* [PATCH 6.18 000/957] 6.18.32-rc1 review
@ 2026-05-20 16:08 Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 001/957] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
` (962 more replies)
0 siblings, 963 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.18.32 release.
There are 957 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 22 May 2026 16:20:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.32-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.18.32-rc1
Johan Hovold <johan@kernel.org>
spi: sifive: fix controller deregistration
Pei Xiao <xiaopei01@kylinos.cn>
spi: sifive: Simplify clock handling with devm_clk_get_enabled()
Chao Yu <chao@kernel.org>
f2fs: fix false alarm of lockdep on cp_global_sem lock
Tejun Heo <tj@kernel.org>
sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before
Tejun Heo <tj@kernel.org>
sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Disable PMI for self-reloaded ACR events
Qu Wenruo <wqu@suse.com>
btrfs: do not mark inode incompressible after inline attempt fails
Piyush Sachdeva <s.piyush1024@gmail.com>
smb: client: Use FullSessionKey for AES-256 encryption key derivation
David Carlier <devnexen@gmail.com>
eventfs: Use list_add_tail_rcu() for SRCU-protected children list
Ashutosh Desai <ashutoshdesai993@gmail.com>
drm/v3d: Reject empty multisync extension to prevent infinite loop
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_lvds: fix hang on init failure
Johan Hovold <johan@kernel.org>
drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
Thomas Hellström <thomas.hellstrom@linux.intel.com>
drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC
Matthew Auld <matthew.auld@intel.com>
drm/xe/dma-buf: fix UAF with retry loop
Matthew Auld <matthew.auld@intel.com>
drm/xe/dma-buf: handle empty bo and UAF races
Gyeyoung Baek <gye976@gmail.com>
drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
Sebastian Brzezinka <sebastian.brzezinka@intel.com>
drm/i915: skip __i915_request_skip() for already signaled requests
Zhenzhong Duan <zhenzhong.duan@intel.com>
iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
Zhenzhong Duan <zhenzhong.duan@intel.com>
iommu/vt-d: Fix oops due to out of scope access
Naval Alcalá <ari@naval.cat>
iommu/vt-d: Disable DMAR for Intel Q35 IGFX
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: handle rbtree insertion error in decode_choose_args()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in crush_decode()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential null-ptr-deref in decode_choose_args()
Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
libceph: Fix potential out-of-bounds access in osdmap_decode()
Sascha Bischoff <Sascha.Bischoff@arm.com>
irqchip/gic-v5: Allocate ITS parent LPIs as a range
Sascha Bischoff <Sascha.Bischoff@arm.com>
irqchip/gic-v5: Support range allocation for LPIs
Sascha Bischoff <Sascha.Bischoff@arm.com>
irqchip/gic-v5: Move LPI allocation into the LPI domain
Xianwei Zhao <xianwei.zhao@amlogic.com>
irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type()
Yong-Xuan Wang <yongxuan.wang@sifive.com>
irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
Scott Mayhew <smayhew@redhat.com>
nfsd: fix file change detection in CB_GETATTR
Paulo Alcantara <pc@manguebit.org>
netfs: fix error handling in netfs_extract_user_iter()
Ma Ke <make24@iscas.ac.cn>
powerpc/warp: Fix error handling in pika_dtm_thread
Vivian Wang <wangruikang@iscas.ac.cn>
riscv: misaligned: Make enabling delegation depend on NONPORTABLE
Carlos López <clopez@suse.de>
virt: sev-guest: Do not use host-controlled page order in cleanup path
Wilfred Mallawa <wilfred.mallawa@wdc.com>
xfs: fix memory leak on error in xfs_alloc_zone_info()
David Woodhouse <dwmw@amazon.co.uk>
x86/kexec: Push kjump return address even for non-kjump kexec
Jose Fernandez (Anthropic) <jose.fernandez@linux.dev>
iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
Nicholas Carlini <nicholas@carlini.com>
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
ceph: fix a buffer leak in __ceph_setxattr()
Qu Wenruo <wqu@suse.com>
btrfs: only release the dirty pages io tree after successful writes
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: qcom: Check offload mapping failures
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Bound MIDI endpoint descriptor scans
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
Markus Kramer <linux@markus-kramer.de>
ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone
Adrien Burnett <an.arctic.pigeon@gmail.com>
ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx
Gyeyoung Baek <gye976@gmail.com>
accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout()
Derek J. Clark <derekjohn.clark@gmail.com>
platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members
Derek J. Clark <derekjohn.clark@gmail.com>
platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
platform/x86: intel: Move debugfs register before creating devices
Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
Edward Adam Davis <eadavis@qq.com>
drm: Replace old pointer to new idr
Myeonghun Pak <mhun512@gmail.com>
drm/loongson: Use managed KMS polling
Ye Bin <yebin10@huawei.com>
smb/client: fix possible infinite loop and oob read in symlink_data()
Nick Chan <towinchenmi@gmail.com>
nvme-apple: Reset q->sq_tail during queue init
Pauli Virtanen <pav@iki.fi>
Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
Michael Tretter <m.tretter@pengutronix.de>
media: staging: imx: configure src_mux in csi_start
Igor Pylypiv <ipylypiv@google.com>
ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
Vlad Poenaru <vlad.wing@gmail.com>
fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0
Nathan Chancellor <nathan@kernel.org>
HID: core: Fix size_t specifier in hid_report_raw_event()
Benjamin Tissoires <bentiss@kernel.org>
HID: core: introduce hid_safe_input_report()
Benjamin Tissoires <bentiss@kernel.org>
HID: pass the buffer size to hid_report_raw_event
Qiang Ma <maqianga@uniontech.com>
KVM: x86: Fix Xen hypercall tracepoint argument assignment
Junrui Luo <moonafterrain@outlook.com>
KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
Aaron Sacks <contact@xchglabs.com>
KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
Sergio Correia <scorreia@redhat.com>
audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
Zoran Ilievski <goodboy@rexbytes.com>
net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
Li Xiasong <lixiasong1@huawei.com>
netfilter: nft_ct: fix missing expect put in obj eval
Mario Limonciello <mario.limonciello@amd.com>
Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
idpf: fix double free and use-after-free in aux device error paths
Guopeng Zhang <zhangguopeng@kylinos.cn>
cgroup/dmem: Return -ENOMEM on failed pool preallocation
Arthur Kiyanovski <akiyano@amazon.com>
net: ena: PHC: Check return code before setting timestamp output
Sergio Correia <scorreia@redhat.com>
audit: fix incorrect inheritable capability in CAPSET records
Li Xiasong <lixiasong1@huawei.com>
netfilter: nf_conntrack_sip: get helper before allocating expectation
Arthur Kiyanovski <akiyano@amazon.com>
net: ena: PHC: Fix potential use-after-free in get_timestamp
Breno Leitao <leitao@debian.org>
workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
Matt Vollrath <tactii@gmail.com>
i40e: Cleanup PTP pins on probe failure
Herbert Xu <herbert@gondor.apana.org.au>
crypto: af_alg - Cap AEAD AD length to 0x80000000
Vincent Guittot <vincent.guittot@linaro.org>
sched/fair: Revert force wakeup preemption
Vincent Guittot <vincent.guittot@linaro.org>
sched/fair: Fix wakeup_preempt_fair() for not waking up task
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Init gf_stats_work before potential error paths in probe
Dipayaan Roy <dipayanroy@linux.microsoft.com>
net: mana: Fix use-after-free in reset service rescan path
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Fix VIP configuration for AN7583 SoC
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Use gdm port enum value whenever possible
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Remove code duplication in airoha_regs.h
Eric Dumazet <edumazet@google.com>
net/sched: sch_pie: annotate more data-races in pie_dump_stats()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit()
Costa Shulyupin <costa.shul@redhat.com>
rtla: Fix parse_cpu_set() bug introduced by strtoi()
Miklos Szeredi <mszeredi@redhat.com>
fuse: make sure dentry is evicted if stale
Miklos Szeredi <mszeredi@redhat.com>
fuse: fix race when disposing stale dentries
Dan Carpenter <dan.carpenter@linaro.org>
net: airoha: Fix a copy and paste bug in probe()
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation
Gao Xiang <xiang@kernel.org>
erofs: fix offset truncation when shifting pgoff on 32-bit platforms
Samiullah Khawaja <skhawaja@google.com>
PCI: Initialize temporary device in new_id_store()
Sasha Levin <sashal@kernel.org>
Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"
Sasha Levin <sashal@kernel.org>
Revert "pseries/papr-hvpipe: Fix race with interrupt handler"
Davidlohr Bueso <dave@stgolabs.net>
futex: Drop CLONE_THREAD requirement for private default hash alloc
Zhaoyang Huang <zhaoyang.huang@unisoc.com>
arm64: Reserve an extra page for early kernel mapping
Leo Yan <leo.yan@arm.com>
kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition
Paolo Abeni <pabeni@redhat.com>
net/sched: cls_flower: revert unintended changes
Dan Carpenter <error27@gmail.com>
sfc: fix error code in efx_devlink_info_running_versions()
Jakub Kicinski <kuba@kernel.org>
net: tls: fix strparser anchor skb leak on offload RX setup failure
Petr Oros <poros@redhat.com>
ice: add dpll peer notification for paired SMA and U.FL pins
Ivan Vecera <ivecera@redhat.com>
dpll: export __dpll_pin_change_ntf() for use under dpll_lock
Petr Oros <poros@redhat.com>
dpll: Add notifier chain for dpll events
Ivan Vecera <ivecera@redhat.com>
dpll: Allow associating dpll pin with a firmware node
Petr Oros <poros@redhat.com>
ice: fix missing dpll notifications for SW pins
Petr Oros <poros@redhat.com>
ice: fix SMA and U.FL pin state changes affecting paired pin
Petr Oros <poros@redhat.com>
ice: fix missing SMA pin initialization in DPLL subsystem
Petr Oros <poros@redhat.com>
ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw
Petr Oros <poros@redhat.com>
ice: fix NULL pointer dereference in ice_reset_all_vfs()
Petr Oros <poros@redhat.com>
iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
Petr Oros <poros@redhat.com>
iavf: wait for PF confirmation before removing VLAN filters
Petr Oros <poros@redhat.com>
iavf: stop removing VLAN filters from PF on interface down
Petr Oros <poros@redhat.com>
iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
Hasan Basbunar <basbunarhasan@gmail.com>
page_pool: fix memory-provider leak in page_pool_create_percpu() error path
Eric Dumazet <edumazet@google.com>
bonding: 3ad: implement proper RCU rules for port->aggregator
Hangbin Liu <liuhangbin@gmail.com>
bonding: print churn state via netlink
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Do not return err in ndo_stop() callback
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: fix BQL imbalance in TX path
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/gsc: Fix BO leak on error in query_compatibility_version()
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/eustall: Fix drm_dev_put called before stream disable in close
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
Matt Roper <matthew.d.roper@intel.com>
drm/xe/debugfs: Correct printing of register whitelist ranges
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Read EDID from VBIOS embedded panel info
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Allow constructing DCE8 link encoder without DDC
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Allow constructing DCE6 link encoder without DDC
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Allow DCE link encoder without AUX registers
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
Shenghao Ding <shenghao-ding@ti.com>
ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1
Richard Fitzgerald <rf@opensource.cirrus.com>
ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/conexant: Fix missing error check for jack detection
Breno Leitao <leitao@debian.org>
netconsole: propagate device name truncation in dev_name_store()
Eric Dumazet <edumazet@google.com>
net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
Eric Dumazet <edumazet@google.com>
net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)
Weiming Shi <bestswngs@gmail.com>
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
Xin Long <lucien.xin@gmail.com>
sctp: discard stale INIT after handshake completion
Xin Long <lucien.xin@gmail.com>
netfilter: skip recording stale or retransmitted INIT
Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
ASoC: codecs: ab8500: Fix casting of private data
Jakub Kicinski <kuba@kernel.org>
net: psp: require admin permission for dev-set and key-rotate
Jakub Kicinski <kuba@kernel.org>
net: psp: check for device unregister when creating assoc
Jens Axboe <axboe@kernel.dk>
io_uring/napi: cap busy_poll_to 10 msec
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
Yinjie Yao <yinjie.yao@amd.com>
drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
Heiko Schocher <hs@nabladev.com>
net: phy: dp83869: fix setting CLK_O_SEL field.
Heiko Carstens <hca@linux.ibm.com>
s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()
Yu Kuai <yukuai@fnnas.com>
md/md-bitmap: add a none backend for bitmap grow
Yu Kuai <yukuai@fnnas.com>
md/md-bitmap: split bitmap sysfs groups
Yu Kuai <yukuai@fnnas.com>
md: factor bitmap creation away from sysfs handling
Yu Kuai <yukuai@fnnas.com>
md: add fallback to correct bitmap_ops on version mismatch
Keith Busch <kbusch@kernel.org>
md/raid1,raid10: don't fail devices for invalid IO errors
William A. Kennington III <william@wkennington.com>
net: mctp i2c: check length before marking flow active
Zicheng Qu <quzicheng@huawei.com>
sched/fair: Clear rel_deadline when initializing forked entities
Vincent Guittot <vincent.guittot@linaro.org>
sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue
Mel Gorman <mgorman@techsingularity.net>
sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
Breno Leitao <leitao@debian.org>
netpoll: fix IPv6 local-address corruption
Altan Hacigumus <ahacigu.linux@gmail.com>
tcp: make probe0 timer handle expired user timeout
Florian Westphal <fw@strlen.de>
neigh: let neigh_xmit take skb ownership
Weiming Shi <bestswngs@gmail.com>
net/sched: taprio: fix NULL pointer dereference in class dump
Paul Geurts <paul.geurts@prodrive-technologies.com>
NFC: trf7970a: Ignore antenna noise when checking for RF field
Felix Gu <ustc.gu@gmail.com>
spi: amlogic-spisg: initialize completion before requesting IRQ
Morduan Zang <zhangdandan@uniontech.com>
net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
Zhan Jun <zhanjun@uniontech.com>
net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
Ido Schimmel <idosch@nvidia.com>
vrf: Fix a potential NPD when removing a port from a VRF
Eric Dumazet <edumazet@google.com>
net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_choke: annotate data-races in choke_dump_stats()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs()
Zhengping Zhang <aquapinn@qq.com>
net: airoha: fix typo in function name
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: stop net_device TX queue before updating CPU index
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: check for negative latency and jitter
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix slot delay calculation overflow
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: validate slot configuration
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: only reseed PRNG when seed is explicitly provided
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix queue limit check to include reordered packets
Stephen Hemminger <stephen@networkplumber.org>
net/sched: netem: fix probability gaps in 4-state loss model
Nikola Z. Ivanov <zlatistiv@gmail.com>
netdevsim: zero initialize struct iphdr in dummy sk_buff
Daan De Meyer <daan@amutable.com>
cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
Tony Luck <tony.luck@intel.com>
ACPI: APEI: EINJ: Fix EINJV2 memory error injection
Tony Luck <tony.luck@intel.com>
ACPICA: Provide #defines for EINJV2 error types
Wentao Guan <guanwentao@uniontech.com>
arm64/scs: Fix potential sign extension issue of advance_loc4
Geert Uytterhoeven <geert+renesas@glider.be>
drm/color-mgmt: Typo s/R332/RGB332/
Yuho Choi <dbgh9129@gmail.com>
drm/sysfb: ofdrm: fix PCI device reference leaks
James Calligeros <jcalligeros99@gmail.com>
ASoC: tas2770: Fix order of operations for temperature calculation
James Calligeros <jcalligeros99@gmail.com>
ASoC: tas2764: Mark die temp register as volatile
John Madieu <john.madieu@gmail.com>
spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
Guilherme G. Piccoli <gpiccoli@igalia.com>
ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED
Florian Westphal <fw@strlen.de>
netfilter: nf_conntrack_sip: don't use simple_strtoul
Jiexun Wang <wangjiexun2025@gmail.com>
netfilter: xt_policy: fix strict mode inbound policy matching
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
Christian König <christian.koenig@amd.com>
drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM
Keith Busch <kbusch@kernel.org>
nvme-pci: fix missed admin queue sq doorbell write
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: use list_del_rcu for netlink hooks
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
Maurizio Lombardi <mlombard@redhat.com>
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Breno Leitao <leitao@debian.org>
tracing: branch: Fix inverted check on stat tracer registration
Petr Malat <oss@malat.biz>
cgroup: Increment nr_dying_subsys_* from rmdir context
Mark Harmstone <mark@harmstone.com>
btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
Amir Goldstein <amir73il@gmail.com>
fsnotify: fix inode reference leak in fsnotify_recalc_mask()
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: make data_ready a per-instance variable
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: initialize struct earlier
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: don't free the reused channel
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: add sanity check for channel array
cuitao <cuitao@kylinos.cn>
cgroup/rdma: fix integer overflow in rdmacg_try_charge()
Edward Adam Davis <eadavis@qq.com>
sched/psi: fix race between file release and pressure write
Wolfram Sang <wsa+renesas@sang-engineering.com>
mailbox: mailbox-test: free channels on probe error
Jason-JH Lin <jason-jh.lin@mediatek.com>
mailbox: mtk-cmdq: Fix CURR and END addr for task insert case
Thomas Weißschuh <linux@weissschuh.net>
kbuild: Never respect CONFIG_WERROR / W=e to fixdep
David Arcari <darcari@redhat.com>
tools/power turbostat: Fix unrecognized option '-P'
Len Brown <len.brown@intel.com>
tools/power turbostat: Fix and document --header_iterations
Kaushlendra Kumar <kaushlendra.kumar@intel.com>
tools/power turbostat: Use strtoul() for iteration parsing
Len Brown <len.brown@intel.com>
tools/power turbostat.8: Document the "--force" option
Yuho Choi <dbgh9129@gmail.com>
fbdev: offb: fix PCI device reference leak on probe failure
Mathias Krause <minipli@grsecurity.net>
kbuild: builddeb - avoid recompiles for non-cross-compiles
Anthony Pighin (Nokia) <anthony.pighin@nokia.com>
rtc: abx80x: Disable alarm feature if no interrupt attached
Bae Yeonju <iwasbaeyz@gmail.com>
fs/adfs: validate nzones in adfs_validate_bblk()
Christian Brauner <brauner@kernel.org>
eventpoll: fix ep_remove struct eventpoll / struct file UAF
Christian Brauner <brauner@kernel.org>
eventpoll: move epi_fget() up
Christian Brauner <brauner@kernel.org>
eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()
Christian Brauner <brauner@kernel.org>
eventpoll: kill __ep_remove()
Christian Brauner <brauner@kernel.org>
eventpoll: split __ep_remove()
Christian Brauner <brauner@kernel.org>
eventpoll: use hlist_is_singular_node() in __ep_remove()
Randy Dunlap <rdunlap@infradead.org>
nstree: fix func. parameter kernel-doc warnings
Kohei Enju <kohei@enjuk.jp>
vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
Lee Jones <lee@kernel.org>
tipc: fix double-free in tipc_buf_append()
Jiayuan Chen <jiayuan.chen@linux.dev>
tcp: send a challenge ACK on SEG.ACK > SND.NXT
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
Brett Creeley <brett.creeley@amd.com>
virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET
Stefano Garzarella <sgarzare@redhat.com>
vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Fix EQ leak in mana_remove on NULL port
Dipayaan Roy <dipayanroy@linux.microsoft.com>
net: mana: Implement ndo_tx_timeout and serialize queue resets per port.
Long Li <longli@microsoft.com>
net: mana: Handle hardware recovery events when probing the device
Aditya Garg <gargaditya@linux.microsoft.com>
net: mana: Handle SKB if TX SGEs exceed hardware limit
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Don't overwrite port probe error with add_adev result
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Add standard counter rx_missed_errors
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Move hardware counter stats from per-port to per-VF context
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Guard mana_remove against double invocation
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Init link_change_work before potential error paths in probe
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
Mieczyslaw Nalewaj <namiltd@yahoo.com>
net: dsa: realtek: rtl8365mb: fix mode mask calculation
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add the capability to consume out-of-order DMA tx descriptors
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add AN7583 SoC support
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct
Eric Dumazet <edumazet@google.com>
net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_red: annotate data-races in red_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
Eric Dumazet <edumazet@google.com>
net/sched: sch_pie: annotate data-races in pie_dump_stats()
Eric Dumazet <edumazet@google.com>
net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
Jacob Keller <jacob.e.keller@intel.com>
ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g
Jacob Keller <jacob.e.keller@intel.com>
ice: fix ready bitmap check for non-E822 devices
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: perform PHY soft reset for E825C ports at initialization
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: fix timestamp interrupt configuration for E825C
Michael Bommarito <michael.bommarito@gmail.com>
net/rds: zero per-item info buffer before handing it to visitors
Vikas Gupta <vikas.gupta@broadcom.com>
bnge: remove unsupported backing store type
Vikas Gupta <vikas.gupta@broadcom.com>
bnge: fix initial HWRM sequence
Kohei Enju <kohei@enjuk.jp>
net: validate skb->napi_id in RX tracepoints
Hyunwoo Kim <imv4bel@gmail.com>
ksmbd: scope conn->binding slowpath to bound sessions only
DaeMyung Kang <charsyam@gmail.com>
ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
DaeMyung Kang <charsyam@gmail.com>
ksmbd: destroy async_ida in ksmbd_conn_free()
DaeMyung Kang <charsyam@gmail.com>
ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
Sangyun Kim <sangyun.kim@snu.ac.kr>
pwm: atmel-tcb: Cache clock rates and mark chip as atomic
Jun Yan <jerrysteve1101@gmail.com>
arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
Anand Moon <linux.amoon@gmail.com>
arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0
Chia-Yu Chang <chia-yu.chang@nokia-bell-labs.com>
net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change()
Weiming Shi <bestswngs@gmail.com>
slip: bound decode() reads against the compressed packet length
Weiming Shi <bestswngs@gmail.com>
slip: reject VJ receive packets on instances with no rstate array
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
Yingnan Zhang <342144303@qq.com>
ipvs: fix MTU check for GSO packets in tunnel mode
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nat: use kfree_rcu to release ops
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xtables: restrict several matches to inet family
Florian Westphal <fw@strlen.de>
netfilter: conntrack: remove sprintf usage
Xiang Mei <xmei5@asu.edu>
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_osf: restrict it to ipv4
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()
Weiming Shi <bestswngs@gmail.com>
openvswitch: cap upcall PID array size and pre-size vport replies
Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
net/mlx5: Fix HCA caps leak on notifier init failure
Qingfang Deng <qingfang.deng@linux.dev>
pppoe: drop PFC frames
Michael Bommarito <michael.bommarito@gmail.com>
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
Eric Dumazet <edumazet@google.com>
ipv6: fix possible UAF in icmpv6_rcv()
Matt Vollrath <tactii@gmail.com>
e1000e: Unroll PTP in probe error handling
Petr Oros <poros@redhat.com>
iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2
Kohei Enju <kohei@enjuk.jp>
i40e: don't advertise IFF_SUPP_NOFCS
Paul Greenwalt <paul.greenwalt@intel.com>
ice: fix ICE_AQ_LINK_SPEED_M for 200G
Michal Schmidt <mschmidt@redhat.com>
ice: fix double-free of tx_buf skb
Alice Mikityanska <alice@isovalent.com>
ice: Remove jumbo_remove step from TX path
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: update PCS latency settings for E825 10G/25Gb modes
Grzegorz Nitka <grzegorz.nitka@intel.com>
ice: fix 'adjust' timer programming for E830 devices
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->plb_rehash
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->timeout_rehash
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->srtt_us
Eric Dumazet <edumazet@google.com>
tcp: better handle TCP_TX_DELAY on established flows
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->reord_seen
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->dsack_dups
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->bytes_retrans
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->bytes_sent
Eric Dumazet <edumazet@google.com>
tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->delivered and tp->delivered_ce
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races around tp->snd_ssthresh
Eric Dumazet <edumazet@google.com>
tcp: add data-races annotations around tp->reordering, tp->snd_cwnd
Eric Dumazet <edumazet@google.com>
tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
Eric Dumazet <edumazet@google.com>
tcp: annotate data-races in tcp_get_info_chrono_stats()
Eric Dumazet <edumazet@google.com>
tcp: inline tcp_chrono_start()
Eric Dumazet <edumazet@google.com>
tcp: move tp->chrono_type next tp->chrono_stat[]
Akif <akif.sait111@gmail.com>
ksmbd: fix use-after-free in smb2_open during durable reconnect
ZhangGuoDong <zhangguodong@kylinos.cn>
smb: move smb_version_values to common/smbglob.h
Wei Fang <wei.fang@nxp.com>
net: enetc: fix NTMP DMA use-after-free issue
Wei Fang <wei.fang@nxp.com>
net: enetc: correct the command BD ring consumer index
Stanislav Fomichev <sdf.kernel@gmail.com>
net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: append ethtool counters of all hidden ports to conduit
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: use kernel data types for ethtool ops on conduit
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: cpu_dp->orig_ethtool_ops might be NULL
Vinicius Costa Gomes <vinicius.gomes@intel.com>
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup()
Jiayuan Chen <jiayuan.chen@linux.dev>
nexthop: fix IPv6 route referencing IPv4 nexthop
Dudu Lu <phx0fer@gmail.com>
net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
Dudu Lu <phx0fer@gmail.com>
macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
Dudu Lu <phx0fer@gmail.com>
net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: stm32: Fix rounding issue for requests with inverted polarity
Gabor Juhos <j4g8y7@gmail.com>
arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
Ronald Claveau <linux-kernel-dev@aliel.fr>
reset: amlogic: t7: Fix null reset ops
René Rebe <rene@exactco.de>
PCMCIA: Fix garbled log messages for KERN_CONT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
Peng Fan <peng.fan@nxp.com>
arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
Gao Xiang <xiang@kernel.org>
erofs: unify lcn as u64 for 32-bit platforms
Paul Moses <p@1g4.org>
crypto: ccp - copy IV using skcipher ivsize
T Pratham <t-pratham@ti.com>
crypto: sa2ul - Fix AEAD fallback algorithm names
Aleksander Jan Bajkowski <olek2@wp.pl>
crypto: eip93 - fix hmac setkey algo selection
Sami Mujawar <sami.mujawar@arm.com>
virt: arm-cca-guest: fix error check for RSI_INCOMPLETE
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915/wm: Verify the correct plane DDB entry
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: allow empty mount string for Opt_usr|grp|projjquota
Brian Masney <bmasney@redhat.com>
clk: visconti: pll: initialize clk_init_data to zero
Jagadeesh Kona <jagadeesh.kona@oss.qualcomm.com>
clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON
Zhiguo Niu <zhiguo.niu@unisoc.com>
f2fs: fix to preserve previous reserve_{blocks,node} value when remount
Chao Yu <chao@kernel.org>
f2fs: expand scalability of f2fs mount option
Geert Uytterhoeven <geert+renesas@glider.be>
lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains
Jianan Huang <huangjianan@xiaomi.com>
f2fs: avoid reading already updated pages during GC
Chao Yu <chao@kernel.org>
f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page()
Shuwei Wu <shuwei.wu@mailbox.org>
clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc-sc7180: Add missing MDSS resets
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
Geert Uytterhoeven <geert+renesas@glider.be>
clk: xgene: Fix mapping leak in xgene_pllclk_init()
Arnd Bergmann <arnd@arndb.de>
clk: qoriq: avoid format string warning
Thomas Weißschuh <linux@weissschuh.net>
x86/um: fix vDSO installation
Thomas Weißschuh <linux@weissschuh.net>
x86/um/vdso: Drop VDSO64-y from Makefile
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
clk: imx8mq: Correct the CSI PHY sels
Felix Gu <ustc.gu@gmail.com>
clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
Felix Gu <ustc.gu@gmail.com>
clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
Val Packett <val@packett.cool>
clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
Val Packett <val@packett.cool>
clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Use retention for USB power domains
Val Packett <val@packett.cool>
clk: qcom: gcc-sc8180x: Add missing GDSCs
Val Packett <val@packett.cool>
dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
Shawn Lin <shawn.lin@rock-chips.com>
scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item
Junrui Luo <moonafterrain@outlook.com>
scsi: target: core: Fix integer overflow in UNMAP bounds check
Fabrizio Castro <fabrizio.castro.jz@renesas.com>
clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}
Ovidiu Panait <ovidiu.panait.rb@renesas.com>
clk: renesas: r9a09g057: Fix ordering of module clocks array
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
clk: renesas: r9a09g057: Add entries for RSCIs
Ovidiu Panait <ovidiu.panait.rb@renesas.com>
clk: renesas: r9a09g057: Add clock and reset entries for RTC
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc-milos: Fix DSI byte clock rate setting
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting
White Lewis <liu224806@gmail.com>
clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers
Yang Erkun <yangerkun@huawei.com>
scsi: sg: Resolve soft lockup issue when opening /dev/sgX
Yang Erkun <yangerkun@huawei.com>
scsi: sg: Fix sysctl sg-big-buff register during sg_init()
Chen-Yu Tsai <wens@kernel.org>
clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source
Taniya Das <taniya.das@oss.qualcomm.com>
clk: qcom: gcc-glymur: Add video axi clock resets for glymur
Taniya Das <taniya.das@oss.qualcomm.com>
dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur
Florian Westphal <fw@strlen.de>
RDMA/core: Prefer NLA_NUL_STRING
Pengpeng Hou <pengpeng@iscas.ac.cn>
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
Fedor Pchelkin <pchelkin@ispras.ru>
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
Pengpeng Hou <pengpeng@iscas.ac.cn>
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
Thomas Bogendoerfer <tbogendoerfer@suse.de>
tty: serial: ip22zilog: Fix section mispatch warning
Denis Benato <denis.benato@linux.dev>
platform/x86: asus-wmi: fix screenpad brightness range
Denis Benato <denis.benato@linux.dev>
platform/x86: asus-wmi: adjust screenpad power/brightness handling
Dai Ngo <dai.ngo@oracle.com>
NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
Dmitry Torokhov <dmitry.torokhov@gmail.com>
platform/x86: barco-p50-gpio: normalize return value of gpio_get
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
Mostafa Saleh <smostafa@google.com>
usb: typec: ps883x: Fix Oops at unbind
Randy Dunlap <rdunlap@infradead.org>
tty: hvc_iucv: fix off-by-one in number of supported devices
Ethan Tidmore <ethantidmore06@gmail.com>
usb: typec: Fix error pointer dereference
Chen Ni <nichen@iscas.ac.cn>
leds: lgm-sso: Remove duplicate assignments for priv->mmap
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/surface: surfacepro3_button: Drop wakeup source on remove
Chen Ni <nichen@iscas.ac.cn>
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
Billy Tsai <billy_tsai@aspeedtech.com>
i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
Jorge Marques <jorge.marques@analog.com>
i3c: master: adi: Fix error propagation for CCCs
Jorge Marques <jorge.marques@analog.com>
i3c: master: Fix error codes at send_ccc_cmd
Felix Gu <ustc.gu@gmail.com>
i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()
Felix Gu <ustc.gu@gmail.com>
i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
Felix Gu <ustc.gu@gmail.com>
i3c: master: dw-i3c: Fix missing reset assertion in remove() callback
Arnaldo Carvalho de Melo <acme@redhat.com>
perf util: Kill die() prototype, dead for a long time
Ian Rogers <irogers@google.com>
perf maps: Fix copy_from that can break sorted by name order
Ian Rogers <irogers@google.com>
perf maps: Fix fixup_overlap_and_insert that can break sorted by name order
Inochi Amaoto <inochiama@gmail.com>
pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description
Inochi Amaoto <inochiama@gmail.com>
pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description
Ian Rogers <irogers@google.com>
perf cgroup: Update metric leader in evlist__expand_cgroup
Jian Zhang <zhangjian.3032@bytedance.com>
ipmi: ssif_bmc: change log level to dbg in irq callback
Jian Zhang <zhangjian.3032@bytedance.com>
ipmi: ssif_bmc: fix message desynchronization after truncated response
Jian Zhang <zhangjian.3032@bytedance.com>
ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
Leo Yan <leo.yan@arm.com>
perf expr: Return -EINVAL for syntax error in expr__find_ids()
Chuck Lever <chuck.lever@oracle.com>
perf tools: Fix module symbol resolution for non-zero .text sh_addr
Mike Rapoport (Microsoft) <rppt@kernel.org>
memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name()
Ian Rogers <irogers@google.com>
perf stat: Fix opt->value type for parse_cache_level
Ian Rogers <irogers@google.com>
perf lock: Fix option value type in parse_max_stack
Biju Das <biju.das.jz@bp.renesas.com>
pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers
Yu-Chun Lin <eleanor15x@gmail.com>
pinctrl: abx500: Fix type of 'argument' variable
Yu-Chun Lin <eleanor.lin@realtek.com>
pinctrl: realtek: Fix function signature for config argument
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: pinconf-generic: Fully validate 'pinmux' property
Mike Leach <mike.leach@arm.com>
perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
Ian Rogers <irogers@google.com>
perf branch: Avoid incrementing NULL
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Avoid returning positive values to user space
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: cy8c95x0: remove duplicate error message
Ian Rogers <irogers@google.com>
perf trace: Avoid an ERR_PTR in syscall_stats
Ethan Tidmore <ethantidmore06@gmail.com>
pinctrl: pinctrl-pic32: Fix resource leak
wangguangju <wangguangju@hygon.cn>
perf trace: Fix IS_ERR() vs NULL check bug
Puranjay Mohan <puranjay@kernel.org>
bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
Puranjay Mohan <puranjay@kernel.org>
bpf: Validate node_id in arena_alloc_pages()
Jiri Olsa <jolsa@kernel.org>
libbpf: Prevent double close and leak of btf objects
Yihan Ding <dingyihan@uniontech.com>
bpf: allow UTF-8 literals in bpf_bprintf_prepare()
Mykyta Yatsenko <yatsenko@meta.com>
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Take state lock for af_unix iter
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix af_unix null-ptr-deref in proto update
Michal Luczaj <mhal@rbox.co>
bpf, sockmap: Fix af_unix iter deadlock
Puranjay Mohan <puranjay@kernel.org>
bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize
Puranjay Mohan <puranjay@kernel.org>
bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize
Daniel Borkmann <daniel@iogearbox.net>
bpf, arm64: Fix off-by-one in check_imm signed range check
Ye Bin <yebin10@huawei.com>
ext4: fix possible null-ptr-deref in mbt_kunit_exit()
Oliver Neukum <oneukum@suse.com>
HID: usbhid: fix deadlock in hid_post_reset()
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: winbond: Clarify when to enable the HS bit
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Give the bus interface to the configuration helper
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Add support for setting a bus interface
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Gather all the bus interface steps in one single function
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: winbond: Configure the IO mode after the dummy cycles
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: winbond: Rename IO_MODE register macro
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Create an array of operation templates
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Decouple write enable and write disable operations
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spinand: Add missing check
Richard Genoud <richard.genoud@bootlin.com>
mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
Li Ming <ming.li@zohomail.com>
cxl/pci: Check memdev driver binding status in cxl_reset_done()
Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
Shiji Yang <yangshiji66@outlook.com>
mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
Jonas Gorski <jonas.gorski@gmail.com>
mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
Haibo Chen <haibo.chen@nxp.com>
mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
Geert Uytterhoeven <geert+renesas@glider.be>
dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
Dmitry Safonov <0x7f454c46@gmail.com>
ima_fs: Correctly create securityfs files for unsupported hash algos
Chen Ni <nichen@iscas.ac.cn>
mtd: physmap_of_gemini: Fix disabled pinctrl state check
Denis Benato <denis.benato@linux.dev>
HID: asus: do not abort probe when not necessary
Denis Benato <denis.benato@linux.dev>
HID: asus: make asus_resume adhere to linux kernel coding standards
Daniel Hodges <hodgesd@meta.com>
ima: check return value of crypto_shash_final() in boot aggregate
Chen Ni <nichen@iscas.ac.cn>
remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode()
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
stop_machine: Fix the documentation for a NULL cpus argument
Tim Michals <tcmichals@yahoo.com>
remoteproc: xlnx: Fix sram property parsing
Francesco Lavra <flavra@baylibre.com>
hte: tegra194: remove Kconfig dependency on Tegra194 SoC
Pengpeng Hou <pengpeng@iscas.ac.cn>
tracing: Rebuild full_name on each hist_field_name() call
Arnd Bergmann <arnd@arndb.de>
tracing: move __printf() attribute on __ftrace_vbprintk()
Yury Norov <ynorov@nvidia.com>
tracing: move tracing declarations from kernel.h to a dedicated header
Steven Rostedt <rostedt@goodmis.org>
tracing: remove size parameter in __trace_puts()
Richard Fitzgerald <rf@opensource.cirrus.com>
soundwire: cadence: Clear message complete before signaling waiting thread
Frank Li <Frank.Li@nxp.com>
dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
Bard Liao <yung-chuan.liao@linux.intel.com>
soundwire: Intel: test bus.bpt_stream before assigning it
Cole Leavitt <cole@unwrap.rs>
soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
Khairul Anuar Romli <karom.9560@gmail.com>
dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
ZhengYuan Huang <gality369@gmail.com>
ocfs2: validate group add input before caching
ZhengYuan Huang <gality369@gmail.com>
ocfs2: validate bg_bits during freefrag scan
ZhengYuan Huang <gality369@gmail.com>
ocfs2: fix listxattr handling when the buffer is full
Richard Cheng <icheng@nvidia.com>
fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
Sebastian Ene <sebastianene@google.com>
firmware: arm_ffa: Use the correct buffer size during RXTX_MAP
Frank Li <Frank.Li@nxp.com>
ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
Christian A. Ehrhardt <lk@c--e.de>
lib: kunit_iov_iter: fix memory leaks
Kees Cook <kees@kernel.org>
slab: Introduce kmalloc_obj() and family
Christoph Hellwig <hch@lst.de>
arm64/xor: fix conflicting attributes for xor_block_template
Aaro Koskinen <aaro.koskinen@iki.fi>
ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
Alexander Koskovich <AKoskovich@pm.me>
arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
Alok Tiwari <alok.a.tiwari@oracle.com>
soc: qcom: aoss: compare against normalized cooling state
Alok Tiwari <alok.a.tiwari@oracle.com>
soc: qcom: llcc: fix v1 SB syndrome register offset
Junrui Luo <moonafterrain@outlook.com>
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
Junrui Luo <moonafterrain@outlook.com>
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
Michal Grzedzicki <mge@meta.com>
unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
Sumit Gupta <sumitg@nvidia.com>
soc/tegra: cbb: Fix cross-fabric target timeout lookup
Sumit Gupta <sumitg@nvidia.com>
soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
Sumit Gupta <sumitg@nvidia.com>
soc/tegra: cbb: Set ERD on resume for err interrupt
Xu Yang <xu.yang_2@nxp.com>
arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
Xu Yang <xu.yang_2@nxp.com>
arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual
Josua Mayer <josua@solid-run.com>
arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word
Josua Mayer <josua@solid-run.com>
arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes
Josua Mayer <josua@solid-run.com>
arm64: dts: lx2160a: add sda gpio references for i2c bus recovery
Josua Mayer <josua@solid-run.com>
arm64: dts: lx2160a: rename pinmux nodes for readability
Josua Mayer <josua@solid-run.com>
arm64: dts: lx2160a: remove duplicate pinmux nodes
Josua Mayer <josua@solid-run.com>
arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit
Shengjiu Wang <shengjiu.wang@nxp.com>
arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3
Annette Kobou <annette.kobou@kontron.de>
arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC
Nora Schiffer <nora.schiffer@ew.tq-group.com>
arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing
Francesco Dolcini <francesco.dolcini@toradex.com>
arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins
Judith Mendez <jm@ti.com>
arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader
David Heidelberg <david@ixit.cz>
arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
Luca Weiss <luca.weiss@fairphone.com>
arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host controller
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8750: Fix GIC_ITS range length
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8650: Fix GIC_ITS range length
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8550: Fix GIC_ITS range length
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: sm8450: Fix GIC_ITS range length
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
arm64: dts: qcom: monaco: correct Iris corners for the MXC rail
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
arm64: dts: qcom: lemans: correct Iris corners for the MXC rail
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail
Gatien Chevallier <gatien.chevallier@foss.st.com>
bus: rifsc: fix RIF configuration check for peripherals
Shawn Lin <shawn.lin@rock-chips.com>
arm64: dts: rockchip: Add mphy reset to ufshc node
谢致邦 (XIE Zhibang) <Yeking@Red54.com>
arm64: dts: rockchip: Fix RK3562 EVB2 model name
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: register reasons for probe deferrals
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
soc: qcom: ocmem: make the core clock optional
Chris Morgan <macromorgan@hotmail.com>
arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace
Chris Morgan <macromorgan@hotmail.com>
arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace
Robin Murphy <robin.murphy@arm.com>
Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1"
Ming Wang <wangming5719@gmail.com>
arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
Josua Mayer <josua@solid-run.com>
arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference
Frieder Schrempf <frieder.schrempf@kontron.de>
arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier
Frieder Schrempf <frieder.schrempf@kontron.de>
arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices
Thorsten Blum <thorsten.blum@linux.dev>
iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count
Akari Tsuyukusa <akkun11.open@gmail.com>
arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
arm64: dts: qcom: talos: Add missing clock-names to GCC
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges
Barnabás Czémán <barnabas.czeman@mainlining.org>
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id
Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype
Jacob Pan <jacob.pan@linux.microsoft.com>
iommufd: vfio compatibility extension check for noiommu mode
Sherry Sun <sherry.sun@nxp.com>
arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
Heiko Stuebner <heiko.stuebner@cherry.de>
arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config
Luke Wang <ziniu.wang_1@nxp.com>
arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD
Francesco Dolcini <francesco.dolcini@toradex.com>
arm64: dts: imx8-apalis: Fix LEDs name collision
Mikko Perttunen <mperttunen@nvidia.com>
memory: tegra30-emc: Fix dll_change check
Mikko Perttunen <mperttunen@nvidia.com>
memory: tegra124-emc: Fix dll_change check
Rafał Miłecki <rafal@milecki.pl>
ARM: dts: mediatek: mt7623: fix efuse fallback compatible
Nícolas F. R. A. Prado <nfraprado@collabora.com>
arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon
Joshua Klinesmith <joshuaklinesmith@gmail.com>
ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
Thomas Huth <thuth@redhat.com>
efi/capsule-loader: fix incorrect sizeof in phys array reallocation
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: prevent NULL pointer dereference during unmount
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: add some missing log locking
Arnd Bergmann <arnd@arndb.de>
vfio: unhide vdev->debug_root
Jan Kara <jack@suse.cz>
quota: Fix race of dquot_scan_active() with quota deactivation
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: less aggressive low-memory log flushing
Wander Lairson Costa <wander@redhat.com>
rtla/utils: Fix resource leak in set_comm_sched_attr()
Wander Lairson Costa <wander@redhat.com>
rtla: Replace atoi() with a robust strtoi()
Ivan Pravdin <ipravdin.official@gmail.com>
rtla: Fix -C/--cgroup interface
Ricardo B. Marlière <rbm@suse.com>
ktest: Run POST_KTEST hooks on failure and cancellation
Ricardo B. Marlière <rbm@suse.com>
ktest: Honor empty per-test option overrides
Ricardo B. Marlière <rbm@suse.com>
ktest: Avoid undef warning when WARNINGS_FILE is unset
Luis Henriques <luis@igalia.com>
fuse: fix uninit-value in fuse_dentry_revalidate()
Luis Henriques <luis@igalia.com>
fuse: new work queue to periodically invalidate expired dentries
Luis Henriques <luis@igalia.com>
dcache: export shrink_dentry_list() and add new helper d_dispose_if_unused()
Jingbo Xu <jefflexu@linux.alibaba.com>
fuse: fix premature writetrhough request for large folio
Ondrej Mosnacek <omosnace@redhat.com>
fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()
Ondrej Mosnacek <omosnace@redhat.com>
fanotify: avoid/silence premature LSM capability checks
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Call unlock_new_inode before d_instantiate
Kailang Yang <kailang@realtek.com>
ALSA: hda/realtek - fixed speaker no sound update
Geoffrey D. Bennett <g@b4.vu>
ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP
Haixin Xu <jerryxucs@gmail.com>
crypto: jitterentropy - replace long-held spinlock with mutex
Tejun Heo <tj@kernel.org>
sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking
Tejun Heo <tj@kernel.org>
sched_ext: Track @p's rq lock across set_cpus_allowed_scx -> ops.set_cpumask
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix missing return in invalidate_committed's error path
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: sc6000: Keep the programmed board state in card-private data
Pei Xiao <xiaopei01@kylinos.cn>
spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Disable L1.2 capability of Tegra234 EP
Bjorn Helgaas <bhelgaas@google.com>
PCI: tegra194: Remove unnecessary L1SS disable code
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Use DWC IP core version
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Free up Endpoint resources during remove()
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Allow system suspend when the Endpoint link is not up
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Disable direct speed change for Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Don't force the device into the D0 state before L2
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
Manikanta Maddireddy <mmaddireddy@nvidia.com>
PCI: tegra194: Increase LTSSM poll time on surprise link down
Vidya Sagar <vidyas@nvidia.com>
PCI: tegra194: Fix polling delay for L2 state
songxiebing <songxiebing@kylinos.cn>
ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream
Richard Cheng <icheng@nvidia.com>
PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: SOF: compress: return the configured codec from get_params
Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
ALSA: scarlett2: Add missing sentinel initializer field
Waiman Long <longman@redhat.com>
selftest: memcg: skip memcg_sock test if address family not supported
Jane Chu <jane.chu@oracle.com>
Documentation: fix a hugetlbfs reservation statement
Pasha Tatashin <pasha.tatashin@soleen.com>
kho: make debugfs interface optional
AnishMulay <anishm7030@gmail.com>
selftests/mm: skip migration tests if NUMA is unavailable
Eliot Courtney <ecourtney@nvidia.com>
gpu: nova-core: bitfield: fix broken Default implementation
Joel Fernandes <joelagnelf@nvidia.com>
gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro
Alexandre Courbot <acourbot@nvidia.com>
gpu: nova-core: register: use field type for Into implementation
Chen-Yu Tsai <wenst@chromium.org>
PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
Gerd Bayer <gbayer@linux.ibm.com>
PCI: Enable AtomicOps only if Root Port supports them
Denis Rastyogin <gerben@altlinux.org>
ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - use swab32 macro
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - fix type mismatch in RAS sysfs show functions
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - fix compression instance leak
Ahsan Atta <ahsan.atta@intel.com>
crypto: qat - disable 420xx AE cluster when lead engine is fused off
Ahsan Atta <ahsan.atta@intel.com>
crypto: qat - disable 4xxx AE cluster when lead engine is fused off
Hans Zhang <18255117159@163.com>
PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: qdsp6: topology: check widget type before accessing data
Jason Gunthorpe <jgg@ziepe.ca>
iommu/riscv: Remove overflows on the invalidation path
Vasant Hegde <vasant.hegde@amd.com>
iommu/amd: Fix clone_alias() to use the original device's devid
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Change the type for iec958 channel status controls
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_micfil: Add access property for "VAD Detected"
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/dpu: drop INTF_0 on MSM8953
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
PM: domains: De-constify fields in struct dev_pm_domain_attach_data
Felix Gu <ustc.gu@gmail.com>
pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
Felix Gu <gu_0233@qq.com>
pmdomain: ti: omap_prm: Fix a reference leak on device node
wangdicheng <wangdicheng@kylinos.cn>
ALSA: hda/cmedia: Remove duplicate pin configuration parsing
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Use barriers while updating HFI Q headers
Connor Abbott <cwabbott0@gmail.com>
drm/msm/a6xx: Fix dumping A650+ debugbus blocks
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/shrinker: Fix can_block() logic
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/a6xx: Fix HLSQ register dumping
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm: Fix VM_BIND UNMAP locking
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm: Reject fb creation from _NO_SHARE objs
Rob Clark <robin.clark@oss.qualcomm.com>
drm/msm/vma: Avoid lock in VM_BIND fence signaling path
Ethan Tidmore <ethantidmore06@gmail.com>
ASoC: SOF: Intel: hda: Place check before dereference
Lei Huang <huanglei@kylinos.cn>
ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}')
Billy Tsai <billy_tsai@aspeedtech.com>
hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback
Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors
Timur Kristóf <timur.kristof@gmail.com>
drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Fill DW8 fields from SMC
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
Vijendar Mukunda <Vijendar.Mukunda@amd.com>
ASoC: amd: acp: update dmic_num logic for acp pdm dmic
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: core: Validate compress device numbers without dynamic minors
Ethan Tidmore <ethantidmore06@gmail.com>
iommu/riscv: Fix signedness bug
Yaxing Guo <guoyaxing@bosc.ac.cn>
iommu/riscv: Skip IRQ count check when using MSI interrupts
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Fix alignment calculation for resource size larger than align
Wenkai Lin <linwenkai6@hisilicon.com>
crypto: hisilicon/sec2 - prevent req used-after-free for sec
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Fix premature removal from realloc_head list during resource assignment
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
PCI: Use res_to_dev_res() in reassign_resources_sorted()
Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support
Sebastian Reichel <sebastian.reichel@collabora.com>
drm/panel: simple: Correct G190EAN01 prepare timing
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
Alexey Charkov <alchark@flipper.net>
ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode
Alexander Koskovich <akoskovich@pm.me>
drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix hdisplay calculation for CMD mode panel
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: fix bits_per_pclk
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/dpu: don't try using 2 LMs if only one DSC is available
Pengyu Luo <mitltlatltl@gmail.com>
drm/msm/dsi: add the missing parameter description
Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
drm/msm/dpu: fix mismatch between power and frequency
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm: add missing MODULE_DEVICE_ID definitions
Nicolin Chen <nicolinc@nvidia.com>
iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement
Nicolin Chen <nicolinc@nvidia.com>
iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()
Alexandru Dadu <alexandru.dadu@imgtec.com>
drm/imagination: Switch reset_reason fields from enum to u32
Pei Xiao <xiaopei01@kylinos.cn>
spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx11: look at the right prop for gfx queue priority
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx10: look at the right prop for gfx queue priority
Koichiro Den <den@valinux.co.jp>
PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation
Daniel Jordan <daniel.m.jordan@oracle.com>
padata: Put CPU offline callback in ONLINE section to allow failure
Chuyi Zhou <zhouchuyi@bytedance.com>
padata: Remove cpu online check from cpu add and removal
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
Thorsten Blum <thorsten.blum@linux.dev>
crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
Herbert Xu <herbert@gondor.apana.org.au>
crypto: tegra - Disable softirqs before finalizing request
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
Guillaume Gonnet <ggonnet.linux@gmail.com>
dm init: ensure device probing has finished in dm-mod.waitfor=
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu: Add default case in DVI mode validation
Fangyu Yu <fangyu.yu@linux.alibaba.com>
iommu/riscv: Stop polling when CQCSR reports an error
Jason Gunthorpe <jgg@ziepe.ca>
iommu/riscv: Add missing GENERIC_MSI_IRQ
Fangyu Yu <fangyu.yu@linux.alibaba.com>
iommu/riscv: Add IOTINVAL after updating DDT/PDT entries
Aleksander Jan Bajkowski <olek2@wp.pl>
crypto: inside-secure/eip93 - register hash before authenc algorithms
Ethan Tidmore <ethantidmore06@gmail.com>
drm/sun4i: Fix resource leaks
Maíra Canal <mcanal@igalia.com>
drm/v3d: Handle error from drm_sched_entity_init()
David Carlier <devnexen@gmail.com>
selftests/sched_ext: Add missing error check for exit__load()
Lijo Lazar <lijo.lazar@amd.com>
drm/amd/pm: Fix xgmi max speed reporting
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe
Felix Gu <ustc.gu@gmail.com>
spi: fsl-qspi: Use reinit_completion() for repeated operations
Felix Gu <ustc.gu@gmail.com>
spi: nxp-fspi: Use reinit_completion() for repeated operations
Harikrishna Shenoy <h-shenoy@ti.com>
drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check
Jayesh Choudhary <j-choudhary@ti.com>
drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs
Jayesh Choudhary <j-choudhary@ti.com>
drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
Randy Dunlap <rdunlap@infradead.org>
iopoll: fix function parameter names in read_poll_timeout_atomic()
Junrui Luo <moonafterrain@outlook.com>
dm log: fix out-of-bounds write due to region_count overflow
Ming-Hung Tsai <mtsai@redhat.com>
dm cache metadata: fix memory leak on metadata abort retry
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()
Richard Zhu <hongxing.zhu@nxp.com>
PCI: dwc: Invoke post_init in dw_pcie_resume_noirq()
Aksh Garg <a-garg7@ti.com>
PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
platform/chrome: chromeos_tbmc: Drop wakeup source on remove
Benjamin Marzinski <bmarzins@redhat.com>
dm-mpath: don't stop probing paths at presuspend
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix dirty mapping checking in passthrough mode switching
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix concurrent write failure in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache policy smq: fix missing locks in invalidating cache blocks
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix write hang in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix write path cache coherency in passthrough mode
Ming-Hung Tsai <mtsai@redhat.com>
dm cache: fix null-deref with concurrent writes in passthrough mode
Sander Vanheule <sander@svanheule.net>
ASoC: sti: use managed regmap_field allocations
Sander Vanheule <sander@svanheule.net>
ASoC: sti: Return errors from regmap_field_alloc()
Aleksander Jan Bajkowski <olek2@wp.pl>
crypto: inside-secure/eip93 - fix register definition
Charles Keepax <ckeepax@opensource.cirrus.com>
ASoC: SDCA: Update counting of SU/GE DAPM routes
Felix Gu <ustc.gu@gmail.com>
PCI: imx6: Fix device node reference leak in imx_pcie_probe()
Ethan Tidmore <ethantidmore06@gmail.com>
drm/sun4i: backend: fix error pointer dereference
Koichiro Den <den@valinux.co.jp>
PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc
Koichiro Den <den@valinux.co.jp>
PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested
George Abraham P <george.abraham.p@intel.com>
PCI/TPH: Allow TPH enable for RCiEPs
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-compress: use function to clear symmetric params
Val Packett <val@invisiblethingslab.com>
drm/virtio: Allow importing prime buffers when 3D is enabled
Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
drm/komeda: fix integer overflow in AFBC framebuffer size check
Yuwen Chen <ywen.chen@foxmail.com>
selftests/futex: Fix incorrect result reporting of futex_requeue test item
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()
Jiayuan Chen <jiayuan.chen@linux.dev>
net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
Xin Long <lucien.xin@gmail.com>
sctp: fix missing encap_port propagation for GSO fragments
Kuniyuki Iwashima <kuniyu@google.com>
tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().
