7915: " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 035/508] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 036/508] arm64: cpufeature: Make PMUVer and PerfMon unsigned Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 037/508] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 038/508] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 039/508] bpf, devmap: Remove unnecessary if check in for loop Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 040/508] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 041/508] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 042/508] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 043/508] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 044/508] selftests/powerpc: Re-order *FLAGS to follow lib.mk Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 045/508] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 046/508] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 047/508] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 048/508] bpf: Fix stale offload->prog pointer after constant blinding Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 049/508] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 050/508] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 051/508] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 052/508] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 053/508] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 054/508] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 055/508] net: bcmgenet: Remove custom ndo_poll_controller() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.6 056/508] net: bcmgenet: add bcmgenet_has_* helpers Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 057/508] net: bcmgenet: move DESC_INDEX flow to ring 0 Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 058/508] net: bcmgenet: support reclaiming unsent Tx packets Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 059/508] net: bcmgenet: switch to use 64bit statistics Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 060/508] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 061/508] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 062/508] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 063/508] bpf: Fix RCU stall in bpf_fd_array_map_clear() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 064/508] 6pack: propagage new tty types Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 065/508] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 066/508] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 067/508] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 068/508] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 069/508] bpf: Fix OOB in pcpu_init_value Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 070/508] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 071/508] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 072/508] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 073/508] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 074/508] net/mlx5e: Fix features not applied during netdev registration Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 075/508] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 076/508] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 077/508] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 078/508] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 079/508] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 080/508] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 081/508] net: phy: aquantia: move to separate directory Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 082/508] net: phy: add Rust Asix PHY driver Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 083/508] net: phy: move at803x PHY driver to dedicated directory Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 084/508] net: phy: qcom: at803x: Use the correct bit to disable extended next page Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 085/508] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 086/508] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 087/508] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 088/508] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 089/508] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 090/508] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 091/508] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 092/508] dm cache: fix write path cache coherency " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 093/508] dm cache: fix write hang " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 094/508] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 095/508] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 096/508] dm cache: support shrinking the origin device Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 097/508] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 098/508] platform/chrome: chromeos_tbmc: Drop wakeup source on remove Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 099/508] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 100/508] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 101/508] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 102/508] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 103/508] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 104/508] spi: fsl-qspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 105/508] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 106/508] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 107/508] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 108/508] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 109/508] crypto: atmel - Remove cfb and ofb Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 110/508] crypto: atmel - Use unregister_{aeads,ahashes,skciphers} Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 111/508] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 112/508] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 113/508] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 114/508] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 115/508] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.6 116/508] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 117/508] drm/msm/dsi: add the missing parameter description Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 118/508] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 119/508] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 120/508] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 121/508] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 122/508] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 123/508] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 124/508] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 125/508] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 126/508] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 127/508] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 128/508] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 129/508] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 130/508] ASoC: SOF: Intel: hda: Place check before dereference Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 131/508] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 132/508] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 133/508] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 134/508] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 135/508] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 136/508] ASoC: fsl_micfil: Add access property for "VAD Detected" Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 137/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 138/508] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 139/508] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 140/508] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 141/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 142/508] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 143/508] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 144/508] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 145/508] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 146/508] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 147/508] crypto: qat - use swab32 macro Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 148/508] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 149/508] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 150/508] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 151/508] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 152/508] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 153/508] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 154/508] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 155/508] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 156/508] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 157/508] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 158/508] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 159/508] PCI: tegra194: Rename root_bus to root_port_bus in tegra_pcie_downstream_dev_to_D0() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 160/508] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 161/508] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 162/508] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 163/508] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 164/508] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 165/508] PCI: tegra194: Use DWC IP core version Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 166/508] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 167/508] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 168/508] ALSA: sc6000: Use standard print API Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 169/508] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 170/508] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 171/508] crypto: jitterentropy - replace long-held spinlock with mutex Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 172/508] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 173/508] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 174/508] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 175/508] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.6 176/508] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 177/508] gfs2: add some missing log locking Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 178/508] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 179/508] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 180/508] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 181/508] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 182/508] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 183/508] memory: tegra30-emc: " Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 184/508] arm64: dts: imx8-apalis: Fix LEDs name collision Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 185/508] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 186/508] iommufd: vfio compatibility extension check for noiommu mode Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 187/508] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 188/508] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 189/508] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 190/508] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 191/508] soc: qcom: ocmem: make the core clock optional Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 192/508] soc: qcom: ocmem: use scoped device node handling to simplify error paths Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 