Gabriel Krisman Bertazi <krisman@suse.de>
udp: Force compute_score to always inline
Maxime Chevallier <maxime.chevallier@bootlin.com>
net: phy: qcom: at803x: Use the correct bit to disable extended next page
Stefan Metzmacher <metze@samba.org>
Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec
Dudu Lu <phx0fer@gmail.com>
Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
Pauli Virtanen <pav@iki.fi>
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
Jonathan Rissanen <jonathan.rissanen@axis.com>
Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
Sun Jian <sun.jian.kdev@gmail.com>
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
Gal Pressman <gal@nvidia.com>
net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
Gal Pressman <gal@nvidia.com>
net/mlx5e: Fix features not applied during netdev registration
Charles Perry <charles.perry@microchip.com>
net: phy: fix a return path in get_phy_c45_ids()
Josua Mayer <josua@solid-run.com>
dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
Luca Weiss <luca.weiss@fairphone.com>
net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
Luca Weiss <luca.weiss@fairphone.com>
net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
Taegu Ha <hataegu0826@gmail.com>
ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
Lang Xu <xulang@uniontech.com>
bpf: Fix OOB in pcpu_init_value
Greg Jumper <greg.jumper@oracle.com>
net/rds: Restrict use of RDS/IB to the initial network namespace
Håkon Bugge <haakon.bugge@oracle.com>
net/rds: Optimize rds_ib_laddr_check
Paul Chaignon <paul.chaignon@gmail.com>
selftests/bpf: Fix reg_bounds to match new tnum-based refinement
Emil Tsalapatis <emil@etsalapatis.com>
bpf: Allow instructions with arena source and non-arena dest registers
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue()
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Move current_speed debugfs file to mana_init_port()
Haiyang Zhang <haiyangz@microsoft.com>
net: mana: Support HW link state events
Erni Sri Satya Vennela <ernis@linux.microsoft.com>
net: mana: Use pci_name() for debugfs directory naming
Florian Westphal <fw@strlen.de>
selftests: netfilter: nft_tproxy.sh: adjust to socat changes
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: act_ct: Only release RCU read lock after ct_ft
Eduard Zingerman <eddyz87@gmail.com>
selftests/bpf: fix __jited_unpriv tag name
Daniel Borkmann <daniel@iogearbox.net>
bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
Puranjay Mohan <puranjay@kernel.org>
bpf: Relax scalar id equivalence for state pruning
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Generalize airoha_ppe2_is_enabled routine
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add airoha_eth_soc_data struct
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add airoha_ppe_get_num_stats_entries() and airoha_ppe_get_num_total_stats_entries()
Mashiro Chen <mashiro.chen@mailbox.org>
net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
Sechang Lim <rhkrqnwk98@gmail.com>
bpf: Fix RCU stall in bpf_fd_array_map_clear()
Puranjay Mohan <puranjay@kernel.org>
bpf: return VMA snapshot from task_vma iterator
Puranjay Mohan <puranjay@kernel.org>
bpf: switch task_vma iterator from mmap_lock to per-VMA locks
Puranjay Mohan <puranjay@kernel.org>
bpf: fix mm lifecycle in open-coded task_vma iterator
Florian Westphal <fw@strlen.de>
netfilter: nft_fwd_netdev: check ttl/hl before forwarding
Florian Westphal <fw@strlen.de>
netfilter: xt_socket: enable defrag after all other checks
Mohsin Bashir <hmohsin@meta.com>
eth: fbnic: Use wake instead of start
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix racing timeout handler
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix leaking free_bds
Justin Chen <justin.chen@broadcom.com>
net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
Cosmin Ratiu <cratiu@nvidia.com>
macsec: Support VLAN-filtering lower devices
Wang Wensheng <wsw9603@163.com>
arm64: kexec: Remove duplicate allocation for trans_pgd
Haoyu Lu <hechushiguitu666@gmail.com>
ACPI: AGDI: fix missing newline in error message
Mark Rutland <mark.rutland@arm.com>
arm64: entry: Don't preempt with SError or Debug masked
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix linked reg delta tracking when src_reg == dst_reg
Puranjay Mohan <puranjay@kernel.org>
bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking
Baochen Qiang <baochen.qiang@oss.qualcomm.com>
wifi: ath10k: fix station lookup failure during disconnect
Weiming Shi <bestswngs@gmail.com>
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
Nicolas Escande <nico.escande@gmail.com>
wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()
Ethan Tidmore <ethantidmore06@gmail.com>
wifi: brcmfmac: Fix error pointer dereference
Arnd Bergmann <arnd@arndb.de>
net: ethernet: ti-cpsw: fix linking built-in code to modules
Arnd Bergmann <arnd@arndb.de>
net: ethernet: ti-cpsw:: rename soft_reset() function
MingTao Huang <mintaohuang@tencent.com>
bpf: Fix stale offload->prog pointer after constant blinding
Weiming Shi <bestswngs@gmail.com>
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
Eric Dumazet <edumazet@google.com>
macvlan: annotate data-races around port->bc_queue_len_used
Leon Hwang <leon.hwang@linux.dev>
bpf: Fix abuse of kprobe_write_ctx via freplace
Amit Machhiwal <amachhiw@linux.ibm.com>
selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug
Sourabh Jain <sourabhjain@linux.ibm.com>
powerpc/crash: fix backup region offset update to elfcorehdr
Chih Kai Hsu <hsu.chih.kai@realtek.com>
r8152: fix incorrect register write to USB_UPHY_XTAL
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block
Ankit Agrawal <ankita@nvidia.com>
vfio: refactor vfio_pci_mmap_huge_fault function
Alexey Velichayshiy <a.velichayshiy@ispras.ru>
wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
haoyu.lu <hechushiguitu666@gmail.com>
bpf,arc_jit: Fix missing newline in pr_err messages
Alexei Starovoitov <ast@kernel.org>
bpf: Fix variable length stack write over spilled pointers
David Carlier <devnexen@gmail.com>
bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
Keisuke Nishimura <keisuke.nishimura@inria.fr>
bpf: Fix refcount check in check_struct_ops_btf_id()
Peter Chiu <chui-hao.chiu@mediatek.com>
wifi: mt76: mt7996: fix RRO EMU configuration
Chad Monroe <chad@monroe.io>
wifi: mt76: support upgrading passive scans to active
Chad Monroe <chad@monroe.io>
wifi: mt76: fix multi-radio on-channel scanning
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Switch to the secondary link if the default one is removed
Shayne Chen <shayne.chen@mediatek.com>
wifi: mt76: mt7996: use correct link_id when filling TXD and TXP
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property
Michael Lo <michael.lo@mediatek.com>
wifi: mt76: mt7921: fix 6GHz regulatory update on connection
Duoming Zhou <duoming@zju.edu.cn>
wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
Duoming Zhou <duoming@zju.edu.cn>
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
StanleyYP Wang <StanleyYP.Wang@mediatek.com>
wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
Shayne Chen <shayne.chen@mediatek.com>
wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP
James Clark <james.clark@linaro.org>
arm64: cpufeature: Make PMUVer and PerfMon unsigned
Chad Monroe <chad@monroe.io>
wifi: mt76: fix deadlock in remain-on-channel
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7925: drop puncturing handling from BSS change path
Jack Kao <jack.kao@mediatek.com>
wifi: mt76: mt7925: cqm rssi low/high event notify
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: Fix memory leak destroying device
Rory Little <rory@candelatech.com>
wifi: mt76: mt7921: Place upper limit on station AID
Alok Tiwari <alok.a.tiwari@oracle.com>
wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi
Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr()
Ryder Lee <ryder.lee@mediatek.com>
wifi: mt76: mt7915: fix use_cts_prot support
Ryder Lee <ryder.lee@mediatek.com>
wifi: mt76: mt7615: fix use_cts_prot support
Leon Yen <leon.yen@mediatek.com>
wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Reset ampdu_state state in case of failure in mt7996_tx_check_aggr()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in mt7996_vif_link_remove()
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7996: Set mtxq->wcid just for primary link
Shayne Chen <shayne.chen@mediatek.com>
wifi: mt76: mt7996: fix iface combination for different chipsets
StanleyYP Wang <StanleyYP.Wang@mediatek.com>
wifi: mt76: mt7996: fix the behavior of radar detection
David Laight <david.laight.linux@gmail.com>
tools/nolibc/printf: Move snprintf length check to callback
David Laight <david.laight.linux@gmail.com>
tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to 'outbuf[]'
Benjamin Berg <benjamin.berg@intel.com>
tools/nolibc: implement %m if errno is not defined
Heitor Alves de Siqueira <halves@igalia.com>
wifi: libertas: don't kill URBs in interrupt context
Heitor Alves de Siqueira <halves@igalia.com>
wifi: libertas: use USB anchors for tracking in-flight URBs
Petr Pavlu <petr.pavlu@suse.com>
module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
Petr Pavlu <petr.pavlu@suse.com>
params: Replace __modinit with __init_or_module
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy
Ilya Leoshkevich <iii@linux.ibm.com>
s390/bpf: Zero-extend bpf prog return values and kfunc arguments
Cai Xinchen <caixinchen1@huawei.com>
dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
Cai Xinchen <caixinchen1@huawei.com>
dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
Shayne Chen <shayne.chen@mediatek.com>
wifi: ieee80211: fix definition of EHT-MCS 15 in MRU
Johannes Berg <johannes.berg@intel.com>
wifi: ieee80211: split EHT definitions out
Johannes Berg <johannes.berg@intel.com>
wifi: ieee80211: split HE definitions out
Johannes Berg <johannes.berg@intel.com>
wifi: ieee80211: split VHT definitions out
Johannes Berg <johannes.berg@intel.com>
wifi: ieee80211: split HT definitions out
Johannes Berg <johannes.berg@intel.com>
wifi: ieee80211: split mesh definitions out
Feng Yang <yangfeng@kylinos.cn>
bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
Duoming Zhou <duoming@zju.edu.cn>
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
Zilin Guan <zilin@seu.edu.cn>
wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
Michal Koutný <mkoutny@suse.com>
sched/rt: Skip group schedulable check with rt_group_sched=0
John Stultz <jstultz@google.com>
sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr()
Mario Limonciello (AMD) <superm1@kernel.org>
firmware: dmi: Correct an indexing error in dmi.h
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
x86/vdso: Clean up remnants of VDSO32_NOTE_MASK
Ahmed S. Darwish <darwi@linutronix.de>
ASoC: Intel: avs: Include CPUID header at file scope
Ahmed S. Darwish <darwi@linutronix.de>
ASoC: Intel: avs: Check maximum valid CPUID leaf
Biju Das <biju.das.jz@bp.renesas.com>
irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()
Peter Zijlstra <peterz@infradead.org>
sched/topology: Fix sched_domain_span()
K Prateek Nayak <kprateek.nayak@amd.com>
sched/topology: Compute sd_weight considering cpuset partitions
Bart Van Assche <bvanassche@acm.org>
locking: Fix rwlock support in <linux/spinlock_up.h>
Thomas Weißschuh (Schneider Electric) <thomas.weissschuh@linutronix.de>
scripts/gdb: timerlist: Adapt to move of tk_core
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
sparc64: vdso: Link with -z noexecstack
Boqun Feng <boqun.feng@gmail.com>
rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`
Xiaoyao Li <xiaoyao.li@intel.com>
x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE
Ravi Bangoria <ravi.bangoria@amd.com>
perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler
Ravi Bangoria <ravi.bangoria@amd.com>
perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR
Thomas Gleixner <tglx@kernel.org>
hrtimer: Reduce trace noise in hrtimer_start()
Peter Zijlstra <peterz@infradead.org>
hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
Brian Masney <bmasney@redhat.com>
irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
Danilo Krummrich <dakr@kernel.org>
bus: fsl-mc: use generic driver_override infrastructure
Danilo Krummrich <dakr@kernel.org>
s390/cio: use generic driver_override infrastructure
Danilo Krummrich <dakr@kernel.org>
vdpa: use generic driver_override infrastructure
Danilo Krummrich <dakr@kernel.org>
platform/wmi: use generic driver_override infrastructure
Danilo Krummrich <dakr@kernel.org>
PCI: use generic driver_override infrastructure
K Prateek Nayak <kprateek.nayak@amd.com>
cpufreq: Pass the policy to cpufreq_driver->adjust_perf()
Gautham R. Shenoy <gautham.shenoy@amd.com>
amd-pstate: Update cppc_req_cached in fast_switch case
Gautham R. Shenoy <gautham.shenoy@amd.com>
amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()
Gui-Dong Han <hanguidong02@gmail.com>
soundwire: debugfs: initialize firmware_file to empty string
Gui-Dong Han <hanguidong02@gmail.com>
debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
Gui-Dong Han <hanguidong02@gmail.com>
debugfs: check for NULL pointer in debugfs_create_str()
Gopi Krishna Menon <krishnagopi487@gmail.com>
thermal/drivers/spear: Fix error condition for reading st,thermal-flags
Danilo Krummrich <dakr@kernel.org>
devres: fix missing node debug info in devm_krealloc()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: x86: cmos_rtc: Clean up address space handler driver
Viresh Kumar <viresh.kumar@linaro.org>
OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
OPP: debugfs: Use performance level if available to distinguish between rates
Filipe Manana <fdmanana@suse.com>
btrfs: fix deadlock between reflink and transaction commit when using flushoncommit
Yu Kuai <yukuai@fnnas.com>
md: wake raid456 reshape waiters before suspend
Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
md: remove unused static md_wq workqueue
Marco Crivellari <marco.crivellari@suse.com>
dm: add WQ_PERCPU to alloc_workqueue users
Zhan Xusheng <zhanxusheng1024@gmail.com>
erofs: handle 48-bit blocks/uniaddr for extra devices
Yu Kuai <yukuai3@huawei.com>
md: fix array_state=clear sysfs deadlock
Zhan Xusheng <zhanxusheng1024@gmail.com>
erofs: include the trailing NUL in FS_IOC_GETFSLABEL
Gao Xiang <xiang@kernel.org>
erofs: verify metadata accesses for file-backed mounts
Cole Leavitt <cole@unwrap.rs>
pstore/ram: fix resource leak when ioremap() fails
Jackie Liu <liuyun01@kylinos.cn>
blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
Deepanshu Kartikey <kartikey406@gmail.com>
nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
Daan De Meyer <daan.j.demeyer@gmail.com>
loop: fix partition scan race between udev and loop_reread_partitions()
Bart Van Assche <bvanassche@acm.org>
drbd: Balance RCU calls in drbd_adm_dump_devices()
Xiao Ni <xni@redhat.com>
md/raid1: fix the comparing region of interval tree
HyungJung Joo <jhj140711@gmail.com>
fs/mbcache: cancel shrink work before destroying the cache
HyungJung Joo <jhj140711@gmail.com>
fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
Ming Lei <ming.lei@redhat.com>
blk-cgroup: wait for blkcg cleanup before initializing new disk
-------------
Diffstat:
.../bindings/interrupt-controller/arm,gic-v3.yaml | 2 +-
.../devicetree/bindings/net/dsa/nxp,sja1105.yaml | 2 -
.../bindings/ufs/rockchip,rk3576-ufshc.yaml | 7 +-
Documentation/mm/hugetlbfs_reserv.rst | 2 +-
Documentation/netlink/specs/psp.yaml | 2 +
Documentation/process/deprecated.rst | 24 +
Documentation/tools/rtla/common_options.txt | 2 +-
MAINTAINERS | 2 +-
Makefile | 4 +-
arch/arc/net/bpf_jit_arcv2.c | 8 +-
arch/arm/boot/dts/mediatek/mt7623.dtsi | 2 +-
.../boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi | 8 +-
.../nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +-
arch/arm/mach-omap1/clock_data.c | 4 +-
arch/arm/net/bpf_jit_32.c | 6 +
arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 6 +
.../boot/dts/amlogic/meson-gxl-s905d-p230.dts | 3 +-
arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 161 +-
.../boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi | 4 +
.../boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi | 4 +
arch/arm64/boot/dts/freescale/imx8dxl-evk.dts | 114 +-
.../arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi | 4 +-
.../arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi | 2 +-
.../arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 2 +-
.../freescale/imx8mp-aristainetos3a-som-v1.dtsi | 2 +-
.../dts/freescale/imx8mp-data-modul-edm-sbc.dts | 2 +-
.../boot/dts/freescale/imx8mp-debix-model-a.dts | 2 +-
.../dts/freescale/imx8mp-debix-som-a-bmb-08.dts | 2 +-
.../boot/dts/freescale/imx8mp-debix-som-a.dtsi | 2 +-
.../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-edm-g.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 +-
.../imx8mp-hummingboard-pulse-mini-hdmi.dtsi | 11 +-
.../boot/dts/freescale/imx8mp-icore-mx8mp.dtsi | 2 +-
.../boot/dts/freescale/imx8mp-kontron-dl.dtso | 19 +
.../boot/dts/freescale/imx8mp-kontron-osm-s.dtsi | 6 +
.../imx8mp-kontron-smarc-eval-carrier.dts | 1 -
arch/arm64/boot/dts/freescale/imx8mp-navqp.dts | 2 +-
.../boot/dts/freescale/imx8mp-nitrogen-som.dtsi | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-sr-som.dtsi | 4 +-
.../freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts | 4 +-
.../boot/dts/freescale/imx8mp-ultra-mach-sbc.dts | 4 +-
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 10 +-
arch/arm64/boot/dts/freescale/imx8qxp-mek.dts | 10 +-
arch/arm64/boot/dts/freescale/imx91-11x11-evk.dts | 2 +
arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 2 +-
arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt6795.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt7981b.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/mt8365.dtsi | 5 +-
arch/arm64/boot/dts/qcom/lemans.dtsi | 6 +-
arch/arm64/boot/dts/qcom/msm8917-xiaomi-riva.dts | 2 +-
arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts | 2 +-
arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts | 2 +-
arch/arm64/boot/dts/qcom/qcs8300.dtsi | 6 +-
.../dts/qcom/sdm845-xiaomi-beryllium-common.dtsi | 1 +
arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts | 60 +-
arch/arm64/boot/dts/qcom/sm6150.dtsi | 3 +
arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts | 4 +
arch/arm64/boot/dts/qcom/sm8250.dtsi | 5 +
arch/arm64/boot/dts/qcom/sm8450.dtsi | 5 +-
arch/arm64/boot/dts/qcom/sm8550.dtsi | 13 +-
arch/arm64/boot/dts/qcom/sm8650.dtsi | 15 +-
arch/arm64/boot/dts/qcom/sm8750.dtsi | 2 +-
arch/arm64/boot/dts/qcom/x1e80100.dtsi | 10 +-
arch/arm64/boot/dts/rockchip/rk3328-a1.dts | 23 -
arch/arm64/boot/dts/rockchip/rk3562-evb2-v10.dts | 2 +-
arch/arm64/boot/dts/rockchip/rk3566-lckfb-tspi.dts | 4 +-
arch/arm64/boot/dts/rockchip/rk3576.dtsi | 5 +-
arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts | 2 +-
.../boot/dts/rockchip/rk3588s-gameforce-ace.dts | 12 +-
arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts | 14 +-
arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 2 +-
arch/arm64/boot/dts/ti/k3-am62p5-sk.dts | 6 +-
arch/arm64/include/asm/entry-common.h | 21 +-
arch/arm64/include/asm/kernel-pgtable.h | 7 +-
arch/arm64/include/asm/xor.h | 2 +-
arch/arm64/kernel/cpufeature.c | 4 +-
arch/arm64/kernel/machine_kexec.c | 3 -
arch/arm64/kernel/pi/patch-scs.c | 4 +-
arch/arm64/net/bpf_jit_comp.c | 16 +-
arch/powerpc/include/asm/kexec.h | 14 +-
arch/powerpc/kexec/crash.c | 64 +
arch/powerpc/kexec/file_load_64.c | 29 +-
arch/powerpc/mm/pgtable-frag.c | 1 +
arch/powerpc/platforms/44x/warp.c | 2 +
arch/powerpc/platforms/pseries/papr-hvpipe.c | 59 +-
arch/riscv/Kconfig | 22 +
arch/riscv/kernel/traps_misaligned.c | 2 +-
arch/riscv/net/bpf_jit.h | 6 -
arch/riscv/net/bpf_jit_core.c | 7 -
arch/s390/kvm/interrupt.c | 3 +-
arch/s390/kvm/pci.c | 6 +-
arch/s390/mm/fault.c | 2 +-
arch/s390/net/bpf_jit_comp.c | 39 +-
arch/sparc/vdso/Makefile | 2 +-
arch/x86/Makefile.um | 2 +
arch/x86/coco/tdx/debug.c | 2 +-
arch/x86/entry/vdso/vdso2c.c | 1 -
arch/x86/events/amd/ibs.c | 7 +-
arch/x86/events/intel/core.c | 17 +-
arch/x86/events/perf_event.h | 10 +
arch/x86/events/perf_event_flags.h | 1 +
arch/x86/include/asm/shared/tdx.h | 4 +-
arch/x86/include/asm/vdso.h | 1 -
arch/x86/kernel/acpi/cppc.c | 6 +-
arch/x86/kernel/relocate_kernel_64.S | 8 +
arch/x86/kvm/trace.h | 2 +-
arch/x86/um/vdso/Makefile | 7 +-
block/blk-cgroup.c | 16 +
block/disk-events.c | 3 +-
crypto/af_alg.c | 2 +
crypto/jitterentropy-kcapi.c | 14 +-
drivers/accel/rocket/rocket_gem.c | 2 +
drivers/acpi/apei/einj-core.c | 55 +-
drivers/acpi/arm64/agdi.c | 2 +-
drivers/acpi/x86/cmos_rtc.c | 79 +-
drivers/ata/libata-scsi.c | 4 +-
drivers/base/devres.c | 2 +
drivers/block/drbd/drbd_nl.c | 8 +-
drivers/bluetooth/btmtk.c | 4 +-
drivers/bluetooth/hci_ldisc.c | 3 +
drivers/bus/fsl-mc/fsl-mc-bus.c | 43 +-
drivers/bus/stm32_rifsc.c | 52 +-
drivers/cdrom/cdrom.c | 73 +-
drivers/char/ipmi/ssif_bmc.c | 34 +-
drivers/clk/clk-qoriq.c | 17 +-
drivers/clk/clk-xgene.c | 2 +
drivers/clk/imx/clk-imx6q.c | 12 +-
drivers/clk/imx/clk-imx8mq.c | 4 +-
drivers/clk/qcom/dispcc-glymur.c | 4 +-
drivers/clk/qcom/dispcc-milos.c | 1 -
drivers/clk/qcom/dispcc-sc7180.c | 8 +
drivers/clk/qcom/dispcc-sc8280xp.c | 4 -
drivers/clk/qcom/dispcc-sm4450.c | 1 -
drivers/clk/qcom/dispcc-sm8250.c | 6 +-
drivers/clk/qcom/dispcc-sm8450.c | 2 +-
drivers/clk/qcom/dispcc0-sa8775p.c | 2 -
drivers/clk/qcom/dispcc1-sa8775p.c | 2 -
drivers/clk/qcom/gcc-glymur.c | 1 +
drivers/clk/qcom/gcc-sc8180x.c | 64 +-
drivers/clk/qcom/gcc-x1e80100.c | 1 +
drivers/clk/qcom/gdsc.c | 12 +-
drivers/clk/renesas/r9a09g057-cpg.c | 145 +-
drivers/clk/spacemit/ccu_mix.c | 2 +-
drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 17 +-
drivers/clk/visconti/pll.c | 2 +-
drivers/cpufreq/amd-pstate.c | 6 +-
drivers/cpufreq/cpufreq.c | 6 +-
drivers/cpufreq/intel_pstate.c | 4 +-
drivers/crypto/atmel-aes.c | 23 +-
drivers/crypto/atmel-sha.c | 27 +-
drivers/crypto/atmel-tdes.c | 25 +-
drivers/crypto/ccp/ccp-crypto-aes.c | 7 +-
drivers/crypto/hisilicon/sec2/sec_crypto.c | 2 +-
drivers/crypto/inside-secure/eip93/eip93-common.c | 2 +-
drivers/crypto/inside-secure/eip93/eip93-main.c | 16 +-
drivers/crypto/inside-secure/eip93/eip93-regs.h | 2 +-
drivers/crypto/intel/iaa/iaa_crypto_main.c | 2 +-
.../crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 20 +-
.../crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c | 14 +-
.../intel/qat/qat_common/adf_sysfs_ras_counters.c | 12 +-
.../intel/qat/qat_common/icp_qat_hw_20_comp.h | 10 +-
.../crypto/intel/qat/qat_common/qat_comp_algs.c | 10 +-
drivers/crypto/sa2ul.c | 4 +-
drivers/crypto/tegra/tegra-se-aes.c | 9 +
drivers/crypto/tegra/tegra-se-hash.c | 3 +
drivers/cxl/pci.c | 3 +
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 2 -
drivers/dma/mxs-dma.c | 1 +
drivers/dpll/dpll_core.c | 106 +
drivers/dpll/dpll_core.h | 6 +
drivers/dpll/dpll_netlink.c | 16 +
drivers/dpll/dpll_netlink.h | 2 -
drivers/firmware/arm_ffa/driver.c | 2 +-
drivers/firmware/efi/capsule-loader.c | 2 +-
drivers/fwctl/main.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 57 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 66 +
drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 +
drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 1 +
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 10 +
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 5 +
drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 2 +
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +
drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 +
drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 +
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 1 +
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 1 +
drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 62 +
.../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +-
.../amd/display/dc/resource/dce60/dce60_resource.c | 3 +-
.../amd/display/dc/resource/dce80/dce80_resource.c | 3 +-
.../amd/display/include/grph_object_ctrl_defs.h | 4 +
drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c | 15 +
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 118 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h | 1 +
drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h | 1 +
.../gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 15 +-
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_12_ppt.c | 5 +-
.../drm/arm/display/komeda/komeda_framebuffer.c | 6 +-
.../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 72 +-
.../gpu/drm/bridge/cadence/cdns-mhdp8546-core.h | 1 +
.../gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c | 18 +-
drivers/gpu/drm/drm_color_mgmt.c | 2 +-
drivers/gpu/drm/drm_gem.c | 7 +-
drivers/gpu/drm/gma500/oaktrail_hdmi.c | 1 +
drivers/gpu/drm/gma500/oaktrail_lvds.c | 9 +-
drivers/gpu/drm/i915/display/intel_dp.c | 9 +-
drivers/gpu/drm/i915/display/skl_watermark.c | 4 +-
drivers/gpu/drm/i915/gt/intel_reset.c | 3 +-
drivers/gpu/drm/imagination/pvr_rogue_fwif.h | 8 +-
.../gpu/drm/imagination/pvr_rogue_fwif_shared.h | 6 +-
drivers/gpu/drm/loongson/lsdc_drv.c | 2 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 14 +-
drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 14 +-
.../drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h | 7 -
drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 3 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 -
drivers/gpu/drm/msm/dp/dp_display.c | 1 +
drivers/gpu/drm/msm/dsi/dsi.c | 1 +
drivers/gpu/drm/msm/dsi/dsi_cfg.c | 4 +-
drivers/gpu/drm/msm/dsi/dsi_cfg.h | 2 +-
drivers/gpu/drm/msm/dsi/dsi_host.c | 16 +-
drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 1 +
drivers/gpu/drm/msm/hdmi/hdmi.c | 1 +
drivers/gpu/drm/msm/hdmi/hdmi_phy.c | 1 +
drivers/gpu/drm/msm/msm_fb.c | 7 +-
drivers/gpu/drm/msm/msm_gem.c | 3 +
drivers/gpu/drm/msm/msm_gem_shrinker.c | 5 +-
drivers/gpu/drm/msm/msm_gem_vma.c | 11 +-
drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 1 +
drivers/gpu/drm/panel/panel-simple.c | 2 +-
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 +
drivers/gpu/drm/sun4i/sun4i_backend.c | 6 +-
drivers/gpu/drm/sysfb/ofdrm.c | 2 +
drivers/gpu/drm/ttm/ttm_bo.c | 2 +-
drivers/gpu/drm/ttm/ttm_resource.c | 5 +-
drivers/gpu/drm/v3d/v3d_drv.c | 16 +-
drivers/gpu/drm/v3d/v3d_submit.c | 5 +
drivers/gpu/drm/virtio/virtgpu_prime.c | 2 +-
drivers/gpu/drm/xe/xe_dma_buf.c | 52 +-
drivers/gpu/drm/xe/xe_eu_stall.c | 4 +-
drivers/gpu/drm/xe/xe_exec_queue.c | 7 +-
drivers/gpu/drm/xe/xe_gsc.c | 2 +-
drivers/gpu/drm/xe/xe_reg_whitelist.c | 2 +-
drivers/gpu/nova-core/bitfield.rs | 318 +++
drivers/gpu/nova-core/falcon.rs | 38 +-
drivers/gpu/nova-core/nova_core.rs | 3 +
drivers/gpu/nova-core/regs/macros.rs | 259 +-
drivers/hid/bpf/hid_bpf_dispatch.c | 6 +-
drivers/hid/hid-asus.c | 28 +-
drivers/hid/hid-core.c | 67 +-
drivers/hid/hid-gfrm.c | 4 +-
drivers/hid/hid-logitech-hidpp.c | 2 +-
drivers/hid/hid-multitouch.c | 2 +-
drivers/hid/hid-primax.c | 2 +-
drivers/hid/hid-vivaldi-common.c | 2 +-
drivers/hid/i2c-hid/i2c-hid-core.c | 7 +-
drivers/hid/usbhid/hid-core.c | 13 +-
drivers/hid/wacom_sys.c | 6 +-
drivers/hte/Kconfig | 6 +-
drivers/hwmon/aspeed-g6-pwm-tach.c | 8 -
drivers/i3c/master.c | 32 +-
drivers/i3c/master/adi-i3c-master.c | 2 +-
drivers/i3c/master/dw-i3c-master.c | 16 +-
drivers/i3c/master/mipi-i3c-hci/dma.c | 5 +-
drivers/i3c/master/renesas-i3c.c | 4 +-
drivers/infiniband/core/iwpm_msg.c | 6 +-
drivers/iommu/amd/iommu.c | 15 +-
drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 7 +-
drivers/iommu/intel/iommu.c | 16 +-
drivers/iommu/iommufd/selftest.c | 4 +-
drivers/iommu/iommufd/vfio_compat.c | 2 +-
drivers/iommu/riscv/Kconfig | 1 +
drivers/iommu/riscv/iommu-platform.c | 17 +-
drivers/iommu/riscv/iommu.c | 84 +-
drivers/irqchip/irq-gic-v5-its.c | 34 +-
drivers/irqchip/irq-gic-v5.c | 98 +-
drivers/irqchip/irq-meson-gpio.c | 3 +-
drivers/irqchip/irq-pic32-evic.c | 2 +-
drivers/irqchip/irq-renesas-rzg2l.c | 2 +-
drivers/irqchip/irq-riscv-imsic-early.c | 2 +
drivers/leds/blink/leds-lgm-sso.c | 2 -
drivers/mailbox/mailbox-test.c | 39 +-
drivers/mailbox/mailbox.c | 3 +-
drivers/mailbox/mtk-cmdq-mailbox.c | 8 +-
drivers/md/dm-bufio.c | 3 +-
drivers/md/dm-cache-metadata.c | 24 +-
drivers/md/dm-cache-metadata.h | 5 -
drivers/md/dm-cache-policy-smq.c | 4 +
drivers/md/dm-cache-target.c | 76 +-
drivers/md/dm-clone-target.c | 3 +-
drivers/md/dm-crypt.c | 6 +-
drivers/md/dm-delay.c | 4 +-
drivers/md/dm-init.c | 4 +-
drivers/md/dm-integrity.c | 15 +-
drivers/md/dm-kcopyd.c | 3 +-
drivers/md/dm-log-userspace-base.c | 3 +-
drivers/md/dm-log.c | 6 +-
drivers/md/dm-mpath.c | 14 +-
drivers/md/dm-raid1.c | 5 +-
drivers/md/dm-snap-persistent.c | 3 +-
drivers/md/dm-stripe.c | 2 +-
drivers/md/dm-verity-target.c | 4 +-
drivers/md/dm-writecache.c | 3 +-
drivers/md/dm.c | 3 +-
drivers/md/md-bitmap.c | 133 +-
drivers/md/md-bitmap.h | 2 +-
drivers/md/md-llbitmap.c | 7 +-
drivers/md/md.c | 257 +-
drivers/md/md.h | 3 +
drivers/md/raid1-10.c | 7 +-
drivers/md/raid1.c | 4 +-
drivers/media/i2c/og01a1b.c | 13 +-
drivers/memory/tegra/tegra124-emc.c | 2 +-
drivers/memory/tegra/tegra30-emc.c | 6 +-
drivers/mfd/mc13xxx-core.c | 2 +-
drivers/mtd/maps/physmap-gemini.c | 2 +-
drivers/mtd/nand/raw/sunxi_nand.c | 6 +-
drivers/mtd/nand/spi/core.c | 100 +-
drivers/mtd/nand/spi/esmt.c | 2 +-
drivers/mtd/nand/spi/micron.c | 2 +-
drivers/mtd/nand/spi/winbond.c | 71 +-
drivers/mtd/parsers/ofpart_core.c | 4 +-
drivers/mtd/spi-nor/core.c | 2 +-
drivers/mtd/spi-nor/core.h | 8 +-
drivers/mtd/spi-nor/sfdp.c | 30 +-
drivers/mtd/spi-nor/swp.c | 4 +-
drivers/net/bareudp.c | 3 +
drivers/net/bonding/bond_3ad.c | 109 +-
drivers/net/bonding/bond_main.c | 8 +-
drivers/net/bonding/bond_netlink.c | 21 +-
drivers/net/bonding/bond_procfs.c | 3 +-
drivers/net/bonding/bond_sysfs_slave.c | 17 +-
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
drivers/net/ethernet/airoha/airoha_eth.c | 711 ++++--
drivers/net/ethernet/airoha/airoha_eth.h | 82 +-
drivers/net/ethernet/airoha/airoha_ppe.c | 261 +-
drivers/net/ethernet/airoha/airoha_ppe_debugfs.c | 3 +-
drivers/net/ethernet/airoha/airoha_regs.h | 115 +-
drivers/net/ethernet/amazon/ena/ena_com.c | 7 +-
drivers/net/ethernet/amazon/ena/ena_phc.c | 5 +-
.../net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
drivers/net/ethernet/broadcom/bnge/bnge_core.c | 30 +-
drivers/net/ethernet/broadcom/bnge/bnge_rmem.c | 16 -
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 30 +-
drivers/net/ethernet/freescale/Makefile | 3 +-
drivers/net/ethernet/freescale/dpaa2/Kconfig | 4 +
drivers/net/ethernet/freescale/enetc/ntmp.c | 231 +-
.../net/ethernet/freescale/enetc/ntmp_private.h | 10 +-
drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
drivers/net/ethernet/intel/i40e/i40e.h | 1 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 +-
drivers/net/ethernet/intel/iavf/iavf.h | 9 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 52 +-
drivers/net/ethernet/intel/iavf/iavf_type.h | 2 +-
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 76 +-
drivers/net/ethernet/intel/ice/devlink/devlink.c | 2 +
drivers/net/ethernet/intel/ice/ice_adminq_cmd.h | 2 +-
drivers/net/ethernet/intel/ice/ice_common.c | 2 -
drivers/net/ethernet/intel/ice/ice_dpll.c | 146 +-
drivers/net/ethernet/intel/ice/ice_main.c | 2 +
drivers/net/ethernet/intel/ice/ice_ptp.c | 44 +-
drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 12 +-
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 259 +-
drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 5 +
drivers/net/ethernet/intel/ice/ice_txrx.c | 7 +-
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 +-
drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 +
.../mellanox/mlx5/core/en_accel/ipsec_offload.c | 12 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 +
drivers/net/ethernet/mellanox/mlx5/core/main.c | 4 +-
drivers/net/ethernet/meta/fbnic/fbnic_pci.c | 2 +-
drivers/net/ethernet/microsoft/mana/gdma_main.c | 184 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 12 +
drivers/net/ethernet/microsoft/mana/mana_en.c | 303 ++-
drivers/net/ethernet/microsoft/mana/mana_ethtool.c | 123 +-
.../ethernet/netronome/nfp/nfpcore/nfp_target.c | 17 +-
drivers/net/ethernet/sfc/efx_devlink.c | 2 +-
drivers/net/ethernet/ti/Makefile | 30 +-
drivers/net/ethernet/ti/cpsw.c | 2 +-
drivers/net/ethernet/ti/cpsw_ale.c | 25 +
drivers/net/ethernet/ti/cpsw_ethtool.c | 24 +
drivers/net/ethernet/ti/cpsw_new.c | 2 +-
drivers/net/ethernet/ti/cpsw_priv.c | 39 +-
drivers/net/ethernet/ti/cpsw_priv.h | 2 +-
drivers/net/ethernet/ti/cpsw_sl.c | 11 +
drivers/net/ethernet/ti/davinci_cpdma.c | 27 +
drivers/net/hamradio/6pack.c | 9 +-
drivers/net/ipa/gsi.c | 1 +
drivers/net/ipa/ipa_main.c | 6 +-
drivers/net/macsec.c | 71 +-
drivers/net/macvlan.c | 9 +-
drivers/net/mctp/mctp-i2c.c | 4 +-
drivers/net/netconsole.c | 7 +
drivers/net/netdevsim/dev.c | 2 +-
drivers/net/phy/dp83869.c | 13 +-
drivers/net/phy/phy_device.c | 4 +-
drivers/net/phy/qcom/at803x.c | 2 +-
drivers/net/ppp/ppp_generic.c | 5 +-
drivers/net/ppp/pppoe.c | 8 +-
drivers/net/slip/slhc.c | 49 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/rtl8150.c | 12 +-
drivers/net/virtio_net.c | 6 +
drivers/net/vrf.c | 15 +-
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 26 +-
.../wireless/broadcom/brcm80211/brcmfmac/chip.c | 15 +
drivers/net/wireless/marvell/libertas/if_usb.c | 32 +-
drivers/net/wireless/marvell/libertas/if_usb.h | 3 +
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
drivers/net/wireless/mediatek/mt76/channel.c | 13 +-
drivers/net/wireless/mediatek/mt76/dma.c | 11 +-
drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
drivers/net/wireless/mediatek/mt76/mt76.h | 4 +
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 15 -
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 7 +-
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 47 +
drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h | 5 +-
drivers/net/wireless/mediatek/mt76/mt7615/regs.h | 2 -
.../net/wireless/mediatek/mt76/mt76_connac_mac.c | 6 +-
.../net/wireless/mediatek/mt76/mt76_connac_mcu.h | 2 +
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 13 -
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 +-
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 62 +
drivers/net/wireless/mediatek/mt76/mt7915/mcu.h | 11 +
drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h | 4 +
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 22 +-
drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h | 2 +
drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 9 +-
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 26 +-
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 91 +-
drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 8 +
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 11 +-
drivers/net/wireless/mediatek/mt76/mt7996/init.c | 22 +-
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 75 +-
drivers/net/wireless/mediatek/mt76/mt7996/main.c | 128 +-
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 55 +-
drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 5 +-
drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 3 +
drivers/net/wireless/mediatek/mt76/scan.c | 66 +-
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
drivers/nfc/trf7970a.c | 3 +-
drivers/nvme/host/apple.c | 1 +
drivers/nvme/host/pci.c | 1 +
drivers/nvme/target/tcp.c | 51 +-
drivers/opp/core.c | 2 +-
drivers/opp/debugfs.c | 20 +-
drivers/pci/controller/dwc/pci-imx6.c | 4 +-
.../pci/controller/dwc/pcie-designware-debugfs.c | 21 +-
drivers/pci/controller/dwc/pcie-designware-ep.c | 2 +-
drivers/pci/controller/dwc/pcie-designware-host.c | 18 +-
drivers/pci/controller/dwc/pcie-designware.c | 16 +-
drivers/pci/controller/dwc/pcie-designware.h | 2 +
drivers/pci/controller/dwc/pcie-qcom.c | 17 +-
drivers/pci/controller/dwc/pcie-rcar-gen4.c | 2 +-
drivers/pci/controller/dwc/pcie-tegra194.c | 247 +-
drivers/pci/controller/pcie-mediatek-gen3.c | 8 +-
drivers/pci/endpoint/functions/pci-epf-test.c | 8 +-
drivers/pci/endpoint/pci-ep-msi.c | 5 +
drivers/pci/npem.c | 2 +-
drivers/pci/pci-driver.c | 20 +-
drivers/pci/pci-sysfs.c | 28 -
drivers/pci/pci.c | 41 +-
drivers/pci/pcie/dpc.c | 1 +
drivers/pci/probe.c | 1 -
drivers/pci/setup-bus.c | 26 +-
drivers/pci/tph.c | 9 +-
drivers/pcmcia/rsrc_nonstatic.c | 6 +-
drivers/pinctrl/nomadik/pinctrl-abx500.c | 2 +-
drivers/pinctrl/pinconf-generic.c | 7 +-
drivers/pinctrl/pinctrl-cy8c95x0.c | 27 +-
drivers/pinctrl/pinctrl-pic32.c | 20 +-
drivers/pinctrl/realtek/pinctrl-rtd.c | 2 +-
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 7 +
drivers/pinctrl/sophgo/pinctrl-sg2042.c | 2 +-
drivers/pinctrl/sophgo/pinctrl-sg2044.c | 2 +-
drivers/platform/chrome/chromeos_tbmc.c | 6 +
drivers/platform/surface/surfacepro3_button.c | 1 +
drivers/platform/x86/asus-wmi.c | 50 +-
drivers/platform/x86/barco-p50-gpio.c | 5 +-
.../x86/dell/dell-wmi-sysman/enum-attributes.c | 34 +-
drivers/platform/x86/dell/dell_rbu.c | 6 +-
drivers/platform/x86/intel/vsec_tpmi.c | 10 +-
drivers/platform/x86/lenovo/wmi-events.c | 2 +-
drivers/platform/x86/lenovo/wmi-gamezone.c | 1 -
drivers/platform/x86/lenovo/wmi-gamezone.h | 20 -
drivers/platform/x86/lenovo/wmi-helpers.h | 13 +
drivers/platform/x86/lenovo/wmi-other.c | 8 +-
drivers/platform/x86/panasonic-laptop.c | 5 +-
drivers/platform/x86/wmi.c | 36 +-
drivers/pmdomain/imx/scu-pd.c | 1 +
drivers/pmdomain/ti/omap_prm.c | 1 +
drivers/pwm/pwm-atmel-tcb.c | 38 +-
drivers/pwm/pwm-stm32.c | 22 +-
drivers/remoteproc/imx_rproc.c | 6 +-
drivers/remoteproc/xlnx_r5_remoteproc.c | 2 +-
drivers/reset/amlogic/reset-meson.c | 1 +
drivers/rtc/rtc-abx80x.c | 2 +
drivers/s390/cio/cio.h | 5 -
drivers/s390/cio/css.c | 34 +-
drivers/scsi/sg.c | 31 +-
drivers/scsi/sr.c | 11 +-
drivers/scsi/sr.h | 1 -
drivers/soc/qcom/llcc-qcom.c | 2 +-
drivers/soc/qcom/ocmem.c | 17 +-
drivers/soc/qcom/qcom_aoss.c | 2 +-
drivers/soc/tegra/cbb/tegra234-cbb.c | 35 +-
drivers/soundwire/bus.c | 8 +-
drivers/soundwire/cadence_master.c | 8 +
drivers/soundwire/debugfs.c | 9 +-
drivers/soundwire/intel_ace2x.c | 5 +
drivers/spi/spi-amlogic-spisg.c | 3 +-
drivers/spi/spi-fsl-qspi.c | 3 +-
drivers/spi/spi-hisi-kunpeng.c | 12 +-
drivers/spi/spi-mtk-snfi.c | 14 +
drivers/spi/spi-nxp-fspi.c | 3 +-
drivers/spi/spi-rockchip.c | 3 +-
drivers/spi/spi-sifive.c | 29 +-
drivers/staging/greybus/hid.c | 2 +-
drivers/staging/media/imx/imx-media-csi.c | 44 +-
drivers/target/target_core_sbc.c | 3 +-
drivers/thermal/spear_thermal.c | 2 +-
drivers/tty/hvc/hvc_iucv.c | 2 +-
drivers/tty/serial/ip22zilog.c | 2 +-
drivers/usb/typec/mux/ps883x.c | 1 +
drivers/usb/typec/tipd/core.c | 6 +-
drivers/vdpa/vdpa.c | 48 +-
drivers/vfio/fsl-mc/vfio_fsl_mc.c | 4 +-
drivers/vfio/pci/vfio_pci_core.c | 64 +-
drivers/vhost/net.c | 4 +-
drivers/video/backlight/sky81452-backlight.c | 3 +
drivers/video/fbdev/matrox/g450_pll.c | 2 +-
drivers/video/fbdev/offb.c | 7 +-
drivers/virt/coco/arm-cca-guest/arm-cca-guest.c | 3 +-
drivers/virt/coco/sev-guest/sev-guest.c | 12 +-
drivers/xen/xen-pciback/pci_stub.c | 6 +-
fs/adfs/super.c | 3 +
fs/btrfs/disk-io.c | 1 +
fs/btrfs/inode.c | 8 +-
fs/btrfs/reflink.c | 45 +
fs/btrfs/transaction.c | 9 +-
fs/ceph/xattr.c | 17 +
fs/dcache.c | 18 +-
fs/debugfs/file.c | 7 +-
fs/erofs/data.c | 14 +
fs/erofs/erofs_fs.h | 4 +-
fs/erofs/inode.c | 2 +-
fs/erofs/super.c | 8 +-
fs/erofs/zdata.c | 2 +-
fs/erofs/zmap.c | 19 +-
fs/eventpoll.c | 126 +-
fs/ext4/mballoc-test.c | 6 +-
fs/f2fs/f2fs.h | 98 +-
fs/f2fs/gc.c | 28 +-
fs/f2fs/super.c | 76 +-
fs/f2fs/sysfs.c | 7 +-
fs/fuse/dir.c | 226 +-
fs/fuse/file.c | 20 +-
fs/fuse/fuse_i.h | 10 +
fs/fuse/inode.c | 3 +
fs/gfs2/aops.c | 5 +-
fs/gfs2/inode.c | 3 +-
fs/gfs2/log.c | 33 +-
fs/mbcache.c | 1 +
fs/netfs/iterator.c | 13 +-
fs/nfs/blocklayout/blocklayout.c | 4 +-
fs/nfsd/nfs4state.c | 17 +-
fs/nilfs2/ioctl.c | 6 +
fs/notify/fanotify/fanotify_user.c | 50 +-
fs/notify/mark.c | 39 +-
fs/ntfs3/super.c | 7 +-
fs/ocfs2/dlm/dlmdomain.c | 10 +-
fs/ocfs2/ioctl.c | 18 +-
fs/ocfs2/resize.c | 12 +-
fs/ocfs2/xattr.c | 4 +-
fs/omfs/inode.c | 6 +
fs/pstore/ram_core.c | 4 +
fs/quota/dquot.c | 38 +-
fs/smb/client/cifsglob.h | 22 -
fs/smb/client/ioctl.c | 2 +-
fs/smb/client/smb2file.c | 3 +
fs/smb/client/smb2transport.c | 32 +-
fs/smb/common/cifsglob.h | 31 +
fs/smb/server/auth.c | 11 +-
fs/smb/server/connection.c | 9 +
fs/smb/server/mgmt/user_session.c | 12 +-
fs/smb/server/smb2misc.c | 2 +-
fs/smb/server/smb2ops.c | 32 +-
fs/smb/server/smb2pdu.c | 25 +-
fs/smb/server/smb_common.h | 29 -
fs/tracefs/event_inode.c | 2 +-
fs/xfs/xfs_zone_alloc.c | 2 +-
include/acpi/actbl1.h | 6 +
include/dt-bindings/clock/qcom,dispcc-sc7180.h | 7 +-
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 5 +
include/dt-bindings/clock/qcom,glymur-gcc.h | 1 +
include/linux/bpf_verifier.h | 6 +-
include/linux/cdrom.h | 1 +
include/linux/cpufreq.h | 4 +-
include/linux/cpuhotplug.h | 1 -
include/linux/dcache.h | 2 +
include/linux/dmi.h | 5 +
include/linux/dpll.h | 41 +
include/linux/fsl/mc.h | 4 -
include/linux/fsl/ntmp.h | 9 +-
include/linux/hid.h | 6 +-
include/linux/hid_bpf.h | 14 +-
include/linux/ieee80211-eht.h | 1182 +++++++++
include/linux/ieee80211-he.h | 824 ++++++
include/linux/ieee80211-ht.h | 292 +++
include/linux/ieee80211-mesh.h | 230 ++
include/linux/ieee80211-vht.h | 236 ++
include/linux/ieee80211.h | 2663 +-------------------
include/linux/iopoll.h | 8 +-
include/linux/irqchip/arm-gic-v5.h | 3 -
include/linux/kernel.h | 196 +-
include/linux/moduleparam.h | 11 +-
include/linux/mtd/spinand.h | 69 +-
include/linux/nstree.h | 6 +-
include/linux/padata.h | 8 +-
include/linux/pci.h | 6 -
include/linux/pm_domain.h | 4 +-
include/linux/ppp_defs.h | 16 +
include/linux/printk.h | 5 +-
include/linux/quotaops.h | 9 +-
include/linux/sched/topology.h | 24 +-
include/linux/slab.h | 58 +
include/linux/spinlock_up.h | 20 +-
include/linux/stop_machine.h | 4 +-
include/linux/tcp.h | 4 +-
include/linux/trace_printk.h | 203 ++
include/linux/vdpa.h | 4 -
include/linux/vfio.h | 2 -
include/linux/vfio_pci_core.h | 13 +
include/linux/wmi.h | 4 -
include/net/bond_3ad.h | 2 +-
include/net/mana/gdma.h | 29 +-
include/net/mana/hw_channel.h | 2 +
include/net/mana/mana.h | 24 +-
include/net/pie.h | 2 +-
include/net/tcp.h | 33 +-
include/net/tcp_ecn.h | 2 +-
include/sound/soc.h | 3 +
include/trace/events/net.h | 4 +-
include/trace/events/timer.h | 11 +-
include/uapi/linux/if_link.h | 2 +
include/uapi/linux/iommufd.h | 5 +
include/uapi/linux/mii.h | 3 +-
io_uring/io-wq.c | 3 +-
io_uring/napi.c | 2 +
kernel/Kconfig.kexec | 12 +-
kernel/Makefile | 1 +
kernel/audit.c | 4 +
kernel/auditsc.c | 2 +-
kernel/bpf/arena.c | 4 +
kernel/bpf/arraymap.c | 4 +-
kernel/bpf/bpf_lsm.c | 3 -
kernel/bpf/core.c | 2 +
kernel/bpf/devmap.c | 5 +-
kernel/bpf/hashtab.c | 2 +-
kernel/bpf/helpers.c | 17 +-
kernel/bpf/local_storage.c | 2 +-
kernel/bpf/syscall.c | 17 +
kernel/bpf/task_iter.c | 151 +-
kernel/bpf/verifier.c | 189 +-
kernel/cgroup/cgroup.c | 46 +-
kernel/cgroup/dmem.c | 1 +
kernel/cgroup/rdma.c | 2 +-
kernel/fork.c | 23 +-
kernel/futex/requeue.c | 13 +-
kernel/kexec_handover.c | 269 +-
kernel/kexec_handover_debugfs.c | 216 ++
kernel/kexec_handover_internal.h | 35 +
kernel/module/main.c | 4 +-
kernel/padata.c | 130 +-
kernel/params.c | 42 +-
kernel/sched/core.c | 25 +-
kernel/sched/cpufreq_schedutil.c | 5 +-
kernel/sched/deadline.c | 18 +-
kernel/sched/ext.c | 14 +-
kernel/sched/fair.c | 166 +-
kernel/sched/rt.c | 20 +-
kernel/sched/topology.c | 14 +-
kernel/time/hrtimer.c | 51 +-
kernel/trace/trace.c | 7 +-
kernel/trace/trace.h | 2 +-
kernel/trace/trace_branch.c | 8 +-
kernel/trace/trace_events_hist.c | 12 +-
kernel/trace/trace_printk.c | 1 +
kernel/workqueue.c | 4 +-
lib/tests/kunit_iov_iter.c | 14 +-
mm/memblock.c | 2 +-
net/bluetooth/hci_event.c | 3 -
net/bluetooth/l2cap_core.c | 8 +-
net/bluetooth/sco.c | 3 +-
net/bpf/test_run.c | 35 +-
net/ceph/crush/crush.c | 6 +-
net/ceph/osdmap.c | 14 +-
net/core/filter.c | 6 +-
net/core/neighbour.c | 10 +-
net/core/netpoll.c | 19 +-
net/core/page_pool.c | 10 +-
net/dsa/conduit.c | 169 +-
net/ipv4/netfilter/arp_tables.c | 18 +-
net/ipv4/netfilter/arpt_mangle.c | 8 +
net/ipv4/netfilter/iptable_nat.c | 4 +-
net/ipv4/nexthop.c | 4 +-
net/ipv4/syncookies.c | 2 +-
net/ipv4/tcp.c | 91 +-
net/ipv4/tcp_bbr.c | 6 +-
net/ipv4/tcp_bic.c | 2 +-
net/ipv4/tcp_cdg.c | 4 +-
net/ipv4/tcp_cubic.c | 6 +-
net/ipv4/tcp_dctcp.c | 2 +-
net/ipv4/tcp_input.c | 56 +-
net/ipv4/tcp_metrics.c | 6 +-
net/ipv4/tcp_nv.c | 4 +-
net/ipv4/tcp_output.c | 43 +-
net/ipv4/tcp_plb.c | 2 +-
net/ipv4/tcp_timer.c | 7 +-
net/ipv4/tcp_vegas.c | 9 +-
net/ipv4/tcp_westwood.c | 4 +-
net/ipv4/tcp_yeah.c | 3 +-
net/ipv4/udp.c | 12 +-
net/ipv6/icmp.c | 10 +-
net/ipv6/netfilter/ip6table_nat.c | 4 +-
net/ipv6/udp.c | 13 +-
net/mac80211/mlme.c | 3 +-
net/netfilter/ipvs/ip_vs_xmit.c | 19 +-
net/netfilter/nf_conntrack_proto_sctp.c | 10 +-
net/netfilter/nf_conntrack_sip.c | 160 +-
net/netfilter/nf_nat_amanda.c | 2 +-
net/netfilter/nf_nat_core.c | 10 +-
net/netfilter/nf_nat_sip.c | 34 +-
net/netfilter/nf_tables_api.c | 44 +-
net/netfilter/nfnetlink_osf.c | 45 +-
net/netfilter/nft_ct.c | 2 +
net/netfilter/nft_fwd_netdev.c | 10 +
net/netfilter/nft_osf.c | 6 +-
net/netfilter/xt_mac.c | 34 +-
net/netfilter/xt_owner.c | 37 +-
net/netfilter/xt_physdev.c | 29 +-
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_realm.c | 2 +-
net/netfilter/xt_socket.c | 23 +-
net/openvswitch/datapath.c | 35 +-
net/openvswitch/vport.c | 3 +
net/psp/psp-nl-gen.c | 4 +-
net/psp/psp_nl.c | 10 +-
net/rds/af_rds.c | 10 +-
net/rds/connection.c | 14 +
net/rds/ib.c | 24 +-
net/rds/ib.h | 1 +
net/rds/ib_rdma.c | 2 +-
net/sched/act_ct.c | 8 +-
net/sched/act_mirred.c | 2 +-
net/sched/sch_cake.c | 53 +-
net/sched/sch_choke.c | 26 +-
net/sched/sch_dualpi2.c | 32 +-
net/sched/sch_fq_codel.c | 3 +-
net/sched/sch_fq_pie.c | 19 +-
net/sched/sch_hhf.c | 19 +-
net/sched/sch_netem.c | 76 +-
net/sched/sch_pie.c | 52 +-
net/sched/sch_red.c | 31 +-
net/sched/sch_sfb.c | 54 +-
net/sched/sch_taprio.c | 22 +-
net/sctp/inqueue.c | 1 +
net/sctp/sm_statefuns.c | 6 +
net/sctp/socket.c | 2 +-
net/tipc/msg.c | 14 +-
net/tls/tls.h | 1 +
net/tls/tls_strp.c | 6 +
net/tls/tls_sw.c | 4 +
net/unix/af_unix.c | 9 +-
net/unix/unix_bpf.c | 3 +
net/vmw_vsock/virtio_transport_common.c | 11 +-
rust/kernel/cpufreq.rs | 13 +-
rust/kernel/sync/atomic.rs | 5 +-
scripts/gdb/linux/timerlist.py | 2 +-
scripts/package/builddeb | 8 +-
security/integrity/ima/ima_crypto.c | 2 +-
security/integrity/ima/ima_fs.c | 16 +-
sound/core/compress_offload.c | 7 -
sound/core/sound.c | 7 +
sound/hda/codecs/cmedia.c | 7 -
sound/hda/codecs/conexant.c | 8 +-
sound/hda/codecs/realtek/alc269.c | 22 +-
sound/hda/codecs/side-codecs/cs35l56_hda.c | 12 +-
sound/hda/codecs/side-codecs/cs35l56_hda.h | 1 +
sound/hda/codecs/side-codecs/tas2781_hda_spi.c | 14 +-
sound/isa/sc6000.c | 152 +-
sound/soc/amd/acp/acp-legacy-mach.c | 2 +-
sound/soc/amd/acp/acp-mach-common.c | 22 +-
sound/soc/amd/acp/acp-mach.h | 4 +
sound/soc/amd/acp/acp-sdw-legacy-mach.c | 4 +-
sound/soc/amd/acp/acp-sof-mach.c | 2 +-
sound/soc/codecs/ab8500-codec.c | 6 +-
sound/soc/codecs/tas2764.c | 1 +
sound/soc/codecs/tas2770.c | 4 +-
sound/soc/fsl/fsl_easrc.c | 123 +-
sound/soc/fsl/fsl_micfil.c | 60 +-
sound/soc/fsl/fsl_xcvr.c | 22 +-
sound/soc/intel/Kconfig | 2 +-
sound/soc/intel/avs/tgl.c | 38 +-
sound/soc/qcom/qdsp6/topology.c | 8 +-
sound/soc/renesas/rcar/core.c | 2 +-
sound/soc/rockchip/rockchip_sai.c | 4 +
sound/soc/sdca/sdca_asoc.c | 41 +-
sound/soc/soc-compress.c | 4 +-
sound/soc/soc-pcm.c | 4 +-
sound/soc/sof/compress.c | 8 +-
sound/soc/sof/intel/hda-stream.c | 10 +-
sound/soc/sof/sof-priv.h | 2 +
sound/soc/sti/uniperif_player.c | 9 +-
sound/usb/midi.c | 12 +-
sound/usb/midi2.c | 12 +-
sound/usb/mixer_scarlett2.c | 2 +-
sound/usb/qcom/qc_audio_offload.c | 33 +-
sound/usb/quirks.c | 3 +-
sound/usb/stream.c | 58 +-
sound/usb/stream.h | 3 +-
tools/include/nolibc/stdio.h | 138 +-
tools/lib/bpf/libbpf.c | 23 +-
tools/lib/bpf/relo_core.c | 2 +
tools/perf/builtin-lock.c | 2 +-
tools/perf/builtin-stat.c | 43 +-
tools/perf/builtin-trace.c | 12 +-
tools/perf/util/branch.h | 3 +
tools/perf/util/cgroup.c | 30 +-
tools/perf/util/cs-etm-decoder/cs-etm-decoder.c | 51 +-
tools/perf/util/expr.c | 3 +-
tools/perf/util/maps.c | 15 +-
tools/perf/util/symbol-elf.c | 8 +-
tools/perf/util/util.h | 1 -
tools/power/x86/turbostat/turbostat.8 | 12 +-
tools/power/x86/turbostat/turbostat.c | 26 +-
tools/testing/ktest/ktest.pl | 35 +-
tools/testing/selftests/arm64/gcs/gcs-util.h | 6 -
tools/testing/selftests/arm64/gcs/libc-gcs.c | 1 +
.../testing/selftests/bpf/prog_tests/reg_bounds.c | 35 +
tools/testing/selftests/bpf/prog_tests/snprintf.c | 3 +-
tools/testing/selftests/bpf/progs/bpf_misc.h | 2 +-
.../testing/selftests/bpf/progs/verifier_bounds.c | 2 +-
.../selftests/bpf/progs/verifier_scalar_ids.c | 8 +-
tools/testing/selftests/cgroup/test_memcontrol.c | 11 +-
.../selftests/futex/functional/futex_requeue.c | 49 +-
tools/testing/selftests/kho/vmtest.sh | 1 +
tools/testing/selftests/mm/migration.c | 3 +-
.../selftests/net/netfilter/nft_tproxy_udp.sh | 14 +-
.../net/packetdrill/tcp_ts_recent_invalid_ack.pkt | 4 +-
tools/testing/selftests/powerpc/vphn/Makefile | 2 +-
tools/testing/selftests/sched_ext/exit.c | 2 +-
tools/tracing/rtla/src/actions.c | 7 +-
tools/tracing/rtla/src/osnoise_hist.c | 26 +-
tools/tracing/rtla/src/osnoise_top.c | 26 +-
tools/tracing/rtla/src/timerlat_hist.c | 26 +-
tools/tracing/rtla/src/timerlat_top.c | 26 +-
tools/tracing/rtla/src/utils.c | 65 +-
tools/tracing/rtla/src/utils.h | 3 +
virt/kvm/dirty_ring.c | 3 +-
879 files changed, 14292 insertions(+), 8434 deletions(-)
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 001/957] blk-cgroup: wait for blkcg cleanup before initializing new disk
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 002/957] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
` (961 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Zhang, Ming Lei,
Christoph Hellwig, Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 3dbaacf6ab68f81e3375fe769a2ecdbd3ce386fd ]
When a queue is shared across disk rebind (e.g., SCSI unbind/bind), the
previous disk's blkcg state is cleaned up asynchronously via
disk_release() -> blkcg_exit_disk(). If the new disk's blkcg_init_disk()
runs before that cleanup finishes, we may overwrite q->root_blkg while
the old one is still alive, and radix_tree_insert() in blkg_create()
fails with -EEXIST because the old blkg entries still occupy the same
queue id slot in blkcg->blkg_tree. This causes the sd probe to fail
with -ENOMEM.
Fix it by waiting in blkcg_init_disk() for root_blkg to become NULL,
which indicates the previous disk's blkcg cleanup has completed.
Fixes: 1059699f87eb ("block: move blkcg initialization/destroy into disk allocation/release handler")
Cc: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260311032837.2368714-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-cgroup.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 3cffb68ba5d87..890c161bee25e 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -24,6 +24,7 @@
#include <linux/backing-dev.h>
#include <linux/slab.h>
#include <linux/delay.h>
+#include <linux/wait_bit.h>
#include <linux/atomic.h>
#include <linux/ctype.h>
#include <linux/resume_user_mode.h>
@@ -611,6 +612,8 @@ static void blkg_destroy_all(struct gendisk *disk)
q->root_blkg = NULL;
spin_unlock_irq(&q->queue_lock);
+
+ wake_up_var(&q->root_blkg);
}
static void blkg_iostat_set(struct blkg_iostat *dst, struct blkg_iostat *src)
@@ -1498,6 +1501,18 @@ int blkcg_init_disk(struct gendisk *disk)
struct blkcg_gq *new_blkg, *blkg;
bool preloaded;
+ /*
+ * If the queue is shared across disk rebind (e.g., SCSI), the
+ * previous disk's blkcg state is cleaned up asynchronously via
+ * disk_release() -> blkcg_exit_disk(). Wait for that cleanup to
+ * finish (indicated by root_blkg becoming NULL) before setting up
+ * new blkcg state. Otherwise, we may overwrite q->root_blkg while
+ * the old one is still alive, and radix_tree_insert() in
+ * blkg_create() will fail with -EEXIST because the old entries
+ * still occupy the same queue id slot in blkcg->blkg_tree.
+ */
+ wait_var_event(&q->root_blkg, !READ_ONCE(q->root_blkg));
+
new_blkg = blkg_alloc(&blkcg_root, disk, GFP_KERNEL);
if (!new_blkg)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 002/957] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 001/957] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 003/957] fs/mbcache: cancel shrink work before destroying the cache Greg Kroah-Hartman
` (960 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyungjung Joo, Christian Brauner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyungJung Joo <jhj140711@gmail.com>
[ Upstream commit 0621c385fda1376e967f37ccd534c26c3e511d14 ]
omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).
Later, omfs_make_empty() uses
sbi->s_sys_blocksize - OMFS_DIR_START
as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.
Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.
Fixes: a3ab7155ea21 ("omfs: add directory routines")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054827.1822061-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/omfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 135c49c5d848c..31218d89b7580 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -512,6 +512,12 @@ static int omfs_fill_super(struct super_block *sb, struct fs_context *fc)
goto out_brelse_bh;
}
+ if (sbi->s_sys_blocksize < OMFS_DIR_START) {
+ printk(KERN_ERR "omfs: sysblock size (%d) is too small\n",
+ sbi->s_sys_blocksize);
+ goto out_brelse_bh;
+ }
+
if (sbi->s_blocksize < sbi->s_sys_blocksize ||
sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) {
printk(KERN_ERR "omfs: block size (%d) is out of range\n",
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 003/957] fs/mbcache: cancel shrink work before destroying the cache
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 001/957] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 002/957] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 004/957] md/raid1: fix the comparing region of interval tree Greg Kroah-Hartman
` (959 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyungjung Joo, Christian Brauner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyungJung Joo <jhj140711@gmail.com>
[ Upstream commit d227786ab1119669df4dc333a61510c52047cce4 ]
mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.
If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.
This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.
Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.
Fixes: c2f3140fe2ec ("mbcache2: limit cache size")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054556.1821600-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/mbcache.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/mbcache.c b/fs/mbcache.c
index e60a840999aa9..90b0564c62d0b 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -408,6 +408,7 @@ void mb_cache_destroy(struct mb_cache *cache)
{
struct mb_cache_entry *entry, *next;
+ cancel_work_sync(&cache->c_shrink_work);
shrinker_free(cache->c_shrink);
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 004/957] md/raid1: fix the comparing region of interval tree
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 003/957] fs/mbcache: cancel shrink work before destroying the cache Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 005/957] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
` (958 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiao Ni, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiao Ni <xni@redhat.com>
[ Upstream commit de3544d2e5ea99064498de3c21ba490155864657 ]
Interval tree uses [start, end] as a region which stores in the tree.
In raid1, it uses the wrong end value. For example:
bio(A,B) is too big and needs to be split to bio1(A,C-1), bio2(C,B).
The region of bio1 is [A,C] and the region of bio2 is [C,B]. So bio1 and
bio2 overlap which is not right.
Fix this problem by using right end value of the region.
Fixes: d0d2d8ba0494 ("md/raid1: introduce wait_for_serialization")
Signed-off-by: Xiao Ni <xni@redhat.com>
Link: https://lore.kernel.org/linux-raid/20260305011839.5118-2-xni@redhat.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid1.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index ce7fd68869566..84dbf801e9b1b 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -62,7 +62,7 @@ static int check_and_add_serial(struct md_rdev *rdev, struct r1bio *r1_bio,
unsigned long flags;
int ret = 0;
sector_t lo = r1_bio->sector;
- sector_t hi = lo + r1_bio->sectors;
+ sector_t hi = lo + r1_bio->sectors - 1;
struct serial_in_rdev *serial = &rdev->serial[idx];
spin_lock_irqsave(&serial->serial_lock, flags);
@@ -453,7 +453,7 @@ static void raid1_end_write_request(struct bio *bio)
int mirror = find_bio_disk(r1_bio, bio);
struct md_rdev *rdev = conf->mirrors[mirror].rdev;
sector_t lo = r1_bio->sector;
- sector_t hi = r1_bio->sector + r1_bio->sectors;
+ sector_t hi = r1_bio->sector + r1_bio->sectors - 1;
bool ignore_error = !raid1_should_handle_error(bio) ||
(bio->bi_status && bio_op(bio) == REQ_OP_DISCARD);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 005/957] drbd: Balance RCU calls in drbd_adm_dump_devices()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 004/957] md/raid1: fix the comparing region of interval tree Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 006/957] loop: fix partition scan race between udev and loop_reread_partitions() Greg Kroah-Hartman
` (957 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Böhmwalder,
Christoph Hellwig, Andreas Gruenbacher, Bart Van Assche,
Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 2b31e86387e60b3689339f0f0fbb4d3623d9d494 ]
Make drbd_adm_dump_devices() call rcu_read_lock() before
rcu_read_unlock() is called. This has been detected by the Clang
thread-safety analyzer.
Tested-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Andreas Gruenbacher <agruenba@redhat.com>
Fixes: a55bbd375d18 ("drbd: Backport the "status" command")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260326214054.284593-1-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/drbd/drbd_nl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index b502038be0a92..0ddbf71286a91 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -3378,8 +3378,10 @@ int drbd_adm_dump_devices(struct sk_buff *skb, struct netlink_callback *cb)
if (resource_filter) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
- if (!resource)
+ if (!resource) {
+ rcu_read_lock();
goto put_result;
+ }
cb->args[0] = (long)resource;
}
}
@@ -3628,8 +3630,10 @@ int drbd_adm_dump_peer_devices(struct sk_buff *skb, struct netlink_callback *cb)
if (resource_filter) {
retcode = ERR_RES_NOT_KNOWN;
resource = drbd_find_resource(nla_data(resource_filter));
- if (!resource)
+ if (!resource) {
+ rcu_read_lock();
goto put_result;
+ }
}
cb->args[0] = (long)resource;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 006/957] loop: fix partition scan race between udev and loop_reread_partitions()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 005/957] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 007/957] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
` (956 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daan De Meyer, Christian Brauner,
Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daan De Meyer <daan.j.demeyer@gmail.com>
[ Upstream commit 267ec4d7223a783f029a980f41b93c39b17996da ]
When LOOP_CONFIGURE is called with LO_FLAGS_PARTSCAN, the following
sequence occurs:
1. disk_force_media_change() sets GD_NEED_PART_SCAN
2. Uevent suppression is lifted and a KOBJ_CHANGE uevent is sent
3. loop_global_unlock() releases the lock
4. loop_reread_partitions() calls bdev_disk_changed() to scan
There is a race between steps 2 and 4: when udev receives the uevent
and opens the device before loop_reread_partitions() runs,
blkdev_get_whole() in bdev.c sees GD_NEED_PART_SCAN set and calls
bdev_disk_changed() for a first scan. Then loop_reread_partitions()
does a second scan. The open_mutex serializes these two scans, but
does not prevent both from running.
The second scan in bdev_disk_changed() drops all partition devices
from the first scan (via blk_drop_partitions()) before re-adding
them, causing partition block devices to briefly disappear. This
breaks any systemd unit with BindsTo= on the partition device: systemd
observes the device going dead, fails the dependent units, and does
not retry them when the device reappears.
Fix this by removing the GD_NEED_PART_SCAN set from
disk_force_media_change() entirely. None of the current callers need
the lazy on-open partition scan triggered by this flag:
- floppy: sets GENHD_FL_NO_PART, so disk_has_partscan() is always
false and GD_NEED_PART_SCAN has no effect.
- loop (loop_configure, loop_change_fd): when LO_FLAGS_PARTSCAN is
set, loop_reread_partitions() performs an explicit scan. When not
set, GD_SUPPRESS_PART_SCAN prevents the lazy scan path.
- loop (__loop_clr_fd): calls bdev_disk_changed() explicitly if
LO_FLAGS_PARTSCAN is set.
- nbd (nbd_clear_sock_ioctl): capacity is set to zero immediately
after; nbd manages GD_NEED_PART_SCAN explicitly elsewhere.
With GD_NEED_PART_SCAN no longer set by disk_force_media_change(),
udev opening the loop device after the uevent no longer triggers a
redundant scan in blkdev_get_whole(), and only the single explicit
scan from loop_reread_partitions() runs.
A regression test for this bug has been submitted to blktests:
https://github.com/linux-blktests/blktests/pull/240.
Fixes: 9f65c489b68d ("loop: raise media_change event")
Signed-off-by: Daan De Meyer <daan@amutable.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Link: https://patch.msgid.link/20260331105130.1077599-1-daan@amutable.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/disk-events.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/disk-events.c b/block/disk-events.c
index 2f697224386aa..868823915bdc6 100644
--- a/block/disk-events.c
+++ b/block/disk-events.c
@@ -290,13 +290,14 @@ EXPORT_SYMBOL(disk_check_media_change);
* Should be called when the media changes for @disk. Generates a uevent
* and attempts to free all dentries and inodes and invalidates all block
* device page cache entries in that case.
+ *
+ * Callers that need a partition re-scan should arrange for one explicitly.
*/
void disk_force_media_change(struct gendisk *disk)
{
disk_event_uevent(disk, DISK_EVENT_MEDIA_CHANGE);
inc_diskseq(disk);
bdev_mark_dead(disk->part0, true);
- set_bit(GD_NEED_PART_SCAN, &disk->state);
}
EXPORT_SYMBOL_GPL(disk_force_media_change);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 007/957] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 006/957] loop: fix partition scan race between udev and loop_reread_partitions() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 008/957] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Greg Kroah-Hartman
` (955 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+98a040252119df0506f8,
Ryusuke Konishi, Deepanshu Kartikey, syzbot+466a45fcfb0562f5b9a0,
Junjie Cao, Viacheslav Dubeyko, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit be3e5d10643d3be1cbac9d9939f220a99253f980 ]
nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks
by comparing it with the current block number bd_blocknr. If they differ,
the block is considered dead and skipped.
However, bd_oblocknr should never be 0 since block 0 typically stores the
primary superblock and is never a valid GC target block. A corrupted ioctl
request with bd_oblocknr set to 0 causes the comparison to incorrectly
match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing
the dead block check and calling nilfs_bmap_mark() on a non-existent
block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering
the WARN_ON(ret == -ENOENT).
Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the
beginning of each iteration.
[ryusuke: slightly modified the commit message and comments for accuracy]
Fixes: 7942b919f732 ("nilfs2: ioctl operations")
Reported-by: syzbot+98a040252119df0506f8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=98a040252119df0506f8
Suggested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Reported-by: syzbot+466a45fcfb0562f5b9a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=466a45fcfb0562f5b9a0
Cc: Junjie Cao <junjie.cao@linux.dev>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/ioctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 3288c3b4be9ec..7fa02146f1e06 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -736,6 +736,12 @@ static int nilfs_ioctl_mark_blocks_dirty(struct the_nilfs *nilfs,
int ret, i;
for (i = 0; i < nmembs; i++) {
+ /*
+ * bd_oblocknr must never be 0 as block 0
+ * is never a valid GC target block
+ */
+ if (unlikely(!bdescs[i].bd_oblocknr))
+ return -EINVAL;
/* XXX: use macro or inline func to check liveness */
ret = nilfs_bmap_lookup_at_level(bmap,
bdescs[i].bd_offset,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 008/957] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 007/957] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 009/957] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
` (954 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jackie Liu, Tejun Heo,
Christoph Hellwig, Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jackie Liu <liuyun01@kylinos.cn>
[ Upstream commit 23308af722fefed00af5f238024c11710938fba3 ]
Add the missing put_disk() on the error path in
blkcg_maybe_throttle_current(). When blkcg lookup, blkg lookup, or
blkg_tryget() fails, the function jumps to the out label which only
calls rcu_read_unlock() but does not release the disk reference acquired
by blkcg_schedule_throttle() via get_device(). Since current->throttle_disk
is already set to NULL before the lookup, blkcg_exit() cannot release
this reference either, causing the disk to never be freed.
Restore the reference release that was present as blk_put_queue() in the
original code but was inadvertently dropped during the conversion from
request_queue to gendisk.
Fixes: f05837ed73d0 ("blk-cgroup: store a gendisk to throttle in struct task_struct")
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260331085054.46857-1-liu.yun@linux.dev
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-cgroup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 890c161bee25e..9a8d047be580b 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -2037,6 +2037,7 @@ void blkcg_maybe_throttle_current(void)
return;
out:
rcu_read_unlock();
+ put_disk(disk);
}
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 009/957] pstore/ram: fix resource leak when ioremap() fails
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 008/957] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 010/957] erofs: verify metadata accesses for file-backed mounts Greg Kroah-Hartman
` (953 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cole Leavitt, Kees Cook, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 2ddb69f686ef7a621645e97fc7329c50edf5d0e5 ]
In persistent_ram_iomap(), ioremap() or ioremap_wc() may return NULL on
failure. Currently, if this happens, the function returns NULL without
releasing the memory region acquired by request_mem_region().
This leads to a resource leak where the memory region remains reserved
but unusable.
Additionally, the caller persistent_ram_buffer_map() handles NULL
correctly by returning -ENOMEM, but without this check, a NULL return
combined with request_mem_region() succeeding leaves resources in an
inconsistent state.
This is the ioremap() counterpart to commit 05363abc7625 ("pstore:
ram_core: fix incorrect success return when vmap() fails") which fixed
a similar issue in the vmap() path.
Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory")
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Link: https://patch.msgid.link/20260225235406.11790-1-cole@unwrap.rs
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/ram_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index 7b6d6378a3b87..95675d4bab141 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -489,6 +489,10 @@ static void *persistent_ram_iomap(phys_addr_t start, size_t size,
else
va = ioremap_wc(start, size);
+ /* We must release the mem region if ioremap fails. */
+ if (!va)
+ release_mem_region(start, size);
+
/*
* Since request_mem_region() and ioremap() are byte-granularity
* there is no need handle anything special like we do when the
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 010/957] erofs: verify metadata accesses for file-backed mounts
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 009/957] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 17:22 ` Gao Xiang
2026-05-20 16:08 ` [PATCH 6.18 011/957] erofs: include the trailing NUL in FS_IOC_GETFSLABEL Greg Kroah-Hartman
` (952 subsequent siblings)
962 siblings, 1 reply; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amir Goldstein, Chunhai Guo,
Gao Xiang, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit 307210c262a29f41d7177851295ea1703bd04175 ]
For file-backed mounts, metadata is fetched via the page cache of
backing inodes to avoid double caching and redundant copy ops out
of RO uptodate folios, which is used by Android APEXes, ComposeFS,
containerd. However, rw_verify_area() was missing prior to
metadata accesses.
Similar to vfs_iocb_iter_read(), fix this by:
- Enabling fanotify pre-content hooks on metadata accesses;
- security_file_permission() for security modules.
Verified that fanotify pre-content hooks now works correctly.
Fixes: fb176750266a ("erofs: add file-backed mount support")
Acked-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/data.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/fs/erofs/data.c b/fs/erofs/data.c
index 8ca29962a3dde..58aea2b48580c 100644
--- a/fs/erofs/data.c
+++ b/fs/erofs/data.c
@@ -29,6 +29,20 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
{
pgoff_t index = (buf->off + offset) >> PAGE_SHIFT;
struct folio *folio = NULL;
+ loff_t fpos;
+ int err;
+
+ /*
+ * Metadata access for file-backed mounts reuses page cache of backing
+ * fs inodes (only folio data will be needed) to prevent double caching.
+ * However, the data access range must be verified here in advance.
+ */
+ if (buf->file) {
+ fpos = index << PAGE_SHIFT;
+ err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
+ if (err < 0)
+ return ERR_PTR(err);
+ }
if (buf->page) {
folio = page_folio(buf->page);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 011/957] erofs: include the trailing NUL in FS_IOC_GETFSLABEL
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 010/957] erofs: verify metadata accesses for file-backed mounts Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 012/957] md: fix array_state=clear sysfs deadlock Greg Kroah-Hartman
` (951 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhan Xusheng, Gao Xiang, Chunhai Guo,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhan Xusheng <zhanxusheng1024@gmail.com>
[ Upstream commit d6250d49da4d8f11afc0d8991c84e0307949f92e ]
erofs_ioctl_get_volume_label() passes strlen(sbi->volume_name) as
the length to copy_to_user(), which copies the label string without
the trailing NUL byte. Since FS_IOC_GETFSLABEL callers expect a
NUL-terminated string in the FSLABEL_MAX-sized buffer and may not
pre-zero the buffer, this can cause userspace to read past the label
into uninitialised stack memory.
Fix this by using strlen() + 1 to include the NUL terminator,
consistent with how ext4 and xfs implement FS_IOC_GETFSLABEL.
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Fixes: 1cf12c717741 ("erofs: Add support for FS_IOC_GETFSLABEL")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
index cb780c095d282..218ab22589228 100644
--- a/fs/erofs/inode.c
+++ b/fs/erofs/inode.c
@@ -348,7 +348,7 @@ static int erofs_ioctl_get_volume_label(struct inode *inode, void __user *arg)
ret = clear_user(arg, 1);
else
ret = copy_to_user(arg, sbi->volume_name,
- strlen(sbi->volume_name));
+ strlen(sbi->volume_name) + 1);
return ret ? -EFAULT : 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 012/957] md: fix array_state=clear sysfs deadlock
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 011/957] erofs: include the trailing NUL in FS_IOC_GETFSLABEL Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 013/957] erofs: handle 48-bit blocks/uniaddr for extra devices Greg Kroah-Hartman
` (950 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiao Ni, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 2aa72276fab9851dbd59c2daeb4b590c5a113908 ]
When "clear" is written to array_state, md_attr_store() breaks sysfs
active protection so the array can delete itself from its own sysfs
store method.
However, md_attr_store() currently drops the mddev reference before
calling sysfs_unbreak_active_protection(). Once do_md_stop(..., 0)
has made the mddev eligible for delayed deletion, the temporary
kobject reference taken by sysfs_break_active_protection() can become
the last kobject reference protecting the md kobject.
That allows sysfs_unbreak_active_protection() to drop the last
kobject reference from the current sysfs writer context. kobject
teardown then recurses into kernfs removal while the current sysfs
node is still being unwound, and lockdep reports recursive locking on
kn->active with kernfs_drain() in the call chain.
Reproducer on an existing level:
1. Create an md0 linear array and activate it:
mknod /dev/md0 b 9 0
echo none > /sys/block/md0/md/metadata_version
echo linear > /sys/block/md0/md/level
echo 1 > /sys/block/md0/md/raid_disks
echo "$(cat /sys/class/block/sdb/dev)" > /sys/block/md0/md/new_dev
echo "$(($(cat /sys/class/block/sdb/size) / 2))" > \
/sys/block/md0/md/dev-sdb/size
echo 0 > /sys/block/md0/md/dev-sdb/slot
echo active > /sys/block/md0/md/array_state
2. Wait briefly for the array to settle, then clear it:
sleep 2
echo clear > /sys/block/md0/md/array_state
The warning looks like:
WARNING: possible recursive locking detected
bash/588 is trying to acquire lock:
(kn->active#65) at __kernfs_remove+0x157/0x1d0
but task is already holding lock:
(kn->active#65) at sysfs_unbreak_active_protection+0x1f/0x40
...
Call Trace:
kernfs_drain
__kernfs_remove
kernfs_remove_by_name_ns
sysfs_remove_group
sysfs_remove_groups
__kobject_del
kobject_put
md_attr_store
kernfs_fop_write_iter
vfs_write
ksys_write
Restore active protection before mddev_put() so the extra sysfs
kobject reference is dropped while the mddev is still held alive. The
actual md kobject deletion is then deferred until after the sysfs
write path has fully returned.
Fixes: 9e59d609763f ("md: call del_gendisk in control path")
Reviewed-by: Xiao Ni <xni@redhat.com>
Link: https://lore.kernel.org/linux-raid/20260330055213.3976052-1-yukuai@fnnas.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 92ec4be20db85..7560e98dc35b3 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6032,10 +6032,16 @@ md_attr_store(struct kobject *kobj, struct attribute *attr,
}
spin_unlock(&all_mddevs_lock);
rv = entry->store(mddev, page, length);
- mddev_put(mddev);
+ /*
+ * For "array_state=clear", dropping the extra kobject reference from
+ * sysfs_break_active_protection() can trigger md kobject deletion.
+ * Restore active protection before mddev_put() so deletion happens
+ * after the sysfs write path fully unwinds.
+ */
if (kn)
sysfs_unbreak_active_protection(kn);
+ mddev_put(mddev);
return rv;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 013/957] erofs: handle 48-bit blocks/uniaddr for extra devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 012/957] md: fix array_state=clear sysfs deadlock Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 014/957] dm: add WQ_PERCPU to alloc_workqueue users Greg Kroah-Hartman
` (949 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gao Xiang, Zhan Xusheng, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhan Xusheng <zhanxusheng1024@gmail.com>
[ Upstream commit 63c2f06198ca7513433f1c92f2c654869d72417e ]
erofs_init_device() only reads blocks_lo and uniaddr_lo from the
on-disk device slot, ignoring blocks_hi and uniaddr_hi that were
introduced alongside the 48-bit block addressing feature.
For the primary device (dif0), erofs_read_superblock() already handles
this correctly by combining blocks_lo with blocks_hi when 48-bit
layout is enabled. But the same logic was not applied to extra
devices.
With a 48-bit EROFS image using extra devices whose uniaddr or blocks
exceed 32-bit range, the truncated values cause erofs_map_dev() to
compute wrong physical addresses, leading to silent data corruption.
Fix this by reading blocks_hi and uniaddr_hi in erofs_init_device()
when 48-bit layout is enabled, consistent with the primary device
handling. Also fix the erofs_deviceslot on-disk definition where
blocks_hi was incorrectly declared as __le32 instead of __le16.
Fixes: 61ba89b57905 ("erofs: add 48-bit block addressing on-disk support")
Suggested-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Zhan Xusheng <zhanxusheng@xiaomi.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/erofs_fs.h | 4 ++--
fs/erofs/super.c | 8 ++++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/erofs/erofs_fs.h b/fs/erofs/erofs_fs.h
index 3d5738f80072e..63efadf75b1c0 100644
--- a/fs/erofs/erofs_fs.h
+++ b/fs/erofs/erofs_fs.h
@@ -44,9 +44,9 @@ struct erofs_deviceslot {
u8 tag[64]; /* digest(sha256), etc. */
__le32 blocks_lo; /* total blocks count of this device */
__le32 uniaddr_lo; /* unified starting block of this device */
- __le32 blocks_hi; /* total blocks count MSB */
+ __le16 blocks_hi; /* total blocks count MSB */
__le16 uniaddr_hi; /* unified starting block MSB */
- u8 reserved[50];
+ u8 reserved[52];
};
#define EROFS_DEVT_SLOT_SIZE sizeof(struct erofs_deviceslot)
diff --git a/fs/erofs/super.c b/fs/erofs/super.c
index ee37628ec99fb..f5f5d19459ecc 100644
--- a/fs/erofs/super.c
+++ b/fs/erofs/super.c
@@ -140,6 +140,7 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb,
struct erofs_fscache *fscache;
struct erofs_deviceslot *dis;
struct file *file;
+ bool _48bit;
dis = erofs_read_metabuf(buf, sb, *pos, false);
if (IS_ERR(dis))
@@ -186,8 +187,11 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb,
dif->file = file;
}
- dif->blocks = le32_to_cpu(dis->blocks_lo);
- dif->uniaddr = le32_to_cpu(dis->uniaddr_lo);
+ _48bit = erofs_sb_has_48bit(sbi);
+ dif->blocks = le32_to_cpu(dis->blocks_lo) |
+ (_48bit ? (u64)le16_to_cpu(dis->blocks_hi) << 32 : 0);
+ dif->uniaddr = le32_to_cpu(dis->uniaddr_lo) |
+ (_48bit ? (u64)le16_to_cpu(dis->uniaddr_hi) << 32 : 0);
sbi->total_blocks += dif->blocks;
*pos += EROFS_DEVT_SLOT_SIZE;
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 014/957] dm: add WQ_PERCPU to alloc_workqueue users
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 013/957] erofs: handle 48-bit blocks/uniaddr for extra devices Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 015/957] md: remove unused static md_wq workqueue Greg Kroah-Hartman
` (948 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tejun Heo, Marco Crivellari,
Mikulas Patocka, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Crivellari <marco.crivellari@suse.com>
[ Upstream commit d4880868670198df321627a949e7b7f2d76cf54e ]
This continues the effort to refactor workqueue APIs, which began with
the introduction of new workqueues and a new alloc_workqueue flag in:
commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq")
commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag")
The refactoring is going to alter the default behavior of
alloc_workqueue() to be unbound by default.
With the introduction of the WQ_PERCPU flag (equivalent to !WQ_UNBOUND),
any alloc_workqueue() caller that doesn’t explicitly specify WQ_UNBOUND
must now use WQ_PERCPU. For more details see the Link tag below.
In order to keep alloc_workqueue() behavior identical, explicitly request
WQ_PERCPU.
Link: https://lore.kernel.org/all/20250221112003.1dSuoGyc@linutronix.de/
Suggested-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Marco Crivellari <marco.crivellari@suse.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Stable-dep-of: e4979f4fac4d ("md: remove unused static md_wq workqueue")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-bufio.c | 3 ++-
drivers/md/dm-cache-target.c | 3 ++-
drivers/md/dm-clone-target.c | 3 ++-
drivers/md/dm-crypt.c | 6 ++++--
drivers/md/dm-delay.c | 4 +++-
drivers/md/dm-integrity.c | 15 ++++++++++-----
drivers/md/dm-kcopyd.c | 3 ++-
drivers/md/dm-log-userspace-base.c | 3 ++-
drivers/md/dm-mpath.c | 5 +++--
drivers/md/dm-raid1.c | 5 +++--
drivers/md/dm-snap-persistent.c | 3 ++-
drivers/md/dm-stripe.c | 2 +-
drivers/md/dm-verity-target.c | 4 +++-
drivers/md/dm-writecache.c | 3 ++-
drivers/md/dm.c | 3 ++-
drivers/md/md.c | 4 ++--
16 files changed, 45 insertions(+), 24 deletions(-)
diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
index 5235f3e4924b7..f41f649c01d4e 100644
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -2833,7 +2833,8 @@ static int __init dm_bufio_init(void)
__cache_size_refresh();
mutex_unlock(&dm_bufio_clients_lock);
- dm_bufio_wq = alloc_workqueue("dm_bufio_cache", WQ_MEM_RECLAIM, 0);
+ dm_bufio_wq = alloc_workqueue("dm_bufio_cache",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!dm_bufio_wq)
return -ENOMEM;
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index a10d75a562db0..7bad7cc87d370 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2533,7 +2533,8 @@ static int cache_create(struct cache_args *ca, struct cache **result)
goto bad;
}
- cache->wq = alloc_workqueue("dm-" DM_MSG_PREFIX, WQ_MEM_RECLAIM, 0);
+ cache->wq = alloc_workqueue("dm-" DM_MSG_PREFIX,
+ WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!cache->wq) {
*error = "could not create workqueue for metadata object";
goto bad;
diff --git a/drivers/md/dm-clone-target.c b/drivers/md/dm-clone-target.c
index e956d980672c8..b25845e362744 100644
--- a/drivers/md/dm-clone-target.c
+++ b/drivers/md/dm-clone-target.c
@@ -1877,7 +1877,8 @@ static int clone_ctr(struct dm_target *ti, unsigned int argc, char **argv)
clone->hydration_offset = 0;
atomic_set(&clone->hydrations_in_flight, 0);
- clone->wq = alloc_workqueue("dm-" DM_MSG_PREFIX, WQ_MEM_RECLAIM, 0);
+ clone->wq = alloc_workqueue("dm-" DM_MSG_PREFIX,
+ WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!clone->wq) {
ti->error = "Failed to allocate workqueue";
r = -ENOMEM;
diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 5ef43231fe77f..fd735155336bc 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -3441,7 +3441,9 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
if (test_bit(DM_CRYPT_HIGH_PRIORITY, &cc->flags))
common_wq_flags |= WQ_HIGHPRI;
- cc->io_queue = alloc_workqueue("kcryptd_io-%s-%d", common_wq_flags, 1, devname, wq_id);
+ cc->io_queue = alloc_workqueue("kcryptd_io-%s-%d",
+ common_wq_flags | WQ_PERCPU, 1,
+ devname, wq_id);
if (!cc->io_queue) {
ti->error = "Couldn't create kcryptd io queue";
goto bad;
@@ -3449,7 +3451,7 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
if (test_bit(DM_CRYPT_SAME_CPU, &cc->flags)) {
cc->crypt_queue = alloc_workqueue("kcryptd-%s-%d",
- common_wq_flags | WQ_CPU_INTENSIVE,
+ common_wq_flags | WQ_CPU_INTENSIVE | WQ_PERCPU,
1, devname, wq_id);
} else {
/*
diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c
index 4bb6553278c74..029f04776490a 100644
--- a/drivers/md/dm-delay.c
+++ b/drivers/md/dm-delay.c
@@ -290,7 +290,9 @@ static int delay_ctr(struct dm_target *ti, unsigned int argc, char **argv)
} else {
timer_setup(&dc->delay_timer, handle_delayed_timer, 0);
INIT_WORK(&dc->flush_expired_bios, flush_expired_bios);
- dc->kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0);
+ dc->kdelayd_wq = alloc_workqueue("kdelayd",
+ WQ_MEM_RECLAIM | WQ_PERCPU,
+ 0);
if (!dc->kdelayd_wq) {
ret = -EINVAL;
DMERR("Couldn't start kdelayd");
diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index ba52631052503..a9c0157bf42fe 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -5003,7 +5003,8 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv
}
ic->metadata_wq = alloc_workqueue("dm-integrity-metadata",
- WQ_MEM_RECLAIM, METADATA_WORKQUEUE_MAX_ACTIVE);
+ WQ_MEM_RECLAIM | WQ_PERCPU,
+ METADATA_WORKQUEUE_MAX_ACTIVE);
if (!ic->metadata_wq) {
ti->error = "Cannot allocate workqueue";
r = -ENOMEM;
@@ -5021,7 +5022,8 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv
goto bad;
}
- ic->offload_wq = alloc_workqueue("dm-integrity-offload", WQ_MEM_RECLAIM,
+ ic->offload_wq = alloc_workqueue("dm-integrity-offload",
+ WQ_MEM_RECLAIM | WQ_PERCPU,
METADATA_WORKQUEUE_MAX_ACTIVE);
if (!ic->offload_wq) {
ti->error = "Cannot allocate workqueue";
@@ -5029,7 +5031,8 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv
goto bad;
}
- ic->commit_wq = alloc_workqueue("dm-integrity-commit", WQ_MEM_RECLAIM, 1);
+ ic->commit_wq = alloc_workqueue("dm-integrity-commit",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 1);
if (!ic->commit_wq) {
ti->error = "Cannot allocate workqueue";
r = -ENOMEM;
@@ -5038,7 +5041,8 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv
INIT_WORK(&ic->commit_work, integrity_commit);
if (ic->mode == 'J' || ic->mode == 'B') {
- ic->writer_wq = alloc_workqueue("dm-integrity-writer", WQ_MEM_RECLAIM, 1);
+ ic->writer_wq = alloc_workqueue("dm-integrity-writer",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 1);
if (!ic->writer_wq) {
ti->error = "Cannot allocate workqueue";
r = -ENOMEM;
@@ -5210,7 +5214,8 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv
}
if (ic->internal_hash) {
- ic->recalc_wq = alloc_workqueue("dm-integrity-recalc", WQ_MEM_RECLAIM, 1);
+ ic->recalc_wq = alloc_workqueue("dm-integrity-recalc",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 1);
if (!ic->recalc_wq) {
ti->error = "Cannot allocate workqueue";
r = -ENOMEM;
diff --git a/drivers/md/dm-kcopyd.c b/drivers/md/dm-kcopyd.c
index 6ea75436a433a..cec9a60227b6f 100644
--- a/drivers/md/dm-kcopyd.c
+++ b/drivers/md/dm-kcopyd.c
@@ -934,7 +934,8 @@ struct dm_kcopyd_client *dm_kcopyd_client_create(struct dm_kcopyd_throttle *thro
goto bad_slab;
INIT_WORK(&kc->kcopyd_work, do_work);
- kc->kcopyd_wq = alloc_workqueue("kcopyd", WQ_MEM_RECLAIM, 0);
+ kc->kcopyd_wq = alloc_workqueue("kcopyd", WQ_MEM_RECLAIM | WQ_PERCPU,
+ 0);
if (!kc->kcopyd_wq) {
r = -ENOMEM;
goto bad_workqueue;
diff --git a/drivers/md/dm-log-userspace-base.c b/drivers/md/dm-log-userspace-base.c
index 9fbb4b48fb2bb..607436804a8b2 100644
--- a/drivers/md/dm-log-userspace-base.c
+++ b/drivers/md/dm-log-userspace-base.c
@@ -299,7 +299,8 @@ static int userspace_ctr(struct dm_dirty_log *log, struct dm_target *ti,
}
if (lc->integrated_flush) {
- lc->dmlog_wq = alloc_workqueue("dmlogd", WQ_MEM_RECLAIM, 0);
+ lc->dmlog_wq = alloc_workqueue("dmlogd",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!lc->dmlog_wq) {
DMERR("couldn't start dmlogd");
r = -ENOMEM;
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 7d3fdd96f4edf..00df5be165759 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -2330,7 +2330,8 @@ static int __init dm_multipath_init(void)
{
int r = -ENOMEM;
- kmultipathd = alloc_workqueue("kmpathd", WQ_MEM_RECLAIM, 0);
+ kmultipathd = alloc_workqueue("kmpathd", WQ_MEM_RECLAIM | WQ_PERCPU,
+ 0);
if (!kmultipathd) {
DMERR("failed to create workqueue kmpathd");
goto bad_alloc_kmultipathd;
@@ -2349,7 +2350,7 @@ static int __init dm_multipath_init(void)
goto bad_alloc_kmpath_handlerd;
}
- dm_mpath_wq = alloc_workqueue("dm_mpath_wq", 0, 0);
+ dm_mpath_wq = alloc_workqueue("dm_mpath_wq", WQ_PERCPU, 0);
if (!dm_mpath_wq) {
DMERR("failed to create workqueue dm_mpath_wq");
goto bad_alloc_dm_mpath_wq;
diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
index bc8e04f6832a6..d9ec783a37ddc 100644
--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -1128,7 +1128,8 @@ static int mirror_ctr(struct dm_target *ti, unsigned int argc, char **argv)
ti->num_discard_bios = 1;
ti->per_io_data_size = sizeof(struct dm_raid1_bio_record);
- ms->kmirrord_wq = alloc_workqueue("kmirrord", WQ_MEM_RECLAIM, 0);
+ ms->kmirrord_wq = alloc_workqueue("kmirrord",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!ms->kmirrord_wq) {
DMERR("couldn't start kmirrord");
r = -ENOMEM;
@@ -1500,7 +1501,7 @@ static int __init dm_mirror_init(void)
{
int r;
- dm_raid1_wq = alloc_workqueue("dm_raid1_wq", 0, 0);
+ dm_raid1_wq = alloc_workqueue("dm_raid1_wq", WQ_PERCPU, 0);
if (!dm_raid1_wq) {
DMERR("Failed to alloc workqueue");
return -ENOMEM;
diff --git a/drivers/md/dm-snap-persistent.c b/drivers/md/dm-snap-persistent.c
index 568d10842b1f4..0e13d60bfdd12 100644
--- a/drivers/md/dm-snap-persistent.c
+++ b/drivers/md/dm-snap-persistent.c
@@ -871,7 +871,8 @@ static int persistent_ctr(struct dm_exception_store *store, char *options)
atomic_set(&ps->pending_count, 0);
ps->callbacks = NULL;
- ps->metadata_wq = alloc_workqueue("ksnaphd", WQ_MEM_RECLAIM, 0);
+ ps->metadata_wq = alloc_workqueue("ksnaphd",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!ps->metadata_wq) {
DMERR("couldn't start header metadata update thread");
r = -ENOMEM;
diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
index 1461dc740dae6..1cff9df5b8b47 100644
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -489,7 +489,7 @@ int __init dm_stripe_init(void)
{
int r;
- dm_stripe_wq = alloc_workqueue("dm_stripe_wq", 0, 0);
+ dm_stripe_wq = alloc_workqueue("dm_stripe_wq", WQ_PERCPU, 0);
if (!dm_stripe_wq)
return -ENOMEM;
r = dm_register_target(&stripe_target);
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index c8695c079cfe0..a5cd55b2ba02f 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -1549,7 +1549,9 @@ static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv)
* will fall-back to using it for error handling (or if the bufio cache
* doesn't have required hashes).
*/
- v->verify_wq = alloc_workqueue("kverityd", WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
+ v->verify_wq = alloc_workqueue("kverityd",
+ WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_PERCPU,
+ 0);
if (!v->verify_wq) {
ti->error = "Cannot allocate workqueue";
r = -ENOMEM;
diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
index d8de4a3076a17..af54e289bcebe 100644
--- a/drivers/md/dm-writecache.c
+++ b/drivers/md/dm-writecache.c
@@ -2275,7 +2275,8 @@ static int writecache_ctr(struct dm_target *ti, unsigned int argc, char **argv)
goto bad;
}
- wc->writeback_wq = alloc_workqueue("writecache-writeback", WQ_MEM_RECLAIM, 1);
+ wc->writeback_wq = alloc_workqueue("writecache-writeback",
+ WQ_MEM_RECLAIM | WQ_PERCPU, 1);
if (!wc->writeback_wq) {
r = -ENOMEM;
ti->error = "Could not allocate writeback workqueue";
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 52f01c44e73a6..fb6bcd598c5b8 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2363,7 +2363,8 @@ static struct mapped_device *alloc_dev(int minor)
format_dev_t(md->name, MKDEV(_major, minor));
- md->wq = alloc_workqueue("kdmflush/%s", WQ_MEM_RECLAIM, 0, md->name);
+ md->wq = alloc_workqueue("kdmflush/%s", WQ_MEM_RECLAIM | WQ_PERCPU, 0,
+ md->name);
if (!md->wq)
goto bad;
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 7560e98dc35b3..0fc779493fa78 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -10345,11 +10345,11 @@ static int __init md_init(void)
goto err_bitmap;
ret = -ENOMEM;
- md_wq = alloc_workqueue("md", WQ_MEM_RECLAIM, 0);
+ md_wq = alloc_workqueue("md", WQ_MEM_RECLAIM | WQ_PERCPU, 0);
if (!md_wq)
goto err_wq;
- md_misc_wq = alloc_workqueue("md_misc", 0, 0);
+ md_misc_wq = alloc_workqueue("md_misc", WQ_PERCPU, 0);
if (!md_misc_wq)
goto err_misc_wq;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 015/957] md: remove unused static md_wq workqueue
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 014/957] dm: add WQ_PERCPU to alloc_workqueue users Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 016/957] md: wake raid456 reshape waiters before suspend Greg Kroah-Hartman
` (947 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abd-Alrhman Masalkhi, Yu Kuai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
[ Upstream commit e4979f4fac4d6bbe757be50441b45e28e6bf7360 ]
The md_wq workqueue is defined as static and initialized in md_init(),
but it is not used anywhere within md.c.
All asynchronous and deferred work in this file is handled via
md_misc_wq or dedicated md threads.
Fixes: b75197e86e6d3 ("md: Remove flush handling")
Signed-off-by: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
Link: https://lore.kernel.org/linux-raid/20260328193522.3624-1-abd.masalkhi@gmail.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0fc779493fa78..0a3152f21d488 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -84,7 +84,6 @@ static DEFINE_XARRAY(md_submodule);
static const struct kobj_type md_ktype;
static DECLARE_WAIT_QUEUE_HEAD(resync_wait);
-static struct workqueue_struct *md_wq;
/*
* This workqueue is used for sync_work to register new sync_thread, and for
@@ -10345,10 +10344,6 @@ static int __init md_init(void)
goto err_bitmap;
ret = -ENOMEM;
- md_wq = alloc_workqueue("md", WQ_MEM_RECLAIM | WQ_PERCPU, 0);
- if (!md_wq)
- goto err_wq;
-
md_misc_wq = alloc_workqueue("md_misc", WQ_PERCPU, 0);
if (!md_misc_wq)
goto err_misc_wq;
@@ -10373,8 +10368,6 @@ static int __init md_init(void)
err_md:
destroy_workqueue(md_misc_wq);
err_misc_wq:
- destroy_workqueue(md_wq);
-err_wq:
md_llbitmap_exit();
err_bitmap:
md_bitmap_exit();
@@ -10683,7 +10676,6 @@ static __exit void md_exit(void)
spin_unlock(&all_mddevs_lock);
destroy_workqueue(md_misc_wq);
- destroy_workqueue(md_wq);
md_bitmap_exit();
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 016/957] md: wake raid456 reshape waiters before suspend
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 015/957] md: remove unused static md_wq workqueue Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 017/957] btrfs: fix deadlock between reflink and transaction commit when using flushoncommit Greg Kroah-Hartman
` (946 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai@fnnas.com>
[ Upstream commit cf86bb53b9c92354904a328e947a05ffbfdd1840 ]
During raid456 reshape, direct IO across the reshape position can sleep
in raid5_make_request() waiting for reshape progress while still
holding an active_io reference. If userspace then freezes reshape and
writes md/suspend_lo or md/suspend_hi, mddev_suspend() kills active_io
and waits for all in-flight IO to drain.
This can deadlock: the IO needs reshape progress to continue, but the
reshape thread is already frozen, so the active_io reference is never
dropped and suspend never completes.
raid5_prepare_suspend() already wakes wait_for_reshape for dm-raid. Do
the same for normal md suspend when reshape is already interrupted, so
waiting raid456 IO can abort, drop its reference, and let suspend
finish.
The mdadm test tests/25raid456-reshape-deadlock reproduces the hang.
Fixes: 714d20150ed8 ("md: add new helpers to suspend/resume array")
Link: https://lore.kernel.org/linux-raid/20260327140729.2030564-1-yukuai@fnnas.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0a3152f21d488..b91ac1b7d7a15 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -486,6 +486,17 @@ int mddev_suspend(struct mddev *mddev, bool interruptible)
}
percpu_ref_kill(&mddev->active_io);
+
+ /*
+ * RAID456 IO can sleep in wait_for_reshape while still holding an
+ * active_io reference. If reshape is already interrupted or frozen,
+ * wake those waiters so they can abort and drop the reference instead
+ * of deadlocking suspend.
+ */
+ if (mddev->pers && mddev->pers->prepare_suspend &&
+ reshape_interrupted(mddev))
+ mddev->pers->prepare_suspend(mddev);
+
if (interruptible)
err = wait_event_interruptible(mddev->sb_wait,
percpu_ref_is_zero(&mddev->active_io));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 017/957] btrfs: fix deadlock between reflink and transaction commit when using flushoncommit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 016/957] md: wake raid456 reshape waiters before suspend Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 018/957] OPP: debugfs: Use performance level if available to distinguish between rates Greg Kroah-Hartman
` (945 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+63056bf627663701bbbf,
Boris Burkov, Filipe Manana, David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit b48c980b6a7e409050bb3067165db31cc6205e3e ]
When using the flushoncommit mount option, we can have a deadlock between
a transaction commit and a reflink operation that copied an inline extent
to an offset beyond the current i_size of the destination node.
The deadlock happens like this:
1) Task A clones an inline extent from inode X to an offset of inode Y
that is beyond Y's current i_size. This means we copied the inline
extent's data to a folio of inode Y that is beyond its EOF, using a
call to copy_inline_to_page();
2) Task B starts a transaction commit and calls
btrfs_start_delalloc_flush() to flush delalloc;
3) The delalloc flushing sees the new dirty folio of inode Y and when it
attempts to flush it, it ends up at extent_writepage() and sees that
the offset of the folio is beyond the i_size of inode Y, so it attempts
to invalidate the folio by calling folio_invalidate(), which ends up at
btrfs' folio invalidate callback - btrfs_invalidate_folio(). There it
tries to lock the folio's range in inode Y's extent io tree, but it
blocks since it's currently locked by task A - during a reflink we lock
the inodes and the source and destination ranges after flushing all
delalloc and waiting for ordered extent completion - after that we
don't expect to have dirty folios in the ranges, the exception is if
we have to copy an inline extent's data (because the destination offset
is not zero);
4) Task A then attempts to start a transaction to update the inode item,
and then it's blocked since the current transaction is in the
TRANS_STATE_COMMIT_START state. Therefore task A has to wait for the
current transaction to become unblocked (its state >=
TRANS_STATE_UNBLOCKED).
So task A is waiting for the transaction commit done by task B, and
the later waiting on the extent lock of inode Y that is currently
held by task A.
Syzbot recently reported this with the following stack traces:
INFO: task kworker/u8:7:1053 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:7 state:D stack:23520 pid:1053 tgid:1053 ppid:2 task_flags:0x4208060 flags:0x00080000
Workqueue: writeback wb_workfn (flush-btrfs-46)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x1553/0x5240 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
wait_extent_bit fs/btrfs/extent-io-tree.c:811 [inline]
btrfs_lock_extent_bits+0x59c/0x700 fs/btrfs/extent-io-tree.c:1914
btrfs_lock_extent fs/btrfs/extent-io-tree.h:152 [inline]
btrfs_invalidate_folio+0x43d/0xc40 fs/btrfs/inode.c:7704
extent_writepage fs/btrfs/extent_io.c:1852 [inline]
extent_write_cache_pages fs/btrfs/extent_io.c:2580 [inline]
btrfs_writepages+0x12ff/0x2440 fs/btrfs/extent_io.c:2713
do_writepages+0x32e/0x550 mm/page-writeback.c:2554
__writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750
writeback_sb_inodes+0x995/0x19d0 fs/fs-writeback.c:2042
wb_writeback+0x456/0xb70 fs/fs-writeback.c:2227
wb_do_writeback fs/fs-writeback.c:2374 [inline]
wb_workfn+0x41a/0xf60 fs/fs-writeback.c:2414
process_one_work kernel/workqueue.c:3276 [inline]
process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.4.64:6910 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.64 state:D stack:22752 pid:6910 tgid:6905 ppid:5944 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x1553/0x5240 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
wait_current_trans+0x39f/0x590 fs/btrfs/transaction.c:535
start_transaction+0x6a7/0x1650 fs/btrfs/transaction.c:705
clone_copy_inline_extent fs/btrfs/reflink.c:299 [inline]
btrfs_clone+0x128a/0x24d0 fs/btrfs/reflink.c:529
btrfs_clone_files+0x271/0x3f0 fs/btrfs/reflink.c:750
btrfs_remap_file_range+0x76b/0x1320 fs/btrfs/reflink.c:903
vfs_copy_file_range+0xda7/0x1390 fs/read_write.c:1600
__do_sys_copy_file_range fs/read_write.c:1683 [inline]
__se_sys_copy_file_range+0x2fb/0x480 fs/read_write.c:1650
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f73afc799
RSP: 002b:00007f5f7315e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000146
RAX: ffffffffffffffda RBX: 00007f5f73d75fa0 RCX: 00007f5f73afc799
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f5f73b92c99 R08: 0000000000000863 R09: 0000000000000000
R10: 00002000000000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5f73d76038 R14: 00007f5f73d75fa0 R15: 00007fff138a5068
</TASK>
INFO: task syz.4.64:6975 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.64 state:D stack:24736 pid:6975 tgid:6905 ppid:5944 task_flags:0x400040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x1553/0x5240 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
wb_wait_for_completion+0x3e8/0x790 fs/fs-writeback.c:227
__writeback_inodes_sb_nr+0x24c/0x2d0 fs/fs-writeback.c:2838
try_to_writeback_inodes_sb+0x9a/0xc0 fs/fs-writeback.c:2886
btrfs_start_delalloc_flush fs/btrfs/transaction.c:2175 [inline]
btrfs_commit_transaction+0x82e/0x31a0 fs/btrfs/transaction.c:2364
btrfs_ioctl+0xca7/0xd00 fs/btrfs/ioctl.c:5206
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xff/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f73afc799
RSP: 002b:00007f5f7313d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f5f73d76090 RCX: 00007f5f73afc799
RDX: 0000000000000000 RSI: 0000000000009408 RDI: 0000000000000004
RBP: 00007f5f73b92c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5f73d76128 R14: 00007f5f73d76090 R15: 00007fff138a5068
</TASK>
Fix this by updating the i_size of the destination inode of a reflink
operation after we copy an inline extent's data to an offset beyond the
i_size and before attempting to start a transaction to update the inode's
item.
Reported-by: syzbot+63056bf627663701bbbf@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/69bba3fe.050a0220.227207.002f.GAE@google.com/
Fixes: 05a5a7621ce6 ("Btrfs: implement full reflink support for inline extents")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/reflink.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/fs/btrfs/reflink.c b/fs/btrfs/reflink.c
index 5465a5eae9b2d..614e884c2a9bc 100644
--- a/fs/btrfs/reflink.c
+++ b/fs/btrfs/reflink.c
@@ -321,6 +321,51 @@ static int clone_copy_inline_extent(struct btrfs_inode *inode,
ret = copy_inline_to_page(inode, new_key->offset,
inline_data, size, datal, comp_type);
+
+ /*
+ * If we copied the inline extent data to a page/folio beyond the i_size
+ * of the destination inode, then we need to increase the i_size before
+ * we start a transaction to update the inode item. This is to prevent a
+ * deadlock when the flushoncommit mount option is used, which happens
+ * like this:
+ *
+ * 1) Task A clones an inline extent from inode X to an offset of inode
+ * Y that is beyond Y's current i_size. This means we copied the
+ * inline extent's data to a folio of inode Y that is beyond its EOF,
+ * using the call above to copy_inline_to_page();
+ *
+ * 2) Task B starts a transaction commit and calls
+ * btrfs_start_delalloc_flush() to flush delalloc;
+ *
+ * 3) The delalloc flushing sees the new dirty folio of inode Y and when
+ * it attempts to flush it, it ends up at extent_writepage() and sees
+ * that the offset of the folio is beyond the i_size of inode Y, so
+ * it attempts to invalidate the folio by calling folio_invalidate(),
+ * which ends up at btrfs' folio invalidate callback -
+ * btrfs_invalidate_folio(). There it tries to lock the folio's range
+ * in inode Y's extent io tree, but it blocks since it's currently
+ * locked by task A - during reflink we lock the inodes and the
+ * source and destination ranges after flushing all delalloc and
+ * waiting for ordered extent completion - after that we don't expect
+ * to have dirty folios in the ranges, the exception is if we have to
+ * copy an inline extent's data (because the destination offset is
+ * not zero);
+ *
+ * 4) Task A then does the 'goto out' below and attempts to start a
+ * transaction to update the inode item, and then it's blocked since
+ * the current transaction is in the TRANS_STATE_COMMIT_START state.
+ * Therefore task A has to wait for the current transaction to become
+ * unblocked (its state >= TRANS_STATE_UNBLOCKED).
+ *
+ * This leads to a deadlock - the task committing the transaction
+ * waiting for the delalloc flushing which is blocked during folio
+ * invalidation on the inode's extent lock and the reflink task waiting
+ * for the current transaction to be unblocked so that it can start a
+ * a new one to update the inode item (while holding the extent lock).
+ */
+ if (ret == 0 && new_key->offset + datal > i_size_read(&inode->vfs_inode))
+ i_size_write(&inode->vfs_inode, new_key->offset + datal);
+
goto out;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 018/957] OPP: debugfs: Use performance level if available to distinguish between rates
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 017/957] btrfs: fix deadlock between reflink and transaction commit when using flushoncommit Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 019/957] OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp() Greg Kroah-Hartman
` (944 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Andersson,
Manivannan Sadhasivam, Viresh Kumar, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit e560083c0467f86b72aecac377b27bd1e7d16c49 ]
Some OPP tables have entries with same rate and different performance
level. For these entries, using only the rate as the debugfs directory name
causes below error:
debugfs: 'opp:5000000' already exists in 'soc@0-1c00000.pci'
Fix it by appending the performance level to the dir name if available.
Reported-by: Bjorn Andersson <andersson@kernel.org>
Closes: https://lore.kernel.org/linux-arm-msm/75lzykd37zdvrks5i2bb4zb2yzjtm25kv3hegmikndkbr772mz@w2ykff3ny45u/
Fixes: 05db35963eef ("OPP: Add support to find OPP for a set of keys")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/opp/debugfs.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/opp/debugfs.c b/drivers/opp/debugfs.c
index 8fc6238b17284..61506d30d5ff0 100644
--- a/drivers/opp/debugfs.c
+++ b/drivers/opp/debugfs.c
@@ -130,22 +130,24 @@ void opp_debug_create_one(struct dev_pm_opp *opp, struct opp_table *opp_table)
{
struct dentry *pdentry = opp_table->dentry;
struct dentry *d;
- unsigned long id;
- char name[25]; /* 20 chars for 64 bit value + 5 (opp:\0) */
+ char name[36]; /* "opp:"(4) + u64(20) + "-" (1) + u32(10) + NULL(1) */
/*
* Get directory name for OPP.
*
- * - Normally rate is unique to each OPP, use it to get unique opp-name.
+ * - Normally rate is unique to each OPP, use it to get unique opp-name,
+ * together with performance level if available.
* - For some devices rate isn't available or there are multiple, use
* index instead for them.
*/
- if (likely(opp_table->clk_count == 1 && opp->rates[0]))
- id = opp->rates[0];
- else
- id = _get_opp_count(opp_table);
-
- snprintf(name, sizeof(name), "opp:%lu", id);
+ if (likely(opp_table->clk_count == 1 && opp->rates[0])) {
+ if (opp->level == OPP_LEVEL_UNSET)
+ snprintf(name, sizeof(name), "opp:%lu", opp->rates[0]);
+ else
+ snprintf(name, sizeof(name), "opp:%lu-%u", opp->rates[0], opp->level);
+ } else {
+ snprintf(name, sizeof(name), "opp:%u", _get_opp_count(opp_table));
+ }
/* Create per-opp directory */
d = debugfs_create_dir(name, pdentry);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 019/957] OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 018/957] OPP: debugfs: Use performance level if available to distinguish between rates Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 020/957] ACPI: x86: cmos_rtc: Clean up address space handler driver Greg Kroah-Hartman
` (943 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Viresh Kumar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
[ Upstream commit 3d2398f44a2d48fb1c575a6e0bc6b38f3e689e22 ]
The commit ff9c512041f2 ("OPP: Use mutex locking guards")
unintentionally made the for loop run longer than required.
scoped_guard() is implemented as a for loop. The break statement now
breaks out out the scoped_guard() and not out of the outer for loop.
The outer loop always iterates to completion.
Fix it.