193/508] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 194/508] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 195/508] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 196/508] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 197/508] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 198/508] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 199/508] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 200/508] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 201/508] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 202/508] arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 203/508] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 204/508] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 205/508] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 206/508] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 207/508] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 208/508] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 209/508] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 210/508] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 211/508] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 212/508] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 213/508] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 214/508] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 215/508] ocfs2: validate group add input before caching Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 216/508] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 217/508] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 218/508] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 219/508] soundwire: cadence: Clear message complete before signaling waiting thread Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 220/508] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 221/508] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 222/508] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 223/508] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 224/508] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 225/508] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 226/508] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 227/508] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 228/508] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 229/508] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 230/508] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 231/508] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 232/508] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 233/508] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 234/508] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 235/508] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.6 236/508] bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 237/508] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 238/508] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 239/508] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 240/508] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 241/508] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 242/508] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 243/508] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 244/508] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 245/508] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 246/508] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 247/508] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 248/508] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 249/508] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 250/508] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 251/508] perf lock: Fix option value type in parse_max_stack Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 252/508] perf tools: Fix module symbol resolution for non-zero .text sh_addr Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 253/508] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 254/508] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 255/508] ipmi: ssif_bmc: fix message desynchronization after truncated response Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 256/508] ipmi: ssif_bmc: change log level to dbg in irq callback Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 257/508] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 258/508] i3c: master: Fix error codes at send_ccc_cmd Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 259/508] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 260/508] dev_printk: add new dev_err_probe() helpers Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 261/508] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 262/508] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 263/508] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 264/508] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 265/508] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 266/508] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 267/508] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 268/508] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 269/508] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 270/508] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 271/508] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 272/508] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 273/508] scsi: sg: Make sg_sysfs_class constant Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 274/508] scsi: sg: Fix sysctl sg-big-buff register during sg_init() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 275/508] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 276/508] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 277/508] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 278/508] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 279/508] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 280/508] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 281/508] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 282/508] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 283/508] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 284/508] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 285/508] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 286/508] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 287/508] clk: qoriq: avoid format string warning Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 288/508] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 289/508] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 290/508] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 291/508] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 292/508] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 293/508] f2fs: Use sysfs_emit_at() to simplify code Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 294/508] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 295/508] drm/i915: Constify watermark state checker Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.6 296/508] drm/i915: Simplify watermark state checker calling convention Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 297/508] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 298/508] drm/i915: Loop over all active pipes in intel_mbus_dbox_update Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 299/508] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 300/508] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 301/508] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 302/508] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 303/508] arm64: dts: imx8mp-debix-som-a: " Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 304/508] arm64: dts: imx8mp-icore-mx8mp: " Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 305/508] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 306/508] arm64: dts: imx8mp-data-modul-edm-sbc: " Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 307/508] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 308/508] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 309/508] arm64: dts: imx8mn-tqma8mqnl: " Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 310/508] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 311/508] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 312/508] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 313/508] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 314/508] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 315/508] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 316/508] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 317/508] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 318/508] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 319/508] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 320/508] tcp: annotate data-races around tp->plb_rehash Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 321/508] ice: Remove jumbo_remove step from TX path Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 322/508] ice: fix double-free of tx_buf skb Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 323/508] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 324/508] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 325/508] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 326/508] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 327/508] pppoe: drop PFC frames Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 328/508] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 329/508] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 330/508] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 331/508] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 332/508] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 333/508] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 334/508] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 335/508] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 336/508] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 337/508] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 338/508] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 339/508] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 340/508] ksmbd: Use struct_size() to improve smb_direct_rdma_xmit() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 341/508] ksmbd: add support for supplementary groups Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 342/508] ksmbd: destroy async_ida in ksmbd_conn_free() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 343/508] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 344/508] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 345/508] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 346/508] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 347/508] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 348/508] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 349/508] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 350/508] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 351/508] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 352/508] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 353/508] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 354/508] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 355/508] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.6 356/508] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 357/508] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 358/508] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 359/508] sched/psi: fix race between file release and pressure write Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 360/508] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 