Fixes: ff9c512041f2 ("OPP: Use mutex locking guards")
Reported-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/opp/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/opp/core.c b/drivers/opp/core.c
index 775d4a36f2f54..157c84b689feb 100644
--- a/drivers/opp/core.c
+++ b/drivers/opp/core.c
@@ -2741,8 +2741,8 @@ struct dev_pm_opp *dev_pm_opp_xlate_required_opp(struct opp_table *src_table,
break;
}
}
- break;
}
+ break;
}
if (IS_ERR(dest_opp)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 020/957] ACPI: x86: cmos_rtc: Clean up address space handler driver
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 019/957] OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 021/957] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver Greg Kroah-Hartman
` (942 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit ba0b236736dde4059bdcb8e99beaa50d6e5b6e7e ]
Make multiple changes that do not alter functionality to the CMOS RTC
ACPI address space handler driver, including the following:
- Drop the unused .detach() callback from cmos_rtc_handler.
- Rename acpi_cmos_rtc_attach_handler() to acpi_cmos_rtc_attach().
- Rearrange acpi_cmos_rtc_space_handler() to reduce the number of
redundant checks and make white space follow the coding style.
- Adjust an error message in acpi_install_cmos_rtc_space_handler()
and make the white space follow the coding style.
- Rearrange acpi_remove_cmos_rtc_space_handler() and adjust an error
message in it.
No intentional functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5094429.31r3eYUQgx@rafael.j.wysocki
Stable-dep-of: 6cee29ad9d7e ("ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/x86/cmos_rtc.c | 61 +++++++++++++++++++------------------
1 file changed, 32 insertions(+), 29 deletions(-)
diff --git a/drivers/acpi/x86/cmos_rtc.c b/drivers/acpi/x86/cmos_rtc.c
index 51643ff6fe5fc..977234da9fc11 100644
--- a/drivers/acpi/x86/cmos_rtc.c
+++ b/drivers/acpi/x86/cmos_rtc.c
@@ -24,31 +24,35 @@ static const struct acpi_device_id acpi_cmos_rtc_ids[] = {
{}
};
-static acpi_status
-acpi_cmos_rtc_space_handler(u32 function, acpi_physical_address address,
- u32 bits, u64 *value64,
- void *handler_context, void *region_context)
+static acpi_status acpi_cmos_rtc_space_handler(u32 function,
+ acpi_physical_address address,
+ u32 bits, u64 *value64,
+ void *handler_context,
+ void *region_context)
{
- int i;
+ unsigned int i, bytes = DIV_ROUND_UP(bits, 8);
u8 *value = (u8 *)value64;
if (address > 0xff || !value64)
return AE_BAD_PARAMETER;
- if (function != ACPI_WRITE && function != ACPI_READ)
- return AE_BAD_PARAMETER;
+ guard(spinlock_irq)(&rtc_lock);
+
+ if (function == ACPI_WRITE) {
+ for (i = 0; i < bytes; i++, address++, value++)
+ CMOS_WRITE(*value, address);
- spin_lock_irq(&rtc_lock);
+ return AE_OK;
+ }
- for (i = 0; i < DIV_ROUND_UP(bits, 8); ++i, ++address, ++value)
- if (function == ACPI_READ)
+ if (function == ACPI_READ) {
+ for (i = 0; i < bytes; i++, address++, value++)
*value = CMOS_READ(address);
- else
- CMOS_WRITE(*value, address);
- spin_unlock_irq(&rtc_lock);
+ return AE_OK;
+ }
- return AE_OK;
+ return AE_BAD_PARAMETER;
}
int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
@@ -56,11 +60,11 @@ int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
acpi_status status;
status = acpi_install_address_space_handler(handle,
- ACPI_ADR_SPACE_CMOS,
- &acpi_cmos_rtc_space_handler,
- NULL, NULL);
+ ACPI_ADR_SPACE_CMOS,
+ acpi_cmos_rtc_space_handler,
+ NULL, NULL);
if (ACPI_FAILURE(status)) {
- pr_err("Error installing CMOS-RTC region handler\n");
+ pr_err("Failed to install CMOS-RTC address space handler\n");
return -ENODEV;
}
@@ -70,26 +74,25 @@ EXPORT_SYMBOL_GPL(acpi_install_cmos_rtc_space_handler);
void acpi_remove_cmos_rtc_space_handler(acpi_handle handle)
{
- if (ACPI_FAILURE(acpi_remove_address_space_handler(handle,
- ACPI_ADR_SPACE_CMOS, &acpi_cmos_rtc_space_handler)))
- pr_err("Error removing CMOS-RTC region handler\n");
+ acpi_status status;
+
+ status = acpi_remove_address_space_handler(handle,
+ ACPI_ADR_SPACE_CMOS,
+ acpi_cmos_rtc_space_handler);
+ if (ACPI_FAILURE(status))
+ pr_err("Failed to remove CMOS-RTC address space handler\n");
}
EXPORT_SYMBOL_GPL(acpi_remove_cmos_rtc_space_handler);
-static int acpi_cmos_rtc_attach_handler(struct acpi_device *adev, const struct acpi_device_id *id)
+static int acpi_cmos_rtc_attach(struct acpi_device *adev,
+ const struct acpi_device_id *id)
{
return acpi_install_cmos_rtc_space_handler(adev->handle);
}
-static void acpi_cmos_rtc_detach_handler(struct acpi_device *adev)
-{
- acpi_remove_cmos_rtc_space_handler(adev->handle);
-}
-
static struct acpi_scan_handler cmos_rtc_handler = {
.ids = acpi_cmos_rtc_ids,
- .attach = acpi_cmos_rtc_attach_handler,
- .detach = acpi_cmos_rtc_detach_handler,
+ .attach = acpi_cmos_rtc_attach,
};
void __init acpi_cmos_rtc_init(void)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 021/957] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 020/957] ACPI: x86: cmos_rtc: Clean up address space handler driver Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 022/957] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
` (941 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 6cee29ad9d7e400d39ae0b1a54447fedcb62eecd ]
If a CMOS RTC (PNP0B00/PNP0B01/PNP0B02) device coexists with an ACPI
TAD (timer and event alarm device, ACPI000E), the ACPI TAD driver will
attempt to install the CMOS RTC address space hanlder that has been
installed already and the TAD probing will fail.
Avoid that by changing acpi_install_cmos_rtc_space_handler() to return
zero and acpi_remove_cmos_rtc_space_handler() to do nothing if the CMOS
RTC address space handler has been installed already.
Fixes: 596ca52a56da ("ACPI: TAD: Install SystemCMOS address space handler for ACPI000E")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2415111.ElGaqSPkdT@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/x86/cmos_rtc.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/x86/cmos_rtc.c b/drivers/acpi/x86/cmos_rtc.c
index 977234da9fc11..45db7e51cbe60 100644
--- a/drivers/acpi/x86/cmos_rtc.c
+++ b/drivers/acpi/x86/cmos_rtc.c
@@ -24,6 +24,8 @@ static const struct acpi_device_id acpi_cmos_rtc_ids[] = {
{}
};
+static bool cmos_rtc_space_handler_present __read_mostly;
+
static acpi_status acpi_cmos_rtc_space_handler(u32 function,
acpi_physical_address address,
u32 bits, u64 *value64,
@@ -59,6 +61,9 @@ int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
{
acpi_status status;
+ if (cmos_rtc_space_handler_present)
+ return 0;
+
status = acpi_install_address_space_handler(handle,
ACPI_ADR_SPACE_CMOS,
acpi_cmos_rtc_space_handler,
@@ -68,6 +73,8 @@ int acpi_install_cmos_rtc_space_handler(acpi_handle handle)
return -ENODEV;
}
+ cmos_rtc_space_handler_present = true;
+
return 1;
}
EXPORT_SYMBOL_GPL(acpi_install_cmos_rtc_space_handler);
@@ -76,6 +83,9 @@ void acpi_remove_cmos_rtc_space_handler(acpi_handle handle)
{
acpi_status status;
+ if (cmos_rtc_space_handler_present)
+ return;
+
status = acpi_remove_address_space_handler(handle,
ACPI_ADR_SPACE_CMOS,
acpi_cmos_rtc_space_handler);
@@ -87,7 +97,13 @@ EXPORT_SYMBOL_GPL(acpi_remove_cmos_rtc_space_handler);
static int acpi_cmos_rtc_attach(struct acpi_device *adev,
const struct acpi_device_id *id)
{
- return acpi_install_cmos_rtc_space_handler(adev->handle);
+ int ret;
+
+ ret = acpi_install_cmos_rtc_space_handler(adev->handle);
+ if (ret < 0)
+ return ret;
+
+ return 1;
}
static struct acpi_scan_handler cmos_rtc_handler = {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 022/957] devres: fix missing node debug info in devm_krealloc()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 021/957] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 023/957] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
` (940 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Danilo Krummrich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit f813ec9e84b4d0ca81ec1da94ab07bfb4a29266c ]
Fix missing call to set_node_dbginfo() for new devres nodes created by
devm_krealloc().
Fixes: f82485722e5d ("devres: provide devm_krealloc()")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/20260202235210.55176-2-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/devres.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index c948c88d39560..9893d656302d9 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -940,6 +940,8 @@ void *devm_krealloc(struct device *dev, void *ptr, size_t new_size, gfp_t gfp)
if (!new_dr)
return NULL;
+ set_node_dbginfo(&new_dr->node, "devm_krealloc_release", new_size);
+
/*
* The spinlock protects the linked list against concurrent
* modifications but not the resource itself.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 023/957] thermal/drivers/spear: Fix error condition for reading st,thermal-flags
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 022/957] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 024/957] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
` (939 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gopi Krishna Menon, Daniel Lezcano,
Daniel Baluta, Lukasz Luba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gopi Krishna Menon <krishnagopi487@gmail.com>
[ Upstream commit da2c4f332a0504d9c284e7626a561d343c8d6f57 ]
of_property_read_u32 returns 0 on success. The current check returns
-EINVAL if the property is read successfully.
Fix the check by removing ! from of_property_read_u32
Fixes: b9c7aff481f1 ("drivers/thermal/spear_thermal.c: add Device Tree probing capability")
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Suggested-by: Daniel Baluta <daniel.baluta@nxp.com>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Link: https://patch.msgid.link/20260327090526.59330-1-krishnagopi487@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/spear_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/thermal/spear_thermal.c b/drivers/thermal/spear_thermal.c
index 603dadcd3df58..5e3e9c1f32f8e 100644
--- a/drivers/thermal/spear_thermal.c
+++ b/drivers/thermal/spear_thermal.c
@@ -93,7 +93,7 @@ static int spear_thermal_probe(struct platform_device *pdev)
struct device_node *np = pdev->dev.of_node;
int ret = 0, val;
- if (!np || !of_property_read_u32(np, "st,thermal-flags", &val)) {
+ if (!np || of_property_read_u32(np, "st,thermal-flags", &val)) {
dev_err(&pdev->dev, "Failed: DT Pdata not passed\n");
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 024/957] debugfs: check for NULL pointer in debugfs_create_str()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 023/957] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 025/957] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() Greg Kroah-Hartman
` (938 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, yangshiguang, Gui-Dong Han,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 31de83980d3764d784f79ff1bc93c42b324f4013 ]
Passing a NULL pointer to debugfs_create_str() leads to a NULL pointer
dereference when the debugfs file is read. Following upstream
discussions, forbid the creation of debugfs string files with NULL
pointers. Add a WARN_ON() to expose offending callers and return early.
Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
Reported-by: yangshiguang <yangshiguang@xiaomi.com>
Closes: https://lore.kernel.org/lkml/2025122221-gag-malt-75ba@gregkh/
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260323085930.88894-2-hanguidong02@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/debugfs/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 3ec3324c20603..252fca572eb76 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -1127,7 +1127,7 @@ static const struct file_operations fops_str_wo = {
* directory dentry if set. If this parameter is %NULL, then the
* file will be created in the root of the debugfs filesystem.
* @value: a pointer to the variable that the file should read to and write
- * from.
+ * from. This pointer and the string it points to must not be %NULL.
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @value. If the @mode variable is so
@@ -1136,6 +1136,9 @@ static const struct file_operations fops_str_wo = {
void debugfs_create_str(const char *name, umode_t mode,
struct dentry *parent, char **value)
{
+ if (WARN_ON(!value || !*value))
+ return;
+
debugfs_create_mode_unsafe(name, mode, parent, value, &fops_str,
&fops_str_ro, &fops_str_wo);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 025/957] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 024/957] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 026/957] soundwire: debugfs: initialize firmware_file to empty string Greg Kroah-Hartman
` (937 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 4afc929c0f74c4f22b055a82b371d50586da58ca ]
The EXPORT_SYMBOL_GPL() for debugfs_create_str was placed incorrectly
away from the function definition. Move it immediately below the
debugfs_create_str() function where it belongs.
Fixes: d60b59b96795 ("debugfs: Export debugfs_create_str symbol")
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260323085930.88894-3-hanguidong02@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/debugfs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 252fca572eb76..880a8a9deacfe 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -1047,7 +1047,6 @@ ssize_t debugfs_read_file_str(struct file *file, char __user *user_buf,
return ret;
}
-EXPORT_SYMBOL_GPL(debugfs_create_str);
static ssize_t debugfs_write_file_str(struct file *file, const char __user *user_buf,
size_t count, loff_t *ppos)
@@ -1142,6 +1141,7 @@ void debugfs_create_str(const char *name, umode_t mode,
debugfs_create_mode_unsafe(name, mode, parent, value, &fops_str,
&fops_str_ro, &fops_str_wo);
}
+EXPORT_SYMBOL_GPL(debugfs_create_str);
static ssize_t read_file_blob(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 026/957] soundwire: debugfs: initialize firmware_file to empty string
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 025/957] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 027/957] amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() Greg Kroah-Hartman
` (936 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, yangshiguang, Gui-Dong Han,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
[ Upstream commit 7215e4552f31e53595eae56a834f7e286beecccc ]
Passing NULL to debugfs_create_str() causes a NULL pointer dereference,
and creating debugfs nodes with NULL string pointers is no longer
permitted.
Additionally, firmware_file is a global pointer. Previously, adding every
new slave blindly overwrote it with NULL.
Fix these issues by initializing firmware_file to an allocated empty
string once in the subsystem init path (sdw_debugfs_init), and freeing
it in the exit path. Existing driver code handles empty strings
correctly.
Fixes: fe46d2a4301d ("soundwire: debugfs: add interface to read/write commands")
Reported-by: yangshiguang <yangshiguang@xiaomi.com>
Closes: https://lore.kernel.org/lkml/17647e4c.d461.19b46144a4e.Coremail.yangshiguang1011@163.com/
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260323085930.88894-4-hanguidong02@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/debugfs.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c
index 1e0f9318b6165..feb4d15102753 100644
--- a/drivers/soundwire/debugfs.c
+++ b/drivers/soundwire/debugfs.c
@@ -350,8 +350,8 @@ void sdw_slave_debugfs_init(struct sdw_slave *slave)
debugfs_create_file("go", 0200, d, slave, &cmd_go_fops);
debugfs_create_file("read_buffer", 0400, d, slave, &read_buffer_fops);
- firmware_file = NULL;
- debugfs_create_str("firmware_file", 0200, d, &firmware_file);
+ if (firmware_file)
+ debugfs_create_str("firmware_file", 0200, d, &firmware_file);
slave->debugfs = d;
}
@@ -363,10 +363,15 @@ void sdw_slave_debugfs_exit(struct sdw_slave *slave)
void sdw_debugfs_init(void)
{
+ if (!firmware_file)
+ firmware_file = kstrdup("", GFP_KERNEL);
+
sdw_debugfs_root = debugfs_create_dir("soundwire", NULL);
}
void sdw_debugfs_exit(void)
{
debugfs_remove_recursive(sdw_debugfs_root);
+ kfree(firmware_file);
+ firmware_file = NULL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 027/957] amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 026/957] soundwire: debugfs: initialize firmware_file to empty string Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 028/957] amd-pstate: Update cppc_req_cached in fast_switch case Greg Kroah-Hartman
` (935 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
Gautham R. Shenoy, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
[ Upstream commit beda3b363546a423e4e29a7395e04c0ac4ff677e ]
On failure to set the epp, the function amd_pstate_epp_cpu_init()
returns with an error code without freeing the cpudata object that was
allocated at the beginning of the function.
Ensure that the cpudata object is freed before returning from the
function.
This memory leak was discovered by Claude Opus 4.6 with the aid of
Chris Mason's AI review-prompts
(https://github.com/masoncl/review-prompts/tree/main/kernel).
Assisted-by: Claude:claude-opus-4.6 review-prompts/linux
Fixes: f9a378ff6443 ("cpufreq/amd-pstate: Set different default EPP policy for Epyc and Ryzen")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/amd-pstate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
index 602e4fa81d6c5..86d8762ac82c5 100644
--- a/drivers/cpufreq/amd-pstate.c
+++ b/drivers/cpufreq/amd-pstate.c
@@ -1525,7 +1525,7 @@ static int amd_pstate_epp_cpu_init(struct cpufreq_policy *policy)
ret = amd_pstate_set_epp(policy, cpudata->epp_default);
if (ret)
- return ret;
+ goto free_cpudata1;
current_pstate_driver->adjust_perf = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 028/957] amd-pstate: Update cppc_req_cached in fast_switch case
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 027/957] amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 029/957] cpufreq: Pass the policy to cpufreq_driver->adjust_perf() Greg Kroah-Hartman
` (934 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
Gautham R. Shenoy, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
[ Upstream commit fcc25a291fbdca2c06c2c6602532050873f0c9de ]
The function msr_update_perf() does not cache the new value that is
written to MSR_AMD_CPPC_REQ into the variable cpudata->cppc_req_cached
when the update is happening from the fast path.
Fix that by caching the value everytime the MSR_AMD_CPPC_REQ gets
updated.
This issue was discovered by Claude Opus 4.6 with the aid of Chris
Mason's AI review-prompts
(https://github.com/masoncl/review-prompts/tree/main/kernel).
Assisted-by: Claude:claude-opus-4.6 review-prompts/linux
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Fixes: fff395796917 ("cpufreq/amd-pstate: Always write EPP value when updating perf")
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/amd-pstate.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
index 86d8762ac82c5..39681ad1606f6 100644
--- a/drivers/cpufreq/amd-pstate.c
+++ b/drivers/cpufreq/amd-pstate.c
@@ -259,7 +259,6 @@ static int msr_update_perf(struct cpufreq_policy *policy, u8 min_perf,
if (fast_switch) {
wrmsrq(MSR_AMD_CPPC_REQ, value);
- return 0;
} else {
int ret = wrmsrq_on_cpu(cpudata->cpu, MSR_AMD_CPPC_REQ, value);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 029/957] cpufreq: Pass the policy to cpufreq_driver->adjust_perf()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 028/957] amd-pstate: Update cppc_req_cached in fast_switch case Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 030/957] PCI: use generic driver_override infrastructure Greg Kroah-Hartman
` (933 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bert Karwatzki, Viresh Kumar,
K Prateek Nayak, Gautham R. Shenoy, Zhongqiu Han,
Mario Limonciello (AMD), Sasha Levin, Gary Guo
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: K Prateek Nayak <kprateek.nayak@amd.com>
[ Upstream commit c03791085adcd61fa9b766ab303c7d0941d7378d ]
cpufreq_cpu_get() can sleep on PREEMPT_RT in presence of concurrent
writer(s), however amd-pstate depends on fetching the cpudata via the
policy's driver data which necessitates grabbing the reference.
Since schedutil governor can call "cpufreq_driver->update_perf()"
during sched_tick/enqueue/dequeue with rq_lock held and IRQs disabled,
fetching the policy object using the cpufreq_cpu_get() helper in the
scheduler fast-path leads to "BUG: scheduling while atomic" on
PREEMPT_RT [1].
Pass the cached cpufreq policy object in sg_policy to the update_perf()
instead of just the CPU. The CPU can be inferred using "policy->cpu".
The lifetime of cpufreq_policy object outlasts that of the governor and
the cpufreq driver (allocated when the CPU is onlined and only reclaimed
when the CPU is offlined / the CPU device is removed) which makes it
safe to be referenced throughout the governor's lifetime.
Closes:https://lore.kernel.org/all/20250731092316.3191-1-spasswolf@web.de/ [1]
Fixes: 1d215f0319c2 ("cpufreq: amd-pstate: Add fast switch function for AMD P-State")
Reported-by: Bert Karwatzki <spasswolf@web.de>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
Acked-by: Gary Guo <gary@garyguo.net> # Rust
Reviewed-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260316081849.19368-3-kprateek.nayak@amd.com
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/amd-pstate.c | 3 +--
drivers/cpufreq/cpufreq.c | 6 +++---
drivers/cpufreq/intel_pstate.c | 4 ++--
include/linux/cpufreq.h | 4 ++--
kernel/sched/cpufreq_schedutil.c | 5 +++--
rust/kernel/cpufreq.rs | 13 ++++++-------
6 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
index 39681ad1606f6..ce6d6b3ff58a3 100644
--- a/drivers/cpufreq/amd-pstate.c
+++ b/drivers/cpufreq/amd-pstate.c
@@ -697,13 +697,12 @@ static unsigned int amd_pstate_fast_switch(struct cpufreq_policy *policy,
return policy->cur;
}
-static void amd_pstate_adjust_perf(unsigned int cpu,
+static void amd_pstate_adjust_perf(struct cpufreq_policy *policy,
unsigned long _min_perf,
unsigned long target_perf,
unsigned long capacity)
{
u8 max_perf, min_perf, des_perf, cap_perf;
- struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu);
struct amd_cpudata *cpudata;
union perf_cached perf;
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 852e024facc3c..1ed528e34bab4 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2222,7 +2222,7 @@ EXPORT_SYMBOL_GPL(cpufreq_driver_fast_switch);
/**
* cpufreq_driver_adjust_perf - Adjust CPU performance level in one go.
- * @cpu: Target CPU.
+ * @policy: cpufreq policy object of the target CPU.
* @min_perf: Minimum (required) performance level (units of @capacity).
* @target_perf: Target (desired) performance level (units of @capacity).
* @capacity: Capacity of the target CPU.
@@ -2241,12 +2241,12 @@ EXPORT_SYMBOL_GPL(cpufreq_driver_fast_switch);
* parallel with either ->target() or ->target_index() or ->fast_switch() for
* the same CPU.
*/
-void cpufreq_driver_adjust_perf(unsigned int cpu,
+void cpufreq_driver_adjust_perf(struct cpufreq_policy *policy,
unsigned long min_perf,
unsigned long target_perf,
unsigned long capacity)
{
- cpufreq_driver->adjust_perf(cpu, min_perf, target_perf, capacity);
+ cpufreq_driver->adjust_perf(policy, min_perf, target_perf, capacity);
}
/**
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index 5efda8af4b708..eb7fb25dfbefc 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -3270,12 +3270,12 @@ static unsigned int intel_cpufreq_fast_switch(struct cpufreq_policy *policy,
return target_pstate * cpu->pstate.scaling;
}
-static void intel_cpufreq_adjust_perf(unsigned int cpunum,
+static void intel_cpufreq_adjust_perf(struct cpufreq_policy *policy,
unsigned long min_perf,
unsigned long target_perf,
unsigned long capacity)
{
- struct cpudata *cpu = all_cpu_data[cpunum];
+ struct cpudata *cpu = all_cpu_data[policy->cpu];
u64 hwp_cap = READ_ONCE(cpu->hwp_cap_cached);
int old_pstate = cpu->pstate.current_pstate;
int cap_pstate, min_pstate, max_pstate, target_pstate;
diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
index 0465d1e6f72ac..fd26b3a4aa286 100644
--- a/include/linux/cpufreq.h
+++ b/include/linux/cpufreq.h
@@ -367,7 +367,7 @@ struct cpufreq_driver {
* conditions) scale invariance can be disabled, which causes the
* schedutil governor to fall back to the latter.
*/
- void (*adjust_perf)(unsigned int cpu,
+ void (*adjust_perf)(struct cpufreq_policy *policy,
unsigned long min_perf,
unsigned long target_perf,
unsigned long capacity);
@@ -612,7 +612,7 @@ struct cpufreq_governor {
/* Pass a target to the cpufreq driver */
unsigned int cpufreq_driver_fast_switch(struct cpufreq_policy *policy,
unsigned int target_freq);
-void cpufreq_driver_adjust_perf(unsigned int cpu,
+void cpufreq_driver_adjust_perf(struct cpufreq_policy *policy,
unsigned long min_perf,
unsigned long target_perf,
unsigned long capacity);
diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
index 0ab5f9d4bc59a..307f3076635eb 100644
--- a/kernel/sched/cpufreq_schedutil.c
+++ b/kernel/sched/cpufreq_schedutil.c
@@ -461,6 +461,7 @@ static void sugov_update_single_perf(struct update_util_data *hook, u64 time,
unsigned int flags)
{
struct sugov_cpu *sg_cpu = container_of(hook, struct sugov_cpu, update_util);
+ struct sugov_policy *sg_policy = sg_cpu->sg_policy;
unsigned long prev_util = sg_cpu->util;
unsigned long max_cap;
@@ -482,10 +483,10 @@ static void sugov_update_single_perf(struct update_util_data *hook, u64 time,
if (sugov_hold_freq(sg_cpu) && sg_cpu->util < prev_util)
sg_cpu->util = prev_util;
- cpufreq_driver_adjust_perf(sg_cpu->cpu, sg_cpu->bw_min,
+ cpufreq_driver_adjust_perf(sg_policy->policy, sg_cpu->bw_min,
sg_cpu->util, max_cap);
- sg_cpu->sg_policy->last_freq_update_time = time;
+ sg_policy->last_freq_update_time = time;
}
static unsigned int sugov_next_freq_shared(struct sugov_cpu *sg_cpu, u64 time)
diff --git a/rust/kernel/cpufreq.rs b/rust/kernel/cpufreq.rs
index df5d9f6f43f3b..19729ccb3f6d2 100644
--- a/rust/kernel/cpufreq.rs
+++ b/rust/kernel/cpufreq.rs
@@ -1257,18 +1257,17 @@ impl<T: Driver> Registration<T> {
/// # Safety
///
/// - This function may only be called from the cpufreq C infrastructure.
+ /// - The pointer arguments must be valid pointers.
unsafe extern "C" fn adjust_perf_callback(
- cpu: c_uint,
+ ptr: *mut bindings::cpufreq_policy,
min_perf: c_ulong,
target_perf: c_ulong,
capacity: c_ulong,
) {
- // SAFETY: The C API guarantees that `cpu` refers to a valid CPU number.
- let cpu_id = unsafe { CpuId::from_u32_unchecked(cpu) };
-
- if let Ok(mut policy) = PolicyCpu::from_cpu(cpu_id) {
- T::adjust_perf(&mut policy, min_perf, target_perf, capacity);
- }
+ // SAFETY: The `ptr` is guaranteed to be valid by the contract with the C code for the
+ // lifetime of `policy`.
+ let policy = unsafe { Policy::from_raw_mut(ptr) };
+ T::adjust_perf(policy, min_perf, target_perf, capacity);
}
/// Driver's `get_intermediate` callback.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 030/957] PCI: use generic driver_override infrastructure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 029/957] cpufreq: Pass the policy to cpufreq_driver->adjust_perf() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 031/957] platform/wmi: " Greg Kroah-Hartman
` (932 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Bjorn Helgaas,
Alex Williamson, Danilo Krummrich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit 10a4206a24013be4d558d476010cbf2eb4c9fa64 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Alex Williamson <alex@shazbot.org>
Tested-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260324005919.2408620-6-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci-driver.c | 11 +++++++----
drivers/pci/pci-sysfs.c | 28 ----------------------------
drivers/pci/probe.c | 1 -
drivers/vfio/pci/vfio_pci_core.c | 5 ++---
drivers/xen/xen-pciback/pci_stub.c | 6 ++++--
include/linux/pci.h | 6 ------
6 files changed, 13 insertions(+), 44 deletions(-)
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index b4111c92c9572..fba07a700508f 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -138,9 +138,11 @@ static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
{
struct pci_dynid *dynid;
const struct pci_device_id *found_id = NULL, *ids;
+ int ret;
/* When driver_override is set, only bind to the matching driver */
- if (dev->driver_override && strcmp(dev->driver_override, drv->name))
+ ret = device_match_driver_override(&dev->dev, &drv->driver);
+ if (ret == 0)
return NULL;
/* Look at the dynamic ids first, before the static ones */
@@ -164,7 +166,7 @@ static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
* matching.
*/
if (found_id->override_only) {
- if (dev->driver_override)
+ if (ret > 0)
return found_id;
} else {
return found_id;
@@ -172,7 +174,7 @@ static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
}
/* driver_override will always match, send a dummy id */
- if (dev->driver_override)
+ if (ret > 0)
return &pci_device_id_any;
return NULL;
}
@@ -423,7 +425,7 @@ static int __pci_device_probe(struct pci_driver *drv, struct pci_dev *pci_dev)
static inline bool pci_device_can_probe(struct pci_dev *pdev)
{
return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe ||
- pdev->driver_override);
+ device_has_driver_override(&pdev->dev));
}
#else
static inline bool pci_device_can_probe(struct pci_dev *pdev)
@@ -1695,6 +1697,7 @@ static const struct cpumask *pci_device_irq_get_affinity(struct device *dev,
const struct bus_type pci_bus_type = {
.name = "pci",
+ .driver_override = true,
.match = pci_bus_match,
.uevent = pci_uevent,
.probe = pci_device_probe,
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 9d6f74bd95f8c..d36b46849fee2 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -615,33 +615,6 @@ static ssize_t devspec_show(struct device *dev,
static DEVICE_ATTR_RO(devspec);
#endif
-static ssize_t driver_override_store(struct device *dev,
- struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct pci_dev *pdev = to_pci_dev(dev);
- int ret;
-
- ret = driver_set_override(dev, &pdev->driver_override, buf, count);
- if (ret)
- return ret;
-
- return count;
-}
-
-static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
-{
- struct pci_dev *pdev = to_pci_dev(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", pdev->driver_override);
- device_unlock(dev);
- return len;
-}
-static DEVICE_ATTR_RW(driver_override);
-
static struct attribute *pci_dev_attrs[] = {
&dev_attr_power_state.attr,
&dev_attr_resource.attr,
@@ -669,7 +642,6 @@ static struct attribute *pci_dev_attrs[] = {
#ifdef CONFIG_OF
&dev_attr_devspec.attr,
#endif
- &dev_attr_driver_override.attr,
&dev_attr_ari_enabled.attr,
NULL,
};
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 23833fd7265e2..4e4e38e626912 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -2449,7 +2449,6 @@ static void pci_release_dev(struct device *dev)
pci_release_of_node(pci_dev);
pcibios_release_device(pci_dev);
pci_bus_put(pci_dev->bus);
- kfree(pci_dev->driver_override);
bitmap_free(pci_dev->dma_alias_mask);
dev_dbg(dev, "device released\n");
kfree(pci_dev);
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index 085373d71e9c2..69476fc67ca08 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -2013,9 +2013,8 @@ static int vfio_pci_bus_notifier(struct notifier_block *nb,
pdev->is_virtfn && physfn == vdev->pdev) {
pci_info(vdev->pdev, "Captured SR-IOV VF %s driver_override\n",
pci_name(pdev));
- pdev->driver_override = kasprintf(GFP_KERNEL, "%s",
- vdev->vdev.ops->name);
- WARN_ON(!pdev->driver_override);
+ WARN_ON(device_set_driver_override(&pdev->dev,
+ vdev->vdev.ops->name));
} else if (action == BUS_NOTIFY_BOUND_DRIVER &&
pdev->is_virtfn && physfn == vdev->pdev) {
struct pci_driver *drv = pci_dev_driver(pdev);
diff --git a/drivers/xen/xen-pciback/pci_stub.c b/drivers/xen/xen-pciback/pci_stub.c
index 045e74847fe6b..7de2fa67743c6 100644
--- a/drivers/xen/xen-pciback/pci_stub.c
+++ b/drivers/xen/xen-pciback/pci_stub.c
@@ -598,6 +598,8 @@ static int pcistub_seize(struct pci_dev *dev,
return err;
}
+static struct pci_driver xen_pcibk_pci_driver;
+
/* Called when 'bind'. This means we must _NOT_ call pci_reset_function or
* other functions that take the sysfs lock. */
static int pcistub_probe(struct pci_dev *dev, const struct pci_device_id *id)
@@ -609,8 +611,8 @@ static int pcistub_probe(struct pci_dev *dev, const struct pci_device_id *id)
match = pcistub_match(dev);
- if ((dev->driver_override &&
- !strcmp(dev->driver_override, PCISTUB_DRIVER_NAME)) ||
+ if (device_match_driver_override(&dev->dev,
+ &xen_pcibk_pci_driver.driver) > 0 ||
match) {
if (dev->hdr_type != PCI_HEADER_TYPE_NORMAL
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 05aeee8c8844a..89f5a4290b6e2 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -547,12 +547,6 @@ struct pci_dev {
u8 supported_speeds; /* Supported Link Speeds Vector */
phys_addr_t rom; /* Physical address if not from BAR */
size_t romlen; /* Length if not from BAR */
- /*
- * Driver name to force a match. Do not set directly, because core
- * frees it. Use driver_set_override() to set or clear it.
- */
- const char *driver_override;
-
unsigned long priv_flags; /* Private flags for the PCI driver */
/* These methods index pci_reset_fn_methods[] */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 031/957] platform/wmi: use generic driver_override infrastructure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 030/957] PCI: use generic driver_override infrastructure Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 032/957] vdpa: " Greg Kroah-Hartman
` (931 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Armin Wolf,
Ilpo Järvinen, Danilo Krummrich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit 8a700b1fc94df4d847a04f14ebc7f8532592b367 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: 12046f8c77e0 ("platform/x86: wmi: Add driver_override support")
Reviewed-by: Armin Wolf <W_Armin@gmx.de>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/20260324005919.2408620-7-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/wmi.c | 36 +++++-------------------------------
include/linux/wmi.h | 4 ----
2 files changed, 5 insertions(+), 35 deletions(-)
diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
index 4e86a422f05f1..6f8e96476fd07 100644
--- a/drivers/platform/x86/wmi.c
+++ b/drivers/platform/x86/wmi.c
@@ -702,39 +702,11 @@ static ssize_t expensive_show(struct device *dev,
}
static DEVICE_ATTR_RO(expensive);
-static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr,
- char *buf)
-{
- struct wmi_device *wdev = to_wmi_device(dev);
- ssize_t ret;
-
- device_lock(dev);
- ret = sysfs_emit(buf, "%s\n", wdev->driver_override);
- device_unlock(dev);
-
- return ret;
-}
-
-static ssize_t driver_override_store(struct device *dev, struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct wmi_device *wdev = to_wmi_device(dev);
- int ret;
-
- ret = driver_set_override(dev, &wdev->driver_override, buf, count);
- if (ret < 0)
- return ret;
-
- return count;
-}
-static DEVICE_ATTR_RW(driver_override);
-
static struct attribute *wmi_attrs[] = {
&dev_attr_modalias.attr,
&dev_attr_guid.attr,
&dev_attr_instance_count.attr,
&dev_attr_expensive.attr,
- &dev_attr_driver_override.attr,
NULL
};
ATTRIBUTE_GROUPS(wmi);
@@ -803,7 +775,6 @@ static void wmi_dev_release(struct device *dev)
{
struct wmi_block *wblock = dev_to_wblock(dev);
- kfree(wblock->dev.driver_override);
kfree(wblock);
}
@@ -812,10 +783,12 @@ static int wmi_dev_match(struct device *dev, const struct device_driver *driver)
const struct wmi_driver *wmi_driver = to_wmi_driver(driver);
struct wmi_block *wblock = dev_to_wblock(dev);
const struct wmi_device_id *id = wmi_driver->id_table;
+ int ret;
/* When driver_override is set, only bind to the matching driver */
- if (wblock->dev.driver_override)
- return !strcmp(wblock->dev.driver_override, driver->name);
+ ret = device_match_driver_override(dev, driver);
+ if (ret >= 0)
+ return ret;
if (id == NULL)
return 0;
@@ -936,6 +909,7 @@ static struct class wmi_bus_class = {
static const struct bus_type wmi_bus_type = {
.name = "wmi",
.dev_groups = wmi_groups,
+ .driver_override = true,
.match = wmi_dev_match,
.uevent = wmi_dev_uevent,
.probe = wmi_dev_probe,
diff --git a/include/linux/wmi.h b/include/linux/wmi.h
index 10751c8e5e6a0..c20bb22133381 100644
--- a/include/linux/wmi.h
+++ b/include/linux/wmi.h
@@ -16,16 +16,12 @@
* struct wmi_device - WMI device structure
* @dev: Device associated with this WMI device
* @setable: True for devices implementing the Set Control Method
- * @driver_override: Driver name to force a match; do not set directly,
- * because core frees it; use driver_set_override() to
- * set or clear it.
*
* This represents WMI devices discovered by the WMI driver core.
*/
struct wmi_device {
struct device dev;
bool setable;
- const char *driver_override;
};
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 032/957] vdpa: use generic driver_override infrastructure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 031/957] platform/wmi: " Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 033/957] s390/cio: " Greg Kroah-Hartman
` (930 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Eugenio Pérez,
Michael S. Tsirkin, Danilo Krummrich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit 85bb534ff12aab6916058897b39c748940a7a4c6 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: 539fec78edb4 ("vdpa: add driver_override support")
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20260324005919.2408620-9-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/vdpa.c | 48 +++++---------------------------------------
include/linux/vdpa.h | 4 ----
2 files changed, 5 insertions(+), 47 deletions(-)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 34874beb0152e..caf0ee5d6856c 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -67,57 +67,20 @@ static void vdpa_dev_remove(struct device *d)
static int vdpa_dev_match(struct device *dev, const struct device_driver *drv)
{
- struct vdpa_device *vdev = dev_to_vdpa(dev);
+ int ret;
/* Check override first, and if set, only use the named driver */
- if (vdev->driver_override)
- return strcmp(vdev->driver_override, drv->name) == 0;
+ ret = device_match_driver_override(dev, drv);
+ if (ret >= 0)
+ return ret;
/* Currently devices must be supported by all vDPA bus drivers */
return 1;
}
-static ssize_t driver_override_store(struct device *dev,
- struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct vdpa_device *vdev = dev_to_vdpa(dev);
- int ret;
-
- ret = driver_set_override(dev, &vdev->driver_override, buf, count);
- if (ret)
- return ret;
-
- return count;
-}
-
-static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
-{
- struct vdpa_device *vdev = dev_to_vdpa(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", vdev->driver_override);
- device_unlock(dev);
-
- return len;
-}
-static DEVICE_ATTR_RW(driver_override);
-
-static struct attribute *vdpa_dev_attrs[] = {
- &dev_attr_driver_override.attr,
- NULL,
-};
-
-static const struct attribute_group vdpa_dev_group = {
- .attrs = vdpa_dev_attrs,
-};
-__ATTRIBUTE_GROUPS(vdpa_dev);
-
static const struct bus_type vdpa_bus = {
.name = "vdpa",
- .dev_groups = vdpa_dev_groups,
+ .driver_override = true,
.match = vdpa_dev_match,
.probe = vdpa_dev_probe,
.remove = vdpa_dev_remove,
@@ -132,7 +95,6 @@ static void vdpa_release_dev(struct device *d)
ops->free(vdev);
ida_free(&vdpa_index_ida, vdev->index);
- kfree(vdev->driver_override);
kfree(vdev);
}
diff --git a/include/linux/vdpa.h b/include/linux/vdpa.h
index 4cf21d6e9cfde..0d8373adc1e46 100644
--- a/include/linux/vdpa.h
+++ b/include/linux/vdpa.h
@@ -72,9 +72,6 @@ struct vdpa_mgmt_dev;
* struct vdpa_device - representation of a vDPA device
* @dev: underlying device
* @vmap: the metadata passed to upper layer to be used for mapping
- * @driver_override: driver name to force a match; do not set directly,
- * because core frees it; use driver_set_override() to
- * set or clear it.
* @config: the configuration ops for this device.
* @map: the map ops for this device
* @cf_lock: Protects get and set access to configuration layout.
@@ -90,7 +87,6 @@ struct vdpa_mgmt_dev;
struct vdpa_device {
struct device dev;
union virtio_map vmap;
- const char *driver_override;
const struct vdpa_config_ops *config;
const struct virtio_map_ops *map;
struct rw_semaphore cf_lock; /* Protects get/set config */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 033/957] s390/cio: use generic driver_override infrastructure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 032/957] vdpa: " Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 034/957] bus: fsl-mc: " Greg Kroah-Hartman
` (929 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Vineeth Vijayan,
Danilo Krummrich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit ac4d8bb6e2e13e8684a76ea48d13ebaaaf5c24c4 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: ebc3d1791503 ("s390/cio: introduce driver_override on the css bus")
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Link: https://patch.msgid.link/20260324005919.2408620-10-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/cio/cio.h | 5 -----
drivers/s390/cio/css.c | 34 ++++------------------------------
2 files changed, 4 insertions(+), 35 deletions(-)
diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
index 08a5e9380e75a..bad142c536e1e 100644
--- a/drivers/s390/cio/cio.h
+++ b/drivers/s390/cio/cio.h
@@ -103,11 +103,6 @@ struct subchannel {
struct work_struct todo_work;
struct schib_config config;
u64 dma_mask;
- /*
- * Driver name to force a match. Do not set directly, because core
- * frees it. Use driver_set_override() to set or clear it.
- */
- const char *driver_override;
} __attribute__ ((aligned(8)));
DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb);
diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c
index 8a70596a55447..629d3993144e1 100644
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -160,7 +160,6 @@ static void css_subchannel_release(struct device *dev)
sch->config.intparm = 0;
cio_commit_config(sch);
- kfree(sch->driver_override);
kfree(sch);
}
@@ -324,37 +323,9 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
static DEVICE_ATTR_RO(modalias);
-static ssize_t driver_override_store(struct device *dev,
- struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct subchannel *sch = to_subchannel(dev);
- int ret;
-
- ret = driver_set_override(dev, &sch->driver_override, buf, count);
- if (ret)
- return ret;
-
- return count;
-}
-
-static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
-{
- struct subchannel *sch = to_subchannel(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", sch->driver_override);
- device_unlock(dev);
- return len;
-}
-static DEVICE_ATTR_RW(driver_override);
-
static struct attribute *subch_attrs[] = {
&dev_attr_type.attr,
&dev_attr_modalias.attr,
- &dev_attr_driver_override.attr,
NULL,
};
@@ -1358,9 +1329,11 @@ static int css_bus_match(struct device *dev, const struct device_driver *drv)
struct subchannel *sch = to_subchannel(dev);
const struct css_driver *driver = to_cssdriver(drv);
struct css_device_id *id;
+ int ret;
/* When driver_override is set, only bind to the matching driver */
- if (sch->driver_override && strcmp(sch->driver_override, drv->name))
+ ret = device_match_driver_override(dev, drv);
+ if (ret == 0)
return 0;
for (id = driver->subchannel_type; id->match_flags; id++) {
@@ -1417,6 +1390,7 @@ static int css_uevent(const struct device *dev, struct kobj_uevent_env *env)
static const struct bus_type css_bus_type = {
.name = "css",
+ .driver_override = true,
.match = css_bus_match,
.probe = css_probe,
.remove = css_remove,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 034/957] bus: fsl-mc: use generic driver_override infrastructure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 033/957] s390/cio: " Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 035/957] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
` (928 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei,
Christophe Leroy (CS GROUP), Gui-Dong Han, Danilo Krummrich,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
[ Upstream commit 6c8dfb0362732bf1e4829867a2a5239fedc592d0 ]
When a driver is probed through __driver_attach(), the bus' match()
callback is called without the device lock held, thus accessing the
driver_override field without a lock, which can cause a UAF.
Fix this by using the driver-core driver_override infrastructure taking
care of proper locking internally.
Note that calling match() from __driver_attach() without the device lock
held is intentional. [1]
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Acked-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Link: https://lore.kernel.org/driver-core/DGRGTIRHA62X.3RY09D9SOK77P@kernel.org/ [1]
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220789
Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
Link: https://patch.msgid.link/20260324005919.2408620-3-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/fsl-mc/fsl-mc-bus.c | 43 +++++--------------------------
drivers/vfio/fsl-mc/vfio_fsl_mc.c | 4 +--
include/linux/fsl/mc.h | 4 ---
3 files changed, 8 insertions(+), 43 deletions(-)
diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
index eb7b6c0ba9e7c..996379ace3764 100644
--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
@@ -86,12 +86,16 @@ static int fsl_mc_bus_match(struct device *dev, const struct device_driver *drv)
struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
const struct fsl_mc_driver *mc_drv = to_fsl_mc_driver(drv);
bool found = false;
+ int ret;
/* When driver_override is set, only bind to the matching driver */
- if (mc_dev->driver_override) {
- found = !strcmp(mc_dev->driver_override, mc_drv->driver.name);
+ ret = device_match_driver_override(dev, drv);
+ if (ret > 0) {
+ found = true;
goto out;
}
+ if (ret == 0)
+ goto out;
if (!mc_drv->match_id_table)
goto out;
@@ -181,39 +185,8 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
}
static DEVICE_ATTR_RO(modalias);
-static ssize_t driver_override_store(struct device *dev,
- struct device_attribute *attr,
- const char *buf, size_t count)
-{
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
- int ret;
-
- if (WARN_ON(dev->bus != &fsl_mc_bus_type))
- return -EINVAL;
-
- ret = driver_set_override(dev, &mc_dev->driver_override, buf, count);
- if (ret)
- return ret;
-
- return count;
-}
-
-static ssize_t driver_override_show(struct device *dev,
- struct device_attribute *attr, char *buf)
-{
- struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
- ssize_t len;
-
- device_lock(dev);
- len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
- device_unlock(dev);
- return len;
-}
-static DEVICE_ATTR_RW(driver_override);
-
static struct attribute *fsl_mc_dev_attrs[] = {
&dev_attr_modalias.attr,
- &dev_attr_driver_override.attr,
NULL,
};
@@ -316,6 +289,7 @@ ATTRIBUTE_GROUPS(fsl_mc_bus);
const struct bus_type fsl_mc_bus_type = {
.name = "fsl-mc",
+ .driver_override = true,
.match = fsl_mc_bus_match,
.uevent = fsl_mc_bus_uevent,
.dma_configure = fsl_mc_dma_configure,
@@ -925,9 +899,6 @@ static struct notifier_block fsl_mc_nb;
*/
void fsl_mc_device_remove(struct fsl_mc_device *mc_dev)
{
- kfree(mc_dev->driver_override);
- mc_dev->driver_override = NULL;
-
/*
* The device-specific remove callback will get invoked by device_del()
*/
diff --git a/drivers/vfio/fsl-mc/vfio_fsl_mc.c b/drivers/vfio/fsl-mc/vfio_fsl_mc.c
index 76ccbab0e3d64..84cd0eb65c471 100644
--- a/drivers/vfio/fsl-mc/vfio_fsl_mc.c
+++ b/drivers/vfio/fsl-mc/vfio_fsl_mc.c
@@ -430,9 +430,7 @@ static int vfio_fsl_mc_bus_notifier(struct notifier_block *nb,
if (action == BUS_NOTIFY_ADD_DEVICE &&
vdev->mc_dev == mc_cont) {
- mc_dev->driver_override = kasprintf(GFP_KERNEL, "%s",
- vfio_fsl_mc_ops.name);
- if (!mc_dev->driver_override)
+ if (device_set_driver_override(dev, vfio_fsl_mc_ops.name))
dev_warn(dev, "VFIO_FSL_MC: Setting driver override for device in dprc %s failed\n",
dev_name(&mc_cont->dev));
else
diff --git a/include/linux/fsl/mc.h b/include/linux/fsl/mc.h
index 897d6211c1635..1da63f2d70401 100644
--- a/include/linux/fsl/mc.h
+++ b/include/linux/fsl/mc.h
@@ -178,9 +178,6 @@ struct fsl_mc_obj_desc {
* @regions: pointer to array of MMIO region entries
* @irqs: pointer to array of pointers to interrupts allocated to this device
* @resource: generic resource associated with this MC object device, if any.
- * @driver_override: driver name to force a match; do not set directly,
- * because core frees it; use driver_set_override() to
- * set or clear it.
*
* Generic device object for MC object devices that are "attached" to a
* MC bus.
@@ -214,7 +211,6 @@ struct fsl_mc_device {
struct fsl_mc_device_irq **irqs;
struct fsl_mc_resource *resource;
struct device_link *consumer_link;
- const char *driver_override;
};
#define to_fsl_mc_device(_dev) \
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 035/957] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 034/957] bus: fsl-mc: " Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 036/957] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
` (927 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Thomas Gleixner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 86be659415b0ddefebc3120e309091aa215a9064 ]
This driver is currently only build on 32 bit MIPS systems. When building
it on x86_64, the following warning occurs:
drivers/irqchip/irq-pic32-evic.c: In function ‘pic32_ext_irq_of_init’:
./include/linux/kern_levels.h:5:25: error: format ‘%d’ expects argument of type
‘int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
Update the printf() formatter in preparation for allowing this driver to
be compiled on all architectures.
Fixes: aaa8666ada780 ("IRQCHIP: irq-pic32-evic: Add support for PIC32 interrupt controller")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260222-irqchip-pic32-v1-1-37f50d1f14af@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-pic32-evic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-pic32-evic.c b/drivers/irqchip/irq-pic32-evic.c
index 5dfda8e8df10d..0bb664e3d7c51 100644
--- a/drivers/irqchip/irq-pic32-evic.c
+++ b/drivers/irqchip/irq-pic32-evic.c
@@ -196,7 +196,7 @@ static void __init pic32_ext_irq_of_init(struct irq_domain *domain)
of_property_for_each_u32(node, pname, hwirq) {
if (i >= ARRAY_SIZE(priv->ext_irqs)) {
- pr_warn("More than %d external irq, skip rest\n",
+ pr_warn("More than %zu external irq, skip rest\n",
ARRAY_SIZE(priv->ext_irqs));
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 036/957] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 035/957] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 037/957] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
` (926 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Thomas Gleixner, Juri Lelli, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit d19ff16c11db38f3ee179d72751fb9b340174330 ]
Much like hrtimer_reprogram(), skip programming if the cpu_base is running
the hrtimer interrupt.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260224163429.069535561@kernel.org
Stable-dep-of: f2e388a019e4 ("hrtimer: Reduce trace noise in hrtimer_start()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/hrtimer.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 21b6d93401480..2589cd1b2ec3a 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1261,6 +1261,14 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
}
first = enqueue_hrtimer(timer, new_base, mode);
+
+ /*
+ * If the hrtimer interrupt is running, then it will reevaluate the
+ * clock bases and reprogram the clock event device.
+ */
+ if (new_base->cpu_base->in_hrtirq)
+ return false;
+
if (!force_local) {
/*
* If the current CPU base is online, then the timer is
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 037/957] hrtimer: Reduce trace noise in hrtimer_start()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 036/957] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 038/957] perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR Greg Kroah-Hartman
` (925 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@kernel.org>
[ Upstream commit f2e388a019e4cf83a15883a3d1f1384298e9a6aa ]
hrtimer_start() when invoked with an already armed timer traces like:
<comm>-.. [032] d.h2. 5.002263: hrtimer_cancel: hrtimer= ....
<comm>-.. [032] d.h1. 5.002263: hrtimer_start: hrtimer= ....
Which is incorrect as the timer doesn't get canceled. Just the expiry time
changes. The internal dequeue operation which is required for that is not
really interesting for trace analysis. But it makes it tedious to keep real
cancellations and the above case apart.
Remove the cancel tracing in hrtimer_start() and add a 'was_armed'
indicator to the hrtimer start tracepoint, which clearly indicates what the
state of the hrtimer is when hrtimer_start() is invoked:
<comm>-.. [032] d.h1. 6.200103: hrtimer_start: hrtimer= .... was_armed=0
<comm>-.. [032] d.h1. 6.200558: hrtimer_start: hrtimer= .... was_armed=1
Fixes: c6a2a1770245 ("hrtimer: Add tracepoint for hrtimers")
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260224163430.208491877@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/timer.h | 11 +++++----
kernel/time/hrtimer.c | 43 +++++++++++++++++-------------------
2 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
index 1641ae3e6ca06..ab9a9386f7b65 100644
--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
@@ -218,12 +218,13 @@ TRACE_EVENT(hrtimer_setup,
* hrtimer_start - called when the hrtimer is started
* @hrtimer: pointer to struct hrtimer
* @mode: the hrtimers mode
+ * @was_armed: Was armed when hrtimer_start*() was invoked
*/
TRACE_EVENT(hrtimer_start,
- TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode),
+ TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode, bool was_armed),
- TP_ARGS(hrtimer, mode),
+ TP_ARGS(hrtimer, mode, was_armed),
TP_STRUCT__entry(
__field( void *, hrtimer )
@@ -231,6 +232,7 @@ TRACE_EVENT(hrtimer_start,
__field( s64, expires )
__field( s64, softexpires )
__field( enum hrtimer_mode, mode )
+ __field( bool, was_armed )
),
TP_fast_assign(
@@ -239,13 +241,14 @@ TRACE_EVENT(hrtimer_start,
__entry->expires = hrtimer_get_expires(hrtimer);
__entry->softexpires = hrtimer_get_softexpires(hrtimer);
__entry->mode = mode;
+ __entry->was_armed = was_armed;
),
TP_printk("hrtimer=%p function=%ps expires=%llu softexpires=%llu "
- "mode=%s", __entry->hrtimer, __entry->function,
+ "mode=%s was_armed=%d", __entry->hrtimer, __entry->function,
(unsigned long long) __entry->expires,
(unsigned long long) __entry->softexpires,
- decode_hrtimer_mode(__entry->mode))
+ decode_hrtimer_mode(__entry->mode), __entry->was_armed)
);
/**
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 2589cd1b2ec3a..1f602deeb09a4 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -471,17 +471,10 @@ static inline void debug_setup_on_stack(struct hrtimer *timer, clockid_t clockid
trace_hrtimer_setup(timer, clockid, mode);
}
-static inline void debug_activate(struct hrtimer *timer,
- enum hrtimer_mode mode)
+static inline void debug_activate(struct hrtimer *timer, enum hrtimer_mode mode, bool was_armed)
{
debug_hrtimer_activate(timer, mode);
- trace_hrtimer_start(timer, mode);
-}
-
-static inline void debug_deactivate(struct hrtimer *timer)
-{
- debug_hrtimer_deactivate(timer);
- trace_hrtimer_cancel(timer);
+ trace_hrtimer_start(timer, mode, was_armed);
}
static struct hrtimer_clock_base *
@@ -1076,9 +1069,9 @@ EXPORT_SYMBOL_GPL(hrtimer_forward);
* Returns true when the new timer is the leftmost timer in the tree.
*/
static bool enqueue_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
- enum hrtimer_mode mode)
+ enum hrtimer_mode mode, bool was_armed)
{
- debug_activate(timer, mode);
+ debug_activate(timer, mode, was_armed);
WARN_ON_ONCE(!base->cpu_base->online);
base->cpu_base->active_bases |= 1 << base->index;
@@ -1138,6 +1131,8 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
if (state & HRTIMER_STATE_ENQUEUED) {
bool reprogram;
+ debug_hrtimer_deactivate(timer);
+
/*
* Remove the timer and force reprogramming when high
* resolution mode is active and the timer is on the current
@@ -1146,7 +1141,6 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base,
* reprogramming happens in the interrupt handler. This is a
* rare case and less expensive than a smp call.
*/
- debug_deactivate(timer);
reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases);
/*
@@ -1213,15 +1207,15 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
{
struct hrtimer_cpu_base *this_cpu_base = this_cpu_ptr(&hrtimer_bases);
struct hrtimer_clock_base *new_base;
- bool force_local, first;
+ bool force_local, first, was_armed;
/*
* If the timer is on the local cpu base and is the first expiring
* timer then this might end up reprogramming the hardware twice
- * (on removal and on enqueue). To avoid that by prevent the
- * reprogram on removal, keep the timer local to the current CPU
- * and enforce reprogramming after it is queued no matter whether
- * it is the new first expiring timer again or not.
+ * (on removal and on enqueue). To avoid that prevent the reprogram
+ * on removal, keep the timer local to the current CPU and enforce
+ * reprogramming after it is queued no matter whether it is the new
+ * first expiring timer again or not.
*/
force_local = base->cpu_base == this_cpu_base;
force_local &= base->cpu_base->next_timer == timer;
@@ -1243,7 +1237,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
* avoids programming the underlying clock event twice (once at
* removal and once after enqueue).
*/
- remove_hrtimer(timer, base, true, force_local);
+ was_armed = remove_hrtimer(timer, base, true, force_local);
if (mode & HRTIMER_MODE_REL)
tim = ktime_add_safe(tim, __hrtimer_cb_get_time(base->clockid));
@@ -1260,7 +1254,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
new_base = base;
}
- first = enqueue_hrtimer(timer, new_base, mode);
+ first = enqueue_hrtimer(timer, new_base, mode, was_armed);
/*
* If the hrtimer interrupt is running, then it will reevaluate the
@@ -1362,8 +1356,11 @@ int hrtimer_try_to_cancel(struct hrtimer *timer)
base = lock_hrtimer_base(timer, &flags);
- if (!hrtimer_callback_running(timer))
+ if (!hrtimer_callback_running(timer)) {
ret = remove_hrtimer(timer, base, false, false);
+ if (ret)
+ trace_hrtimer_cancel(timer);
+ }
unlock_hrtimer_base(timer, &flags);
@@ -1799,7 +1796,7 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
*/
if (restart != HRTIMER_NORESTART &&
!(timer->state & HRTIMER_STATE_ENQUEUED))
- enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS);
+ enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS, false);
/*
* Separate the ->running assignment from the ->state assignment.
@@ -2278,7 +2275,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
while ((node = timerqueue_getnext(&old_base->active))) {
timer = container_of(node, struct hrtimer, node);
BUG_ON(hrtimer_callback_running(timer));
- debug_deactivate(timer);
+ debug_hrtimer_deactivate(timer);
/*
* Mark it as ENQUEUED not INACTIVE otherwise the
@@ -2295,7 +2292,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
* sort out already expired timers and reprogram the
* event device.
*/
- enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS);
+ enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS, true);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 038/957] perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 037/957] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 039/957] perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Greg Kroah-Hartman
` (924 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravi Bangoria,
Peter Zijlstra (Intel), Namhyung Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ravi Bangoria <ravi.bangoria@amd.com>
[ Upstream commit 723a290326e015b07931eabc603d3735999377be ]
Commit 50a53b60e141 ("perf/amd/ibs: Prevent leaking sensitive data to
userspace") zeroed the physical address and also cleared the PhyAddrVal
flag before copying the value into a perf sample to avoid exposing
physical addresses to unprivileged users.
Clearing PhyAddrVal, however, has an unintended side-effect: several
other IBS fields are considered valid only when this bit is set. As a
result, those otherwise correct fields are discarded, reducing IBS
functionality.
Continue to zero the physical address, but keep the PhyAddrVal bit
intact so the related fields remain usable while still preventing any
address leak.
Fixes: 50a53b60e141 ("perf/amd/ibs: Prevent leaking sensitive data to userspace")
Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Link: https://patch.msgid.link/20260216042216.1440-4-ravi.bangoria@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/amd/ibs.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index 112f43b23ebf8..10af127f779fe 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1214,12 +1214,10 @@ static void perf_ibs_phyaddr_clear(struct perf_ibs *perf_ibs,
struct perf_ibs_data *ibs_data)
{
if (perf_ibs == &perf_ibs_op) {
- ibs_data->regs[ibs_op_msr_idx(MSR_AMD64_IBSOPDATA3)] &= ~(1ULL << 18);
ibs_data->regs[ibs_op_msr_idx(MSR_AMD64_IBSDCPHYSAD)] = 0;
return;
}
- ibs_data->regs[ibs_fetch_msr_idx(MSR_AMD64_IBSFETCHCTL)] &= ~(1ULL << 52);
ibs_data->regs[ibs_fetch_msr_idx(MSR_AMD64_IBSFETCHPHYSAD)] = 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 039/957] perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 038/957] perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 040/957] x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE Greg Kroah-Hartman
` (923 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sadasivan Shaiju, Ravi Bangoria,
Peter Zijlstra (Intel), Namhyung Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ravi Bangoria <ravi.bangoria@amd.com>
[ Upstream commit b0a09142622a994c4f4088c3f61db5da87cfc711 ]
Calling perf_allow_kernel() from the NMI context is unsafe and could be
fatal. Capture the permission at event-initialization time by storing it
in event->hw.flags, and have the NMI handler rely on that cached flag
instead of making the call directly.
Fixes: 50a53b60e141d ("perf/amd/ibs: Prevent leaking sensitive data to userspace")
Reported-by: Sadasivan Shaiju <sadasivan.shaiju2@amd.com>
Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Link: https://patch.msgid.link/20260216042216.1440-5-ravi.bangoria@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/amd/ibs.c | 5 ++++-
arch/x86/events/perf_event_flags.h | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index 10af127f779fe..56918cd91115c 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -313,6 +313,9 @@ static int perf_ibs_init(struct perf_event *event)
if (ret)
return ret;
+ if (perf_allow_kernel())
+ hwc->flags |= PERF_X86_EVENT_UNPRIVILEGED;
+
if (hwc->sample_period) {
if (config & perf_ibs->cnt_mask)
/* raw max_cnt may not be set */
@@ -1342,7 +1345,7 @@ static int perf_ibs_handle_irq(struct perf_ibs *perf_ibs, struct pt_regs *iregs)
* unprivileged users.
*/
if ((event->attr.sample_type & PERF_SAMPLE_RAW) &&
- perf_allow_kernel()) {
+ (hwc->flags & PERF_X86_EVENT_UNPRIVILEGED)) {
perf_ibs_phyaddr_clear(perf_ibs, &ibs_data);
}
diff --git a/arch/x86/events/perf_event_flags.h b/arch/x86/events/perf_event_flags.h
index 70078334e4a33..47f84ee8f5409 100644
--- a/arch/x86/events/perf_event_flags.h
+++ b/arch/x86/events/perf_event_flags.h
@@ -23,3 +23,4 @@ PERF_ARCH(PEBS_LAT_HYBRID, 0x0020000) /* ld and st lat for hybrid */
PERF_ARCH(NEEDS_BRANCH_STACK, 0x0040000) /* require branch stack setup */
PERF_ARCH(BRANCH_COUNTERS, 0x0080000) /* logs the counters in the extra space of each branch */
PERF_ARCH(ACR, 0x0100000) /* Auto counter reload */
+PERF_ARCH(UNPRIVILEGED, 0x0200000) /* Unprivileged event (wrt perf_allow_kernel()) */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 040/957] x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 039/957] perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 041/957] rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()` Greg Kroah-Hartman
` (922 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoyao Li, Dave Hansen,
Kirill A. Shutemov, Kai Huang, Sean Christopherson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaoyao Li <xiaoyao.li@intel.com>
[ Upstream commit 3aecb2e7b948400354399b26f3f1653bd2c1bae0 ]
The TD scoped TDCS attributes are defined by bit positions. In the guest
side of the TDX code, the 'tdx_attributes' string array holds pretty
print names for these attributes, which are generated via macros and
defines. Today these pretty print names are only used to print the
attribute names to dmesg.
Unfortunately there is a typo in the define for the migratable bit.
Change the defines TDX_ATTR_MIGRTABLE* to TDX_ATTR_MIGRATABLE*. Update
the sole user, the tdx_attributes array, to use the fixed name.
Since these defines control the string printed to dmesg, the change is
user visible. But the risk of breakage is almost zero since it is not
exposed in any interface expected to be consumed programmatically.
Fixes: 564ea84c8c14 ("x86/tdx: Dump attributes and TD_CTLS on boot")
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Acked-by: Sean Christopherson <seanjc@google.com>
Link: https://patch.msgid.link/20260303030335.766779-2-xiaoyao.li@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/coco/tdx/debug.c | 2 +-
arch/x86/include/asm/shared/tdx.h | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/coco/tdx/debug.c b/arch/x86/coco/tdx/debug.c
index cef847c8bb67f..28990c2ab0a14 100644
--- a/arch/x86/coco/tdx/debug.c
+++ b/arch/x86/coco/tdx/debug.c
@@ -17,7 +17,7 @@ static __initdata const char *tdx_attributes[] = {
DEF_TDX_ATTR_NAME(ICSSD),
DEF_TDX_ATTR_NAME(LASS),
DEF_TDX_ATTR_NAME(SEPT_VE_DISABLE),
- DEF_TDX_ATTR_NAME(MIGRTABLE),
+ DEF_TDX_ATTR_NAME(MIGRATABLE),
DEF_TDX_ATTR_NAME(PKS),
DEF_TDX_ATTR_NAME(KL),
DEF_TDX_ATTR_NAME(TPA),
diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h
index 8bc074c8d7c6a..11f3cf30b1ac8 100644
--- a/arch/x86/include/asm/shared/tdx.h
+++ b/arch/x86/include/asm/shared/tdx.h
@@ -35,8 +35,8 @@
#define TDX_ATTR_LASS BIT_ULL(TDX_ATTR_LASS_BIT)
#define TDX_ATTR_SEPT_VE_DISABLE_BIT 28
#define TDX_ATTR_SEPT_VE_DISABLE BIT_ULL(TDX_ATTR_SEPT_VE_DISABLE_BIT)
-#define TDX_ATTR_MIGRTABLE_BIT 29
-#define TDX_ATTR_MIGRTABLE BIT_ULL(TDX_ATTR_MIGRTABLE_BIT)
+#define TDX_ATTR_MIGRATABLE_BIT 29
+#define TDX_ATTR_MIGRATABLE BIT_ULL(TDX_ATTR_MIGRATABLE_BIT)
#define TDX_ATTR_PKS_BIT 30
#define TDX_ATTR_PKS BIT_ULL(TDX_ATTR_PKS_BIT)
#define TDX_ATTR_KL_BIT 31
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 041/957] rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 040/957] x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 042/957] sparc64: vdso: Link with -z noexecstack Greg Kroah-Hartman
` (921 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boqun Feng, Peter Zijlstra (Intel),
Alice Ryhl, Gary Guo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boqun Feng <boqun.feng@gmail.com>
[ Upstream commit 4a5dc632e0b603ec1cbbf87b78de86b4b6359cff ]
Originally, `Atomic::from_ptr()` requires `T` being a `Sync` because I
thought having the ability to do `from_ptr()` meant multiplle
`&Atomic<T>`s shared by different threads, which was identical (or
similar) to multiple `&T`s shared by different threads. Hence `T` was
required to be `Sync`. However this is not true, since `&Atomic<T>` is
not the same at `&T`. Moreover, having this bound makes `Atomic::<*mut
T>::from_ptr()` impossible, which is definitely not intended. Therefore
remove the `T: Sync` bound.
[boqun: Fix title typo spotted by Alice & Gary]
Fixes: 29c32c405e53 ("rust: sync: atomic: Add generic atomics")
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20260120115207.55318-2-boqun.feng@gmail.com
Link: https://patch.msgid.link/20260303201701.12204-2-boqun@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
rust/kernel/sync/atomic.rs | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rust/kernel/sync/atomic.rs b/rust/kernel/sync/atomic.rs
index 016a6bcaf0807..43229f0320e92 100644
--- a/rust/kernel/sync/atomic.rs
+++ b/rust/kernel/sync/atomic.rs
@@ -202,10 +202,7 @@ impl<T: AtomicType> Atomic<T> {
/// // no data race.
/// unsafe { Atomic::from_ptr(foo_a_ptr) }.store(2, Release);
/// ```
- pub unsafe fn from_ptr<'a>(ptr: *mut T) -> &'a Self
- where
- T: Sync,
- {
+ pub unsafe fn from_ptr<'a>(ptr: *mut T) -> &'a Self {
// CAST: `T` and `Atomic<T>` have the same size, alignment and bit validity.
// SAFETY: Per function safety requirement, `ptr` is a valid pointer and the object will
// live long enough. It's safe to return a `&Atomic<T>` because function safety requirement
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 042/957] sparc64: vdso: Link with -z noexecstack
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 041/957] rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()` Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 043/957] scripts/gdb: timerlist: Adapt to move of tk_core Greg Kroah-Hartman
` (920 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Thomas Weißschuh,
Thomas Gleixner, Andreas Larsson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit acc4f131d5d57c2aa89db914aeb6f7bb0ab4eb4a ]
The vDSO stack does not need to be executable. Prevent the linker from
creating executable. For more background see commit ffcf9c5700e4 ("x86:
link vdso and boot with -z noexecstack --no-warn-rwx-segments").
Also prevent the following warning from the linker:
sparc64-linux-ld: warning: arch/sparc/vdso/vdso-note.o: missing .note.GNU-stack section implies executable stack
sparc64-linux-ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
Fixes: 9a08862a5d2e ("vDSO for sparc")
Suggested-by: Arnd Bergmann <arnd@kernel.org>
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Tested-by: Andreas Larsson <andreas@gaisler.com>
Reviewed-by: Andreas Larsson <andreas@gaisler.com>
Acked-by: Andreas Larsson <andreas@gaisler.com>
Link: https://lore.kernel.org/lkml/20250707144726.4008707-1-arnd@kernel.org/
Link: https://patch.msgid.link/20260304-vdso-sparc64-generic-2-v6-4-d8eb3b0e1410@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/vdso/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile
index 683b2d4082244..400529acd1c10 100644
--- a/arch/sparc/vdso/Makefile
+++ b/arch/sparc/vdso/Makefile
@@ -104,4 +104,4 @@ quiet_cmd_vdso = VDSO $@
$(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
-T $(filter %.lds,$^) $(filter %.o,$^)
-VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 -Bsymbolic --no-undefined
+VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 -Bsymbolic --no-undefined -z noexecstack
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 043/957] scripts/gdb: timerlist: Adapt to move of tk_core
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 042/957] sparc64: vdso: Link with -z noexecstack Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 044/957] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
` (919 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh ,
Thomas Gleixner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh (Schneider Electric) <thomas.weissschuh@linutronix.de>
[ Upstream commit 5aa9383813aca45b914d4a7481ca417ef13114df ]
tk_core is a macro today which cannot be resolved by gdb.
Use the correct symbol expression to reference tk_core.
Fixes: 22c62b9a84b8 ("timekeeping: Introduce auxiliary timekeepers")
Signed-off-by: Thomas Weißschuh (Schneider Electric) <thomas.weissschuh@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260311-hrtimer-cleanups-v1-1-095357392669@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/gdb/linux/timerlist.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/gdb/linux/timerlist.py b/scripts/gdb/linux/timerlist.py
index ccc24d30de806..9fb3436a217cc 100644
--- a/scripts/gdb/linux/timerlist.py
+++ b/scripts/gdb/linux/timerlist.py
@@ -20,7 +20,7 @@ def ktime_get():
We can't read the hardware timer itself to add any nanoseconds
that need to be added since we last stored the time in the
timekeeper. But this is probably good enough for debug purposes."""
- tk_core = gdb.parse_and_eval("&tk_core")
+ tk_core = gdb.parse_and_eval("&timekeeper_data[TIMEKEEPER_CORE]")
return tk_core['timekeeper']['tkr_mono']['base']
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 044/957] locking: Fix rwlock support in <linux/spinlock_up.h>
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 043/957] scripts/gdb: timerlist: Adapt to move of tk_core Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 045/957] sched/topology: Compute sd_weight considering cpuset partitions Greg Kroah-Hartman
` (918 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 756a0e011cfca0b45a48464aa25b05d9a9c2fb0b ]
Architecture support for rwlocks must be available whether or not
CONFIG_DEBUG_SPINLOCK has been defined. Move the definitions of the
arch_{read,write}_{lock,trylock,unlock}() macros such that these become
visbile if CONFIG_DEBUG_SPINLOCK=n.
This patch prepares for converting do_raw_{read,write}_trylock() into
inline functions. Without this patch that conversion triggers a build
failure for UP architectures, e.g. arm-ep93xx. I used the following
kernel configuration to build the kernel for that architecture:
CONFIG_ARCH_MULTIPLATFORM=y
CONFIG_ARCH_MULTI_V7=n
CONFIG_ATAGS=y
CONFIG_MMU=y
CONFIG_ARCH_MULTI_V4T=y
CONFIG_CPU_LITTLE_ENDIAN=y
CONFIG_ARCH_EP93XX=y
Fixes: fb1c8f93d869 ("[PATCH] spinlock consolidation")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260313171510.230998-2-bvanassche@acm.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/spinlock_up.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/include/linux/spinlock_up.h b/include/linux/spinlock_up.h
index 1e84e71ca495e..3a50976471d71 100644
--- a/include/linux/spinlock_up.h
+++ b/include/linux/spinlock_up.h
@@ -48,16 +48,6 @@ static inline void arch_spin_unlock(arch_spinlock_t *lock)
lock->slock = 1;
}
-/*
- * Read-write spinlocks. No debug version.
- */
-#define arch_read_lock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_write_lock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_read_trylock(lock) ({ barrier(); (void)(lock); 1; })
-#define arch_write_trylock(lock) ({ barrier(); (void)(lock); 1; })
-#define arch_read_unlock(lock) do { barrier(); (void)(lock); } while (0)
-#define arch_write_unlock(lock) do { barrier(); (void)(lock); } while (0)
-
#else /* DEBUG_SPINLOCK */
#define arch_spin_is_locked(lock) ((void)(lock), 0)
/* for sched/core.c and kernel_lock.c: */
@@ -68,4 +58,14 @@ static inline void arch_spin_unlock(arch_spinlock_t *lock)
#define arch_spin_is_contended(lock) (((void)(lock), 0))
+/*
+ * Read-write spinlocks. No debug version.
+ */
+#define arch_read_lock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_write_lock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_read_trylock(lock) ({ barrier(); (void)(lock); 1; })
+#define arch_write_trylock(lock) ({ barrier(); (void)(lock); 1; })
+#define arch_read_unlock(lock) do { barrier(); (void)(lock); } while (0)
+#define arch_write_unlock(lock) do { barrier(); (void)(lock); } while (0)
+
#endif /* __LINUX_SPINLOCK_UP_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 045/957] sched/topology: Compute sd_weight considering cpuset partitions
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 044/957] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 046/957] sched/topology: Fix sched_domain_span() Greg Kroah-Hartman
` (917 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, K Prateek Nayak,
Peter Zijlstra (Intel), Shrikanth Hegde, Chen Yu,
Valentin Schneider, Dietmar Eggemann, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: K Prateek Nayak <kprateek.nayak@amd.com>
[ Upstream commit 8e8e23dea43e64ddafbd1246644c3219209be113 ]
The "sd_weight" used for calculating the load balancing interval, and
its limits, considers the span weight of the entire topology level
without accounting for cpuset partitions.
For example, consider a large system of 128CPUs divided into 8 * 16CPUs
partition which is typical when deploying virtual machines:
[ PKG Domain: 128CPUs ]
[Partition0: 16CPUs][Partition1: 16CPUs] ... [Partition7: 16CPUs]
Although each partition only contains 16CPUs, the load balancing
interval is set to a minimum of 128 jiffies considering the span of the
entire domain with 128CPUs which can lead to longer imbalances within
the partition although balancing within is cheaper with 16CPUs.
Compute the "sd_weight" after computing the "sd_span" considering the
cpu_map covered by the partition, and set the load balancing interval,
and its limits accordingly.
For the above example, the balancing intervals for the partitions PKG
domain changes as follows:
before after
balance_interval 128 16
min_interval 128 16
max_interval 256 32
Intervals are now proportional to the CPUs in the partitioned domain as
was intended by the original formula.
Fixes: cb83b629bae03 ("sched/numa: Rewrite the CONFIG_NUMA sched domain support")
Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Shrikanth Hegde <sshegde@linux.ibm.com>
Reviewed-by: Chen Yu <yu.c.chen@intel.com>
Reviewed-by: Valentin Schneider <vschneid@redhat.com>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Link: https://patch.msgid.link/20260312044434.1974-2-kprateek.nayak@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/topology.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
index c7a4d2fff5718..35478aa2536fc 100644
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -1631,13 +1631,17 @@ sd_init(struct sched_domain_topology_level *tl,
int sd_id, sd_weight, sd_flags = 0;
struct cpumask *sd_span;
- sd_weight = cpumask_weight(tl->mask(tl, cpu));
+ sd_span = sched_domain_span(sd);
+ cpumask_and(sd_span, cpu_map, tl->mask(tl, cpu));
+ sd_weight = cpumask_weight(sd_span);
+ sd_id = cpumask_first(sd_span);
if (tl->sd_flags)
sd_flags = (*tl->sd_flags)();
if (WARN_ONCE(sd_flags & ~TOPOLOGY_SD_FLAGS,
- "wrong sd_flags in topology description\n"))
+ "wrong sd_flags in topology description\n"))
sd_flags &= TOPOLOGY_SD_FLAGS;
+ sd_flags |= asym_cpu_capacity_classify(sd_span, cpu_map);
*sd = (struct sched_domain){
.min_interval = sd_weight,
@@ -1674,12 +1678,6 @@ sd_init(struct sched_domain_topology_level *tl,
.name = tl->name,
};
- sd_span = sched_domain_span(sd);
- cpumask_and(sd_span, cpu_map, tl->mask(tl, cpu));
- sd_id = cpumask_first(sd_span);
-
- sd->flags |= asym_cpu_capacity_classify(sd_span, cpu_map);
-
WARN_ONCE((sd->flags & (SD_SHARE_CPUCAPACITY | SD_ASYM_CPUCAPACITY)) ==
(SD_SHARE_CPUCAPACITY | SD_ASYM_CPUCAPACITY),
"CPU capacity asymmetry not supported on SMT\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 046/957] sched/topology: Fix sched_domain_span()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 045/957] sched/topology: Compute sd_weight considering cpuset partitions Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 047/957] irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe() Greg Kroah-Hartman
` (916 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor,
Peter Zijlstra (Intel), Jon Hunter, Chen Yu, K Prateek Nayak,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit e379dce8af11d8d6040b4348316a499bfd174bfb ]
Commit 8e8e23dea43e ("sched/topology: Compute sd_weight considering
cpuset partitions") ends up relying on the fact that structure
initialization should not touch the flexible array.
However, the official GCC specification for "Arrays of Length Zero"
[*] says:
Although the size of a zero-length array is zero, an array member of
this kind may increase the size of the enclosing type as a result of
tail padding.
Additionally, structure initialization will zero tail padding. With
the end result that since offsetof(*type, member) < sizeof(*type),
array initialization will clobber the flex array.
Luckily, the way flexible array sizes are calculated is:
sizeof(*type) + count * sizeof(*type->member)
This means we have the complete size of the flex array *outside* of
sizeof(*type), so use that instead of relying on the broken flex array
definition.
[*] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
Fixes: 8e8e23dea43e ("sched/topology: Compute sd_weight considering cpuset partitions")
Reported-by: Nathan Chancellor <nathan@kernel.org>
Debugged-by: K Prateek Nayak <kprateek.nayak@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Chen Yu <yu.c.chen@intel.com>
Tested-by: K Prateek Nayak <kprateek.nayak@amd.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20260323093627.GY3738010@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched/topology.h | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/include/linux/sched/topology.h b/include/linux/sched/topology.h
index 45c0022b91ced..6f8a4ae860da8 100644
--- a/include/linux/sched/topology.h
+++ b/include/linux/sched/topology.h
@@ -141,18 +141,30 @@ struct sched_domain {
unsigned int span_weight;
/*
- * Span of all CPUs in this domain.
+ * See sched_domain_span(), on why flex arrays are broken.
*
- * NOTE: this field is variable length. (Allocated dynamically
- * by attaching extra space to the end of the structure,
- * depending on how many CPUs the kernel has booted up with)
- */
unsigned long span[];
+ */
};
static inline struct cpumask *sched_domain_span(struct sched_domain *sd)
{
- return to_cpumask(sd->span);
+ /*
+ * Turns out that C flexible arrays are fundamentally broken since it
+ * is allowed for offsetof(*sd, span) < sizeof(*sd), this means that
+ * structure initialzation *sd = { ... }; which writes every byte
+ * inside sizeof(*type), will over-write the start of the flexible
+ * array.
+ *
+ * Luckily, the way we allocate sched_domain is by:
+ *
+ * sizeof(*sd) + cpumask_size()
+ *
+ * this means that we have sufficient space for the whole flex array
+ * *outside* of sizeof(*sd). So use that, and avoid using sd->span.
+ */
+ unsigned long *bitmap = (void *)sd + sizeof(*sd);
+ return to_cpumask(bitmap);
}
extern void partition_sched_domains(int ndoms_new, cpumask_var_t doms_new[],
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 047/957] irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 046/957] sched/topology: Fix sched_domain_span() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 048/957] ASoC: Intel: avs: Check maximum valid CPUID leaf Greg Kroah-Hartman
` (915 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Biju Das, Thomas Gleixner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit fb74e35f78105efd8635c89b39f4389f567edbdc ]
Replace pm_runtime_put() with pm_runtime_put_sync() when
irq_domain_create_hierarchy() fails to ensure the device suspends
synchronously before devres cleanup disables runtime PM via
pm_runtime_disable().
[ tglx: Fix up subject and change log to be precise ]
Fixes: 7de11369ef30 ("irqchip/renesas-rzg2l: Use devm_pm_runtime_enable()")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260325192451.172562-4-biju.das.jz@bp.renesas.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-renesas-rzg2l.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
index 1bf19deb02c4e..c938ab1592895 100644
--- a/drivers/irqchip/irq-renesas-rzg2l.c
+++ b/drivers/irqchip/irq-renesas-rzg2l.c
@@ -573,7 +573,7 @@ static int rzg2l_irqc_common_probe(struct platform_device *pdev, struct device_n
irq_domain = irq_domain_create_hierarchy(parent_domain, 0, IRQC_NUM_IRQ, dev_fwnode(dev),
&rzg2l_irqc_domain_ops, rzg2l_irqc_data);
if (!irq_domain) {
- pm_runtime_put(dev);
+ pm_runtime_put_sync(dev);
return -ENOMEM;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 048/957] ASoC: Intel: avs: Check maximum valid CPUID leaf
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 047/957] irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 049/957] ASoC: Intel: avs: Include CPUID header at file scope Greg Kroah-Hartman
` (914 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed S. Darwish,
Borislav Petkov (AMD), Cezary Rojewski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed S. Darwish <darwi@linutronix.de>
[ Upstream commit 93a1f0e61329f538cfc7122d7fa0e7a1803e326d ]
The Intel AVS driver queries CPUID(0x15) before checking if the CPUID leaf
is available. Check the maximum-valid CPU standard leaf beforehand.
Use the CPUID_LEAF_TSC macro instead of the custom local one for the
CPUID(0x15) leaf number.
Fixes: cbe37a4d2b3c ("ASoC: Intel: avs: Configure basefw on TGL-based platforms")
Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20260327021645.555257-2-darwi@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/avs/tgl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sound/soc/intel/avs/tgl.c b/sound/soc/intel/avs/tgl.c
index afb0665161010..4649d749b41e0 100644
--- a/sound/soc/intel/avs/tgl.c
+++ b/sound/soc/intel/avs/tgl.c
@@ -11,8 +11,6 @@
#include "debug.h"
#include "messages.h"
-#define CPUID_TSC_LEAF 0x15
-
static int avs_tgl_dsp_core_power(struct avs_dev *adev, u32 core_mask, bool power)
{
core_mask &= AVS_MAIN_CORE_MASK;
@@ -49,7 +47,11 @@ static int avs_tgl_config_basefw(struct avs_dev *adev)
unsigned int ecx;
#include <asm/cpuid/api.h>
- ecx = cpuid_ecx(CPUID_TSC_LEAF);
+
+ if (boot_cpu_data.cpuid_level < CPUID_LEAF_TSC)
+ goto no_cpuid;
+
+ ecx = cpuid_ecx(CPUID_LEAF_TSC);
if (ecx) {
ret = avs_ipc_set_fw_config(adev, 1, AVS_FW_CFG_XTAL_FREQ_HZ, sizeof(ecx), &ecx);
if (ret)
@@ -57,6 +59,7 @@ static int avs_tgl_config_basefw(struct avs_dev *adev)
}
#endif
+no_cpuid:
hwid.device = pci->device;
hwid.subsystem = pci->subsystem_vendor | (pci->subsystem_device << 16);
hwid.revision = pci->revision;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 049/957] ASoC: Intel: avs: Include CPUID header at file scope
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 048/957] ASoC: Intel: avs: Check maximum valid CPUID leaf Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 050/957] x86/vdso: Clean up remnants of VDSO32_NOTE_MASK Greg Kroah-Hartman
` (913 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed S. Darwish,
Borislav Petkov (AMD), Cezary Rojewski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed S. Darwish <darwi@linutronix.de>
[ Upstream commit 7f78e0b46e9984e955cb73ffada8dace8b4dd059 ]
Commit
cbe37a4d2b3c ("ASoC: Intel: avs: Configure basefw on TGL-based platforms")
includes the main CPUID header from within a C function. This works by
luck and forbids valid refactoring inside that header.
Include the CPUID header at file scope instead.
Remove the COMPILE_TEST build flag so that the CONFIG_X86 conditionals can
be removed. The driver gets enough compilation testing already on x86.
For clarity, refactor the CPUID(0x15) code into its own function without
changing any of the driver's logic.
Fixes: cbe37a4d2b3c ("ASoC: Intel: avs: Configure basefw on TGL-based platforms")
Suggested-by: Borislav Petkov <bp@alien8.de> # CONFIG_X86 removal
Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/all/20250612234010.572636-3-darwi@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/Kconfig | 2 +-
sound/soc/intel/avs/tgl.c | 37 ++++++++++++++++++++++++-------------
2 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/sound/soc/intel/Kconfig b/sound/soc/intel/Kconfig
index 412555e626b81..63367364916ae 100644
--- a/sound/soc/intel/Kconfig
+++ b/sound/soc/intel/Kconfig
@@ -95,7 +95,7 @@ config SND_SOC_INTEL_KEEMBAY
config SND_SOC_INTEL_AVS
tristate "Intel AVS driver"
- depends on X86 || COMPILE_TEST
+ depends on X86
depends on PCI
depends on COMMON_CLK
select ACPI_NHLT if ACPI
diff --git a/sound/soc/intel/avs/tgl.c b/sound/soc/intel/avs/tgl.c
index 4649d749b41e0..a7123639de431 100644
--- a/sound/soc/intel/avs/tgl.c
+++ b/sound/soc/intel/avs/tgl.c
@@ -7,6 +7,7 @@
//
#include <linux/pci.h>
+#include <asm/cpuid/api.h>
#include "avs.h"
#include "debug.h"
#include "messages.h"
@@ -38,28 +39,38 @@ static int avs_tgl_dsp_core_stall(struct avs_dev *adev, u32 core_mask, bool stal
return avs_dsp_core_stall(adev, core_mask, stall);
}
-static int avs_tgl_config_basefw(struct avs_dev *adev)
+/*
+ * Succeed if CPUID(0x15) is not available, or if the nominal core crystal clock
+ * frequency cannot be enumerated from it. There is nothing to do in both cases.
+ */
+static int avs_tgl_set_xtal_freq(struct avs_dev *adev)
{
- struct pci_dev *pci = adev->base.pci;
- struct avs_bus_hwid hwid;
+ unsigned int freq;
int ret;
-#ifdef CONFIG_X86
- unsigned int ecx;
-
-#include <asm/cpuid/api.h>
if (boot_cpu_data.cpuid_level < CPUID_LEAF_TSC)
- goto no_cpuid;
+ return 0;
- ecx = cpuid_ecx(CPUID_LEAF_TSC);
- if (ecx) {
- ret = avs_ipc_set_fw_config(adev, 1, AVS_FW_CFG_XTAL_FREQ_HZ, sizeof(ecx), &ecx);
+ freq = cpuid_ecx(CPUID_LEAF_TSC);
+ if (freq) {
+ ret = avs_ipc_set_fw_config(adev, 1, AVS_FW_CFG_XTAL_FREQ_HZ, sizeof(freq), &freq);
if (ret)
return AVS_IPC_RET(ret);
}
-#endif
-no_cpuid:
+ return 0;
+}
+
+static int avs_tgl_config_basefw(struct avs_dev *adev)
+{
+ struct pci_dev *pci = adev->base.pci;
+ struct avs_bus_hwid hwid;
+ int ret;
+
+ ret = avs_tgl_set_xtal_freq(adev);
+ if (ret)
+ return ret;
+
hwid.device = pci->device;
hwid.subsystem = pci->subsystem_vendor | (pci->subsystem_device << 16);
hwid.revision = pci->revision;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 050/957] x86/vdso: Clean up remnants of VDSO32_NOTE_MASK
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 049/957] ASoC: Intel: avs: Include CPUID header at file scope Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 051/957] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
` (912 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Ingo Molnar,
H. Peter Anvin, Boris Ostrovsky, Juergen Gross, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit 6517f293b2c6774d21b6e7e26a55fae60c6ec4cf ]
VDSO32_NOTE_MASK is not used or provided anymore, remove it.
Fixes: a13f2ef168cb ("x86/xen: remove 32-bit Xen PV guest support")
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Link: https://patch.msgid.link/20260330-vdso-x86-vdso32_note_mask-v1-1-2f5c473327bf@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/entry/vdso/vdso2c.c | 1 -
arch/x86/include/asm/vdso.h | 1 -
2 files changed, 2 deletions(-)
diff --git a/arch/x86/entry/vdso/vdso2c.c b/arch/x86/entry/vdso/vdso2c.c
index f84e8f8fa5fe6..b8a555763f437 100644
--- a/arch/x86/entry/vdso/vdso2c.c
+++ b/arch/x86/entry/vdso/vdso2c.c
@@ -75,7 +75,6 @@ struct vdso_sym {
};
struct vdso_sym required_syms[] = {
- {"VDSO32_NOTE_MASK", true},
{"__kernel_vsyscall", true},
{"__kernel_sigreturn", true},
{"__kernel_rt_sigreturn", true},
diff --git a/arch/x86/include/asm/vdso.h b/arch/x86/include/asm/vdso.h
index b7253ef3205a6..7bc290ae99334 100644
--- a/arch/x86/include/asm/vdso.h
+++ b/arch/x86/include/asm/vdso.h
@@ -18,7 +18,6 @@ struct vdso_image {
unsigned long extable_base, extable_len;
const void *extable;
- long sym_VDSO32_NOTE_MASK;
long sym___kernel_sigreturn;
long sym___kernel_rt_sigreturn;
long sym___kernel_vsyscall;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 051/957] firmware: dmi: Correct an indexing error in dmi.h
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 050/957] x86/vdso: Clean up remnants of VDSO32_NOTE_MASK Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 052/957] sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr() Greg Kroah-Hartman
` (911 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
Borislav Petkov (AMD), Jean Delvare, Yazen Ghannam, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit c064abc68e009d2cc18416e7132d9c25e03125b6 ]
The entries later in enum dmi_entry_type don't match the SMBIOS
specification¹.
The entry for type 33: `64-Bit Memory Error Information` is not present and
thus the index for all later entries is incorrect.
Add it.
Also, add missing entry types 43-46, while at it.
¹ Search for "System Management BIOS (SMBIOS) Reference Specification"
[ bp: Drop the flaky SMBIOS spec URL. ]
Fixes: 93c890dbe5287 ("firmware: Add DMI entry types to the headers")
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
Link: https://patch.msgid.link/20260307141024.819807-2-superm1@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/dmi.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/linux/dmi.h b/include/linux/dmi.h
index 927f8a8b7a1dd..2eedf44e68012 100644
--- a/include/linux/dmi.h
+++ b/include/linux/dmi.h
@@ -60,6 +60,7 @@ enum dmi_entry_type {
DMI_ENTRY_OOB_REMOTE_ACCESS,
DMI_ENTRY_BIS_ENTRY,
DMI_ENTRY_SYSTEM_BOOT,
+ DMI_ENTRY_64_MEM_ERROR,
DMI_ENTRY_MGMT_DEV,
DMI_ENTRY_MGMT_DEV_COMPONENT,
DMI_ENTRY_MGMT_DEV_THRES,
@@ -69,6 +70,10 @@ enum dmi_entry_type {
DMI_ENTRY_ADDITIONAL,
DMI_ENTRY_ONBOARD_DEV_EXT,
DMI_ENTRY_MGMT_CONTROLLER_HOST,
+ DMI_ENTRY_TPM_DEVICE,
+ DMI_ENTRY_PROCESSOR_ADDITIONAL,
+ DMI_ENTRY_FIRMWARE_INVENTORY,
+ DMI_ENTRY_STRING_PROPERTY,
DMI_ENTRY_INACTIVE = 126,
DMI_ENTRY_END_OF_TABLE = 127,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 052/957] sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 051/957] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 18:32 ` John Stultz
2026-05-20 16:08 ` [PATCH 6.18 053/957] sched/rt: Skip group schedulable check with rt_group_sched=0 Greg Kroah-Hartman
` (910 subsequent siblings)
962 siblings, 1 reply; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, K Prateek Nayak, Peter Zijlstra,
John Stultz, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Stultz <jstultz@google.com>
[ Upstream commit e0ca8991b2de6c9dfe6fcd8a0364951b2bd56797 ]
With proxy-execution, the scheduler selects the donor, but for
blocked donors, we end up running the lock owner.
This caused some complexity, because the class schedulers make
sure to remove the task they pick from their pushable task
lists, which prevents the donor from being migrated, but there
wasn't then anything to prevent rq->curr from being migrated
if rq->curr != rq->donor.
This was sort of hacked around by calling proxy_tag_curr() on
the rq->curr task if we were running something other then the
donor. proxy_tag_curr() did a dequeue/enqueue pair on the
rq->curr task, allowing the class schedulers to remove it from
their pushable list.
The dequeue/enqueue pair was wasteful, and additonally K Prateek
highlighted that we didn't properly undo things when we stopped
proxying, leaving the lock owner off the pushable list.
After some alternative approaches were considered, Peter
suggested just having the RT/DL classes just avoid migrating
when task_on_cpu().
So rework pick_next_pushable_dl_task() and the rt
pick_next_pushable_task() functions so that they skip over the
first pushable task if it is on_cpu.
Then just drop all of the proxy_tag_curr() logic.
Fixes: be39617e38e0 ("sched: Fix proxy/current (push,pull)ability")
Closes: https://lore.kernel.org/lkml/e735cae0-2cc9-4bae-b761-fcb082ed3e94@amd.com/
Reported-by: K Prateek Nayak <kprateek.nayak@amd.com>
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: John Stultz <jstultz@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260324191337.1841376-2-jstultz@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 24 ------------------------
kernel/sched/deadline.c | 18 ++++++++++++++++--
kernel/sched/rt.c | 15 ++++++++++++---
3 files changed, 28 insertions(+), 29 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 421efba7db5a1..522d4bad56ad1 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -6730,23 +6730,6 @@ find_proxy_task(struct rq *rq, struct task_struct *donor, struct rq_flags *rf)
}
#endif /* SCHED_PROXY_EXEC */
-static inline void proxy_tag_curr(struct rq *rq, struct task_struct *owner)
-{
- if (!sched_proxy_exec())
- return;
- /*
- * pick_next_task() calls set_next_task() on the chosen task
- * at some point, which ensures it is not push/pullable.
- * However, the chosen/donor task *and* the mutex owner form an
- * atomic pair wrt push/pull.
- *
- * Make sure owner we run is not pushable. Unfortunately we can
- * only deal with that by means of a dequeue/enqueue cycle. :-/
- */
- dequeue_task(rq, owner, DEQUEUE_NOCLOCK | DEQUEUE_SAVE);
- enqueue_task(rq, owner, ENQUEUE_NOCLOCK | ENQUEUE_RESTORE);
-}
-
/*
* __schedule() is the main scheduler function.
*
@@ -6896,9 +6879,6 @@ static void __sched notrace __schedule(int sched_mode)
*/
RCU_INIT_POINTER(rq->curr, next);
- if (!task_current_donor(rq, next))
- proxy_tag_curr(rq, next);
-
/*
* The membarrier system call requires each architecture
* to have a full memory barrier after updating
@@ -6933,10 +6913,6 @@ static void __sched notrace __schedule(int sched_mode)
/* Also unlocks the rq: */
rq = context_switch(rq, prev, next, &rf);
} else {
- /* In case next was already curr but just got blocked_donor */
- if (!task_current_donor(rq, next))
- proxy_tag_curr(rq, next);
-
rq_unpin_lock(rq, &rf);
__balance_callbacks(rq);
raw_spin_rq_unlock_irq(rq);
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index d5052f238adf7..ed96b86dec04d 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -2761,12 +2761,26 @@ static int find_later_rq(struct task_struct *task)
static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
{
- struct task_struct *p;
+ struct task_struct *i, *p = NULL;
+ struct rb_node *next_node;
if (!has_pushable_dl_tasks(rq))
return NULL;
- p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
+ next_node = rb_first_cached(&rq->dl.pushable_dl_tasks_root);
+ while (next_node) {
+ i = __node_2_pdl(next_node);
+ /* make sure task isn't on_cpu (possible with proxy-exec) */
+ if (!task_on_cpu(rq, i)) {
+ p = i;
+ break;
+ }
+
+ next_node = rb_next(next_node);
+ }
+
+ if (!p)
+ return NULL;
WARN_ON_ONCE(rq->cpu != task_cpu(p));
WARN_ON_ONCE(task_current(rq, p));
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index a892a01c463e5..8cead8f37aa50 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -1847,13 +1847,22 @@ static int find_lowest_rq(struct task_struct *task)
static struct task_struct *pick_next_pushable_task(struct rq *rq)
{
- struct task_struct *p;
+ struct plist_head *head = &rq->rt.pushable_tasks;
+ struct task_struct *i, *p = NULL;
if (!has_pushable_tasks(rq))
return NULL;
- p = plist_first_entry(&rq->rt.pushable_tasks,
- struct task_struct, pushable_tasks);
+ plist_for_each_entry(i, head, pushable_tasks) {
+ /* make sure task isn't on_cpu (possible with proxy-exec) */
+ if (!task_on_cpu(rq, i)) {
+ p = i;
+ break;
+ }
+ }
+
+ if (!p)
+ return NULL;
BUG_ON(rq->cpu != task_cpu(p));
BUG_ON(task_current(rq, p));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 053/957] sched/rt: Skip group schedulable check with rt_group_sched=0
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 052/957] sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 054/957] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
` (909 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Koutný,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Koutný <mkoutny@suse.com>
[ Upstream commit 8b016dcec9365675be81d26be88f2c09cf983bd4 ]
The warning from the commit 87f1fb77d87a6 ("sched: Add RT_GROUP WARN
checks for non-root task_groups") is wrong -- it assumes that only
task_groups with rt_rq are traversed, however, the schedulability check
would iterate all task_groups even when rt_group_sched=0 is disabled at
boot time but some non-root task_groups exist.
The schedulability check is supposed to validate:
a) that children don't overcommit its parent,
b) no RT task group overcommits global RT limit.
but with rt_group_sched=0 there is no (non-trivial) hierarchy of RT groups,
therefore skip the validation altogether. Otherwise, writes to the
global sched_rt_runtime_us knob will be rejected with incorrect
validation error.
This fix is immaterial with CONFIG_RT_GROUP_SCHED=n.
Fixes: 87f1fb77d87a6 ("sched: Add RT_GROUP WARN checks for non-root task_groups")
Signed-off-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260323-sched-rert_groups-v3-1-1e7d5ed6b249@suse.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/rt.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 8cead8f37aa50..156824baef613 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -2677,9 +2677,6 @@ static int tg_rt_schedulable(struct task_group *tg, void *data)
tg->rt_bandwidth.rt_runtime && tg_has_rt_tasks(tg))
return -EBUSY;
- if (WARN_ON(!rt_group_sched_enabled() && tg != &root_task_group))
- return -EBUSY;
-
total = to_ratio(period, runtime);
/*
@@ -2823,6 +2820,8 @@ long sched_group_rt_period(struct task_group *tg)
static int sched_rt_global_constraints(void)
{
int ret = 0;
+ if (!rt_group_sched_enabled())
+ return ret;
mutex_lock(&rt_constraints_mutex);
ret = __rt_schedulable(NULL, 0, 0);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 054/957] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 053/957] sched/rt: Skip group schedulable check with rt_group_sched=0 Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 055/957] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
` (908 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Jeff Chen, Johannes Berg,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 990a73dec3fdc145fef6c827c29205437d533ece ]
In mwifiex_11n_aggregate_pkt(), skb_aggr is allocated via
mwifiex_alloc_dma_align_buf(). If mwifiex_is_ralist_valid() returns false,
the function currently returns -1 immediately without freeing the
previously allocated skb_aggr, causing a memory leak.
Since skb_aggr has not yet been queued via skb_queue_tail(), no other
references to this memory exist. Therefore, it has to be freed locally
before returning the error.
Fix this by calling mwifiex_write_data_complete() to free skb_aggr before
returning the error status.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
Link: https://patch.msgid.link/20260119092625.1349934-1-zilin@seu.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index 34b4b34276d6d..042b1fe5f0d67 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -203,6 +203,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
spin_unlock_bh(&priv->wmm.ra_list_spinlock);
+ mwifiex_write_data_complete(adapter, skb_aggr, 1, -1);
return -1;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 055/957] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 054/957] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 056/957] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
` (907 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Ping-Ke Shih,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 039cd522dc70151da13329a5e3ae19b1736f468a ]
The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().
Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.
The issue was identified through static analysis.
Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260223045522.48377-1-duoming@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index d080469264cf8..f0010336e78c1 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -1674,6 +1674,7 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
synchronize_irq(rtlpci->pdev->irq);
tasklet_kill(&rtlpriv->works.irq_tasklet);
+ tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet);
cancel_work_sync(&rtlpriv->works.lps_change_work);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 056/957] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 055/957] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
@ 2026-05-20 16:08 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 057/957] wifi: ieee80211: split mesh definitions out Greg Kroah-Hartman
` (906 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yinhao Hu, Kaiyan Mei, Yun Lu,
Feng Yang, Martin KaFai Lau, syzbot, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Yang <yangfeng@kylinos.cn>
[ Upstream commit 972787479ee73006fddb5e59ab5c8e733810ff42 ]
The bpf_lwt_xmit_push_encap helper needs to access skb_dst(skb)->dev to
calculate the needed headroom:
err = skb_cow_head(skb,
len + LL_RESERVED_SPACE(skb_dst(skb)->dev));
But skb->_skb_refdst may not be initialized when the skb is set up by
bpf_prog_test_run_skb function. Executing bpf_lwt_push_ip_encap function
in this scenario will trigger null pointer dereference, causing a kernel
crash as Yinhao reported:
[ 105.186365] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 105.186382] #PF: supervisor read access in kernel mode
[ 105.186388] #PF: error_code(0x0000) - not-present page
[ 105.186393] PGD 121d3d067 P4D 121d3d067 PUD 106c83067 PMD 0
[ 105.186404] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 105.186412] CPU: 3 PID: 3250 Comm: poc Kdump: loaded Not tainted 6.19.0-rc5 #1
[ 105.186423] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 105.186427] RIP: 0010:bpf_lwt_push_ip_encap+0x1eb/0x520
[ 105.186443] Code: 0f 84 de 01 00 00 0f b7 4a 04 66 85 c9 0f 85 47 01 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8b 73 58 48 83 e6 fe <48> 8b 36 0f b7 be ec 00 00 00 0f b7 b6 e6 00 00 00 01 fe 83 e6 f0
[ 105.186449] RSP: 0018:ffffbb0e0387bc50 EFLAGS: 00010246
[ 105.186455] RAX: 000000000000004e RBX: ffff94c74e036500 RCX: ffff94c74874da00
[ 105.186460] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff94c74e036500
[ 105.186463] RBP: 0000000000000001 R08: 0000000000000002 R09: 0000000000000000
[ 105.186467] R10: ffffbb0e0387bd50 R11: 0000000000000000 R12: ffffbb0e0387bc98
[ 105.186471] R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000002
[ 105.186484] FS: 00007f166aa4d680(0000) GS:ffff94c8b7780000(0000) knlGS:0000000000000000
[ 105.186490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 105.186494] CR2: 0000000000000000 CR3: 000000015eade001 CR4: 0000000000770ee0
[ 105.186499] PKRU: 55555554
[ 105.186502] Call Trace:
[ 105.186507] <TASK>
[ 105.186513] bpf_lwt_xmit_push_encap+0x2b/0x40
[ 105.186522] bpf_prog_a75eaad51e517912+0x41/0x49
[ 105.186536] ? kvm_clock_get_cycles+0x18/0x30
[ 105.186547] ? ktime_get+0x3c/0xa0
[ 105.186554] bpf_test_run+0x195/0x320
[ 105.186563] ? bpf_test_run+0x10f/0x320
[ 105.186579] bpf_prog_test_run_skb+0x2f5/0x4f0
[ 105.186590] __sys_bpf+0x69c/0xa40
[ 105.186603] __x64_sys_bpf+0x1e/0x30
[ 105.186611] do_syscall_64+0x59/0x110
[ 105.186620] entry_SYSCALL_64_after_hwframe+0x76/0xe0
[ 105.186649] RIP: 0033:0x7f166a97455d
Temporarily add the setting of skb->_skb_refdst before bpf_test_run to resolve the issue.
Fixes: 52f278774e79 ("bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap")
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Closes: https://groups.google.com/g/hust-os-kernel-patches/c/8-a0kPpBW2s
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Tested-by: syzbot@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260304094429.168521-2-yangfeng59949@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 6b04f47301c1e..65d7f8d51823e 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1093,6 +1093,21 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
skb->ip_summed = CHECKSUM_COMPLETE;
}
+ if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
+ if (!ipv6_bpf_stub) {
+ pr_warn_once("Please test this program with the IPv6 module loaded\n");
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
+#if IS_ENABLED(CONFIG_IPV6)
+ /* For CONFIG_IPV6=n, ipv6_bpf_stub is NULL which is
+ * handled by the above if statement.
+ */
+ dst_hold(&net->ipv6.ip6_null_entry->dst);
+ skb_dst_set(skb, &net->ipv6.ip6_null_entry->dst);
+#endif
+ }
+
ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
if (ret)
goto out;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 057/957] wifi: ieee80211: split mesh definitions out
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-05-20 16:08 ` [PATCH 6.18 056/957] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 058/957] wifi: ieee80211: split HT " Greg Kroah-Hartman
` (905 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 69674282fc97fffd98a85ab5b4837edbc5898145 ]
The ieee80211.h file has gotten very long, start splitting it
by putting mesh definitions into a separate file.
Link: https://patch.msgid.link/20251105153843.489713ca8b34.I3befb4bf6ace0315758a1794224ddd18c4652e32@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb0caadb64ca ("wifi: ieee80211: fix definition of EHT-MCS 15 in MRU")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211-mesh.h | 230 +++++++++++++++++++++++++++++++++
include/linux/ieee80211.h | 211 +-----------------------------
2 files changed, 232 insertions(+), 209 deletions(-)
create mode 100644 include/linux/ieee80211-mesh.h
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
new file mode 100644
index 0000000000000..4b829bcb38b61
--- /dev/null
+++ b/include/linux/ieee80211-mesh.h
@@ -0,0 +1,230 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * IEEE 802.11 mesh definitions
+ *
+ * Copyright (c) 2001-2002, SSH Communications Security Corp and Jouni Malinen
+ * <jkmaline@cc.hut.fi>
+ * Copyright (c) 2002-2003, Jouni Malinen <jkmaline@cc.hut.fi>
+ * Copyright (c) 2005, Devicescape Software, Inc.
+ * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
+ * Copyright (c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright (c) 2016 - 2017 Intel Deutschland GmbH
+ * Copyright (c) 2018 - 2025 Intel Corporation
+ */
+
+#ifndef LINUX_IEEE80211_MESH_H
+#define LINUX_IEEE80211_MESH_H
+
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+#define IEEE80211_MAX_MESH_ID_LEN 32
+
+struct ieee80211s_hdr {
+ u8 flags;
+ u8 ttl;
+ __le32 seqnum;
+ u8 eaddr1[ETH_ALEN];
+ u8 eaddr2[ETH_ALEN];
+} __packed __aligned(2);
+
+/* Mesh flags */
+#define MESH_FLAGS_AE_A4 0x1
+#define MESH_FLAGS_AE_A5_A6 0x2
+#define MESH_FLAGS_AE 0x3
+#define MESH_FLAGS_PS_DEEP 0x4
+
+/**
+ * enum ieee80211_preq_flags - mesh PREQ element flags
+ *
+ * @IEEE80211_PREQ_PROACTIVE_PREP_FLAG: proactive PREP subfield
+ */
+enum ieee80211_preq_flags {
+ IEEE80211_PREQ_PROACTIVE_PREP_FLAG = 1<<2,
+};
+
+/**
+ * enum ieee80211_preq_target_flags - mesh PREQ element per target flags
+ *
+ * @IEEE80211_PREQ_TO_FLAG: target only subfield
+ * @IEEE80211_PREQ_USN_FLAG: unknown target HWMP sequence number subfield
+ */
+enum ieee80211_preq_target_flags {
+ IEEE80211_PREQ_TO_FLAG = 1<<0,
+ IEEE80211_PREQ_USN_FLAG = 1<<2,
+};
+
+/**
+ * struct ieee80211_mesh_chansw_params_ie - mesh channel switch parameters IE
+ * @mesh_ttl: Time To Live
+ * @mesh_flags: Flags
+ * @mesh_reason: Reason Code
+ * @mesh_pre_value: Precedence Value
+ *
+ * This structure represents the payload of the "Mesh Channel Switch
+ * Parameters element" as described in IEEE Std 802.11-2020 section
+ * 9.4.2.102.
+ */
+struct ieee80211_mesh_chansw_params_ie {
+ u8 mesh_ttl;
+ u8 mesh_flags;
+ __le16 mesh_reason;
+ __le16 mesh_pre_value;
+} __packed;
+
+/**
+ * struct ieee80211_meshconf_ie - Mesh Configuration element
+ * @meshconf_psel: Active Path Selection Protocol Identifier
+ * @meshconf_pmetric: Active Path Selection Metric Identifier
+ * @meshconf_congest: Congestion Control Mode Identifier
+ * @meshconf_synch: Synchronization Method Identifier
+ * @meshconf_auth: Authentication Protocol Identifier
+ * @meshconf_form: Mesh Formation Info
+ * @meshconf_cap: Mesh Capability (see &enum mesh_config_capab_flags)
+ *
+ * This structure represents the payload of the "Mesh Configuration
+ * element" as described in IEEE Std 802.11-2020 section 9.4.2.97.
+ */
+struct ieee80211_meshconf_ie {
+ u8 meshconf_psel;
+ u8 meshconf_pmetric;
+ u8 meshconf_congest;
+ u8 meshconf_synch;
+ u8 meshconf_auth;
+ u8 meshconf_form;
+ u8 meshconf_cap;
+} __packed;
+
+/**
+ * enum mesh_config_capab_flags - Mesh Configuration IE capability field flags
+ *
+ * @IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS: STA is willing to establish
+ * additional mesh peerings with other mesh STAs
+ * @IEEE80211_MESHCONF_CAPAB_FORWARDING: the STA forwards MSDUs
+ * @IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING: TBTT adjustment procedure
+ * is ongoing
+ * @IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL: STA is in deep sleep mode or has
+ * neighbors in deep sleep mode
+ *
+ * Enumerates the "Mesh Capability" as described in IEEE Std
+ * 802.11-2020 section 9.4.2.97.7.
+ */
+enum mesh_config_capab_flags {
+ IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS = 0x01,
+ IEEE80211_MESHCONF_CAPAB_FORWARDING = 0x08,
+ IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING = 0x20,
+ IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL = 0x40,
+};
+
+#define IEEE80211_MESHCONF_FORM_CONNECTED_TO_GATE 0x1
+
+/*
+ * mesh channel switch parameters element's flag indicator
+ *
+ */
+#define WLAN_EID_CHAN_SWITCH_PARAM_TX_RESTRICT BIT(0)
+#define WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR BIT(1)
+#define WLAN_EID_CHAN_SWITCH_PARAM_REASON BIT(2)
+
+/**
+ * struct ieee80211_rann_ie - RANN (root announcement) element
+ * @rann_flags: Flags
+ * @rann_hopcount: Hop Count
+ * @rann_ttl: Element TTL
+ * @rann_addr: Root Mesh STA Address
+ * @rann_seq: HWMP Sequence Number
+ * @rann_interval: Interval
+ * @rann_metric: Metric
+ *
+ * This structure represents the payload of the "RANN element" as
+ * described in IEEE Std 802.11-2020 section 9.4.2.111.
+ */
+struct ieee80211_rann_ie {
+ u8 rann_flags;
+ u8 rann_hopcount;
+ u8 rann_ttl;
+ u8 rann_addr[ETH_ALEN];
+ __le32 rann_seq;
+ __le32 rann_interval;
+ __le32 rann_metric;
+} __packed;
+
+enum ieee80211_rann_flags {
+ RANN_FLAG_IS_GATE = 1 << 0,
+};
+
+/* Mesh action codes */
+enum ieee80211_mesh_actioncode {
+ WLAN_MESH_ACTION_LINK_METRIC_REPORT,
+ WLAN_MESH_ACTION_HWMP_PATH_SELECTION,
+ WLAN_MESH_ACTION_GATE_ANNOUNCEMENT,
+ WLAN_MESH_ACTION_CONGESTION_CONTROL_NOTIFICATION,
+ WLAN_MESH_ACTION_MCCA_SETUP_REQUEST,
+ WLAN_MESH_ACTION_MCCA_SETUP_REPLY,
+ WLAN_MESH_ACTION_MCCA_ADVERTISEMENT_REQUEST,
+ WLAN_MESH_ACTION_MCCA_ADVERTISEMENT,
+ WLAN_MESH_ACTION_MCCA_TEARDOWN,
+ WLAN_MESH_ACTION_TBTT_ADJUSTMENT_REQUEST,
+ WLAN_MESH_ACTION_TBTT_ADJUSTMENT_RESPONSE,
+};
+
+/**
+ * enum ieee80211_mesh_sync_method - mesh synchronization method identifier
+ *
+ * @IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET: the default synchronization method
+ * @IEEE80211_SYNC_METHOD_VENDOR: a vendor specific synchronization method
+ * that will be specified in a vendor specific information element
+ */
+enum ieee80211_mesh_sync_method {
+ IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET = 1,
+ IEEE80211_SYNC_METHOD_VENDOR = 255,
+};
+
+/**
+ * enum ieee80211_mesh_path_protocol - mesh path selection protocol identifier
+ *
+ * @IEEE80211_PATH_PROTOCOL_HWMP: the default path selection protocol
+ * @IEEE80211_PATH_PROTOCOL_VENDOR: a vendor specific protocol that will
+ * be specified in a vendor specific information element
+ */
+enum ieee80211_mesh_path_protocol {
+ IEEE80211_PATH_PROTOCOL_HWMP = 1,
+ IEEE80211_PATH_PROTOCOL_VENDOR = 255,
+};
+
+/**
+ * enum ieee80211_mesh_path_metric - mesh path selection metric identifier
+ *
+ * @IEEE80211_PATH_METRIC_AIRTIME: the default path selection metric
+ * @IEEE80211_PATH_METRIC_VENDOR: a vendor specific metric that will be
+ * specified in a vendor specific information element
+ */
+enum ieee80211_mesh_path_metric {
+ IEEE80211_PATH_METRIC_AIRTIME = 1,
+ IEEE80211_PATH_METRIC_VENDOR = 255,
+};
+
+/**
+ * enum ieee80211_root_mode_identifier - root mesh STA mode identifier
+ *
+ * These attribute are used by dot11MeshHWMPRootMode to set root mesh STA mode
+ *
+ * @IEEE80211_ROOTMODE_NO_ROOT: the mesh STA is not a root mesh STA (default)
+ * @IEEE80211_ROOTMODE_ROOT: the mesh STA is a root mesh STA if greater than
+ * this value
+ * @IEEE80211_PROACTIVE_PREQ_NO_PREP: the mesh STA is a root mesh STA supports
+ * the proactive PREQ with proactive PREP subfield set to 0
+ * @IEEE80211_PROACTIVE_PREQ_WITH_PREP: the mesh STA is a root mesh STA
+ * supports the proactive PREQ with proactive PREP subfield set to 1
+ * @IEEE80211_PROACTIVE_RANN: the mesh STA is a root mesh STA supports
+ * the proactive RANN
+ */
+enum ieee80211_root_mode_identifier {
+ IEEE80211_ROOTMODE_NO_ROOT = 0,
+ IEEE80211_ROOTMODE_ROOT = 1,
+ IEEE80211_PROACTIVE_PREQ_NO_PREP = 2,
+ IEEE80211_PROACTIVE_PREQ_WITH_PREP = 3,
+ IEEE80211_PROACTIVE_RANN = 4,
+};
+
+#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 1f4679092e69d..ebc12d1939273 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -252,8 +252,6 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
#define IEEE80211_MAX_SSID_LEN 32
-#define IEEE80211_MAX_MESH_ID_LEN 32
-
#define IEEE80211_FIRST_TSPEC_TSID 8
#define IEEE80211_NUM_TIDS 16
@@ -881,40 +879,6 @@ static inline u16 ieee80211_get_sn(struct ieee80211_hdr *hdr)
return le16_get_bits(hdr->seq_ctrl, IEEE80211_SCTL_SEQ);
}
-struct ieee80211s_hdr {
- u8 flags;
- u8 ttl;
- __le32 seqnum;
- u8 eaddr1[ETH_ALEN];
- u8 eaddr2[ETH_ALEN];
-} __packed __aligned(2);
-
-/* Mesh flags */
-#define MESH_FLAGS_AE_A4 0x1
-#define MESH_FLAGS_AE_A5_A6 0x2
-#define MESH_FLAGS_AE 0x3
-#define MESH_FLAGS_PS_DEEP 0x4
-
-/**
- * enum ieee80211_preq_flags - mesh PREQ element flags
- *
- * @IEEE80211_PREQ_PROACTIVE_PREP_FLAG: proactive PREP subfield
- */
-enum ieee80211_preq_flags {
- IEEE80211_PREQ_PROACTIVE_PREP_FLAG = 1<<2,
-};
-
-/**
- * enum ieee80211_preq_target_flags - mesh PREQ element per target flags
- *
- * @IEEE80211_PREQ_TO_FLAG: target only subfield
- * @IEEE80211_PREQ_USN_FLAG: unknown target HWMP sequence number subfield
- */
-enum ieee80211_preq_target_flags {
- IEEE80211_PREQ_TO_FLAG = 1<<0,
- IEEE80211_PREQ_USN_FLAG = 1<<2,
-};
-
/**
* struct ieee80211_quiet_ie - Quiet element
* @count: Quiet Count
@@ -993,24 +957,6 @@ struct ieee80211_sec_chan_offs_ie {
u8 sec_chan_offs;
} __packed;
-/**
- * struct ieee80211_mesh_chansw_params_ie - mesh channel switch parameters IE
- * @mesh_ttl: Time To Live
- * @mesh_flags: Flags
- * @mesh_reason: Reason Code
- * @mesh_pre_value: Precedence Value
- *
- * This structure represents the payload of the "Mesh Channel Switch
- * Parameters element" as described in IEEE Std 802.11-2020 section
- * 9.4.2.102.
- */
-struct ieee80211_mesh_chansw_params_ie {
- u8 mesh_ttl;
- u8 mesh_flags;
- __le16 mesh_reason;
- __le16 mesh_pre_value;
-} __packed;
-
/**
* struct ieee80211_wide_bw_chansw_ie - wide bandwidth channel switch IE
* @new_channel_width: New Channel Width
@@ -1051,87 +997,6 @@ struct ieee80211_tim_ie {
};
} __packed;
-/**
- * struct ieee80211_meshconf_ie - Mesh Configuration element
- * @meshconf_psel: Active Path Selection Protocol Identifier
- * @meshconf_pmetric: Active Path Selection Metric Identifier
- * @meshconf_congest: Congestion Control Mode Identifier
- * @meshconf_synch: Synchronization Method Identifier
- * @meshconf_auth: Authentication Protocol Identifier
- * @meshconf_form: Mesh Formation Info
- * @meshconf_cap: Mesh Capability (see &enum mesh_config_capab_flags)
- *
- * This structure represents the payload of the "Mesh Configuration
- * element" as described in IEEE Std 802.11-2020 section 9.4.2.97.
- */
-struct ieee80211_meshconf_ie {
- u8 meshconf_psel;
- u8 meshconf_pmetric;
- u8 meshconf_congest;
- u8 meshconf_synch;
- u8 meshconf_auth;
- u8 meshconf_form;
- u8 meshconf_cap;
-} __packed;
-
-/**
- * enum mesh_config_capab_flags - Mesh Configuration IE capability field flags
- *
- * @IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS: STA is willing to establish
- * additional mesh peerings with other mesh STAs
- * @IEEE80211_MESHCONF_CAPAB_FORWARDING: the STA forwards MSDUs
- * @IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING: TBTT adjustment procedure
- * is ongoing
- * @IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL: STA is in deep sleep mode or has
- * neighbors in deep sleep mode
- *
- * Enumerates the "Mesh Capability" as described in IEEE Std
- * 802.11-2020 section 9.4.2.97.7.
- */
-enum mesh_config_capab_flags {
- IEEE80211_MESHCONF_CAPAB_ACCEPT_PLINKS = 0x01,
- IEEE80211_MESHCONF_CAPAB_FORWARDING = 0x08,
- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING = 0x20,
- IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL = 0x40,
-};
-
-#define IEEE80211_MESHCONF_FORM_CONNECTED_TO_GATE 0x1
-
-/*
- * mesh channel switch parameters element's flag indicator
- *
- */
-#define WLAN_EID_CHAN_SWITCH_PARAM_TX_RESTRICT BIT(0)
-#define WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR BIT(1)
-#define WLAN_EID_CHAN_SWITCH_PARAM_REASON BIT(2)
-
-/**
- * struct ieee80211_rann_ie - RANN (root announcement) element
- * @rann_flags: Flags
- * @rann_hopcount: Hop Count
- * @rann_ttl: Element TTL
- * @rann_addr: Root Mesh STA Address
- * @rann_seq: HWMP Sequence Number
- * @rann_interval: Interval
- * @rann_metric: Metric
- *
- * This structure represents the payload of the "RANN element" as
- * described in IEEE Std 802.11-2020 section 9.4.2.111.
- */
-struct ieee80211_rann_ie {
- u8 rann_flags;
- u8 rann_hopcount;
- u8 rann_ttl;
- u8 rann_addr[ETH_ALEN];
- __le32 rann_seq;
- __le32 rann_interval;
- __le32 rann_metric;
-} __packed;
-
-enum ieee80211_rann_flags {
- RANN_FLAG_IS_GATE = 1 << 0,
-};
-
enum ieee80211_ht_chanwidth_values {
IEEE80211_HT_CHANWIDTH_20MHZ = 0,
IEEE80211_HT_CHANWIDTH_ANY = 1,
@@ -3971,21 +3836,6 @@ enum ieee80211_self_protected_actioncode {
WLAN_SP_MGK_ACK = 5,
};
-/* Mesh action codes */
-enum ieee80211_mesh_actioncode {
- WLAN_MESH_ACTION_LINK_METRIC_REPORT,
- WLAN_MESH_ACTION_HWMP_PATH_SELECTION,
- WLAN_MESH_ACTION_GATE_ANNOUNCEMENT,
- WLAN_MESH_ACTION_CONGESTION_CONTROL_NOTIFICATION,
- WLAN_MESH_ACTION_MCCA_SETUP_REQUEST,
- WLAN_MESH_ACTION_MCCA_SETUP_REPLY,
- WLAN_MESH_ACTION_MCCA_ADVERTISEMENT_REQUEST,
- WLAN_MESH_ACTION_MCCA_ADVERTISEMENT,
- WLAN_MESH_ACTION_MCCA_TEARDOWN,
- WLAN_MESH_ACTION_TBTT_ADJUSTMENT_REQUEST,
- WLAN_MESH_ACTION_TBTT_ADJUSTMENT_RESPONSE,
-};
-
/* Unprotected WNM action codes */
enum ieee80211_unprotected_wnm_actioncode {
WLAN_UNPROTECTED_WNM_ACTION_TIM = 0,
@@ -4198,65 +4048,6 @@ enum ieee80211_tdls_actioncode {
/* BSS Coex IE information field bits */
#define WLAN_BSS_COEX_INFORMATION_REQUEST BIT(0)
-/**
- * enum ieee80211_mesh_sync_method - mesh synchronization method identifier
- *
- * @IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET: the default synchronization method
- * @IEEE80211_SYNC_METHOD_VENDOR: a vendor specific synchronization method
- * that will be specified in a vendor specific information element
- */
-enum ieee80211_mesh_sync_method {
- IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET = 1,
- IEEE80211_SYNC_METHOD_VENDOR = 255,
-};
-
-/**
- * enum ieee80211_mesh_path_protocol - mesh path selection protocol identifier
- *
- * @IEEE80211_PATH_PROTOCOL_HWMP: the default path selection protocol
- * @IEEE80211_PATH_PROTOCOL_VENDOR: a vendor specific protocol that will
- * be specified in a vendor specific information element
- */
-enum ieee80211_mesh_path_protocol {
- IEEE80211_PATH_PROTOCOL_HWMP = 1,
- IEEE80211_PATH_PROTOCOL_VENDOR = 255,
-};
-
-/**
- * enum ieee80211_mesh_path_metric - mesh path selection metric identifier
- *
- * @IEEE80211_PATH_METRIC_AIRTIME: the default path selection metric
- * @IEEE80211_PATH_METRIC_VENDOR: a vendor specific metric that will be
- * specified in a vendor specific information element
- */
-enum ieee80211_mesh_path_metric {
- IEEE80211_PATH_METRIC_AIRTIME = 1,
- IEEE80211_PATH_METRIC_VENDOR = 255,
-};
-
-/**
- * enum ieee80211_root_mode_identifier - root mesh STA mode identifier
- *
- * These attribute are used by dot11MeshHWMPRootMode to set root mesh STA mode
- *
- * @IEEE80211_ROOTMODE_NO_ROOT: the mesh STA is not a root mesh STA (default)
- * @IEEE80211_ROOTMODE_ROOT: the mesh STA is a root mesh STA if greater than
- * this value
- * @IEEE80211_PROACTIVE_PREQ_NO_PREP: the mesh STA is a root mesh STA supports
- * the proactive PREQ with proactive PREP subfield set to 0
- * @IEEE80211_PROACTIVE_PREQ_WITH_PREP: the mesh STA is a root mesh STA
- * supports the proactive PREQ with proactive PREP subfield set to 1
- * @IEEE80211_PROACTIVE_RANN: the mesh STA is a root mesh STA supports
- * the proactive RANN
- */
-enum ieee80211_root_mode_identifier {
- IEEE80211_ROOTMODE_NO_ROOT = 0,
- IEEE80211_ROOTMODE_ROOT = 1,
- IEEE80211_PROACTIVE_PREQ_NO_PREP = 2,
- IEEE80211_PROACTIVE_PREQ_WITH_PREP = 3,
- IEEE80211_PROACTIVE_RANN = 4,
-};
-
/*
* IEEE 802.11-2007 7.3.2.9 Country information element
*
@@ -6098,4 +5889,6 @@ static inline u32 ieee80211_eml_trans_timeout_in_us(u16 eml_cap)
#define NAN_DEV_CAPA_NDPE_SUPPORTED 0x08
#define NAN_DEV_CAPA_S3_SUPPORTED 0x10
+#include "ieee80211-mesh.h"
+
#endif /* LINUX_IEEE80211_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 058/957] wifi: ieee80211: split HT definitions out
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 057/957] wifi: ieee80211: split mesh definitions out Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 059/957] wifi: ieee80211: split VHT " Greg Kroah-Hartman
` (904 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit fdc1c141f3ef4dc94e3880e973061681843f62c0 ]
The ieee80211.h file has gotten very long, continue splitting
it by putting HT definitions into a separate file.
Link: https://patch.msgid.link/20251105153843.7532471178d0.Id956a5433ad8658e4e5c0272dbcbb59587206142@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb0caadb64ca ("wifi: ieee80211: fix definition of EHT-MCS 15 in MRU")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211-ht.h | 292 +++++++++++++++++++++++++++++++++++
include/linux/ieee80211.h | 272 +-------------------------------
2 files changed, 293 insertions(+), 271 deletions(-)
create mode 100644 include/linux/ieee80211-ht.h
diff --git a/include/linux/ieee80211-ht.h b/include/linux/ieee80211-ht.h
new file mode 100644
index 0000000000000..21bbf470540f6
--- /dev/null
+++ b/include/linux/ieee80211-ht.h
@@ -0,0 +1,292 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * IEEE 802.11 HT definitions
+ *
+ * Copyright (c) 2001-2002, SSH Communications Security Corp and Jouni Malinen
+ * <jkmaline@cc.hut.fi>
+ * Copyright (c) 2002-2003, Jouni Malinen <jkmaline@cc.hut.fi>
+ * Copyright (c) 2005, Devicescape Software, Inc.
+ * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
+ * Copyright (c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright (c) 2016 - 2017 Intel Deutschland GmbH
+ * Copyright (c) 2018 - 2025 Intel Corporation
+ */
+
+#ifndef LINUX_IEEE80211_HT_H
+#define LINUX_IEEE80211_HT_H
+
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+/* Maximal size of an A-MSDU that can be transported in a HT BA session */
+#define IEEE80211_MAX_MPDU_LEN_HT_BA 4095
+
+/* Maximal size of an A-MSDU */
+#define IEEE80211_MAX_MPDU_LEN_HT_3839 3839
+#define IEEE80211_MAX_MPDU_LEN_HT_7935 7935
+
+#define IEEE80211_HT_CTL_LEN 4
+
+enum ieee80211_ht_chanwidth_values {
+ IEEE80211_HT_CHANWIDTH_20MHZ = 0,
+ IEEE80211_HT_CHANWIDTH_ANY = 1,
+};
+
+/**
+ * struct ieee80211_bar - Block Ack Request frame format
+ * @frame_control: Frame Control
+ * @duration: Duration
+ * @ra: RA
+ * @ta: TA
+ * @control: BAR Control
+ * @start_seq_num: Starting Sequence Number (see Figure 9-37)
+ *
+ * This structure represents the "BlockAckReq frame format"
+ * as described in IEEE Std 802.11-2020 section 9.3.1.7.
+*/
+struct ieee80211_bar {
+ __le16 frame_control;
+ __le16 duration;
+ __u8 ra[ETH_ALEN];
+ __u8 ta[ETH_ALEN];
+ __le16 control;
+ __le16 start_seq_num;
+} __packed;
+
+/* 802.11 BAR control masks */
+#define IEEE80211_BAR_CTRL_ACK_POLICY_NORMAL 0x0000
+#define IEEE80211_BAR_CTRL_MULTI_TID 0x0002
+#define IEEE80211_BAR_CTRL_CBMTID_COMPRESSED_BA 0x0004
+#define IEEE80211_BAR_CTRL_TID_INFO_MASK 0xf000
+#define IEEE80211_BAR_CTRL_TID_INFO_SHIFT 12
+
+#define IEEE80211_HT_MCS_MASK_LEN 10
+
+/**
+ * struct ieee80211_mcs_info - Supported MCS Set field
+ * @rx_mask: RX mask
+ * @rx_highest: highest supported RX rate. If set represents
+ * the highest supported RX data rate in units of 1 Mbps.
+ * If this field is 0 this value should not be used to
+ * consider the highest RX data rate supported.
+ * @tx_params: TX parameters
+ * @reserved: Reserved bits
+ *
+ * This structure represents the "Supported MCS Set field" as
+ * described in IEEE Std 802.11-2020 section 9.4.2.55.4.
+ */
+struct ieee80211_mcs_info {
+ u8 rx_mask[IEEE80211_HT_MCS_MASK_LEN];
+ __le16 rx_highest;
+ u8 tx_params;
+ u8 reserved[3];
+} __packed;
+
+/* 802.11n HT capability MSC set */
+#define IEEE80211_HT_MCS_RX_HIGHEST_MASK 0x3ff
+#define IEEE80211_HT_MCS_TX_DEFINED 0x01
+#define IEEE80211_HT_MCS_TX_RX_DIFF 0x02
+/* value 0 == 1 stream etc */
+#define IEEE80211_HT_MCS_TX_MAX_STREAMS_MASK 0x0C
+#define IEEE80211_HT_MCS_TX_MAX_STREAMS_SHIFT 2
+#define IEEE80211_HT_MCS_TX_MAX_STREAMS 4
+#define IEEE80211_HT_MCS_TX_UNEQUAL_MODULATION 0x10
+
+#define IEEE80211_HT_MCS_CHAINS(mcs) ((mcs) == 32 ? 1 : (1 + ((mcs) >> 3)))
+
+/*
+ * 802.11n D5.0 20.3.5 / 20.6 says:
+ * - indices 0 to 7 and 32 are single spatial stream
+ * - 8 to 31 are multiple spatial streams using equal modulation
+ * [8..15 for two streams, 16..23 for three and 24..31 for four]
+ * - remainder are multiple spatial streams using unequal modulation
+ */
+#define IEEE80211_HT_MCS_UNEQUAL_MODULATION_START 33
+#define IEEE80211_HT_MCS_UNEQUAL_MODULATION_START_BYTE \
+ (IEEE80211_HT_MCS_UNEQUAL_MODULATION_START / 8)
+
+/**
+ * struct ieee80211_ht_cap - HT capabilities element
+ * @cap_info: HT Capability Information
+ * @ampdu_params_info: A-MPDU Parameters
+ * @mcs: Supported MCS Set
+ * @extended_ht_cap_info: HT Extended Capabilities
+ * @tx_BF_cap_info: Transmit Beamforming Capabilities
+ * @antenna_selection_info: ASEL Capability
+ *
+ * This structure represents the payload of the "HT Capabilities
+ * element" as described in IEEE Std 802.11-2020 section 9.4.2.55.
+ */
+struct ieee80211_ht_cap {
+ __le16 cap_info;
+ u8 ampdu_params_info;
+
+ /* 16 bytes MCS information */
+ struct ieee80211_mcs_info mcs;
+
+ __le16 extended_ht_cap_info;
+ __le32 tx_BF_cap_info;
+ u8 antenna_selection_info;
+} __packed;
+
+/* 802.11n HT capabilities masks (for cap_info) */
+#define IEEE80211_HT_CAP_LDPC_CODING 0x0001
+#define IEEE80211_HT_CAP_SUP_WIDTH_20_40 0x0002
+#define IEEE80211_HT_CAP_SM_PS 0x000C
+#define IEEE80211_HT_CAP_SM_PS_SHIFT 2
+#define IEEE80211_HT_CAP_GRN_FLD 0x0010
+#define IEEE80211_HT_CAP_SGI_20 0x0020
+#define IEEE80211_HT_CAP_SGI_40 0x0040
+#define IEEE80211_HT_CAP_TX_STBC 0x0080
+#define IEEE80211_HT_CAP_RX_STBC 0x0300
+#define IEEE80211_HT_CAP_RX_STBC_SHIFT 8
+#define IEEE80211_HT_CAP_DELAY_BA 0x0400
+#define IEEE80211_HT_CAP_MAX_AMSDU 0x0800
+#define IEEE80211_HT_CAP_DSSSCCK40 0x1000
+#define IEEE80211_HT_CAP_RESERVED 0x2000
+#define IEEE80211_HT_CAP_40MHZ_INTOLERANT 0x4000
+#define IEEE80211_HT_CAP_LSIG_TXOP_PROT 0x8000
+
+/* 802.11n HT extended capabilities masks (for extended_ht_cap_info) */
+#define IEEE80211_HT_EXT_CAP_PCO 0x0001
+#define IEEE80211_HT_EXT_CAP_PCO_TIME 0x0006
+#define IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT 1
+#define IEEE80211_HT_EXT_CAP_MCS_FB 0x0300
+#define IEEE80211_HT_EXT_CAP_MCS_FB_SHIFT 8
+#define IEEE80211_HT_EXT_CAP_HTC_SUP 0x0400
+#define IEEE80211_HT_EXT_CAP_RD_RESPONDER 0x0800
+
+/* 802.11n HT capability AMPDU settings (for ampdu_params_info) */
+#define IEEE80211_HT_AMPDU_PARM_FACTOR 0x03
+#define IEEE80211_HT_AMPDU_PARM_DENSITY 0x1C
+#define IEEE80211_HT_AMPDU_PARM_DENSITY_SHIFT 2
+
+/*
+ * Maximum length of AMPDU that the STA can receive in high-throughput (HT).
+ * Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
+ */
+enum ieee80211_max_ampdu_length_exp {
+ IEEE80211_HT_MAX_AMPDU_8K = 0,
+ IEEE80211_HT_MAX_AMPDU_16K = 1,
+ IEEE80211_HT_MAX_AMPDU_32K = 2,
+ IEEE80211_HT_MAX_AMPDU_64K = 3
+};
+
+#define IEEE80211_HT_MAX_AMPDU_FACTOR 13
+
+/* Minimum MPDU start spacing */
+enum ieee80211_min_mpdu_spacing {
+ IEEE80211_HT_MPDU_DENSITY_NONE = 0, /* No restriction */
+ IEEE80211_HT_MPDU_DENSITY_0_25 = 1, /* 1/4 usec */
+ IEEE80211_HT_MPDU_DENSITY_0_5 = 2, /* 1/2 usec */
+ IEEE80211_HT_MPDU_DENSITY_1 = 3, /* 1 usec */
+ IEEE80211_HT_MPDU_DENSITY_2 = 4, /* 2 usec */
+ IEEE80211_HT_MPDU_DENSITY_4 = 5, /* 4 usec */
+ IEEE80211_HT_MPDU_DENSITY_8 = 6, /* 8 usec */
+ IEEE80211_HT_MPDU_DENSITY_16 = 7 /* 16 usec */
+};
+
+/**
+ * struct ieee80211_ht_operation - HT operation IE
+ * @primary_chan: Primary Channel
+ * @ht_param: HT Operation Information parameters
+ * @operation_mode: HT Operation Information operation mode
+ * @stbc_param: HT Operation Information STBC params
+ * @basic_set: Basic HT-MCS Set
+ *
+ * This structure represents the payload of the "HT Operation
+ * element" as described in IEEE Std 802.11-2020 section 9.4.2.56.
+ */
+struct ieee80211_ht_operation {
+ u8 primary_chan;
+ u8 ht_param;
+ __le16 operation_mode;
+ __le16 stbc_param;
+ u8 basic_set[16];
+} __packed;
+
+/* for ht_param */
+#define IEEE80211_HT_PARAM_CHA_SEC_OFFSET 0x03
+#define IEEE80211_HT_PARAM_CHA_SEC_NONE 0x00
+#define IEEE80211_HT_PARAM_CHA_SEC_ABOVE 0x01
+#define IEEE80211_HT_PARAM_CHA_SEC_BELOW 0x03
+#define IEEE80211_HT_PARAM_CHAN_WIDTH_ANY 0x04
+#define IEEE80211_HT_PARAM_RIFS_MODE 0x08
+
+/* for operation_mode */
+#define IEEE80211_HT_OP_MODE_PROTECTION 0x0003
+#define IEEE80211_HT_OP_MODE_PROTECTION_NONE 0
+#define IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER 1
+#define IEEE80211_HT_OP_MODE_PROTECTION_20MHZ 2
+#define IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED 3
+#define IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT 0x0004
+#define IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT 0x0010
+#define IEEE80211_HT_OP_MODE_CCFS2_SHIFT 5
+#define IEEE80211_HT_OP_MODE_CCFS2_MASK 0x1fe0
+
+/* for stbc_param */
+#define IEEE80211_HT_STBC_PARAM_DUAL_BEACON 0x0040
+#define IEEE80211_HT_STBC_PARAM_DUAL_CTS_PROT 0x0080
+#define IEEE80211_HT_STBC_PARAM_STBC_BEACON 0x0100
+#define IEEE80211_HT_STBC_PARAM_LSIG_TXOP_FULLPROT 0x0200
+#define IEEE80211_HT_STBC_PARAM_PCO_ACTIVE 0x0400
+#define IEEE80211_HT_STBC_PARAM_PCO_PHASE 0x0800
+
+
+/* block-ack parameters */
+#define IEEE80211_ADDBA_PARAM_AMSDU_MASK 0x0001
+#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0
+#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+
+/*
+ * A-MPDU buffer sizes
+ * According to HT size varies from 8 to 64 frames
+ * HE adds the ability to have up to 256 frames.
+ * EHT adds the ability to have up to 1K frames.
+ */
+#define IEEE80211_MIN_AMPDU_BUF 0x8
+#define IEEE80211_MAX_AMPDU_BUF_HT 0x40
+#define IEEE80211_MAX_AMPDU_BUF_HE 0x100
+#define IEEE80211_MAX_AMPDU_BUF_EHT 0x400
+
+
+/* Spatial Multiplexing Power Save Modes (for capability) */
+#define WLAN_HT_CAP_SM_PS_STATIC 0
+#define WLAN_HT_CAP_SM_PS_DYNAMIC 1
+#define WLAN_HT_CAP_SM_PS_INVALID 2
+#define WLAN_HT_CAP_SM_PS_DISABLED 3
+
+/* for SM power control field lower two bits */
+#define WLAN_HT_SMPS_CONTROL_DISABLED 0
+#define WLAN_HT_SMPS_CONTROL_STATIC 1
+#define WLAN_HT_SMPS_CONTROL_DYNAMIC 3
+
+/* HT action codes */
+enum ieee80211_ht_actioncode {
+ WLAN_HT_ACTION_NOTIFY_CHANWIDTH = 0,
+ WLAN_HT_ACTION_SMPS = 1,
+ WLAN_HT_ACTION_PSMP = 2,
+ WLAN_HT_ACTION_PCO_PHASE = 3,
+ WLAN_HT_ACTION_CSI = 4,
+ WLAN_HT_ACTION_NONCOMPRESSED_BF = 5,
+ WLAN_HT_ACTION_COMPRESSED_BF = 6,
+ WLAN_HT_ACTION_ASEL_IDX_FEEDBACK = 7,
+};
+
+/* BACK action code */
+enum ieee80211_back_actioncode {
+ WLAN_ACTION_ADDBA_REQ = 0,
+ WLAN_ACTION_ADDBA_RESP = 1,
+ WLAN_ACTION_DELBA = 2,
+};
+
+/* BACK (block-ack) parties */
+enum ieee80211_back_parties {
+ WLAN_BACK_RECIPIENT = 0,
+ WLAN_BACK_INITIATOR = 1,
+};
+
+#endif /* LINUX_IEEE80211_HT_H */
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index ebc12d1939273..f0a7899fb6626 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -239,13 +239,6 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
/* 30 byte 4 addr hdr, 2 byte QoS, 2304 byte MSDU, 12 byte crypt, 4 byte FCS */
#define IEEE80211_MAX_FRAME_LEN 2352
-/* Maximal size of an A-MSDU that can be transported in a HT BA session */
-#define IEEE80211_MAX_MPDU_LEN_HT_BA 4095
-
-/* Maximal size of an A-MSDU */
-#define IEEE80211_MAX_MPDU_LEN_HT_3839 3839
-#define IEEE80211_MAX_MPDU_LEN_HT_7935 7935
-
#define IEEE80211_MAX_MPDU_LEN_VHT_3895 3895
#define IEEE80211_MAX_MPDU_LEN_VHT_7991 7991
#define IEEE80211_MAX_MPDU_LEN_VHT_11454 11454
@@ -302,8 +295,6 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
#define IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK 0x03
#define IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT 5
-#define IEEE80211_HT_CTL_LEN 4
-
/* trigger type within common_info of trigger frame */
#define IEEE80211_TRIGGER_TYPE_MASK 0xf
#define IEEE80211_TRIGGER_TYPE_BASIC 0x0
@@ -997,11 +988,6 @@ struct ieee80211_tim_ie {
};
} __packed;
-enum ieee80211_ht_chanwidth_values {
- IEEE80211_HT_CHANWIDTH_20MHZ = 0,
- IEEE80211_HT_CHANWIDTH_ANY = 1,
-};
-
/**
* enum ieee80211_vht_opmode_bits - VHT operating mode field bits
* @IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK: channel width mask
@@ -1677,146 +1663,6 @@ struct ieee80211_p2p_noa_attr {
#define IEEE80211_P2P_OPPPS_ENABLE_BIT BIT(7)
#define IEEE80211_P2P_OPPPS_CTWINDOW_MASK 0x7F
-/**
- * struct ieee80211_bar - Block Ack Request frame format
- * @frame_control: Frame Control
- * @duration: Duration
- * @ra: RA
- * @ta: TA
- * @control: BAR Control
- * @start_seq_num: Starting Sequence Number (see Figure 9-37)
- *
- * This structure represents the "BlockAckReq frame format"
- * as described in IEEE Std 802.11-2020 section 9.3.1.7.
-*/
-struct ieee80211_bar {
- __le16 frame_control;
- __le16 duration;
- __u8 ra[ETH_ALEN];
- __u8 ta[ETH_ALEN];
- __le16 control;
- __le16 start_seq_num;
-} __packed;
-
-/* 802.11 BAR control masks */
-#define IEEE80211_BAR_CTRL_ACK_POLICY_NORMAL 0x0000
-#define IEEE80211_BAR_CTRL_MULTI_TID 0x0002
-#define IEEE80211_BAR_CTRL_CBMTID_COMPRESSED_BA 0x0004
-#define IEEE80211_BAR_CTRL_TID_INFO_MASK 0xf000
-#define IEEE80211_BAR_CTRL_TID_INFO_SHIFT 12
-
-#define IEEE80211_HT_MCS_MASK_LEN 10
-
-/**
- * struct ieee80211_mcs_info - Supported MCS Set field
- * @rx_mask: RX mask
- * @rx_highest: highest supported RX rate. If set represents
- * the highest supported RX data rate in units of 1 Mbps.
- * If this field is 0 this value should not be used to
- * consider the highest RX data rate supported.
- * @tx_params: TX parameters
- * @reserved: Reserved bits
- *
- * This structure represents the "Supported MCS Set field" as
- * described in IEEE Std 802.11-2020 section 9.4.2.55.4.
- */
-struct ieee80211_mcs_info {
- u8 rx_mask[IEEE80211_HT_MCS_MASK_LEN];
- __le16 rx_highest;
- u8 tx_params;
- u8 reserved[3];
-} __packed;
-
-/* 802.11n HT capability MSC set */
-#define IEEE80211_HT_MCS_RX_HIGHEST_MASK 0x3ff
-#define IEEE80211_HT_MCS_TX_DEFINED 0x01
-#define IEEE80211_HT_MCS_TX_RX_DIFF 0x02
-/* value 0 == 1 stream etc */
-#define IEEE80211_HT_MCS_TX_MAX_STREAMS_MASK 0x0C
-#define IEEE80211_HT_MCS_TX_MAX_STREAMS_SHIFT 2
-#define IEEE80211_HT_MCS_TX_MAX_STREAMS 4
-#define IEEE80211_HT_MCS_TX_UNEQUAL_MODULATION 0x10
-
-#define IEEE80211_HT_MCS_CHAINS(mcs) ((mcs) == 32 ? 1 : (1 + ((mcs) >> 3)))
-
-/*
- * 802.11n D5.0 20.3.5 / 20.6 says:
- * - indices 0 to 7 and 32 are single spatial stream
- * - 8 to 31 are multiple spatial streams using equal modulation
- * [8..15 for two streams, 16..23 for three and 24..31 for four]
- * - remainder are multiple spatial streams using unequal modulation
- */
-#define IEEE80211_HT_MCS_UNEQUAL_MODULATION_START 33
-#define IEEE80211_HT_MCS_UNEQUAL_MODULATION_START_BYTE \
- (IEEE80211_HT_MCS_UNEQUAL_MODULATION_START / 8)
-
-/**
- * struct ieee80211_ht_cap - HT capabilities element
- * @cap_info: HT Capability Information
- * @ampdu_params_info: A-MPDU Parameters
- * @mcs: Supported MCS Set
- * @extended_ht_cap_info: HT Extended Capabilities
- * @tx_BF_cap_info: Transmit Beamforming Capabilities
- * @antenna_selection_info: ASEL Capability
- *
- * This structure represents the payload of the "HT Capabilities
- * element" as described in IEEE Std 802.11-2020 section 9.4.2.55.
- */
-struct ieee80211_ht_cap {
- __le16 cap_info;
- u8 ampdu_params_info;
-
- /* 16 bytes MCS information */
- struct ieee80211_mcs_info mcs;
-
- __le16 extended_ht_cap_info;
- __le32 tx_BF_cap_info;
- u8 antenna_selection_info;
-} __packed;
-
-/* 802.11n HT capabilities masks (for cap_info) */
-#define IEEE80211_HT_CAP_LDPC_CODING 0x0001
-#define IEEE80211_HT_CAP_SUP_WIDTH_20_40 0x0002
-#define IEEE80211_HT_CAP_SM_PS 0x000C
-#define IEEE80211_HT_CAP_SM_PS_SHIFT 2
-#define IEEE80211_HT_CAP_GRN_FLD 0x0010
-#define IEEE80211_HT_CAP_SGI_20 0x0020
-#define IEEE80211_HT_CAP_SGI_40 0x0040
-#define IEEE80211_HT_CAP_TX_STBC 0x0080
-#define IEEE80211_HT_CAP_RX_STBC 0x0300
-#define IEEE80211_HT_CAP_RX_STBC_SHIFT 8
-#define IEEE80211_HT_CAP_DELAY_BA 0x0400
-#define IEEE80211_HT_CAP_MAX_AMSDU 0x0800
-#define IEEE80211_HT_CAP_DSSSCCK40 0x1000
-#define IEEE80211_HT_CAP_RESERVED 0x2000
-#define IEEE80211_HT_CAP_40MHZ_INTOLERANT 0x4000
-#define IEEE80211_HT_CAP_LSIG_TXOP_PROT 0x8000
-
-/* 802.11n HT extended capabilities masks (for extended_ht_cap_info) */
-#define IEEE80211_HT_EXT_CAP_PCO 0x0001
-#define IEEE80211_HT_EXT_CAP_PCO_TIME 0x0006
-#define IEEE80211_HT_EXT_CAP_PCO_TIME_SHIFT 1
-#define IEEE80211_HT_EXT_CAP_MCS_FB 0x0300
-#define IEEE80211_HT_EXT_CAP_MCS_FB_SHIFT 8
-#define IEEE80211_HT_EXT_CAP_HTC_SUP 0x0400
-#define IEEE80211_HT_EXT_CAP_RD_RESPONDER 0x0800
-
-/* 802.11n HT capability AMPDU settings (for ampdu_params_info) */
-#define IEEE80211_HT_AMPDU_PARM_FACTOR 0x03
-#define IEEE80211_HT_AMPDU_PARM_DENSITY 0x1C
-#define IEEE80211_HT_AMPDU_PARM_DENSITY_SHIFT 2
-
-/*
- * Maximum length of AMPDU that the STA can receive in high-throughput (HT).
- * Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
- */
-enum ieee80211_max_ampdu_length_exp {
- IEEE80211_HT_MAX_AMPDU_8K = 0,
- IEEE80211_HT_MAX_AMPDU_16K = 1,
- IEEE80211_HT_MAX_AMPDU_32K = 2,
- IEEE80211_HT_MAX_AMPDU_64K = 3
-};
-
/*
* Maximum length of AMPDU that the STA can receive in VHT.
* Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
@@ -1832,98 +1678,6 @@ enum ieee80211_vht_max_ampdu_length_exp {
IEEE80211_VHT_MAX_AMPDU_1024K = 7
};
-#define IEEE80211_HT_MAX_AMPDU_FACTOR 13
-
-/* Minimum MPDU start spacing */
-enum ieee80211_min_mpdu_spacing {
- IEEE80211_HT_MPDU_DENSITY_NONE = 0, /* No restriction */
- IEEE80211_HT_MPDU_DENSITY_0_25 = 1, /* 1/4 usec */
- IEEE80211_HT_MPDU_DENSITY_0_5 = 2, /* 1/2 usec */
- IEEE80211_HT_MPDU_DENSITY_1 = 3, /* 1 usec */
- IEEE80211_HT_MPDU_DENSITY_2 = 4, /* 2 usec */
- IEEE80211_HT_MPDU_DENSITY_4 = 5, /* 4 usec */
- IEEE80211_HT_MPDU_DENSITY_8 = 6, /* 8 usec */
- IEEE80211_HT_MPDU_DENSITY_16 = 7 /* 16 usec */
-};
-
-/**
- * struct ieee80211_ht_operation - HT operation IE
- * @primary_chan: Primary Channel
- * @ht_param: HT Operation Information parameters
- * @operation_mode: HT Operation Information operation mode
- * @stbc_param: HT Operation Information STBC params
- * @basic_set: Basic HT-MCS Set
- *
- * This structure represents the payload of the "HT Operation
- * element" as described in IEEE Std 802.11-2020 section 9.4.2.56.
- */
-struct ieee80211_ht_operation {
- u8 primary_chan;
- u8 ht_param;
- __le16 operation_mode;
- __le16 stbc_param;
- u8 basic_set[16];
-} __packed;
-
-/* for ht_param */
-#define IEEE80211_HT_PARAM_CHA_SEC_OFFSET 0x03
-#define IEEE80211_HT_PARAM_CHA_SEC_NONE 0x00
-#define IEEE80211_HT_PARAM_CHA_SEC_ABOVE 0x01
-#define IEEE80211_HT_PARAM_CHA_SEC_BELOW 0x03
-#define IEEE80211_HT_PARAM_CHAN_WIDTH_ANY 0x04
-#define IEEE80211_HT_PARAM_RIFS_MODE 0x08
-
-/* for operation_mode */
-#define IEEE80211_HT_OP_MODE_PROTECTION 0x0003
-#define IEEE80211_HT_OP_MODE_PROTECTION_NONE 0
-#define IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER 1
-#define IEEE80211_HT_OP_MODE_PROTECTION_20MHZ 2
-#define IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED 3
-#define IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT 0x0004
-#define IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT 0x0010
-#define IEEE80211_HT_OP_MODE_CCFS2_SHIFT 5
-#define IEEE80211_HT_OP_MODE_CCFS2_MASK 0x1fe0
-
-/* for stbc_param */
-#define IEEE80211_HT_STBC_PARAM_DUAL_BEACON 0x0040
-#define IEEE80211_HT_STBC_PARAM_DUAL_CTS_PROT 0x0080
-#define IEEE80211_HT_STBC_PARAM_STBC_BEACON 0x0100
-#define IEEE80211_HT_STBC_PARAM_LSIG_TXOP_FULLPROT 0x0200
-#define IEEE80211_HT_STBC_PARAM_PCO_ACTIVE 0x0400
-#define IEEE80211_HT_STBC_PARAM_PCO_PHASE 0x0800
-
-
-/* block-ack parameters */
-#define IEEE80211_ADDBA_PARAM_AMSDU_MASK 0x0001
-#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
-#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0
-#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
-#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
-
-/*
- * A-MPDU buffer sizes
- * According to HT size varies from 8 to 64 frames
- * HE adds the ability to have up to 256 frames.
- * EHT adds the ability to have up to 1K frames.
- */
-#define IEEE80211_MIN_AMPDU_BUF 0x8
-#define IEEE80211_MAX_AMPDU_BUF_HT 0x40
-#define IEEE80211_MAX_AMPDU_BUF_HE 0x100
-#define IEEE80211_MAX_AMPDU_BUF_EHT 0x400
-
-
-/* Spatial Multiplexing Power Save Modes (for capability) */
-#define WLAN_HT_CAP_SM_PS_STATIC 0
-#define WLAN_HT_CAP_SM_PS_DYNAMIC 1
-#define WLAN_HT_CAP_SM_PS_INVALID 2
-#define WLAN_HT_CAP_SM_PS_DISABLED 3
-
-/* for SM power control field lower two bits */
-#define WLAN_HT_SMPS_CONTROL_DISABLED 0
-#define WLAN_HT_SMPS_CONTROL_STATIC 1
-#define WLAN_HT_SMPS_CONTROL_DYNAMIC 3
-
/**
* struct ieee80211_vht_mcs_info - VHT MCS information
* @rx_mcs_map: RX MCS map 2 bits for each stream, total 8 streams
@@ -3807,18 +3561,6 @@ enum ieee80211_spectrum_mgmt_actioncode {
WLAN_ACTION_SPCT_CHL_SWITCH = 4,
};
-/* HT action codes */
-enum ieee80211_ht_actioncode {
- WLAN_HT_ACTION_NOTIFY_CHANWIDTH = 0,
- WLAN_HT_ACTION_SMPS = 1,
- WLAN_HT_ACTION_PSMP = 2,
- WLAN_HT_ACTION_PCO_PHASE = 3,
- WLAN_HT_ACTION_CSI = 4,
- WLAN_HT_ACTION_NONCOMPRESSED_BF = 5,
- WLAN_HT_ACTION_COMPRESSED_BF = 6,
- WLAN_HT_ACTION_ASEL_IDX_FEEDBACK = 7,
-};
-
/* VHT action codes */
enum ieee80211_vht_actioncode {
WLAN_VHT_ACTION_COMPRESSED_BF = 0,
@@ -4155,19 +3897,6 @@ struct ieee80211_bss_max_idle_period_ie {
u8 idle_options;
} __packed;
-/* BACK action code */
-enum ieee80211_back_actioncode {
- WLAN_ACTION_ADDBA_REQ = 0,
- WLAN_ACTION_ADDBA_RESP = 1,
- WLAN_ACTION_DELBA = 2,
-};
-
-/* BACK (block-ack) parties */
-enum ieee80211_back_parties {
- WLAN_BACK_RECIPIENT = 0,
- WLAN_BACK_INITIATOR = 1,
-};
-
/* SA Query action */
enum ieee80211_sa_query_action {
WLAN_ACTION_SA_QUERY_REQUEST = 0,
@@ -5889,6 +5618,7 @@ static inline u32 ieee80211_eml_trans_timeout_in_us(u16 eml_cap)
#define NAN_DEV_CAPA_NDPE_SUPPORTED 0x08
#define NAN_DEV_CAPA_S3_SUPPORTED 0x10
+#include "ieee80211-ht.h"
#include "ieee80211-mesh.h"
#endif /* LINUX_IEEE80211_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 059/957] wifi: ieee80211: split VHT definitions out
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 058/957] wifi: ieee80211: split HT " Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 060/957] wifi: ieee80211: split HE " Greg Kroah-Hartman
` (903 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 7cb14da1d7bbfa4a6417ed7f1bc07dd77bcd9c83 ]
The ieee80211.h file has gotten very long, continue splitting
it by putting VHT definitions into a separate file.
Link: https://patch.msgid.link/20251105153843.c31cb771a250.I787a13064db7d80440101de3445be17881daf1b6@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb0caadb64ca ("wifi: ieee80211: fix definition of EHT-MCS 15 in MRU")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211-vht.h | 236 ++++++++++++++++++++++++++++++++++
include/linux/ieee80211.h | 216 +------------------------------
2 files changed, 237 insertions(+), 215 deletions(-)
create mode 100644 include/linux/ieee80211-vht.h
diff --git a/include/linux/ieee80211-vht.h b/include/linux/ieee80211-vht.h
new file mode 100644
index 0000000000000..898dfb561fef2
--- /dev/null
+++ b/include/linux/ieee80211-vht.h
@@ -0,0 +1,236 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * IEEE 802.11 VHT definitions
+ *
+ * Copyright (c) 2001-2002, SSH Communications Security Corp and Jouni Malinen
+ * <jkmaline@cc.hut.fi>
+ * Copyright (c) 2002-2003, Jouni Malinen <jkmaline@cc.hut.fi>
+ * Copyright (c) 2005, Devicescape Software, Inc.
+ * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
+ * Copyright (c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright (c) 2016 - 2017 Intel Deutschland GmbH
+ * Copyright (c) 2018 - 2025 Intel Corporation
+ */
+
+#ifndef LINUX_IEEE80211_VHT_H
+#define LINUX_IEEE80211_VHT_H
+
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+#define IEEE80211_MAX_MPDU_LEN_VHT_3895 3895
+#define IEEE80211_MAX_MPDU_LEN_VHT_7991 7991
+#define IEEE80211_MAX_MPDU_LEN_VHT_11454 11454
+
+/**
+ * enum ieee80211_vht_opmode_bits - VHT operating mode field bits
+ * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK: channel width mask
+ * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ: 20 MHz channel width
+ * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_40MHZ: 40 MHz channel width
+ * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_80MHZ: 80 MHz channel width
+ * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_160MHZ: 160 MHz or 80+80 MHz channel width
+ * @IEEE80211_OPMODE_NOTIF_BW_160_80P80: 160 / 80+80 MHz indicator flag
+ * @IEEE80211_OPMODE_NOTIF_RX_NSS_MASK: number of spatial streams mask
+ * (the NSS value is the value of this field + 1)
+ * @IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT: number of spatial streams shift
+ * @IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF: indicates streams in SU-MIMO PPDU
+ * using a beamforming steering matrix
+ */
+enum ieee80211_vht_opmode_bits {
+ IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK = 0x03,
+ IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ = 0,
+ IEEE80211_OPMODE_NOTIF_CHANWIDTH_40MHZ = 1,
+ IEEE80211_OPMODE_NOTIF_CHANWIDTH_80MHZ = 2,
+ IEEE80211_OPMODE_NOTIF_CHANWIDTH_160MHZ = 3,
+ IEEE80211_OPMODE_NOTIF_BW_160_80P80 = 0x04,
+ IEEE80211_OPMODE_NOTIF_RX_NSS_MASK = 0x70,
+ IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT = 4,
+ IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF = 0x80,
+};
+
+/*
+ * Maximum length of AMPDU that the STA can receive in VHT.
+ * Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
+ */
+enum ieee80211_vht_max_ampdu_length_exp {
+ IEEE80211_VHT_MAX_AMPDU_8K = 0,
+ IEEE80211_VHT_MAX_AMPDU_16K = 1,
+ IEEE80211_VHT_MAX_AMPDU_32K = 2,
+ IEEE80211_VHT_MAX_AMPDU_64K = 3,
+ IEEE80211_VHT_MAX_AMPDU_128K = 4,
+ IEEE80211_VHT_MAX_AMPDU_256K = 5,
+ IEEE80211_VHT_MAX_AMPDU_512K = 6,
+ IEEE80211_VHT_MAX_AMPDU_1024K = 7
+};
+
+/**
+ * struct ieee80211_vht_mcs_info - VHT MCS information
+ * @rx_mcs_map: RX MCS map 2 bits for each stream, total 8 streams
+ * @rx_highest: Indicates highest long GI VHT PPDU data rate
+ * STA can receive. Rate expressed in units of 1 Mbps.
+ * If this field is 0 this value should not be used to
+ * consider the highest RX data rate supported.
+ * The top 3 bits of this field indicate the Maximum NSTS,total
+ * (a beamformee capability.)
+ * @tx_mcs_map: TX MCS map 2 bits for each stream, total 8 streams
+ * @tx_highest: Indicates highest long GI VHT PPDU data rate
+ * STA can transmit. Rate expressed in units of 1 Mbps.
+ * If this field is 0 this value should not be used to
+ * consider the highest TX data rate supported.
+ * The top 2 bits of this field are reserved, the
+ * 3rd bit from the top indiciates VHT Extended NSS BW
+ * Capability.
+ */
+struct ieee80211_vht_mcs_info {
+ __le16 rx_mcs_map;
+ __le16 rx_highest;
+ __le16 tx_mcs_map;
+ __le16 tx_highest;
+} __packed;
+
+/* for rx_highest */
+#define IEEE80211_VHT_MAX_NSTS_TOTAL_SHIFT 13
+#define IEEE80211_VHT_MAX_NSTS_TOTAL_MASK (7 << IEEE80211_VHT_MAX_NSTS_TOTAL_SHIFT)
+
+/* for tx_highest */
+#define IEEE80211_VHT_EXT_NSS_BW_CAPABLE (1 << 13)
+
+/**
+ * enum ieee80211_vht_mcs_support - VHT MCS support definitions
+ * @IEEE80211_VHT_MCS_SUPPORT_0_7: MCSes 0-7 are supported for the
+ * number of streams
+ * @IEEE80211_VHT_MCS_SUPPORT_0_8: MCSes 0-8 are supported
+ * @IEEE80211_VHT_MCS_SUPPORT_0_9: MCSes 0-9 are supported
+ * @IEEE80211_VHT_MCS_NOT_SUPPORTED: This number of streams isn't supported
+ *
+ * These definitions are used in each 2-bit subfield of the @rx_mcs_map
+ * and @tx_mcs_map fields of &struct ieee80211_vht_mcs_info, which are
+ * both split into 8 subfields by number of streams. These values indicate
+ * which MCSes are supported for the number of streams the value appears
+ * for.
+ */
+enum ieee80211_vht_mcs_support {
+ IEEE80211_VHT_MCS_SUPPORT_0_7 = 0,
+ IEEE80211_VHT_MCS_SUPPORT_0_8 = 1,
+ IEEE80211_VHT_MCS_SUPPORT_0_9 = 2,
+ IEEE80211_VHT_MCS_NOT_SUPPORTED = 3,
+};
+
+/**
+ * struct ieee80211_vht_cap - VHT capabilities
+ *
+ * This structure is the "VHT capabilities element" as
+ * described in 802.11ac D3.0 8.4.2.160
+ * @vht_cap_info: VHT capability info
+ * @supp_mcs: VHT MCS supported rates
+ */
+struct ieee80211_vht_cap {
+ __le32 vht_cap_info;
+ struct ieee80211_vht_mcs_info supp_mcs;
+} __packed;
+
+/**
+ * enum ieee80211_vht_chanwidth - VHT channel width
+ * @IEEE80211_VHT_CHANWIDTH_USE_HT: use the HT operation IE to
+ * determine the channel width (20 or 40 MHz)
+ * @IEEE80211_VHT_CHANWIDTH_80MHZ: 80 MHz bandwidth
+ * @IEEE80211_VHT_CHANWIDTH_160MHZ: 160 MHz bandwidth
+ * @IEEE80211_VHT_CHANWIDTH_80P80MHZ: 80+80 MHz bandwidth
+ */
+enum ieee80211_vht_chanwidth {
+ IEEE80211_VHT_CHANWIDTH_USE_HT = 0,
+ IEEE80211_VHT_CHANWIDTH_80MHZ = 1,
+ IEEE80211_VHT_CHANWIDTH_160MHZ = 2,
+ IEEE80211_VHT_CHANWIDTH_80P80MHZ = 3,
+};
+
+/**
+ * struct ieee80211_vht_operation - VHT operation IE
+ *
+ * This structure is the "VHT operation element" as
+ * described in 802.11ac D3.0 8.4.2.161
+ * @chan_width: Operating channel width
+ * @center_freq_seg0_idx: center freq segment 0 index
+ * @center_freq_seg1_idx: center freq segment 1 index
+ * @basic_mcs_set: VHT Basic MCS rate set
+ */
+struct ieee80211_vht_operation {
+ u8 chan_width;
+ u8 center_freq_seg0_idx;
+ u8 center_freq_seg1_idx;
+ __le16 basic_mcs_set;
+} __packed;
+
+/* 802.11ac VHT Capabilities */
+#define IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 0x00000000
+#define IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 0x00000001
+#define IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 0x00000002
+#define IEEE80211_VHT_CAP_MAX_MPDU_MASK 0x00000003
+#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ 0x00000004
+#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ 0x00000008
+#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK 0x0000000C
+#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_SHIFT 2
+#define IEEE80211_VHT_CAP_RXLDPC 0x00000010
+#define IEEE80211_VHT_CAP_SHORT_GI_80 0x00000020
+#define IEEE80211_VHT_CAP_SHORT_GI_160 0x00000040
+#define IEEE80211_VHT_CAP_TXSTBC 0x00000080
+#define IEEE80211_VHT_CAP_RXSTBC_1 0x00000100
+#define IEEE80211_VHT_CAP_RXSTBC_2 0x00000200
+#define IEEE80211_VHT_CAP_RXSTBC_3 0x00000300
+#define IEEE80211_VHT_CAP_RXSTBC_4 0x00000400
+#define IEEE80211_VHT_CAP_RXSTBC_MASK 0x00000700
+#define IEEE80211_VHT_CAP_RXSTBC_SHIFT 8
+#define IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE 0x00000800
+#define IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE 0x00001000
+#define IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT 13
+#define IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK \
+ (7 << IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT)
+#define IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT 16
+#define IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK \
+ (7 << IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT)
+#define IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE 0x00080000
+#define IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE 0x00100000
+#define IEEE80211_VHT_CAP_VHT_TXOP_PS 0x00200000
+#define IEEE80211_VHT_CAP_HTC_VHT 0x00400000
+#define IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT 23
+#define IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK \
+ (7 << IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT)
+#define IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_UNSOL_MFB 0x08000000
+#define IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB 0x0c000000
+#define IEEE80211_VHT_CAP_RX_ANTENNA_PATTERN 0x10000000
+#define IEEE80211_VHT_CAP_TX_ANTENNA_PATTERN 0x20000000
+#define IEEE80211_VHT_CAP_EXT_NSS_BW_SHIFT 30
+#define IEEE80211_VHT_CAP_EXT_NSS_BW_MASK 0xc0000000
+
+/**
+ * ieee80211_get_vht_max_nss - return max NSS for a given bandwidth/MCS
+ * @cap: VHT capabilities of the peer
+ * @bw: bandwidth to use
+ * @mcs: MCS index to use
+ * @ext_nss_bw_capable: indicates whether or not the local transmitter
+ * (rate scaling algorithm) can deal with the new logic
+ * (dot11VHTExtendedNSSBWCapable)
+ * @max_vht_nss: current maximum NSS as advertised by the STA in
+ * operating mode notification, can be 0 in which case the
+ * capability data will be used to derive this (from MCS support)
+ * Return: The maximum NSS that can be used for the given bandwidth/MCS
+ * combination
+ *
+ * Due to the VHT Extended NSS Bandwidth Support, the maximum NSS can
+ * vary for a given BW/MCS. This function parses the data.
+ *
+ * Note: This function is exported by cfg80211.
+ */
+int ieee80211_get_vht_max_nss(struct ieee80211_vht_cap *cap,
+ enum ieee80211_vht_chanwidth bw,
+ int mcs, bool ext_nss_bw_capable,
+ unsigned int max_vht_nss);
+
+/* VHT action codes */
+enum ieee80211_vht_actioncode {
+ WLAN_VHT_ACTION_COMPRESSED_BF = 0,
+ WLAN_VHT_ACTION_GROUPID_MGMT = 1,
+ WLAN_VHT_ACTION_OPMODE_NOTIF = 2,
+};
+
+#endif /* LINUX_IEEE80211_VHT_H */
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index f0a7899fb6626..fb399b7833736 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -239,10 +239,6 @@ static inline u16 ieee80211_sn_sub(u16 sn1, u16 sn2)
/* 30 byte 4 addr hdr, 2 byte QoS, 2304 byte MSDU, 12 byte crypt, 4 byte FCS */
#define IEEE80211_MAX_FRAME_LEN 2352
-#define IEEE80211_MAX_MPDU_LEN_VHT_3895 3895
-#define IEEE80211_MAX_MPDU_LEN_VHT_7991 7991
-#define IEEE80211_MAX_MPDU_LEN_VHT_11454 11454
-
#define IEEE80211_MAX_SSID_LEN 32
#define IEEE80211_FIRST_TSPEC_TSID 8
@@ -988,32 +984,6 @@ struct ieee80211_tim_ie {
};
} __packed;
-/**
- * enum ieee80211_vht_opmode_bits - VHT operating mode field bits
- * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK: channel width mask
- * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ: 20 MHz channel width
- * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_40MHZ: 40 MHz channel width
- * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_80MHZ: 80 MHz channel width
- * @IEEE80211_OPMODE_NOTIF_CHANWIDTH_160MHZ: 160 MHz or 80+80 MHz channel width
- * @IEEE80211_OPMODE_NOTIF_BW_160_80P80: 160 / 80+80 MHz indicator flag
- * @IEEE80211_OPMODE_NOTIF_RX_NSS_MASK: number of spatial streams mask
- * (the NSS value is the value of this field + 1)
- * @IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT: number of spatial streams shift
- * @IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF: indicates streams in SU-MIMO PPDU
- * using a beamforming steering matrix
- */
-enum ieee80211_vht_opmode_bits {
- IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK = 0x03,
- IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ = 0,
- IEEE80211_OPMODE_NOTIF_CHANWIDTH_40MHZ = 1,
- IEEE80211_OPMODE_NOTIF_CHANWIDTH_80MHZ = 2,
- IEEE80211_OPMODE_NOTIF_CHANWIDTH_160MHZ = 3,
- IEEE80211_OPMODE_NOTIF_BW_160_80P80 = 0x04,
- IEEE80211_OPMODE_NOTIF_RX_NSS_MASK = 0x70,
- IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT = 4,
- IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF = 0x80,
-};
-
/**
* enum ieee80211_s1g_chanwidth - S1G channel widths
* These are defined in IEEE802.11-2016ah Table 10-20
@@ -1663,119 +1633,6 @@ struct ieee80211_p2p_noa_attr {
#define IEEE80211_P2P_OPPPS_ENABLE_BIT BIT(7)
#define IEEE80211_P2P_OPPPS_CTWINDOW_MASK 0x7F
-/*
- * Maximum length of AMPDU that the STA can receive in VHT.
- * Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
- */
-enum ieee80211_vht_max_ampdu_length_exp {
- IEEE80211_VHT_MAX_AMPDU_8K = 0,
- IEEE80211_VHT_MAX_AMPDU_16K = 1,
- IEEE80211_VHT_MAX_AMPDU_32K = 2,
- IEEE80211_VHT_MAX_AMPDU_64K = 3,
- IEEE80211_VHT_MAX_AMPDU_128K = 4,
- IEEE80211_VHT_MAX_AMPDU_256K = 5,
- IEEE80211_VHT_MAX_AMPDU_512K = 6,
- IEEE80211_VHT_MAX_AMPDU_1024K = 7
-};
-
-/**
- * struct ieee80211_vht_mcs_info - VHT MCS information
- * @rx_mcs_map: RX MCS map 2 bits for each stream, total 8 streams
- * @rx_highest: Indicates highest long GI VHT PPDU data rate
- * STA can receive. Rate expressed in units of 1 Mbps.
- * If this field is 0 this value should not be used to
- * consider the highest RX data rate supported.
- * The top 3 bits of this field indicate the Maximum NSTS,total
- * (a beamformee capability.)
- * @tx_mcs_map: TX MCS map 2 bits for each stream, total 8 streams
- * @tx_highest: Indicates highest long GI VHT PPDU data rate
- * STA can transmit. Rate expressed in units of 1 Mbps.
- * If this field is 0 this value should not be used to
- * consider the highest TX data rate supported.
- * The top 2 bits of this field are reserved, the
- * 3rd bit from the top indiciates VHT Extended NSS BW
- * Capability.
- */
-struct ieee80211_vht_mcs_info {
- __le16 rx_mcs_map;
- __le16 rx_highest;
- __le16 tx_mcs_map;
- __le16 tx_highest;
-} __packed;
-
-/* for rx_highest */
-#define IEEE80211_VHT_MAX_NSTS_TOTAL_SHIFT 13
-#define IEEE80211_VHT_MAX_NSTS_TOTAL_MASK (7 << IEEE80211_VHT_MAX_NSTS_TOTAL_SHIFT)
-
-/* for tx_highest */
-#define IEEE80211_VHT_EXT_NSS_BW_CAPABLE (1 << 13)
-
-/**
- * enum ieee80211_vht_mcs_support - VHT MCS support definitions
- * @IEEE80211_VHT_MCS_SUPPORT_0_7: MCSes 0-7 are supported for the
- * number of streams
- * @IEEE80211_VHT_MCS_SUPPORT_0_8: MCSes 0-8 are supported
- * @IEEE80211_VHT_MCS_SUPPORT_0_9: MCSes 0-9 are supported
- * @IEEE80211_VHT_MCS_NOT_SUPPORTED: This number of streams isn't supported
- *
- * These definitions are used in each 2-bit subfield of the @rx_mcs_map
- * and @tx_mcs_map fields of &struct ieee80211_vht_mcs_info, which are
- * both split into 8 subfields by number of streams. These values indicate
- * which MCSes are supported for the number of streams the value appears
- * for.
- */
-enum ieee80211_vht_mcs_support {
- IEEE80211_VHT_MCS_SUPPORT_0_7 = 0,
- IEEE80211_VHT_MCS_SUPPORT_0_8 = 1,
- IEEE80211_VHT_MCS_SUPPORT_0_9 = 2,
- IEEE80211_VHT_MCS_NOT_SUPPORTED = 3,
-};
-
-/**
- * struct ieee80211_vht_cap - VHT capabilities
- *
- * This structure is the "VHT capabilities element" as
- * described in 802.11ac D3.0 8.4.2.160
- * @vht_cap_info: VHT capability info
- * @supp_mcs: VHT MCS supported rates
- */
-struct ieee80211_vht_cap {
- __le32 vht_cap_info;
- struct ieee80211_vht_mcs_info supp_mcs;
-} __packed;
-
-/**
- * enum ieee80211_vht_chanwidth - VHT channel width
- * @IEEE80211_VHT_CHANWIDTH_USE_HT: use the HT operation IE to
- * determine the channel width (20 or 40 MHz)
- * @IEEE80211_VHT_CHANWIDTH_80MHZ: 80 MHz bandwidth
- * @IEEE80211_VHT_CHANWIDTH_160MHZ: 160 MHz bandwidth
- * @IEEE80211_VHT_CHANWIDTH_80P80MHZ: 80+80 MHz bandwidth
- */
-enum ieee80211_vht_chanwidth {
- IEEE80211_VHT_CHANWIDTH_USE_HT = 0,
- IEEE80211_VHT_CHANWIDTH_80MHZ = 1,
- IEEE80211_VHT_CHANWIDTH_160MHZ = 2,
- IEEE80211_VHT_CHANWIDTH_80P80MHZ = 3,
-};
-
-/**
- * struct ieee80211_vht_operation - VHT operation IE
- *
- * This structure is the "VHT operation element" as
- * described in 802.11ac D3.0 8.4.2.161
- * @chan_width: Operating channel width
- * @center_freq_seg0_idx: center freq segment 0 index
- * @center_freq_seg1_idx: center freq segment 1 index
- * @basic_mcs_set: VHT Basic MCS rate set
- */
-struct ieee80211_vht_operation {
- u8 chan_width;
- u8 center_freq_seg0_idx;
- u8 center_freq_seg1_idx;
- __le16 basic_mcs_set;
-} __packed;
-
/**
* struct ieee80211_he_cap_elem - HE capabilities element
* @mac_cap_info: HE MAC Capabilities Information
@@ -2045,71 +1902,6 @@ struct ieee80211_eht_operation_info {
u8 optional[];
} __packed;
-/* 802.11ac VHT Capabilities */
-#define IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895 0x00000000
-#define IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_7991 0x00000001
-#define IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 0x00000002
-#define IEEE80211_VHT_CAP_MAX_MPDU_MASK 0x00000003
-#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ 0x00000004
-#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ 0x00000008
-#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK 0x0000000C
-#define IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_SHIFT 2
-#define IEEE80211_VHT_CAP_RXLDPC 0x00000010
-#define IEEE80211_VHT_CAP_SHORT_GI_80 0x00000020
-#define IEEE80211_VHT_CAP_SHORT_GI_160 0x00000040
-#define IEEE80211_VHT_CAP_TXSTBC 0x00000080
-#define IEEE80211_VHT_CAP_RXSTBC_1 0x00000100
-#define IEEE80211_VHT_CAP_RXSTBC_2 0x00000200
-#define IEEE80211_VHT_CAP_RXSTBC_3 0x00000300
-#define IEEE80211_VHT_CAP_RXSTBC_4 0x00000400
-#define IEEE80211_VHT_CAP_RXSTBC_MASK 0x00000700
-#define IEEE80211_VHT_CAP_RXSTBC_SHIFT 8
-#define IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE 0x00000800
-#define IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE 0x00001000
-#define IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT 13
-#define IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK \
- (7 << IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT)
-#define IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT 16
-#define IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK \
- (7 << IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT)
-#define IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE 0x00080000
-#define IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE 0x00100000
-#define IEEE80211_VHT_CAP_VHT_TXOP_PS 0x00200000
-#define IEEE80211_VHT_CAP_HTC_VHT 0x00400000
-#define IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT 23
-#define IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK \
- (7 << IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT)
-#define IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_UNSOL_MFB 0x08000000
-#define IEEE80211_VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB 0x0c000000
-#define IEEE80211_VHT_CAP_RX_ANTENNA_PATTERN 0x10000000
-#define IEEE80211_VHT_CAP_TX_ANTENNA_PATTERN 0x20000000
-#define IEEE80211_VHT_CAP_EXT_NSS_BW_SHIFT 30
-#define IEEE80211_VHT_CAP_EXT_NSS_BW_MASK 0xc0000000
-
-/**
- * ieee80211_get_vht_max_nss - return max NSS for a given bandwidth/MCS
- * @cap: VHT capabilities of the peer
- * @bw: bandwidth to use
- * @mcs: MCS index to use
- * @ext_nss_bw_capable: indicates whether or not the local transmitter
- * (rate scaling algorithm) can deal with the new logic
- * (dot11VHTExtendedNSSBWCapable)
- * @max_vht_nss: current maximum NSS as advertised by the STA in
- * operating mode notification, can be 0 in which case the
- * capability data will be used to derive this (from MCS support)
- * Return: The maximum NSS that can be used for the given bandwidth/MCS
- * combination
- *
- * Due to the VHT Extended NSS Bandwidth Support, the maximum NSS can
- * vary for a given BW/MCS. This function parses the data.
- *
- * Note: This function is exported by cfg80211.
- */
-int ieee80211_get_vht_max_nss(struct ieee80211_vht_cap *cap,
- enum ieee80211_vht_chanwidth bw,
- int mcs, bool ext_nss_bw_capable,
- unsigned int max_vht_nss);
-
/* 802.11ax HE MAC capabilities */
#define IEEE80211_HE_MAC_CAP0_HTC_HE 0x01
#define IEEE80211_HE_MAC_CAP0_TWT_REQ 0x02
@@ -3561,13 +3353,6 @@ enum ieee80211_spectrum_mgmt_actioncode {
WLAN_ACTION_SPCT_CHL_SWITCH = 4,
};
-/* VHT action codes */
-enum ieee80211_vht_actioncode {
- WLAN_VHT_ACTION_COMPRESSED_BF = 0,
- WLAN_VHT_ACTION_GROUPID_MGMT = 1,
- WLAN_VHT_ACTION_OPMODE_NOTIF = 2,
-};
-
/* Self Protected Action codes */
enum ieee80211_self_protected_actioncode {
WLAN_SP_RESERVED = 0,
@@ -5619,6 +5404,7 @@ static inline u32 ieee80211_eml_trans_timeout_in_us(u16 eml_cap)
#define NAN_DEV_CAPA_S3_SUPPORTED 0x10
#include "ieee80211-ht.h"
+#include "ieee80211-vht.h"
#include "ieee80211-mesh.h"
#endif /* LINUX_IEEE80211_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 060/957] wifi: ieee80211: split HE definitions out
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 059/957] wifi: ieee80211: split VHT " Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 061/957] wifi: ieee80211: split EHT " Greg Kroah-Hartman
` (902 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 02a2cf302557eb59794bba0b05d6755f44928d78 ]
The ieee80211.h file has gotten very long, continue splitting
it by putting HE definitions into a separate file.
Link: https://patch.msgid.link/20251105153843.6998c0802104.I3dd7cfea6abbd118b999ecdedd48437d39cb0533@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb0caadb64ca ("wifi: ieee80211: fix definition of EHT-MCS 15 in MRU")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211-he.h | 824 +++++++++++++++++++++++++++++++++++
include/linux/ieee80211.h | 806 +---------------------------------
2 files changed, 827 insertions(+), 803 deletions(-)
create mode 100644 include/linux/ieee80211-he.h
diff --git a/include/linux/ieee80211-he.h b/include/linux/ieee80211-he.h
new file mode 100644
index 0000000000000..904d50db5bb80
--- /dev/null
+++ b/include/linux/ieee80211-he.h
@@ -0,0 +1,824 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * IEEE 802.11 HE definitions
+ *
+ * Copyright (c) 2001-2002, SSH Communications Security Corp and Jouni Malinen
+ * <jkmaline@cc.hut.fi>
+ * Copyright (c) 2002-2003, Jouni Malinen <jkmaline@cc.hut.fi>
+ * Copyright (c) 2005, Devicescape Software, Inc.
+ * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
+ * Copyright (c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright (c) 2016 - 2017 Intel Deutschland GmbH
+ * Copyright (c) 2018 - 2025 Intel Corporation
+ */
+
+#ifndef LINUX_IEEE80211_HE_H
+#define LINUX_IEEE80211_HE_H
+
+#include <linux/types.h>
+#include <linux/if_ether.h>
+
+#define IEEE80211_TWT_CONTROL_NDP BIT(0)
+#define IEEE80211_TWT_CONTROL_RESP_MODE BIT(1)
+#define IEEE80211_TWT_CONTROL_NEG_TYPE_BROADCAST BIT(3)
+#define IEEE80211_TWT_CONTROL_RX_DISABLED BIT(4)
+#define IEEE80211_TWT_CONTROL_WAKE_DUR_UNIT BIT(5)
+
+#define IEEE80211_TWT_REQTYPE_REQUEST BIT(0)
+#define IEEE80211_TWT_REQTYPE_SETUP_CMD GENMASK(3, 1)
+#define IEEE80211_TWT_REQTYPE_TRIGGER BIT(4)
+#define IEEE80211_TWT_REQTYPE_IMPLICIT BIT(5)
+#define IEEE80211_TWT_REQTYPE_FLOWTYPE BIT(6)
+#define IEEE80211_TWT_REQTYPE_FLOWID GENMASK(9, 7)
+#define IEEE80211_TWT_REQTYPE_WAKE_INT_EXP GENMASK(14, 10)
+#define IEEE80211_TWT_REQTYPE_PROTECTION BIT(15)
+
+enum ieee80211_twt_setup_cmd {
+ TWT_SETUP_CMD_REQUEST,
+ TWT_SETUP_CMD_SUGGEST,
+ TWT_SETUP_CMD_DEMAND,
+ TWT_SETUP_CMD_GROUPING,
+ TWT_SETUP_CMD_ACCEPT,
+ TWT_SETUP_CMD_ALTERNATE,
+ TWT_SETUP_CMD_DICTATE,
+ TWT_SETUP_CMD_REJECT,
+};
+
+struct ieee80211_twt_params {
+ __le16 req_type;
+ __le64 twt;
+ u8 min_twt_dur;
+ __le16 mantissa;
+ u8 channel;
+} __packed;
+
+struct ieee80211_twt_setup {
+ u8 dialog_token;
+ u8 element_id;
+ u8 length;
+ u8 control;
+ u8 params[];
+} __packed;
+
+/**
+ * struct ieee80211_he_cap_elem - HE capabilities element
+ * @mac_cap_info: HE MAC Capabilities Information
+ * @phy_cap_info: HE PHY Capabilities Information
+ *
+ * This structure represents the fixed fields of the payload of the
+ * "HE capabilities element" as described in IEEE Std 802.11ax-2021
+ * sections 9.4.2.248.2 and 9.4.2.248.3.
+ */
+struct ieee80211_he_cap_elem {
+ u8 mac_cap_info[6];
+ u8 phy_cap_info[11];
+} __packed;
+
+#define IEEE80211_TX_RX_MCS_NSS_DESC_MAX_LEN 5
+
+/**
+ * enum ieee80211_he_mcs_support - HE MCS support definitions
+ * @IEEE80211_HE_MCS_SUPPORT_0_7: MCSes 0-7 are supported for the
+ * number of streams
+ * @IEEE80211_HE_MCS_SUPPORT_0_9: MCSes 0-9 are supported
+ * @IEEE80211_HE_MCS_SUPPORT_0_11: MCSes 0-11 are supported
+ * @IEEE80211_HE_MCS_NOT_SUPPORTED: This number of streams isn't supported
+ *
+ * These definitions are used in each 2-bit subfield of the rx_mcs_*
+ * and tx_mcs_* fields of &struct ieee80211_he_mcs_nss_supp, which are
+ * both split into 8 subfields by number of streams. These values indicate
+ * which MCSes are supported for the number of streams the value appears
+ * for.
+ */
+enum ieee80211_he_mcs_support {
+ IEEE80211_HE_MCS_SUPPORT_0_7 = 0,
+ IEEE80211_HE_MCS_SUPPORT_0_9 = 1,
+ IEEE80211_HE_MCS_SUPPORT_0_11 = 2,
+ IEEE80211_HE_MCS_NOT_SUPPORTED = 3,
+};
+
+/**
+ * struct ieee80211_he_mcs_nss_supp - HE Tx/Rx HE MCS NSS Support Field
+ *
+ * This structure holds the data required for the Tx/Rx HE MCS NSS Support Field
+ * described in P802.11ax_D2.0 section 9.4.2.237.4
+ *
+ * @rx_mcs_80: Rx MCS map 2 bits for each stream, total 8 streams, for channel
+ * widths less than 80MHz.
+ * @tx_mcs_80: Tx MCS map 2 bits for each stream, total 8 streams, for channel
+ * widths less than 80MHz.
+ * @rx_mcs_160: Rx MCS map 2 bits for each stream, total 8 streams, for channel
+ * width 160MHz.
+ * @tx_mcs_160: Tx MCS map 2 bits for each stream, total 8 streams, for channel
+ * width 160MHz.
+ * @rx_mcs_80p80: Rx MCS map 2 bits for each stream, total 8 streams, for
+ * channel width 80p80MHz.
+ * @tx_mcs_80p80: Tx MCS map 2 bits for each stream, total 8 streams, for
+ * channel width 80p80MHz.
+ */
+struct ieee80211_he_mcs_nss_supp {
+ __le16 rx_mcs_80;
+ __le16 tx_mcs_80;
+ __le16 rx_mcs_160;
+ __le16 tx_mcs_160;
+ __le16 rx_mcs_80p80;
+ __le16 tx_mcs_80p80;
+} __packed;
+
+/**
+ * struct ieee80211_he_operation - HE Operation element
+ * @he_oper_params: HE Operation Parameters + BSS Color Information
+ * @he_mcs_nss_set: Basic HE-MCS And NSS Set
+ * @optional: Optional fields VHT Operation Information, Max Co-Hosted
+ * BSSID Indicator, and 6 GHz Operation Information
+ *
+ * This structure represents the payload of the "HE Operation
+ * element" as described in IEEE Std 802.11ax-2021 section 9.4.2.249.
+ */
+struct ieee80211_he_operation {
+ __le32 he_oper_params;
+ __le16 he_mcs_nss_set;
+ u8 optional[];
+} __packed;
+
+/**
+ * struct ieee80211_he_spr - Spatial Reuse Parameter Set element
+ * @he_sr_control: SR Control
+ * @optional: Optional fields Non-SRG OBSS PD Max Offset, SRG OBSS PD
+ * Min Offset, SRG OBSS PD Max Offset, SRG BSS Color
+ * Bitmap, and SRG Partial BSSID Bitmap
+ *
+ * This structure represents the payload of the "Spatial Reuse
+ * Parameter Set element" as described in IEEE Std 802.11ax-2021
+ * section 9.4.2.252.
+ */
+struct ieee80211_he_spr {
+ u8 he_sr_control;
+ u8 optional[];
+} __packed;
+
+/**
+ * struct ieee80211_he_mu_edca_param_ac_rec - MU AC Parameter Record field
+ * @aifsn: ACI/AIFSN
+ * @ecw_min_max: ECWmin/ECWmax
+ * @mu_edca_timer: MU EDCA Timer
+ *
+ * This structure represents the "MU AC Parameter Record" as described
+ * in IEEE Std 802.11ax-2021 section 9.4.2.251, Figure 9-788p.
+ */
+struct ieee80211_he_mu_edca_param_ac_rec {
+ u8 aifsn;
+ u8 ecw_min_max;
+ u8 mu_edca_timer;
+} __packed;
+
+/**
+ * struct ieee80211_mu_edca_param_set - MU EDCA Parameter Set element
+ * @mu_qos_info: QoS Info
+ * @ac_be: MU AC_BE Parameter Record
+ * @ac_bk: MU AC_BK Parameter Record
+ * @ac_vi: MU AC_VI Parameter Record
+ * @ac_vo: MU AC_VO Parameter Record
+ *
+ * This structure represents the payload of the "MU EDCA Parameter Set
+ * element" as described in IEEE Std 802.11ax-2021 section 9.4.2.251.
+ */
+struct ieee80211_mu_edca_param_set {
+ u8 mu_qos_info;
+ struct ieee80211_he_mu_edca_param_ac_rec ac_be;
+ struct ieee80211_he_mu_edca_param_ac_rec ac_bk;
+ struct ieee80211_he_mu_edca_param_ac_rec ac_vi;
+ struct ieee80211_he_mu_edca_param_ac_rec ac_vo;
+} __packed;
+
+/* 802.11ax HE MAC capabilities */
+#define IEEE80211_HE_MAC_CAP0_HTC_HE 0x01
+#define IEEE80211_HE_MAC_CAP0_TWT_REQ 0x02
+#define IEEE80211_HE_MAC_CAP0_TWT_RES 0x04
+#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_NOT_SUPP 0x00
+#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_LEVEL_1 0x08
+#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_LEVEL_2 0x10
+#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_LEVEL_3 0x18
+#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_MASK 0x18
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_1 0x00
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_2 0x20
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_4 0x40
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_8 0x60
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_16 0x80
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_32 0xa0
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_64 0xc0
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_UNLIMITED 0xe0
+#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_MASK 0xe0
+
+#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_UNLIMITED 0x00
+#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_128 0x01
+#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_256 0x02
+#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_512 0x03
+#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_MASK 0x03
+#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_0US 0x00
+#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_8US 0x04
+#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_16US 0x08
+#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_MASK 0x0c
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_1 0x00
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_2 0x10
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_3 0x20
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_4 0x30
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_5 0x40
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_6 0x50
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_7 0x60
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_8 0x70
+#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_MASK 0x70
+
+/* Link adaptation is split between byte HE_MAC_CAP1 and
+ * HE_MAC_CAP2. It should be set only if IEEE80211_HE_MAC_CAP0_HTC_HE
+ * in which case the following values apply:
+ * 0 = No feedback.
+ * 1 = reserved.
+ * 2 = Unsolicited feedback.
+ * 3 = both
+ */
+#define IEEE80211_HE_MAC_CAP1_LINK_ADAPTATION 0x80
+
+#define IEEE80211_HE_MAC_CAP2_LINK_ADAPTATION 0x01
+#define IEEE80211_HE_MAC_CAP2_ALL_ACK 0x02
+#define IEEE80211_HE_MAC_CAP2_TRS 0x04
+#define IEEE80211_HE_MAC_CAP2_BSR 0x08
+#define IEEE80211_HE_MAC_CAP2_BCAST_TWT 0x10
+#define IEEE80211_HE_MAC_CAP2_32BIT_BA_BITMAP 0x20
+#define IEEE80211_HE_MAC_CAP2_MU_CASCADING 0x40
+#define IEEE80211_HE_MAC_CAP2_ACK_EN 0x80
+
+#define IEEE80211_HE_MAC_CAP3_OMI_CONTROL 0x02
+#define IEEE80211_HE_MAC_CAP3_OFDMA_RA 0x04
+
+/* The maximum length of an A-MDPU is defined by the combination of the Maximum
+ * A-MDPU Length Exponent field in the HT capabilities, VHT capabilities and the
+ * same field in the HE capabilities.
+ */
+#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_0 0x00
+#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_1 0x08
+#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_2 0x10
+#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_3 0x18
+#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK 0x18
+#define IEEE80211_HE_MAC_CAP3_AMSDU_FRAG 0x20
+#define IEEE80211_HE_MAC_CAP3_FLEX_TWT_SCHED 0x40
+#define IEEE80211_HE_MAC_CAP3_RX_CTRL_FRAME_TO_MULTIBSS 0x80
+
+#define IEEE80211_HE_MAC_CAP4_BSRP_BQRP_A_MPDU_AGG 0x01
+#define IEEE80211_HE_MAC_CAP4_QTP 0x02
+#define IEEE80211_HE_MAC_CAP4_BQR 0x04
+#define IEEE80211_HE_MAC_CAP4_PSR_RESP 0x08
+#define IEEE80211_HE_MAC_CAP4_NDP_FB_REP 0x10
+#define IEEE80211_HE_MAC_CAP4_OPS 0x20
+#define IEEE80211_HE_MAC_CAP4_AMSDU_IN_AMPDU 0x40
+/* Multi TID agg TX is split between byte #4 and #5
+ * The value is a combination of B39,B40,B41
+ */
+#define IEEE80211_HE_MAC_CAP4_MULTI_TID_AGG_TX_QOS_B39 0x80
+
+#define IEEE80211_HE_MAC_CAP5_MULTI_TID_AGG_TX_QOS_B40 0x01
+#define IEEE80211_HE_MAC_CAP5_MULTI_TID_AGG_TX_QOS_B41 0x02
+#define IEEE80211_HE_MAC_CAP5_SUBCHAN_SELECTIVE_TRANSMISSION 0x04
+#define IEEE80211_HE_MAC_CAP5_UL_2x996_TONE_RU 0x08
+#define IEEE80211_HE_MAC_CAP5_OM_CTRL_UL_MU_DATA_DIS_RX 0x10
+#define IEEE80211_HE_MAC_CAP5_HE_DYNAMIC_SM_PS 0x20
+#define IEEE80211_HE_MAC_CAP5_PUNCTURED_SOUNDING 0x40
+#define IEEE80211_HE_MAC_CAP5_HT_VHT_TRIG_FRAME_RX 0x80
+
+#define IEEE80211_HE_VHT_MAX_AMPDU_FACTOR 20
+#define IEEE80211_HE_HT_MAX_AMPDU_FACTOR 16
+#define IEEE80211_HE_6GHZ_MAX_AMPDU_FACTOR 13
+
+/* 802.11ax HE PHY capabilities */
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G 0x02
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G 0x04
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G 0x08
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G 0x10
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL 0x1e
+
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_RU_MAPPING_IN_2G 0x20
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_RU_MAPPING_IN_5G 0x40
+#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK 0xfe
+
+#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_80MHZ_ONLY_SECOND_20MHZ 0x01
+#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_80MHZ_ONLY_SECOND_40MHZ 0x02
+#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_160MHZ_ONLY_SECOND_20MHZ 0x04
+#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_160MHZ_ONLY_SECOND_40MHZ 0x08
+#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_MASK 0x0f
+#define IEEE80211_HE_PHY_CAP1_DEVICE_CLASS_A 0x10
+#define IEEE80211_HE_PHY_CAP1_LDPC_CODING_IN_PAYLOAD 0x20
+#define IEEE80211_HE_PHY_CAP1_HE_LTF_AND_GI_FOR_HE_PPDUS_0_8US 0x40
+/* Midamble RX/TX Max NSTS is split between byte #2 and byte #3 */
+#define IEEE80211_HE_PHY_CAP1_MIDAMBLE_RX_TX_MAX_NSTS 0x80
+
+#define IEEE80211_HE_PHY_CAP2_MIDAMBLE_RX_TX_MAX_NSTS 0x01
+#define IEEE80211_HE_PHY_CAP2_NDP_4x_LTF_AND_3_2US 0x02
+#define IEEE80211_HE_PHY_CAP2_STBC_TX_UNDER_80MHZ 0x04
+#define IEEE80211_HE_PHY_CAP2_STBC_RX_UNDER_80MHZ 0x08
+#define IEEE80211_HE_PHY_CAP2_DOPPLER_TX 0x10
+#define IEEE80211_HE_PHY_CAP2_DOPPLER_RX 0x20
+
+/* Note that the meaning of UL MU below is different between an AP and a non-AP
+ * sta, where in the AP case it indicates support for Rx and in the non-AP sta
+ * case it indicates support for Tx.
+ */
+#define IEEE80211_HE_PHY_CAP2_UL_MU_FULL_MU_MIMO 0x40
+#define IEEE80211_HE_PHY_CAP2_UL_MU_PARTIAL_MU_MIMO 0x80
+
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_NO_DCM 0x00
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_BPSK 0x01
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_QPSK 0x02
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_16_QAM 0x03
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_MASK 0x03
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_TX_NSS_1 0x00
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_TX_NSS_2 0x04
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_NO_DCM 0x00
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_BPSK 0x08
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_QPSK 0x10
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_16_QAM 0x18
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_MASK 0x18
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_RX_NSS_1 0x00
+#define IEEE80211_HE_PHY_CAP3_DCM_MAX_RX_NSS_2 0x20
+#define IEEE80211_HE_PHY_CAP3_RX_PARTIAL_BW_SU_IN_20MHZ_MU 0x40
+#define IEEE80211_HE_PHY_CAP3_SU_BEAMFORMER 0x80
+
+#define IEEE80211_HE_PHY_CAP4_SU_BEAMFORMEE 0x01
+#define IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER 0x02
+
+/* Minimal allowed value of Max STS under 80MHz is 3 */
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_4 0x0c
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_5 0x10
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_6 0x14
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_7 0x18
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_8 0x1c
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_MASK 0x1c
+
+/* Minimal allowed value of Max STS above 80MHz is 3 */
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_4 0x60
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_5 0x80
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_6 0xa0
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_7 0xc0
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_8 0xe0
+#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_MASK 0xe0
+
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_1 0x00
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_2 0x01
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_3 0x02
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_4 0x03
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_5 0x04
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_6 0x05
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_7 0x06
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_8 0x07
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK 0x07
+
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_1 0x00
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_2 0x08
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_3 0x10
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_4 0x18
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_5 0x20
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_6 0x28
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_7 0x30
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_8 0x38
+#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_MASK 0x38
+
+#define IEEE80211_HE_PHY_CAP5_NG16_SU_FEEDBACK 0x40
+#define IEEE80211_HE_PHY_CAP5_NG16_MU_FEEDBACK 0x80
+
+#define IEEE80211_HE_PHY_CAP6_CODEBOOK_SIZE_42_SU 0x01
+#define IEEE80211_HE_PHY_CAP6_CODEBOOK_SIZE_75_MU 0x02
+#define IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMING_FB 0x04
+#define IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB 0x08
+#define IEEE80211_HE_PHY_CAP6_TRIG_CQI_FB 0x10
+#define IEEE80211_HE_PHY_CAP6_PARTIAL_BW_EXT_RANGE 0x20
+#define IEEE80211_HE_PHY_CAP6_PARTIAL_BANDWIDTH_DL_MUMIMO 0x40
+#define IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT 0x80
+
+#define IEEE80211_HE_PHY_CAP7_PSR_BASED_SR 0x01
+#define IEEE80211_HE_PHY_CAP7_POWER_BOOST_FACTOR_SUPP 0x02
+#define IEEE80211_HE_PHY_CAP7_HE_SU_MU_PPDU_4XLTF_AND_08_US_GI 0x04
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_1 0x08
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_2 0x10
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_3 0x18
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_4 0x20
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_5 0x28
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_6 0x30
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_7 0x38
+#define IEEE80211_HE_PHY_CAP7_MAX_NC_MASK 0x38
+#define IEEE80211_HE_PHY_CAP7_STBC_TX_ABOVE_80MHZ 0x40
+#define IEEE80211_HE_PHY_CAP7_STBC_RX_ABOVE_80MHZ 0x80
+
+#define IEEE80211_HE_PHY_CAP8_HE_ER_SU_PPDU_4XLTF_AND_08_US_GI 0x01
+#define IEEE80211_HE_PHY_CAP8_20MHZ_IN_40MHZ_HE_PPDU_IN_2G 0x02
+#define IEEE80211_HE_PHY_CAP8_20MHZ_IN_160MHZ_HE_PPDU 0x04
+#define IEEE80211_HE_PHY_CAP8_80MHZ_IN_160MHZ_HE_PPDU 0x08
+#define IEEE80211_HE_PHY_CAP8_HE_ER_SU_1XLTF_AND_08_US_GI 0x10
+#define IEEE80211_HE_PHY_CAP8_MIDAMBLE_RX_TX_2X_AND_1XLTF 0x20
+#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_242 0x00
+#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_484 0x40
+#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_996 0x80
+#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_2x996 0xc0
+#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_MASK 0xc0
+
+#define IEEE80211_HE_PHY_CAP9_LONGER_THAN_16_SIGB_OFDM_SYM 0x01
+#define IEEE80211_HE_PHY_CAP9_NON_TRIGGERED_CQI_FEEDBACK 0x02
+#define IEEE80211_HE_PHY_CAP9_TX_1024_QAM_LESS_THAN_242_TONE_RU 0x04
+#define IEEE80211_HE_PHY_CAP9_RX_1024_QAM_LESS_THAN_242_TONE_RU 0x08
+#define IEEE80211_HE_PHY_CAP9_RX_FULL_BW_SU_USING_MU_WITH_COMP_SIGB 0x10
+#define IEEE80211_HE_PHY_CAP9_RX_FULL_BW_SU_USING_MU_WITH_NON_COMP_SIGB 0x20
+#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_0US 0x0
+#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_8US 0x1
+#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_16US 0x2
+#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_RESERVED 0x3
+#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_POS 6
+#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_MASK 0xc0
+
+#define IEEE80211_HE_PHY_CAP10_HE_MU_M1RU_MAX_LTF 0x01
+
+/* 802.11ax HE TX/RX MCS NSS Support */
+#define IEEE80211_TX_RX_MCS_NSS_SUPP_HIGHEST_MCS_POS (3)
+#define IEEE80211_TX_RX_MCS_NSS_SUPP_TX_BITMAP_POS (6)
+#define IEEE80211_TX_RX_MCS_NSS_SUPP_RX_BITMAP_POS (11)
+#define IEEE80211_TX_RX_MCS_NSS_SUPP_TX_BITMAP_MASK 0x07c0
+#define IEEE80211_TX_RX_MCS_NSS_SUPP_RX_BITMAP_MASK 0xf800
+
+/* TX/RX HE MCS Support field Highest MCS subfield encoding */
+enum ieee80211_he_highest_mcs_supported_subfield_enc {
+ HIGHEST_MCS_SUPPORTED_MCS7 = 0,
+ HIGHEST_MCS_SUPPORTED_MCS8,
+ HIGHEST_MCS_SUPPORTED_MCS9,
+ HIGHEST_MCS_SUPPORTED_MCS10,
+ HIGHEST_MCS_SUPPORTED_MCS11,
+};
+
+/* Calculate 802.11ax HE capabilities IE Tx/Rx HE MCS NSS Support Field size */
+static inline u8
+ieee80211_he_mcs_nss_size(const struct ieee80211_he_cap_elem *he_cap)
+{
+ u8 count = 4;
+
+ if (he_cap->phy_cap_info[0] &
+ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
+ count += 4;
+
+ if (he_cap->phy_cap_info[0] &
+ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)
+ count += 4;
+
+ return count;
+}
+
+/* 802.11ax HE PPE Thresholds */
+#define IEEE80211_PPE_THRES_NSS_SUPPORT_2NSS (1)
+#define IEEE80211_PPE_THRES_NSS_POS (0)
+#define IEEE80211_PPE_THRES_NSS_MASK (7)
+#define IEEE80211_PPE_THRES_RU_INDEX_BITMASK_2x966_AND_966_RU \
+ (BIT(5) | BIT(6))
+#define IEEE80211_PPE_THRES_RU_INDEX_BITMASK_MASK 0x78
+#define IEEE80211_PPE_THRES_RU_INDEX_BITMASK_POS (3)
+#define IEEE80211_PPE_THRES_INFO_PPET_SIZE (3)
+#define IEEE80211_HE_PPE_THRES_INFO_HEADER_SIZE (7)
+
+/*
+ * Calculate 802.11ax HE capabilities IE PPE field size
+ * Input: Header byte of ppe_thres (first byte), and HE capa IE's PHY cap u8*
+ */
+static inline u8
+ieee80211_he_ppe_size(u8 ppe_thres_hdr, const u8 *phy_cap_info)
+{
+ u8 n;
+
+ if ((phy_cap_info[6] &
+ IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT) == 0)
+ return 0;
+
+ n = hweight8(ppe_thres_hdr &
+ IEEE80211_PPE_THRES_RU_INDEX_BITMASK_MASK);
+ n *= (1 + ((ppe_thres_hdr & IEEE80211_PPE_THRES_NSS_MASK) >>
+ IEEE80211_PPE_THRES_NSS_POS));
+
+ /*
+ * Each pair is 6 bits, and we need to add the 7 "header" bits to the
+ * total size.
+ */
+ n = (n * IEEE80211_PPE_THRES_INFO_PPET_SIZE * 2) + 7;
+ n = DIV_ROUND_UP(n, 8);
+
+ return n;
+}
+
+static inline bool ieee80211_he_capa_size_ok(const u8 *data, u8 len)
+{
+ const struct ieee80211_he_cap_elem *he_cap_ie_elem = (const void *)data;
+ u8 needed = sizeof(*he_cap_ie_elem);
+
+ if (len < needed)
+ return false;
+
+ needed += ieee80211_he_mcs_nss_size(he_cap_ie_elem);
+ if (len < needed)
+ return false;
+
+ if (he_cap_ie_elem->phy_cap_info[6] &
+ IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT) {
+ if (len < needed + 1)
+ return false;
+ needed += ieee80211_he_ppe_size(data[needed],
+ he_cap_ie_elem->phy_cap_info);
+ }
+
+ return len >= needed;
+}
+
+/* HE Operation defines */
+#define IEEE80211_HE_OPERATION_DFLT_PE_DURATION_MASK 0x00000007
+#define IEEE80211_HE_OPERATION_TWT_REQUIRED 0x00000008
+#define IEEE80211_HE_OPERATION_RTS_THRESHOLD_MASK 0x00003ff0
+#define IEEE80211_HE_OPERATION_RTS_THRESHOLD_OFFSET 4
+#define IEEE80211_HE_OPERATION_VHT_OPER_INFO 0x00004000
+#define IEEE80211_HE_OPERATION_CO_HOSTED_BSS 0x00008000
+#define IEEE80211_HE_OPERATION_ER_SU_DISABLE 0x00010000
+#define IEEE80211_HE_OPERATION_6GHZ_OP_INFO 0x00020000
+#define IEEE80211_HE_OPERATION_BSS_COLOR_MASK 0x3f000000
+#define IEEE80211_HE_OPERATION_BSS_COLOR_OFFSET 24
+#define IEEE80211_HE_OPERATION_PARTIAL_BSS_COLOR 0x40000000
+#define IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED 0x80000000
+
+#define IEEE80211_6GHZ_CTRL_REG_LPI_AP 0
+#define IEEE80211_6GHZ_CTRL_REG_SP_AP 1
+#define IEEE80211_6GHZ_CTRL_REG_VLP_AP 2
+#define IEEE80211_6GHZ_CTRL_REG_INDOOR_LPI_AP 3
+#define IEEE80211_6GHZ_CTRL_REG_INDOOR_SP_AP_OLD 4
+#define IEEE80211_6GHZ_CTRL_REG_INDOOR_SP_AP 8
+
+/**
+ * struct ieee80211_he_6ghz_oper - HE 6 GHz operation Information field
+ * @primary: primary channel
+ * @control: control flags
+ * @ccfs0: channel center frequency segment 0
+ * @ccfs1: channel center frequency segment 1
+ * @minrate: minimum rate (in 1 Mbps units)
+ */
+struct ieee80211_he_6ghz_oper {
+ u8 primary;
+#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH 0x3
+#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_20MHZ 0
+#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_40MHZ 1
+#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_80MHZ 2
+#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_160MHZ 3
+#define IEEE80211_HE_6GHZ_OPER_CTRL_DUP_BEACON 0x4
+#define IEEE80211_HE_6GHZ_OPER_CTRL_REG_INFO 0x78
+ u8 control;
+ u8 ccfs0;
+ u8 ccfs1;
+ u8 minrate;
+} __packed;
+
+/**
+ * enum ieee80211_reg_conn_bits - represents Regulatory connectivity field bits.
+ *
+ * This enumeration defines bit flags used to represent regulatory connectivity
+ * field bits.
+ *
+ * @IEEE80211_REG_CONN_LPI_VALID: Indicates whether the LPI bit is valid.
+ * @IEEE80211_REG_CONN_LPI_VALUE: Represents the value of the LPI bit.
+ * @IEEE80211_REG_CONN_SP_VALID: Indicates whether the SP bit is valid.
+ * @IEEE80211_REG_CONN_SP_VALUE: Represents the value of the SP bit.
+ */
+enum ieee80211_reg_conn_bits {
+ IEEE80211_REG_CONN_LPI_VALID = BIT(0),
+ IEEE80211_REG_CONN_LPI_VALUE = BIT(1),
+ IEEE80211_REG_CONN_SP_VALID = BIT(2),
+ IEEE80211_REG_CONN_SP_VALUE = BIT(3),
+};
+
+/* transmit power interpretation type of transmit power envelope element */
+enum ieee80211_tx_power_intrpt_type {
+ IEEE80211_TPE_LOCAL_EIRP,
+ IEEE80211_TPE_LOCAL_EIRP_PSD,
+ IEEE80211_TPE_REG_CLIENT_EIRP,
+ IEEE80211_TPE_REG_CLIENT_EIRP_PSD,
+};
+
+/* category type of transmit power envelope element */
+enum ieee80211_tx_power_category_6ghz {
+ IEEE80211_TPE_CAT_6GHZ_DEFAULT = 0,
+ IEEE80211_TPE_CAT_6GHZ_SUBORDINATE = 1,
+};
+
+/*
+ * For IEEE80211_TPE_LOCAL_EIRP / IEEE80211_TPE_REG_CLIENT_EIRP,
+ * setting to 63.5 dBm means no constraint.
+ */
+#define IEEE80211_TPE_MAX_TX_PWR_NO_CONSTRAINT 127
+
+/*
+ * For IEEE80211_TPE_LOCAL_EIRP_PSD / IEEE80211_TPE_REG_CLIENT_EIRP_PSD,
+ * setting to 127 indicates no PSD limit for the 20 MHz channel.
+ */
+#define IEEE80211_TPE_PSD_NO_LIMIT 127
+
+/**
+ * struct ieee80211_tx_pwr_env - Transmit Power Envelope
+ * @info: Transmit Power Information field
+ * @variable: Maximum Transmit Power field
+ *
+ * This structure represents the payload of the "Transmit Power
+ * Envelope element" as described in IEEE Std 802.11ax-2021 section
+ * 9.4.2.161
+ */
+struct ieee80211_tx_pwr_env {
+ u8 info;
+ u8 variable[];
+} __packed;
+
+#define IEEE80211_TX_PWR_ENV_INFO_COUNT 0x7
+#define IEEE80211_TX_PWR_ENV_INFO_INTERPRET 0x38
+#define IEEE80211_TX_PWR_ENV_INFO_CATEGORY 0xC0
+
+#define IEEE80211_TX_PWR_ENV_EXT_COUNT 0xF
+
+static inline bool ieee80211_valid_tpe_element(const u8 *data, u8 len)
+{
+ const struct ieee80211_tx_pwr_env *env = (const void *)data;
+ u8 count, interpret, category;
+ u8 needed = sizeof(*env);
+ u8 N; /* also called N in the spec */
+
+ if (len < needed)
+ return false;
+
+ count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
+ interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
+ category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
+
+ switch (category) {
+ case IEEE80211_TPE_CAT_6GHZ_DEFAULT:
+ case IEEE80211_TPE_CAT_6GHZ_SUBORDINATE:
+ break;
+ default:
+ return false;
+ }
+
+ switch (interpret) {
+ case IEEE80211_TPE_LOCAL_EIRP:
+ case IEEE80211_TPE_REG_CLIENT_EIRP:
+ if (count > 3)
+ return false;
+
+ /* count == 0 encodes 1 value for 20 MHz, etc. */
+ needed += count + 1;
+
+ if (len < needed)
+ return false;
+
+ /* there can be extension fields not accounted for in 'count' */
+
+ return true;
+ case IEEE80211_TPE_LOCAL_EIRP_PSD:
+ case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
+ if (count > 4)
+ return false;
+
+ N = count ? 1 << (count - 1) : 1;
+ needed += N;
+
+ if (len < needed)
+ return false;
+
+ if (len > needed) {
+ u8 K = u8_get_bits(env->variable[N],
+ IEEE80211_TX_PWR_ENV_EXT_COUNT);
+
+ needed += 1 + K;
+ if (len < needed)
+ return false;
+ }
+
+ return true;
+ }
+
+ return false;
+}
+
+/*
+ * ieee80211_he_oper_size - calculate 802.11ax HE Operations IE size
+ * @he_oper_ie: byte data of the He Operations IE, stating from the byte
+ * after the ext ID byte. It is assumed that he_oper_ie has at least
+ * sizeof(struct ieee80211_he_operation) bytes, the caller must have
+ * validated this.
+ * @return the actual size of the IE data (not including header), or 0 on error
+ */
+static inline u8
+ieee80211_he_oper_size(const u8 *he_oper_ie)
+{
+ const struct ieee80211_he_operation *he_oper = (const void *)he_oper_ie;
+ u8 oper_len = sizeof(struct ieee80211_he_operation);
+ u32 he_oper_params;
+
+ /* Make sure the input is not NULL */
+ if (!he_oper_ie)
+ return 0;
+
+ /* Calc required length */
+ he_oper_params = le32_to_cpu(he_oper->he_oper_params);
+ if (he_oper_params & IEEE80211_HE_OPERATION_VHT_OPER_INFO)
+ oper_len += 3;
+ if (he_oper_params & IEEE80211_HE_OPERATION_CO_HOSTED_BSS)
+ oper_len++;
+ if (he_oper_params & IEEE80211_HE_OPERATION_6GHZ_OP_INFO)
+ oper_len += sizeof(struct ieee80211_he_6ghz_oper);
+
+ /* Add the first byte (extension ID) to the total length */
+ oper_len++;
+
+ return oper_len;
+}
+
+/**
+ * ieee80211_he_6ghz_oper - obtain 6 GHz operation field
+ * @he_oper: HE operation element (must be pre-validated for size)
+ * but may be %NULL
+ *
+ * Return: a pointer to the 6 GHz operation field, or %NULL
+ */
+static inline const struct ieee80211_he_6ghz_oper *
+ieee80211_he_6ghz_oper(const struct ieee80211_he_operation *he_oper)
+{
+ const u8 *ret;
+ u32 he_oper_params;
+
+ if (!he_oper)
+ return NULL;
+
+ ret = (const void *)&he_oper->optional;
+
+ he_oper_params = le32_to_cpu(he_oper->he_oper_params);
+
+ if (!(he_oper_params & IEEE80211_HE_OPERATION_6GHZ_OP_INFO))
+ return NULL;
+ if (he_oper_params & IEEE80211_HE_OPERATION_VHT_OPER_INFO)
+ ret += 3;
+ if (he_oper_params & IEEE80211_HE_OPERATION_CO_HOSTED_BSS)
+ ret++;
+
+ return (const void *)ret;
+}
+
+/* HE Spatial Reuse defines */
+#define IEEE80211_HE_SPR_PSR_DISALLOWED BIT(0)
+#define IEEE80211_HE_SPR_NON_SRG_OBSS_PD_SR_DISALLOWED BIT(1)
+#define IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT BIT(2)
+#define IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT BIT(3)
+#define IEEE80211_HE_SPR_HESIGA_SR_VAL15_ALLOWED BIT(4)
+
+/*
+ * ieee80211_he_spr_size - calculate 802.11ax HE Spatial Reuse IE size
+ * @he_spr_ie: byte data of the He Spatial Reuse IE, stating from the byte
+ * after the ext ID byte. It is assumed that he_spr_ie has at least
+ * sizeof(struct ieee80211_he_spr) bytes, the caller must have validated
+ * this
+ * @return the actual size of the IE data (not including header), or 0 on error
+ */
+static inline u8
+ieee80211_he_spr_size(const u8 *he_spr_ie)
+{
+ const struct ieee80211_he_spr *he_spr = (const void *)he_spr_ie;
+ u8 spr_len = sizeof(struct ieee80211_he_spr);
+ u8 he_spr_params;
+
+ /* Make sure the input is not NULL */
+ if (!he_spr_ie)
+ return 0;
+
+ /* Calc required length */
+ he_spr_params = he_spr->he_sr_control;
+ if (he_spr_params & IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
+ spr_len++;
+ if (he_spr_params & IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT)
+ spr_len += 18;
+
+ /* Add the first byte (extension ID) to the total length */
+ spr_len++;
+
+ return spr_len;
+}
+
+struct ieee80211_he_6ghz_capa {
+ /* uses IEEE80211_HE_6GHZ_CAP_* below */
+ __le16 capa;
+} __packed;
+
+/* HE 6 GHz band capabilities */
+/* uses enum ieee80211_min_mpdu_spacing values */
+#define IEEE80211_HE_6GHZ_CAP_MIN_MPDU_START 0x0007
+/* uses enum ieee80211_vht_max_ampdu_length_exp values */
+#define IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP 0x0038
+/* uses IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_* values */
+#define IEEE80211_HE_6GHZ_CAP_MAX_MPDU_LEN 0x00c0
+/* WLAN_HT_CAP_SM_PS_* values */
+#define IEEE80211_HE_6GHZ_CAP_SM_PS 0x0600
+#define IEEE80211_HE_6GHZ_CAP_RD_RESPONDER 0x0800
+#define IEEE80211_HE_6GHZ_CAP_RX_ANTPAT_CONS 0x1000
+#define IEEE80211_HE_6GHZ_CAP_TX_ANTPAT_CONS 0x2000
+
+#endif /* LINUX_IEEE80211_HE_H */
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index fb399b7833736..2f3d0412ca759 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1141,48 +1141,6 @@ ieee80211_s1g_optional_len(__le16 fc)
return len;
}
-#define IEEE80211_TWT_CONTROL_NDP BIT(0)
-#define IEEE80211_TWT_CONTROL_RESP_MODE BIT(1)
-#define IEEE80211_TWT_CONTROL_NEG_TYPE_BROADCAST BIT(3)
-#define IEEE80211_TWT_CONTROL_RX_DISABLED BIT(4)
-#define IEEE80211_TWT_CONTROL_WAKE_DUR_UNIT BIT(5)
-
-#define IEEE80211_TWT_REQTYPE_REQUEST BIT(0)
-#define IEEE80211_TWT_REQTYPE_SETUP_CMD GENMASK(3, 1)
-#define IEEE80211_TWT_REQTYPE_TRIGGER BIT(4)
-#define IEEE80211_TWT_REQTYPE_IMPLICIT BIT(5)
-#define IEEE80211_TWT_REQTYPE_FLOWTYPE BIT(6)
-#define IEEE80211_TWT_REQTYPE_FLOWID GENMASK(9, 7)
-#define IEEE80211_TWT_REQTYPE_WAKE_INT_EXP GENMASK(14, 10)
-#define IEEE80211_TWT_REQTYPE_PROTECTION BIT(15)
-
-enum ieee80211_twt_setup_cmd {
- TWT_SETUP_CMD_REQUEST,
- TWT_SETUP_CMD_SUGGEST,
- TWT_SETUP_CMD_DEMAND,
- TWT_SETUP_CMD_GROUPING,
- TWT_SETUP_CMD_ACCEPT,
- TWT_SETUP_CMD_ALTERNATE,
- TWT_SETUP_CMD_DICTATE,
- TWT_SETUP_CMD_REJECT,
-};
-
-struct ieee80211_twt_params {
- __le16 req_type;
- __le64 twt;
- u8 min_twt_dur;
- __le16 mantissa;
- u8 channel;
-} __packed;
-
-struct ieee80211_twt_setup {
- u8 dialog_token;
- u8 element_id;
- u8 length;
- u8 control;
- u8 params[];
-} __packed;
-
#define IEEE80211_TTLM_MAX_CNT 2
#define IEEE80211_TTLM_CONTROL_DIRECTION 0x03
#define IEEE80211_TTLM_CONTROL_DEF_LINK_MAP 0x04
@@ -1633,137 +1591,6 @@ struct ieee80211_p2p_noa_attr {
#define IEEE80211_P2P_OPPPS_ENABLE_BIT BIT(7)
#define IEEE80211_P2P_OPPPS_CTWINDOW_MASK 0x7F
-/**
- * struct ieee80211_he_cap_elem - HE capabilities element
- * @mac_cap_info: HE MAC Capabilities Information
- * @phy_cap_info: HE PHY Capabilities Information
- *
- * This structure represents the fixed fields of the payload of the
- * "HE capabilities element" as described in IEEE Std 802.11ax-2021
- * sections 9.4.2.248.2 and 9.4.2.248.3.
- */
-struct ieee80211_he_cap_elem {
- u8 mac_cap_info[6];
- u8 phy_cap_info[11];
-} __packed;
-
-#define IEEE80211_TX_RX_MCS_NSS_DESC_MAX_LEN 5
-
-/**
- * enum ieee80211_he_mcs_support - HE MCS support definitions
- * @IEEE80211_HE_MCS_SUPPORT_0_7: MCSes 0-7 are supported for the
- * number of streams
- * @IEEE80211_HE_MCS_SUPPORT_0_9: MCSes 0-9 are supported
- * @IEEE80211_HE_MCS_SUPPORT_0_11: MCSes 0-11 are supported
- * @IEEE80211_HE_MCS_NOT_SUPPORTED: This number of streams isn't supported
- *
- * These definitions are used in each 2-bit subfield of the rx_mcs_*
- * and tx_mcs_* fields of &struct ieee80211_he_mcs_nss_supp, which are
- * both split into 8 subfields by number of streams. These values indicate
- * which MCSes are supported for the number of streams the value appears
- * for.
- */
-enum ieee80211_he_mcs_support {
- IEEE80211_HE_MCS_SUPPORT_0_7 = 0,
- IEEE80211_HE_MCS_SUPPORT_0_9 = 1,
- IEEE80211_HE_MCS_SUPPORT_0_11 = 2,
- IEEE80211_HE_MCS_NOT_SUPPORTED = 3,
-};
-
-/**
- * struct ieee80211_he_mcs_nss_supp - HE Tx/Rx HE MCS NSS Support Field
- *
- * This structure holds the data required for the Tx/Rx HE MCS NSS Support Field
- * described in P802.11ax_D2.0 section 9.4.2.237.4
- *
- * @rx_mcs_80: Rx MCS map 2 bits for each stream, total 8 streams, for channel
- * widths less than 80MHz.
- * @tx_mcs_80: Tx MCS map 2 bits for each stream, total 8 streams, for channel
- * widths less than 80MHz.
- * @rx_mcs_160: Rx MCS map 2 bits for each stream, total 8 streams, for channel
- * width 160MHz.
- * @tx_mcs_160: Tx MCS map 2 bits for each stream, total 8 streams, for channel
- * width 160MHz.
- * @rx_mcs_80p80: Rx MCS map 2 bits for each stream, total 8 streams, for
- * channel width 80p80MHz.
- * @tx_mcs_80p80: Tx MCS map 2 bits for each stream, total 8 streams, for
- * channel width 80p80MHz.
- */
-struct ieee80211_he_mcs_nss_supp {
- __le16 rx_mcs_80;
- __le16 tx_mcs_80;
- __le16 rx_mcs_160;
- __le16 tx_mcs_160;
- __le16 rx_mcs_80p80;
- __le16 tx_mcs_80p80;
-} __packed;
-
-/**
- * struct ieee80211_he_operation - HE Operation element
- * @he_oper_params: HE Operation Parameters + BSS Color Information
- * @he_mcs_nss_set: Basic HE-MCS And NSS Set
- * @optional: Optional fields VHT Operation Information, Max Co-Hosted
- * BSSID Indicator, and 6 GHz Operation Information
- *
- * This structure represents the payload of the "HE Operation
- * element" as described in IEEE Std 802.11ax-2021 section 9.4.2.249.
- */
-struct ieee80211_he_operation {
- __le32 he_oper_params;
- __le16 he_mcs_nss_set;
- u8 optional[];
-} __packed;
-
-/**
- * struct ieee80211_he_spr - Spatial Reuse Parameter Set element
- * @he_sr_control: SR Control
- * @optional: Optional fields Non-SRG OBSS PD Max Offset, SRG OBSS PD
- * Min Offset, SRG OBSS PD Max Offset, SRG BSS Color
- * Bitmap, and SRG Partial BSSID Bitmap
- *
- * This structure represents the payload of the "Spatial Reuse
- * Parameter Set element" as described in IEEE Std 802.11ax-2021
- * section 9.4.2.252.
- */
-struct ieee80211_he_spr {
- u8 he_sr_control;
- u8 optional[];
-} __packed;
-
-/**
- * struct ieee80211_he_mu_edca_param_ac_rec - MU AC Parameter Record field
- * @aifsn: ACI/AIFSN
- * @ecw_min_max: ECWmin/ECWmax
- * @mu_edca_timer: MU EDCA Timer
- *
- * This structure represents the "MU AC Parameter Record" as described
- * in IEEE Std 802.11ax-2021 section 9.4.2.251, Figure 9-788p.
- */
-struct ieee80211_he_mu_edca_param_ac_rec {
- u8 aifsn;
- u8 ecw_min_max;
- u8 mu_edca_timer;
-} __packed;
-
-/**
- * struct ieee80211_mu_edca_param_set - MU EDCA Parameter Set element
- * @mu_qos_info: QoS Info
- * @ac_be: MU AC_BE Parameter Record
- * @ac_bk: MU AC_BK Parameter Record
- * @ac_vi: MU AC_VI Parameter Record
- * @ac_vo: MU AC_VO Parameter Record
- *
- * This structure represents the payload of the "MU EDCA Parameter Set
- * element" as described in IEEE Std 802.11ax-2021 section 9.4.2.251.
- */
-struct ieee80211_mu_edca_param_set {
- u8 mu_qos_info;
- struct ieee80211_he_mu_edca_param_ac_rec ac_be;
- struct ieee80211_he_mu_edca_param_ac_rec ac_bk;
- struct ieee80211_he_mu_edca_param_ac_rec ac_vi;
- struct ieee80211_he_mu_edca_param_ac_rec ac_vo;
-} __packed;
-
#define IEEE80211_EHT_MCS_NSS_RX 0x0f
#define IEEE80211_EHT_MCS_NSS_TX 0xf0
@@ -1902,618 +1729,6 @@ struct ieee80211_eht_operation_info {
u8 optional[];
} __packed;
-/* 802.11ax HE MAC capabilities */
-#define IEEE80211_HE_MAC_CAP0_HTC_HE 0x01
-#define IEEE80211_HE_MAC_CAP0_TWT_REQ 0x02
-#define IEEE80211_HE_MAC_CAP0_TWT_RES 0x04
-#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_NOT_SUPP 0x00
-#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_LEVEL_1 0x08
-#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_LEVEL_2 0x10
-#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_LEVEL_3 0x18
-#define IEEE80211_HE_MAC_CAP0_DYNAMIC_FRAG_MASK 0x18
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_1 0x00
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_2 0x20
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_4 0x40
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_8 0x60
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_16 0x80
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_32 0xa0
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_64 0xc0
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_UNLIMITED 0xe0
-#define IEEE80211_HE_MAC_CAP0_MAX_NUM_FRAG_MSDU_MASK 0xe0
-
-#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_UNLIMITED 0x00
-#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_128 0x01
-#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_256 0x02
-#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_512 0x03
-#define IEEE80211_HE_MAC_CAP1_MIN_FRAG_SIZE_MASK 0x03
-#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_0US 0x00
-#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_8US 0x04
-#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_16US 0x08
-#define IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_MASK 0x0c
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_1 0x00
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_2 0x10
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_3 0x20
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_4 0x30
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_5 0x40
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_6 0x50
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_7 0x60
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_8 0x70
-#define IEEE80211_HE_MAC_CAP1_MULTI_TID_AGG_RX_QOS_MASK 0x70
-
-/* Link adaptation is split between byte HE_MAC_CAP1 and
- * HE_MAC_CAP2. It should be set only if IEEE80211_HE_MAC_CAP0_HTC_HE
- * in which case the following values apply:
- * 0 = No feedback.
- * 1 = reserved.
- * 2 = Unsolicited feedback.
- * 3 = both
- */
-#define IEEE80211_HE_MAC_CAP1_LINK_ADAPTATION 0x80
-
-#define IEEE80211_HE_MAC_CAP2_LINK_ADAPTATION 0x01
-#define IEEE80211_HE_MAC_CAP2_ALL_ACK 0x02
-#define IEEE80211_HE_MAC_CAP2_TRS 0x04
-#define IEEE80211_HE_MAC_CAP2_BSR 0x08
-#define IEEE80211_HE_MAC_CAP2_BCAST_TWT 0x10
-#define IEEE80211_HE_MAC_CAP2_32BIT_BA_BITMAP 0x20
-#define IEEE80211_HE_MAC_CAP2_MU_CASCADING 0x40
-#define IEEE80211_HE_MAC_CAP2_ACK_EN 0x80
-
-#define IEEE80211_HE_MAC_CAP3_OMI_CONTROL 0x02
-#define IEEE80211_HE_MAC_CAP3_OFDMA_RA 0x04
-
-/* The maximum length of an A-MDPU is defined by the combination of the Maximum
- * A-MDPU Length Exponent field in the HT capabilities, VHT capabilities and the
- * same field in the HE capabilities.
- */
-#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_0 0x00
-#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_1 0x08
-#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_2 0x10
-#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_EXT_3 0x18
-#define IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK 0x18
-#define IEEE80211_HE_MAC_CAP3_AMSDU_FRAG 0x20
-#define IEEE80211_HE_MAC_CAP3_FLEX_TWT_SCHED 0x40
-#define IEEE80211_HE_MAC_CAP3_RX_CTRL_FRAME_TO_MULTIBSS 0x80
-
-#define IEEE80211_HE_MAC_CAP4_BSRP_BQRP_A_MPDU_AGG 0x01
-#define IEEE80211_HE_MAC_CAP4_QTP 0x02
-#define IEEE80211_HE_MAC_CAP4_BQR 0x04
-#define IEEE80211_HE_MAC_CAP4_PSR_RESP 0x08
-#define IEEE80211_HE_MAC_CAP4_NDP_FB_REP 0x10
-#define IEEE80211_HE_MAC_CAP4_OPS 0x20
-#define IEEE80211_HE_MAC_CAP4_AMSDU_IN_AMPDU 0x40
-/* Multi TID agg TX is split between byte #4 and #5
- * The value is a combination of B39,B40,B41
- */
-#define IEEE80211_HE_MAC_CAP4_MULTI_TID_AGG_TX_QOS_B39 0x80
-
-#define IEEE80211_HE_MAC_CAP5_MULTI_TID_AGG_TX_QOS_B40 0x01
-#define IEEE80211_HE_MAC_CAP5_MULTI_TID_AGG_TX_QOS_B41 0x02
-#define IEEE80211_HE_MAC_CAP5_SUBCHAN_SELECTIVE_TRANSMISSION 0x04
-#define IEEE80211_HE_MAC_CAP5_UL_2x996_TONE_RU 0x08
-#define IEEE80211_HE_MAC_CAP5_OM_CTRL_UL_MU_DATA_DIS_RX 0x10
-#define IEEE80211_HE_MAC_CAP5_HE_DYNAMIC_SM_PS 0x20
-#define IEEE80211_HE_MAC_CAP5_PUNCTURED_SOUNDING 0x40
-#define IEEE80211_HE_MAC_CAP5_HT_VHT_TRIG_FRAME_RX 0x80
-
-#define IEEE80211_HE_VHT_MAX_AMPDU_FACTOR 20
-#define IEEE80211_HE_HT_MAX_AMPDU_FACTOR 16
-#define IEEE80211_HE_6GHZ_MAX_AMPDU_FACTOR 13
-
-/* 802.11ax HE PHY capabilities */
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G 0x02
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G 0x04
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G 0x08
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G 0x10
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL 0x1e
-
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_RU_MAPPING_IN_2G 0x20
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_RU_MAPPING_IN_5G 0x40
-#define IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK 0xfe
-
-#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_80MHZ_ONLY_SECOND_20MHZ 0x01
-#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_80MHZ_ONLY_SECOND_40MHZ 0x02
-#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_160MHZ_ONLY_SECOND_20MHZ 0x04
-#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_160MHZ_ONLY_SECOND_40MHZ 0x08
-#define IEEE80211_HE_PHY_CAP1_PREAMBLE_PUNC_RX_MASK 0x0f
-#define IEEE80211_HE_PHY_CAP1_DEVICE_CLASS_A 0x10
-#define IEEE80211_HE_PHY_CAP1_LDPC_CODING_IN_PAYLOAD 0x20
-#define IEEE80211_HE_PHY_CAP1_HE_LTF_AND_GI_FOR_HE_PPDUS_0_8US 0x40
-/* Midamble RX/TX Max NSTS is split between byte #2 and byte #3 */
-#define IEEE80211_HE_PHY_CAP1_MIDAMBLE_RX_TX_MAX_NSTS 0x80
-
-#define IEEE80211_HE_PHY_CAP2_MIDAMBLE_RX_TX_MAX_NSTS 0x01
-#define IEEE80211_HE_PHY_CAP2_NDP_4x_LTF_AND_3_2US 0x02
-#define IEEE80211_HE_PHY_CAP2_STBC_TX_UNDER_80MHZ 0x04
-#define IEEE80211_HE_PHY_CAP2_STBC_RX_UNDER_80MHZ 0x08
-#define IEEE80211_HE_PHY_CAP2_DOPPLER_TX 0x10
-#define IEEE80211_HE_PHY_CAP2_DOPPLER_RX 0x20
-
-/* Note that the meaning of UL MU below is different between an AP and a non-AP
- * sta, where in the AP case it indicates support for Rx and in the non-AP sta
- * case it indicates support for Tx.
- */
-#define IEEE80211_HE_PHY_CAP2_UL_MU_FULL_MU_MIMO 0x40
-#define IEEE80211_HE_PHY_CAP2_UL_MU_PARTIAL_MU_MIMO 0x80
-
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_NO_DCM 0x00
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_BPSK 0x01
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_QPSK 0x02
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_16_QAM 0x03
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_TX_MASK 0x03
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_TX_NSS_1 0x00
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_TX_NSS_2 0x04
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_NO_DCM 0x00
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_BPSK 0x08
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_QPSK 0x10
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_16_QAM 0x18
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_CONST_RX_MASK 0x18
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_RX_NSS_1 0x00
-#define IEEE80211_HE_PHY_CAP3_DCM_MAX_RX_NSS_2 0x20
-#define IEEE80211_HE_PHY_CAP3_RX_PARTIAL_BW_SU_IN_20MHZ_MU 0x40
-#define IEEE80211_HE_PHY_CAP3_SU_BEAMFORMER 0x80
-
-#define IEEE80211_HE_PHY_CAP4_SU_BEAMFORMEE 0x01
-#define IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER 0x02
-
-/* Minimal allowed value of Max STS under 80MHz is 3 */
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_4 0x0c
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_5 0x10
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_6 0x14
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_7 0x18
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_8 0x1c
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_UNDER_80MHZ_MASK 0x1c
-
-/* Minimal allowed value of Max STS above 80MHz is 3 */
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_4 0x60
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_5 0x80
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_6 0xa0
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_7 0xc0
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_8 0xe0
-#define IEEE80211_HE_PHY_CAP4_BEAMFORMEE_MAX_STS_ABOVE_80MHZ_MASK 0xe0
-
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_1 0x00
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_2 0x01
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_3 0x02
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_4 0x03
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_5 0x04
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_6 0x05
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_7 0x06
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_8 0x07
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK 0x07
-
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_1 0x00
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_2 0x08
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_3 0x10
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_4 0x18
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_5 0x20
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_6 0x28
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_7 0x30
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_8 0x38
-#define IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_ABOVE_80MHZ_MASK 0x38
-
-#define IEEE80211_HE_PHY_CAP5_NG16_SU_FEEDBACK 0x40
-#define IEEE80211_HE_PHY_CAP5_NG16_MU_FEEDBACK 0x80
-
-#define IEEE80211_HE_PHY_CAP6_CODEBOOK_SIZE_42_SU 0x01
-#define IEEE80211_HE_PHY_CAP6_CODEBOOK_SIZE_75_MU 0x02
-#define IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMING_FB 0x04
-#define IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB 0x08
-#define IEEE80211_HE_PHY_CAP6_TRIG_CQI_FB 0x10
-#define IEEE80211_HE_PHY_CAP6_PARTIAL_BW_EXT_RANGE 0x20
-#define IEEE80211_HE_PHY_CAP6_PARTIAL_BANDWIDTH_DL_MUMIMO 0x40
-#define IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT 0x80
-
-#define IEEE80211_HE_PHY_CAP7_PSR_BASED_SR 0x01
-#define IEEE80211_HE_PHY_CAP7_POWER_BOOST_FACTOR_SUPP 0x02
-#define IEEE80211_HE_PHY_CAP7_HE_SU_MU_PPDU_4XLTF_AND_08_US_GI 0x04
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_1 0x08
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_2 0x10
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_3 0x18
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_4 0x20
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_5 0x28
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_6 0x30
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_7 0x38
-#define IEEE80211_HE_PHY_CAP7_MAX_NC_MASK 0x38
-#define IEEE80211_HE_PHY_CAP7_STBC_TX_ABOVE_80MHZ 0x40
-#define IEEE80211_HE_PHY_CAP7_STBC_RX_ABOVE_80MHZ 0x80
-
-#define IEEE80211_HE_PHY_CAP8_HE_ER_SU_PPDU_4XLTF_AND_08_US_GI 0x01
-#define IEEE80211_HE_PHY_CAP8_20MHZ_IN_40MHZ_HE_PPDU_IN_2G 0x02
-#define IEEE80211_HE_PHY_CAP8_20MHZ_IN_160MHZ_HE_PPDU 0x04
-#define IEEE80211_HE_PHY_CAP8_80MHZ_IN_160MHZ_HE_PPDU 0x08
-#define IEEE80211_HE_PHY_CAP8_HE_ER_SU_1XLTF_AND_08_US_GI 0x10
-#define IEEE80211_HE_PHY_CAP8_MIDAMBLE_RX_TX_2X_AND_1XLTF 0x20
-#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_242 0x00
-#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_484 0x40
-#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_996 0x80
-#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_2x996 0xc0
-#define IEEE80211_HE_PHY_CAP8_DCM_MAX_RU_MASK 0xc0
-
-#define IEEE80211_HE_PHY_CAP9_LONGER_THAN_16_SIGB_OFDM_SYM 0x01
-#define IEEE80211_HE_PHY_CAP9_NON_TRIGGERED_CQI_FEEDBACK 0x02
-#define IEEE80211_HE_PHY_CAP9_TX_1024_QAM_LESS_THAN_242_TONE_RU 0x04
-#define IEEE80211_HE_PHY_CAP9_RX_1024_QAM_LESS_THAN_242_TONE_RU 0x08
-#define IEEE80211_HE_PHY_CAP9_RX_FULL_BW_SU_USING_MU_WITH_COMP_SIGB 0x10
-#define IEEE80211_HE_PHY_CAP9_RX_FULL_BW_SU_USING_MU_WITH_NON_COMP_SIGB 0x20
-#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_0US 0x0
-#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_8US 0x1
-#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_16US 0x2
-#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_RESERVED 0x3
-#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_POS 6
-#define IEEE80211_HE_PHY_CAP9_NOMINAL_PKT_PADDING_MASK 0xc0
-
-#define IEEE80211_HE_PHY_CAP10_HE_MU_M1RU_MAX_LTF 0x01
-
-/* 802.11ax HE TX/RX MCS NSS Support */
-#define IEEE80211_TX_RX_MCS_NSS_SUPP_HIGHEST_MCS_POS (3)
-#define IEEE80211_TX_RX_MCS_NSS_SUPP_TX_BITMAP_POS (6)
-#define IEEE80211_TX_RX_MCS_NSS_SUPP_RX_BITMAP_POS (11)
-#define IEEE80211_TX_RX_MCS_NSS_SUPP_TX_BITMAP_MASK 0x07c0
-#define IEEE80211_TX_RX_MCS_NSS_SUPP_RX_BITMAP_MASK 0xf800
-
-/* TX/RX HE MCS Support field Highest MCS subfield encoding */
-enum ieee80211_he_highest_mcs_supported_subfield_enc {
- HIGHEST_MCS_SUPPORTED_MCS7 = 0,
- HIGHEST_MCS_SUPPORTED_MCS8,
- HIGHEST_MCS_SUPPORTED_MCS9,
- HIGHEST_MCS_SUPPORTED_MCS10,
- HIGHEST_MCS_SUPPORTED_MCS11,
-};
-
-/* Calculate 802.11ax HE capabilities IE Tx/Rx HE MCS NSS Support Field size */
-static inline u8
-ieee80211_he_mcs_nss_size(const struct ieee80211_he_cap_elem *he_cap)
-{
- u8 count = 4;
-
- if (he_cap->phy_cap_info[0] &
- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
- count += 4;
-
- if (he_cap->phy_cap_info[0] &
- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)
- count += 4;
-
- return count;
-}
-
-/* 802.11ax HE PPE Thresholds */
-#define IEEE80211_PPE_THRES_NSS_SUPPORT_2NSS (1)
-#define IEEE80211_PPE_THRES_NSS_POS (0)
-#define IEEE80211_PPE_THRES_NSS_MASK (7)
-#define IEEE80211_PPE_THRES_RU_INDEX_BITMASK_2x966_AND_966_RU \
- (BIT(5) | BIT(6))
-#define IEEE80211_PPE_THRES_RU_INDEX_BITMASK_MASK 0x78
-#define IEEE80211_PPE_THRES_RU_INDEX_BITMASK_POS (3)
-#define IEEE80211_PPE_THRES_INFO_PPET_SIZE (3)
-#define IEEE80211_HE_PPE_THRES_INFO_HEADER_SIZE (7)
-
-/*
- * Calculate 802.11ax HE capabilities IE PPE field size
- * Input: Header byte of ppe_thres (first byte), and HE capa IE's PHY cap u8*
- */
-static inline u8
-ieee80211_he_ppe_size(u8 ppe_thres_hdr, const u8 *phy_cap_info)
-{
- u8 n;
-
- if ((phy_cap_info[6] &
- IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT) == 0)
- return 0;
-
- n = hweight8(ppe_thres_hdr &
- IEEE80211_PPE_THRES_RU_INDEX_BITMASK_MASK);
- n *= (1 + ((ppe_thres_hdr & IEEE80211_PPE_THRES_NSS_MASK) >>
- IEEE80211_PPE_THRES_NSS_POS));
-
- /*
- * Each pair is 6 bits, and we need to add the 7 "header" bits to the
- * total size.
- */
- n = (n * IEEE80211_PPE_THRES_INFO_PPET_SIZE * 2) + 7;
- n = DIV_ROUND_UP(n, 8);
-
- return n;
-}
-
-static inline bool ieee80211_he_capa_size_ok(const u8 *data, u8 len)
-{
- const struct ieee80211_he_cap_elem *he_cap_ie_elem = (const void *)data;
- u8 needed = sizeof(*he_cap_ie_elem);
-
- if (len < needed)
- return false;
-
- needed += ieee80211_he_mcs_nss_size(he_cap_ie_elem);
- if (len < needed)
- return false;
-
- if (he_cap_ie_elem->phy_cap_info[6] &
- IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT) {
- if (len < needed + 1)
- return false;
- needed += ieee80211_he_ppe_size(data[needed],
- he_cap_ie_elem->phy_cap_info);
- }
-
- return len >= needed;
-}
-
-/* HE Operation defines */
-#define IEEE80211_HE_OPERATION_DFLT_PE_DURATION_MASK 0x00000007
-#define IEEE80211_HE_OPERATION_TWT_REQUIRED 0x00000008
-#define IEEE80211_HE_OPERATION_RTS_THRESHOLD_MASK 0x00003ff0
-#define IEEE80211_HE_OPERATION_RTS_THRESHOLD_OFFSET 4
-#define IEEE80211_HE_OPERATION_VHT_OPER_INFO 0x00004000
-#define IEEE80211_HE_OPERATION_CO_HOSTED_BSS 0x00008000
-#define IEEE80211_HE_OPERATION_ER_SU_DISABLE 0x00010000
-#define IEEE80211_HE_OPERATION_6GHZ_OP_INFO 0x00020000
-#define IEEE80211_HE_OPERATION_BSS_COLOR_MASK 0x3f000000
-#define IEEE80211_HE_OPERATION_BSS_COLOR_OFFSET 24
-#define IEEE80211_HE_OPERATION_PARTIAL_BSS_COLOR 0x40000000
-#define IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED 0x80000000
-
-#define IEEE80211_6GHZ_CTRL_REG_LPI_AP 0
-#define IEEE80211_6GHZ_CTRL_REG_SP_AP 1
-#define IEEE80211_6GHZ_CTRL_REG_VLP_AP 2
-#define IEEE80211_6GHZ_CTRL_REG_INDOOR_LPI_AP 3
-#define IEEE80211_6GHZ_CTRL_REG_INDOOR_SP_AP_OLD 4
-#define IEEE80211_6GHZ_CTRL_REG_INDOOR_SP_AP 8
-
-/**
- * struct ieee80211_he_6ghz_oper - HE 6 GHz operation Information field
- * @primary: primary channel
- * @control: control flags
- * @ccfs0: channel center frequency segment 0
- * @ccfs1: channel center frequency segment 1
- * @minrate: minimum rate (in 1 Mbps units)
- */
-struct ieee80211_he_6ghz_oper {
- u8 primary;
-#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH 0x3
-#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_20MHZ 0
-#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_40MHZ 1
-#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_80MHZ 2
-#define IEEE80211_HE_6GHZ_OPER_CTRL_CHANWIDTH_160MHZ 3
-#define IEEE80211_HE_6GHZ_OPER_CTRL_DUP_BEACON 0x4
-#define IEEE80211_HE_6GHZ_OPER_CTRL_REG_INFO 0x78
- u8 control;
- u8 ccfs0;
- u8 ccfs1;
- u8 minrate;
-} __packed;
-
-/**
- * enum ieee80211_reg_conn_bits - represents Regulatory connectivity field bits.
- *
- * This enumeration defines bit flags used to represent regulatory connectivity
- * field bits.
- *
- * @IEEE80211_REG_CONN_LPI_VALID: Indicates whether the LPI bit is valid.
- * @IEEE80211_REG_CONN_LPI_VALUE: Represents the value of the LPI bit.
- * @IEEE80211_REG_CONN_SP_VALID: Indicates whether the SP bit is valid.
- * @IEEE80211_REG_CONN_SP_VALUE: Represents the value of the SP bit.
- */
-enum ieee80211_reg_conn_bits {
- IEEE80211_REG_CONN_LPI_VALID = BIT(0),
- IEEE80211_REG_CONN_LPI_VALUE = BIT(1),
- IEEE80211_REG_CONN_SP_VALID = BIT(2),
- IEEE80211_REG_CONN_SP_VALUE = BIT(3),
-};
-
-/* transmit power interpretation type of transmit power envelope element */
-enum ieee80211_tx_power_intrpt_type {
- IEEE80211_TPE_LOCAL_EIRP,
- IEEE80211_TPE_LOCAL_EIRP_PSD,
- IEEE80211_TPE_REG_CLIENT_EIRP,
- IEEE80211_TPE_REG_CLIENT_EIRP_PSD,
-};
-
-/* category type of transmit power envelope element */
-enum ieee80211_tx_power_category_6ghz {
- IEEE80211_TPE_CAT_6GHZ_DEFAULT = 0,
- IEEE80211_TPE_CAT_6GHZ_SUBORDINATE = 1,
-};
-
-/*
- * For IEEE80211_TPE_LOCAL_EIRP / IEEE80211_TPE_REG_CLIENT_EIRP,
- * setting to 63.5 dBm means no constraint.
- */
-#define IEEE80211_TPE_MAX_TX_PWR_NO_CONSTRAINT 127
-
-/*
- * For IEEE80211_TPE_LOCAL_EIRP_PSD / IEEE80211_TPE_REG_CLIENT_EIRP_PSD,
- * setting to 127 indicates no PSD limit for the 20 MHz channel.
- */
-#define IEEE80211_TPE_PSD_NO_LIMIT 127
-
-/**
- * struct ieee80211_tx_pwr_env - Transmit Power Envelope
- * @info: Transmit Power Information field
- * @variable: Maximum Transmit Power field
- *
- * This structure represents the payload of the "Transmit Power
- * Envelope element" as described in IEEE Std 802.11ax-2021 section
- * 9.4.2.161
- */
-struct ieee80211_tx_pwr_env {
- u8 info;
- u8 variable[];
-} __packed;
-
-#define IEEE80211_TX_PWR_ENV_INFO_COUNT 0x7
-#define IEEE80211_TX_PWR_ENV_INFO_INTERPRET 0x38
-#define IEEE80211_TX_PWR_ENV_INFO_CATEGORY 0xC0
-
-#define IEEE80211_TX_PWR_ENV_EXT_COUNT 0xF
-
-static inline bool ieee80211_valid_tpe_element(const u8 *data, u8 len)
-{
- const struct ieee80211_tx_pwr_env *env = (const void *)data;
- u8 count, interpret, category;
- u8 needed = sizeof(*env);
- u8 N; /* also called N in the spec */
-
- if (len < needed)
- return false;
-
- count = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_COUNT);
- interpret = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_INTERPRET);
- category = u8_get_bits(env->info, IEEE80211_TX_PWR_ENV_INFO_CATEGORY);
-
- switch (category) {
- case IEEE80211_TPE_CAT_6GHZ_DEFAULT:
- case IEEE80211_TPE_CAT_6GHZ_SUBORDINATE:
- break;
- default:
- return false;
- }
-
- switch (interpret) {
- case IEEE80211_TPE_LOCAL_EIRP:
- case IEEE80211_TPE_REG_CLIENT_EIRP:
- if (count > 3)
- return false;
-
- /* count == 0 encodes 1 value for 20 MHz, etc. */
- needed += count + 1;
-
- if (len < needed)
- return false;
-
- /* there can be extension fields not accounted for in 'count' */
-
- return true;
- case IEEE80211_TPE_LOCAL_EIRP_PSD:
- case IEEE80211_TPE_REG_CLIENT_EIRP_PSD:
- if (count > 4)
- return false;
-
- N = count ? 1 << (count - 1) : 1;
- needed += N;
-
- if (len < needed)
- return false;
-
- if (len > needed) {
- u8 K = u8_get_bits(env->variable[N],
- IEEE80211_TX_PWR_ENV_EXT_COUNT);
-
- needed += 1 + K;
- if (len < needed)
- return false;
- }
-
- return true;
- }
-
- return false;
-}
-
-/*
- * ieee80211_he_oper_size - calculate 802.11ax HE Operations IE size
- * @he_oper_ie: byte data of the He Operations IE, stating from the byte
- * after the ext ID byte. It is assumed that he_oper_ie has at least
- * sizeof(struct ieee80211_he_operation) bytes, the caller must have
- * validated this.
- * @return the actual size of the IE data (not including header), or 0 on error
- */
-static inline u8
-ieee80211_he_oper_size(const u8 *he_oper_ie)
-{
- const struct ieee80211_he_operation *he_oper = (const void *)he_oper_ie;
- u8 oper_len = sizeof(struct ieee80211_he_operation);
- u32 he_oper_params;
-
- /* Make sure the input is not NULL */
- if (!he_oper_ie)
- return 0;
-
- /* Calc required length */
- he_oper_params = le32_to_cpu(he_oper->he_oper_params);
- if (he_oper_params & IEEE80211_HE_OPERATION_VHT_OPER_INFO)
- oper_len += 3;
- if (he_oper_params & IEEE80211_HE_OPERATION_CO_HOSTED_BSS)
- oper_len++;
- if (he_oper_params & IEEE80211_HE_OPERATION_6GHZ_OP_INFO)
- oper_len += sizeof(struct ieee80211_he_6ghz_oper);
-
- /* Add the first byte (extension ID) to the total length */
- oper_len++;
-
- return oper_len;
-}
-
-/**
- * ieee80211_he_6ghz_oper - obtain 6 GHz operation field
- * @he_oper: HE operation element (must be pre-validated for size)
- * but may be %NULL
- *
- * Return: a pointer to the 6 GHz operation field, or %NULL
- */
-static inline const struct ieee80211_he_6ghz_oper *
-ieee80211_he_6ghz_oper(const struct ieee80211_he_operation *he_oper)
-{
- const u8 *ret;
- u32 he_oper_params;
-
- if (!he_oper)
- return NULL;
-
- ret = (const void *)&he_oper->optional;
-
- he_oper_params = le32_to_cpu(he_oper->he_oper_params);
-
- if (!(he_oper_params & IEEE80211_HE_OPERATION_6GHZ_OP_INFO))
- return NULL;
- if (he_oper_params & IEEE80211_HE_OPERATION_VHT_OPER_INFO)
- ret += 3;
- if (he_oper_params & IEEE80211_HE_OPERATION_CO_HOSTED_BSS)
- ret++;
-
- return (const void *)ret;
-}
-
-/* HE Spatial Reuse defines */
-#define IEEE80211_HE_SPR_PSR_DISALLOWED BIT(0)
-#define IEEE80211_HE_SPR_NON_SRG_OBSS_PD_SR_DISALLOWED BIT(1)
-#define IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT BIT(2)
-#define IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT BIT(3)
-#define IEEE80211_HE_SPR_HESIGA_SR_VAL15_ALLOWED BIT(4)
-
-/*
- * ieee80211_he_spr_size - calculate 802.11ax HE Spatial Reuse IE size
- * @he_spr_ie: byte data of the He Spatial Reuse IE, stating from the byte
- * after the ext ID byte. It is assumed that he_spr_ie has at least
- * sizeof(struct ieee80211_he_spr) bytes, the caller must have validated
- * this
- * @return the actual size of the IE data (not including header), or 0 on error
- */
-static inline u8
-ieee80211_he_spr_size(const u8 *he_spr_ie)
-{
- const struct ieee80211_he_spr *he_spr = (const void *)he_spr_ie;
- u8 spr_len = sizeof(struct ieee80211_he_spr);
- u8 he_spr_params;
-
- /* Make sure the input is not NULL */
- if (!he_spr_ie)
- return 0;
-
- /* Calc required length */
- he_spr_params = he_spr->he_sr_control;
- if (he_spr_params & IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
- spr_len++;
- if (he_spr_params & IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT)
- spr_len += 18;
-
- /* Add the first byte (extension ID) to the total length */
- spr_len++;
-
- return spr_len;
-}
-
/* S1G Capabilities Information field */
#define IEEE80211_S1G_CAPABILITY_LEN 15
@@ -2697,6 +1912,9 @@ ieee80211_he_spr_size(const u8 *he_spr_ie)
#define IEEE80211_EHT_OPER_CHAN_WIDTH_160MHZ 3
#define IEEE80211_EHT_OPER_CHAN_WIDTH_320MHZ 4
+/* need HE definitions for EHT functions */
+#include "ieee80211-he.h"
+
/* Calculate 802.11be EHT capabilities IE Tx/Rx EHT MCS NSS Support Field size */
static inline u8
ieee80211_eht_mcs_nss_size(const struct ieee80211_he_cap_elem *he_cap,
@@ -3815,24 +3033,6 @@ struct ieee80211_tspec_ie {
__le16 medium_time;
} __packed;
-struct ieee80211_he_6ghz_capa {
- /* uses IEEE80211_HE_6GHZ_CAP_* below */
- __le16 capa;
-} __packed;
-
-/* HE 6 GHz band capabilities */
-/* uses enum ieee80211_min_mpdu_spacing values */
-#define IEEE80211_HE_6GHZ_CAP_MIN_MPDU_START 0x0007
-/* uses enum ieee80211_vht_max_ampdu_length_exp values */
-#define IEEE80211_HE_6GHZ_CAP_MAX_AMPDU_LEN_EXP 0x0038
-/* uses IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_* values */
-#define IEEE80211_HE_6GHZ_CAP_MAX_MPDU_LEN 0x00c0
-/* WLAN_HT_CAP_SM_PS_* values */
-#define IEEE80211_HE_6GHZ_CAP_SM_PS 0x0600
-#define IEEE80211_HE_6GHZ_CAP_RD_RESPONDER 0x0800
-#define IEEE80211_HE_6GHZ_CAP_RX_ANTPAT_CONS 0x1000
-#define IEEE80211_HE_6GHZ_CAP_TX_ANTPAT_CONS 0x2000
-
/**
* ieee80211_get_qos_ctl - get pointer to qos control bytes
* @hdr: the frame
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 061/957] wifi: ieee80211: split EHT definitions out
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 060/957] wifi: ieee80211: split HE " Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 062/957] wifi: ieee80211: fix definition of EHT-MCS 15 in MRU Greg Kroah-Hartman
` (901 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 86bc0c662322b4749cd666678d2fdce7015bcae3 ]
The ieee80211.h file has gotten very long, continue splitting
it by putting EHT definitions into a separate file.
Link: https://patch.msgid.link/20251105153843.bf77fe169140.I691267e0edd914c604a5bfd447d33be00044c9b4@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: cb0caadb64ca ("wifi: ieee80211: fix definition of EHT-MCS 15 in MRU")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211-eht.h | 1182 +++++++++++++++++++++++++++++++++
include/linux/ieee80211.h | 1164 +-------------------------------
2 files changed, 1184 insertions(+), 1162 deletions(-)
create mode 100644 include/linux/ieee80211-eht.h
diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
new file mode 100644
index 0000000000000..f9782e46c5e52
--- /dev/null
+++ b/include/linux/ieee80211-eht.h
@@ -0,0 +1,1182 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * IEEE 802.11 EHT definitions
+ *
+ * Copyright (c) 2001-2002, SSH Communications Security Corp and Jouni Malinen
+ * <jkmaline@cc.hut.fi>
+ * Copyright (c) 2002-2003, Jouni Malinen <jkmaline@cc.hut.fi>
+ * Copyright (c) 2005, Devicescape Software, Inc.
+ * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
+ * Copyright (c) 2013 - 2014 Intel Mobile Communications GmbH
+ * Copyright (c) 2016 - 2017 Intel Deutschland GmbH
+ * Copyright (c) 2018 - 2025 Intel Corporation
+ */
+
+#ifndef LINUX_IEEE80211_EHT_H
+#define LINUX_IEEE80211_EHT_H
+
+#include <linux/types.h>
+#include <linux/if_ether.h>
+/* need HE definitions for the inlines here */
+#include <linux/ieee80211-he.h>
+
+#define IEEE80211_TTLM_MAX_CNT 2
+#define IEEE80211_TTLM_CONTROL_DIRECTION 0x03
+#define IEEE80211_TTLM_CONTROL_DEF_LINK_MAP 0x04
+#define IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT 0x08
+#define IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT 0x10
+#define IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE 0x20
+
+#define IEEE80211_TTLM_DIRECTION_DOWN 0
+#define IEEE80211_TTLM_DIRECTION_UP 1
+#define IEEE80211_TTLM_DIRECTION_BOTH 2
+
+/**
+ * struct ieee80211_ttlm_elem - TID-To-Link Mapping element
+ *
+ * Defined in section 9.4.2.314 in P802.11be_D4
+ *
+ * @control: the first part of control field
+ * @optional: the second part of control field
+ */
+struct ieee80211_ttlm_elem {
+ u8 control;
+ u8 optional[];
+} __packed;
+
+#define IEEE80211_EHT_MCS_NSS_RX 0x0f
+#define IEEE80211_EHT_MCS_NSS_TX 0xf0
+
+/**
+ * struct ieee80211_eht_mcs_nss_supp_20mhz_only - EHT 20MHz only station max
+ * supported NSS for per MCS.
+ *
+ * For each field below, bits 0 - 3 indicate the maximal number of spatial
+ * streams for Rx, and bits 4 - 7 indicate the maximal number of spatial streams
+ * for Tx.
+ *
+ * @rx_tx_mcs7_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 0 - 7.
+ * @rx_tx_mcs9_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 8 - 9.
+ * @rx_tx_mcs11_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 10 - 11.
+ * @rx_tx_mcs13_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 12 - 13.
+ * @rx_tx_max_nss: array of the previous fields for easier loop access
+ */
+struct ieee80211_eht_mcs_nss_supp_20mhz_only {
+ union {
+ struct {
+ u8 rx_tx_mcs7_max_nss;
+ u8 rx_tx_mcs9_max_nss;
+ u8 rx_tx_mcs11_max_nss;
+ u8 rx_tx_mcs13_max_nss;
+ };
+ u8 rx_tx_max_nss[4];
+ };
+};
+
+/**
+ * struct ieee80211_eht_mcs_nss_supp_bw - EHT max supported NSS per MCS (except
+ * 20MHz only stations).
+ *
+ * For each field below, bits 0 - 3 indicate the maximal number of spatial
+ * streams for Rx, and bits 4 - 7 indicate the maximal number of spatial streams
+ * for Tx.
+ *
+ * @rx_tx_mcs9_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 0 - 9.
+ * @rx_tx_mcs11_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 10 - 11.
+ * @rx_tx_mcs13_max_nss: indicates the maximum number of spatial streams
+ * supported for reception and the maximum number of spatial streams
+ * supported for transmission for MCS 12 - 13.
+ * @rx_tx_max_nss: array of the previous fields for easier loop access
+ */
+struct ieee80211_eht_mcs_nss_supp_bw {
+ union {
+ struct {
+ u8 rx_tx_mcs9_max_nss;
+ u8 rx_tx_mcs11_max_nss;
+ u8 rx_tx_mcs13_max_nss;
+ };
+ u8 rx_tx_max_nss[3];
+ };
+};
+
+/**
+ * struct ieee80211_eht_cap_elem_fixed - EHT capabilities fixed data
+ *
+ * This structure is the "EHT Capabilities element" fixed fields as
+ * described in P802.11be_D2.0 section 9.4.2.313.
+ *
+ * @mac_cap_info: MAC capabilities, see IEEE80211_EHT_MAC_CAP*
+ * @phy_cap_info: PHY capabilities, see IEEE80211_EHT_PHY_CAP*
+ */
+struct ieee80211_eht_cap_elem_fixed {
+ u8 mac_cap_info[2];
+ u8 phy_cap_info[9];
+} __packed;
+
+/**
+ * struct ieee80211_eht_cap_elem - EHT capabilities element
+ * @fixed: fixed parts, see &ieee80211_eht_cap_elem_fixed
+ * @optional: optional parts
+ */
+struct ieee80211_eht_cap_elem {
+ struct ieee80211_eht_cap_elem_fixed fixed;
+
+ /*
+ * Followed by:
+ * Supported EHT-MCS And NSS Set field: 4, 3, 6 or 9 octets.
+ * EHT PPE Thresholds field: variable length.
+ */
+ u8 optional[];
+} __packed;
+
+#define IEEE80211_EHT_OPER_INFO_PRESENT 0x01
+#define IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT 0x02
+#define IEEE80211_EHT_OPER_EHT_DEF_PE_DURATION 0x04
+#define IEEE80211_EHT_OPER_GROUP_ADDRESSED_BU_IND_LIMIT 0x08
+#define IEEE80211_EHT_OPER_GROUP_ADDRESSED_BU_IND_EXP_MASK 0x30
+#define IEEE80211_EHT_OPER_MCS15_DISABLE 0x40
+
+/**
+ * struct ieee80211_eht_operation - eht operation element
+ *
+ * This structure is the "EHT Operation Element" fields as
+ * described in P802.11be_D2.0 section 9.4.2.311
+ *
+ * @params: EHT operation element parameters. See &IEEE80211_EHT_OPER_*
+ * @basic_mcs_nss: indicates the EHT-MCSs for each number of spatial streams in
+ * EHT PPDUs that are supported by all EHT STAs in the BSS in transmit and
+ * receive.
+ * @optional: optional parts
+ */
+struct ieee80211_eht_operation {
+ u8 params;
+ struct ieee80211_eht_mcs_nss_supp_20mhz_only basic_mcs_nss;
+ u8 optional[];
+} __packed;
+
+/**
+ * struct ieee80211_eht_operation_info - eht operation information
+ *
+ * @control: EHT operation information control.
+ * @ccfs0: defines a channel center frequency for a 20, 40, 80, 160, or 320 MHz
+ * EHT BSS.
+ * @ccfs1: defines a channel center frequency for a 160 or 320 MHz EHT BSS.
+ * @optional: optional parts
+ */
+struct ieee80211_eht_operation_info {
+ u8 control;
+ u8 ccfs0;
+ u8 ccfs1;
+ u8 optional[];
+} __packed;
+
+/* EHT MAC capabilities as defined in P802.11be_D2.0 section 9.4.2.313.2 */
+#define IEEE80211_EHT_MAC_CAP0_EPCS_PRIO_ACCESS 0x01
+#define IEEE80211_EHT_MAC_CAP0_OM_CONTROL 0x02
+#define IEEE80211_EHT_MAC_CAP0_TRIG_TXOP_SHARING_MODE1 0x04
+#define IEEE80211_EHT_MAC_CAP0_TRIG_TXOP_SHARING_MODE2 0x08
+#define IEEE80211_EHT_MAC_CAP0_RESTRICTED_TWT 0x10
+#define IEEE80211_EHT_MAC_CAP0_SCS_TRAFFIC_DESC 0x20
+#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_MASK 0xc0
+#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_3895 0
+#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_7991 1
+#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_11454 2
+
+#define IEEE80211_EHT_MAC_CAP1_MAX_AMPDU_LEN_MASK 0x01
+#define IEEE80211_EHT_MAC_CAP1_EHT_TRS 0x02
+#define IEEE80211_EHT_MAC_CAP1_TXOP_RET 0x04
+#define IEEE80211_EHT_MAC_CAP1_TWO_BQRS 0x08
+#define IEEE80211_EHT_MAC_CAP1_EHT_LINK_ADAPT_MASK 0x30
+#define IEEE80211_EHT_MAC_CAP1_UNSOL_EPCS_PRIO_ACCESS 0x40
+
+/* EHT PHY capabilities as defined in P802.11be_D2.0 section 9.4.2.313.3 */
+#define IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ 0x02
+#define IEEE80211_EHT_PHY_CAP0_242_TONE_RU_GT20MHZ 0x04
+#define IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI 0x08
+#define IEEE80211_EHT_PHY_CAP0_PARTIAL_BW_UL_MU_MIMO 0x10
+#define IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER 0x20
+#define IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMEE 0x40
+
+/* EHT beamformee number of spatial streams <= 80MHz is split */
+#define IEEE80211_EHT_PHY_CAP0_BEAMFORMEE_SS_80MHZ_MASK 0x80
+#define IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_80MHZ_MASK 0x03
+
+#define IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK 0x1c
+#define IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK 0xe0
+
+#define IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_80MHZ_MASK 0x07
+#define IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK 0x38
+
+/* EHT number of sounding dimensions for 320MHz is split */
+#define IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK 0xc0
+#define IEEE80211_EHT_PHY_CAP3_SOUNDING_DIM_320MHZ_MASK 0x01
+#define IEEE80211_EHT_PHY_CAP3_NG_16_SU_FEEDBACK 0x02
+#define IEEE80211_EHT_PHY_CAP3_NG_16_MU_FEEDBACK 0x04
+#define IEEE80211_EHT_PHY_CAP3_CODEBOOK_4_2_SU_FDBK 0x08
+#define IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK 0x10
+#define IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK 0x20
+#define IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK 0x40
+#define IEEE80211_EHT_PHY_CAP3_TRIG_CQI_FDBK 0x80
+
+#define IEEE80211_EHT_PHY_CAP4_PART_BW_DL_MU_MIMO 0x01
+#define IEEE80211_EHT_PHY_CAP4_PSR_SR_SUPP 0x02
+#define IEEE80211_EHT_PHY_CAP4_POWER_BOOST_FACT_SUPP 0x04
+#define IEEE80211_EHT_PHY_CAP4_EHT_MU_PPDU_4_EHT_LTF_08_GI 0x08
+#define IEEE80211_EHT_PHY_CAP4_MAX_NC_MASK 0xf0
+
+#define IEEE80211_EHT_PHY_CAP5_NON_TRIG_CQI_FEEDBACK 0x01
+#define IEEE80211_EHT_PHY_CAP5_TX_LESS_242_TONE_RU_SUPP 0x02
+#define IEEE80211_EHT_PHY_CAP5_RX_LESS_242_TONE_RU_SUPP 0x04
+#define IEEE80211_EHT_PHY_CAP5_PPE_THRESHOLD_PRESENT 0x08
+#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_MASK 0x30
+#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_0US 0
+#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_8US 1
+#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_16US 2
+#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_20US 3
+
+/* Maximum number of supported EHT LTF is split */
+#define IEEE80211_EHT_PHY_CAP5_MAX_NUM_SUPP_EHT_LTF_MASK 0xc0
+#define IEEE80211_EHT_PHY_CAP5_SUPP_EXTRA_EHT_LTF 0x40
+#define IEEE80211_EHT_PHY_CAP6_MAX_NUM_SUPP_EHT_LTF_MASK 0x07
+
+#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_80MHZ 0x08
+#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_160MHZ 0x30
+#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_320MHZ 0x40
+#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_MASK 0x78
+#define IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP 0x80
+
+#define IEEE80211_EHT_PHY_CAP7_20MHZ_STA_RX_NDP_WIDER_BW 0x01
+#define IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ 0x02
+#define IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ 0x04
+#define IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ 0x08
+#define IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ 0x10
+#define IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ 0x20
+#define IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ 0x40
+#define IEEE80211_EHT_PHY_CAP7_TB_SOUNDING_FDBK_RATE_LIMIT 0x80
+
+#define IEEE80211_EHT_PHY_CAP8_RX_1024QAM_WIDER_BW_DL_OFDMA 0x01
+#define IEEE80211_EHT_PHY_CAP8_RX_4096QAM_WIDER_BW_DL_OFDMA 0x02
+
+/*
+ * EHT operation channel width as defined in P802.11be_D2.0 section 9.4.2.311
+ */
+#define IEEE80211_EHT_OPER_CHAN_WIDTH 0x7
+#define IEEE80211_EHT_OPER_CHAN_WIDTH_20MHZ 0
+#define IEEE80211_EHT_OPER_CHAN_WIDTH_40MHZ 1
+#define IEEE80211_EHT_OPER_CHAN_WIDTH_80MHZ 2
+#define IEEE80211_EHT_OPER_CHAN_WIDTH_160MHZ 3
+#define IEEE80211_EHT_OPER_CHAN_WIDTH_320MHZ 4
+
+/* Calculate 802.11be EHT capabilities IE Tx/Rx EHT MCS NSS Support Field size */
+static inline u8
+ieee80211_eht_mcs_nss_size(const struct ieee80211_he_cap_elem *he_cap,
+ const struct ieee80211_eht_cap_elem_fixed *eht_cap,
+ bool from_ap)
+{
+ u8 count = 0;
+
+ /* on 2.4 GHz, if it supports 40 MHz, the result is 3 */
+ if (he_cap->phy_cap_info[0] &
+ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G)
+ return 3;
+
+ /* on 2.4 GHz, these three bits are reserved, so should be 0 */
+ if (he_cap->phy_cap_info[0] &
+ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G)
+ count += 3;
+
+ if (he_cap->phy_cap_info[0] &
+ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
+ count += 3;
+
+ if (eht_cap->phy_cap_info[0] & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ)
+ count += 3;
+
+ if (count)
+ return count;
+
+ return from_ap ? 3 : 4;
+}
+
+/* 802.11be EHT PPE Thresholds */
+#define IEEE80211_EHT_PPE_THRES_NSS_POS 0
+#define IEEE80211_EHT_PPE_THRES_NSS_MASK 0xf
+#define IEEE80211_EHT_PPE_THRES_RU_INDEX_BITMASK_MASK 0x1f0
+#define IEEE80211_EHT_PPE_THRES_INFO_PPET_SIZE 3
+#define IEEE80211_EHT_PPE_THRES_INFO_HEADER_SIZE 9
+
+/*
+ * Calculate 802.11be EHT capabilities IE EHT field size
+ */
+static inline u8
+ieee80211_eht_ppe_size(u16 ppe_thres_hdr, const u8 *phy_cap_info)
+{
+ u32 n;
+
+ if (!(phy_cap_info[5] &
+ IEEE80211_EHT_PHY_CAP5_PPE_THRESHOLD_PRESENT))
+ return 0;
+
+ n = hweight16(ppe_thres_hdr &
+ IEEE80211_EHT_PPE_THRES_RU_INDEX_BITMASK_MASK);
+ n *= 1 + u16_get_bits(ppe_thres_hdr, IEEE80211_EHT_PPE_THRES_NSS_MASK);
+
+ /*
+ * Each pair is 6 bits, and we need to add the 9 "header" bits to the
+ * total size.
+ */
+ n = n * IEEE80211_EHT_PPE_THRES_INFO_PPET_SIZE * 2 +
+ IEEE80211_EHT_PPE_THRES_INFO_HEADER_SIZE;
+ return DIV_ROUND_UP(n, 8);
+}
+
+static inline bool
+ieee80211_eht_capa_size_ok(const u8 *he_capa, const u8 *data, u8 len,
+ bool from_ap)
+{
+ const struct ieee80211_eht_cap_elem_fixed *elem = (const void *)data;
+ u8 needed = sizeof(struct ieee80211_eht_cap_elem_fixed);
+
+ if (len < needed || !he_capa)
+ return false;
+
+ needed += ieee80211_eht_mcs_nss_size((const void *)he_capa,
+ (const void *)data,
+ from_ap);
+ if (len < needed)
+ return false;
+
+ if (elem->phy_cap_info[5] &
+ IEEE80211_EHT_PHY_CAP5_PPE_THRESHOLD_PRESENT) {
+ u16 ppe_thres_hdr;
+
+ if (len < needed + sizeof(ppe_thres_hdr))
+ return false;
+
+ ppe_thres_hdr = get_unaligned_le16(data + needed);
+ needed += ieee80211_eht_ppe_size(ppe_thres_hdr,
+ elem->phy_cap_info);
+ }
+
+ return len >= needed;
+}
+
+static inline bool
+ieee80211_eht_oper_size_ok(const u8 *data, u8 len)
+{
+ const struct ieee80211_eht_operation *elem = (const void *)data;
+ u8 needed = sizeof(*elem);
+
+ if (len < needed)
+ return false;
+
+ if (elem->params & IEEE80211_EHT_OPER_INFO_PRESENT) {
+ needed += 3;
+
+ if (elem->params &
+ IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)
+ needed += 2;
+ }
+
+ return len >= needed;
+}
+
+/* must validate ieee80211_eht_oper_size_ok() first */
+static inline u16
+ieee80211_eht_oper_dis_subchan_bitmap(const struct ieee80211_eht_operation *eht_oper)
+{
+ const struct ieee80211_eht_operation_info *info =
+ (const void *)eht_oper->optional;
+
+ if (!(eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT))
+ return 0;
+
+ if (!(eht_oper->params & IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT))
+ return 0;
+
+ return get_unaligned_le16(info->optional);
+}
+
+#define IEEE80211_BW_IND_DIS_SUBCH_PRESENT BIT(1)
+
+struct ieee80211_bandwidth_indication {
+ u8 params;
+ struct ieee80211_eht_operation_info info;
+} __packed;
+
+static inline bool
+ieee80211_bandwidth_indication_size_ok(const u8 *data, u8 len)
+{
+ const struct ieee80211_bandwidth_indication *bwi = (const void *)data;
+
+ if (len < sizeof(*bwi))
+ return false;
+
+ if (bwi->params & IEEE80211_BW_IND_DIS_SUBCH_PRESENT &&
+ len < sizeof(*bwi) + 2)
+ return false;
+
+ return true;
+}
+
+/* Protected EHT action codes */
+enum ieee80211_protected_eht_actioncode {
+ WLAN_PROTECTED_EHT_ACTION_TTLM_REQ = 0,
+ WLAN_PROTECTED_EHT_ACTION_TTLM_RES = 1,
+ WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN = 2,
+ WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_REQ = 3,
+ WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_RESP = 4,
+ WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN = 5,
+ WLAN_PROTECTED_EHT_ACTION_EML_OP_MODE_NOTIF = 6,
+ WLAN_PROTECTED_EHT_ACTION_LINK_RECOMMEND = 7,
+ WLAN_PROTECTED_EHT_ACTION_ML_OP_UPDATE_REQ = 8,
+ WLAN_PROTECTED_EHT_ACTION_ML_OP_UPDATE_RESP = 9,
+ WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_NOTIF = 10,
+ WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_REQ = 11,
+ WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_RESP = 12,
+};
+
+/* multi-link device */
+#define IEEE80211_MLD_MAX_NUM_LINKS 15
+
+#define IEEE80211_ML_CONTROL_TYPE 0x0007
+#define IEEE80211_ML_CONTROL_TYPE_BASIC 0
+#define IEEE80211_ML_CONTROL_TYPE_PREQ 1
+#define IEEE80211_ML_CONTROL_TYPE_RECONF 2
+#define IEEE80211_ML_CONTROL_TYPE_TDLS 3
+#define IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS 4
+#define IEEE80211_ML_CONTROL_PRESENCE_MASK 0xfff0
+
+struct ieee80211_multi_link_elem {
+ __le16 control;
+ u8 variable[];
+} __packed;
+
+#define IEEE80211_MLC_BASIC_PRES_LINK_ID 0x0010
+#define IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT 0x0020
+#define IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY 0x0040
+#define IEEE80211_MLC_BASIC_PRES_EML_CAPA 0x0080
+#define IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP 0x0100
+#define IEEE80211_MLC_BASIC_PRES_MLD_ID 0x0200
+#define IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP 0x0400
+
+#define IEEE80211_MED_SYNC_DELAY_DURATION 0x00ff
+#define IEEE80211_MED_SYNC_DELAY_SYNC_OFDM_ED_THRESH 0x0f00
+#define IEEE80211_MED_SYNC_DELAY_SYNC_MAX_NUM_TXOPS 0xf000
+
+/*
+ * Described in P802.11be_D3.0
+ * dot11MSDTimerDuration should default to 5484 (i.e. 171.375)
+ * dot11MSDOFDMEDthreshold defaults to -72 (i.e. 0)
+ * dot11MSDTXOPMAX defaults to 1
+ */
+#define IEEE80211_MED_SYNC_DELAY_DEFAULT 0x10ac
+
+#define IEEE80211_EML_CAP_EMLSR_SUPP 0x0001
+#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY 0x000e
+#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_0US 0
+#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_32US 1
+#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_64US 2
+#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_128US 3
+#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_256US 4
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY 0x0070
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_0US 0
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_16US 1
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_32US 2
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_64US 3
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_128US 4
+#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_256US 5
+#define IEEE80211_EML_CAP_EMLMR_SUPPORT 0x0080
+#define IEEE80211_EML_CAP_EMLMR_DELAY 0x0700
+#define IEEE80211_EML_CAP_EMLMR_DELAY_0US 0
+#define IEEE80211_EML_CAP_EMLMR_DELAY_32US 1
+#define IEEE80211_EML_CAP_EMLMR_DELAY_64US 2
+#define IEEE80211_EML_CAP_EMLMR_DELAY_128US 3
+#define IEEE80211_EML_CAP_EMLMR_DELAY_256US 4
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT 0x7800
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_0 0
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_128US 1
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_256US 2
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_512US 3
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_1TU 4
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_2TU 5
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_4TU 6
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_8TU 7
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_16TU 8
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_32TU 9
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_64TU 10
+#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_128TU 11
+
+#define IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS 0x000f
+#define IEEE80211_MLD_CAP_OP_SRS_SUPPORT 0x0010
+#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP 0x0060
+#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_NO_SUPP 0
+#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP_SAME 1
+#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_RESERVED 2
+#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP_DIFF 3
+#define IEEE80211_MLD_CAP_OP_FREQ_SEP_TYPE_IND 0x0f80
+#define IEEE80211_MLD_CAP_OP_AAR_SUPPORT 0x1000
+#define IEEE80211_MLD_CAP_OP_LINK_RECONF_SUPPORT 0x2000
+#define IEEE80211_MLD_CAP_OP_ALIGNED_TWT_SUPPORT 0x4000
+
+struct ieee80211_mle_basic_common_info {
+ u8 len;
+ u8 mld_mac_addr[ETH_ALEN];
+ u8 variable[];
+} __packed;
+
+#define IEEE80211_MLC_PREQ_PRES_MLD_ID 0x0010
+
+struct ieee80211_mle_preq_common_info {
+ u8 len;
+ u8 variable[];
+} __packed;
+
+#define IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR 0x0010
+#define IEEE80211_MLC_RECONF_PRES_EML_CAPA 0x0020
+#define IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP 0x0040
+#define IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP 0x0080
+
+/* no fixed fields in RECONF */
+
+struct ieee80211_mle_tdls_common_info {
+ u8 len;
+ u8 ap_mld_mac_addr[ETH_ALEN];
+} __packed;
+
+#define IEEE80211_MLC_PRIO_ACCESS_PRES_AP_MLD_MAC_ADDR 0x0010
+
+/* no fixed fields in PRIO_ACCESS */
+
+/**
+ * ieee80211_mle_common_size - check multi-link element common size
+ * @data: multi-link element, must already be checked for size using
+ * ieee80211_mle_size_ok()
+ * Return: the size of the multi-link element's "common" subfield
+ */
+static inline u8 ieee80211_mle_common_size(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+
+ switch (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE)) {
+ case IEEE80211_ML_CONTROL_TYPE_BASIC:
+ case IEEE80211_ML_CONTROL_TYPE_PREQ:
+ case IEEE80211_ML_CONTROL_TYPE_TDLS:
+ case IEEE80211_ML_CONTROL_TYPE_RECONF:
+ case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
+ /*
+ * The length is the first octet pointed by mle->variable so no
+ * need to add anything
+ */
+ break;
+ default:
+ WARN_ON(1);
+ return 0;
+ }
+
+ return sizeof(*mle) + mle->variable[0];
+}
+
+/**
+ * ieee80211_mle_get_link_id - returns the link ID
+ * @data: the basic multi link element
+ * Return: the link ID, or -1 if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline int ieee80211_mle_get_link_id(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /* common points now at the beginning of ieee80211_mle_basic_common_info */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_LINK_ID))
+ return -1;
+
+ return *common;
+}
+
+/**
+ * ieee80211_mle_get_bss_param_ch_cnt - returns the BSS parameter change count
+ * @data: pointer to the basic multi link element
+ * Return: the BSS Parameter Change Count field value, or -1 if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline int
+ieee80211_mle_get_bss_param_ch_cnt(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /* common points now at the beginning of ieee80211_mle_basic_common_info */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT))
+ return -1;
+
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+
+ return *common;
+}
+
+/**
+ * ieee80211_mle_get_eml_med_sync_delay - returns the medium sync delay
+ * @data: pointer to the multi-link element
+ * Return: the medium synchronization delay field value from the multi-link
+ * element, or the default value (%IEEE80211_MED_SYNC_DELAY_DEFAULT)
+ * if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline u16 ieee80211_mle_get_eml_med_sync_delay(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /* common points now at the beginning of ieee80211_mle_basic_common_info */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY))
+ return IEEE80211_MED_SYNC_DELAY_DEFAULT;
+
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
+ common += 1;
+
+ return get_unaligned_le16(common);
+}
+
+/**
+ * ieee80211_mle_get_eml_cap - returns the EML capability
+ * @data: pointer to the multi-link element
+ * Return: the EML capability field value from the multi-link element,
+ * or 0 if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline u16 ieee80211_mle_get_eml_cap(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /* common points now at the beginning of ieee80211_mle_basic_common_info */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_EML_CAPA))
+ return 0;
+
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
+ common += 2;
+
+ return get_unaligned_le16(common);
+}
+
+/**
+ * ieee80211_mle_get_mld_capa_op - returns the MLD capabilities and operations.
+ * @data: pointer to the multi-link element
+ * Return: the MLD capabilities and operations field value from the multi-link
+ * element, or 0 if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline u16 ieee80211_mle_get_mld_capa_op(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /*
+ * common points now at the beginning of
+ * ieee80211_mle_basic_common_info
+ */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP))
+ return 0;
+
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
+ common += 2;
+
+ return get_unaligned_le16(common);
+}
+
+/* Defined in Figure 9-1074t in P802.11be_D7.0 */
+#define IEEE80211_EHT_ML_EXT_MLD_CAPA_OP_PARAM_UPDATE 0x0001
+#define IEEE80211_EHT_ML_EXT_MLD_CAPA_OP_RECO_MAX_LINKS_MASK 0x001e
+#define IEEE80211_EHT_ML_EXT_MLD_CAPA_NSTR_UPDATE 0x0020
+#define IEEE80211_EHT_ML_EXT_MLD_CAPA_EMLSR_ENA_ON_ONE_LINK 0x0040
+#define IEEE80211_EHT_ML_EXT_MLD_CAPA_BTM_MLD_RECO_MULTI_AP 0x0080
+
+/**
+ * ieee80211_mle_get_ext_mld_capa_op - returns the extended MLD capabilities
+ * and operations.
+ * @data: pointer to the multi-link element
+ * Return: the extended MLD capabilities and operations field value from
+ * the multi-link element, or