361/508] mailbox: add sanity check for channel array Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 362/508] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 363/508] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 364/508] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 365/508] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 366/508] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 367/508] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 368/508] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 369/508] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 370/508] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 371/508] drm/amdgpu: fix spelling typos Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 372/508] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 373/508] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 374/508] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 375/508] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 376/508] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 377/508] drm/sysfb: ofdrm: fix PCI device reference leaks Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 378/508] arm64/scs: Fix potential sign extension issue of advance_loc4 Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 379/508] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 380/508] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 381/508] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 382/508] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 383/508] net/sched: netem: only reseed PRNG when seed is explicitly provided Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 384/508] net/sched: netem: validate slot configuration Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 385/508] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 386/508] net/sched: netem: check for negative latency and jitter Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 387/508] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 388/508] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 389/508] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 390/508] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 391/508] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 392/508] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 393/508] net/sched: taprio: fix NULL pointer dereference in class dump Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 394/508] neighbour: add RCU protection to neigh_tables[] Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 395/508] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 396/508] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 397/508] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 398/508] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 399/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 400/508] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 " Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 401/508] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 " Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 402/508] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 403/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 404/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 405/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 406/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 407/508] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 408/508] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 409/508] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 410/508] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 411/508] ipv4: rename and move ip_route_output_tunnel() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 412/508] ipv4: remove "proto" argument from udp_tunnel_dst_lookup() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 413/508] ipv4: add new arguments to udp_tunnel_dst_lookup() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 414/508] ipv6: rename and move ip6_dst_lookup_tunnel() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 415/508] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.6 416/508] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 417/508] net: netconsole: move newline trimming to function Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 418/508] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 419/508] ALSA: hda/conexant: fix some typos Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 420/508] ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 421/508] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 422/508] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 423/508] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 424/508] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 425/508] bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 426/508] net: bonding: add broadcast_neighbor option for 802.3ad Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 427/508] bonding: add support for per-port LACP actor priority Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 428/508] bonding: print churn state via netlink Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 429/508] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 430/508] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 431/508] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 432/508] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 433/508] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 434/508] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 435/508] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 436/508] sfc: fix error code in efx_devlink_info_running_versions() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 437/508] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 438/508] ntfs: ->d_compare() must not block Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 439/508] Revert "crypto: nx - fix context leak in nx842_crypto_free_ctx" Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 440/508] Revert "crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx" Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 441/508] Revert "crypto: nx - Migrate to scomp API" Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 442/508] smb: client: correctly handle ErrorContextData as a flexible array Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 443/508] smb: client: fix OOB reads parsing symlink error response Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 444/508] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 445/508] net: bcmgenet: Initialize u64 stats seq counter Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 446/508] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 447/508] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 448/508] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 449/508] netconsole: avoid out-of-bounds access on empty string in trim_newline() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 450/508] bonding: fix NULL pointer dereference in actor_port_prio setting Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 451/508] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 452/508] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 453/508] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 454/508] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 455/508] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 456/508] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 457/508] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 458/508] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 459/508] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 460/508] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 461/508] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 462/508] netfilter: nf_tables: unconditionally bump set->nelems before insertion Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 463/508] ASoC: SOF: Intel: hda-dai: remove dspless special case Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 464/508] ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 465/508] ASoC: SOF: Intel: hda: Fix NULL pointer dereference Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 466/508] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 467/508] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 468/508] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 469/508] ALSA: usb-audio: Bound MIDI " Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 470/508] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 471/508] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 472/508] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 473/508] netfs: fix error handling in netfs_extract_user_iter() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 474/508] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 475/508] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.6 476/508] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 477/508] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 478/508] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 479/508] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 480/508] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 481/508] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 482/508] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 483/508] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 484/508] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 485/508] btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 486/508] btrfs: fix double free in create_space_info_sub_group() error path Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 487/508] eventfs: Use list_add_tail_rcu() for SRCU-protected children list Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 488/508] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 489/508] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 490/508] btrfs: use inode already stored in local variable at btrfs_rmdir() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 491/508] btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 492/508] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 493/508] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 494/508] mptcp: drop __mptcp_fastopen_gen_msk_ackseq() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 495/508] mptcp: fix rx timestamp corruption on fastopen Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 496/508] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 497/508] mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 498/508] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 499/508] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 500/508] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 501/508] ksmbd: validate inherited ACE SID length Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 502/508] spi: st-ssc4: switch to use modern name Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 503/508] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 504/508] media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 505/508] spi: sifive: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 506/508] spi: sifive: fix controller deregistration Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 507/508] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
2026-05-20 16:25 ` [PATCH 6.6 508/508] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
2026-05-20 19:11 ` [PATCH 6.6 000/508] 6.6.141-rc1 review Brett A C Sheffield
2026-05-20 20:33 ` Florian Fainelli
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox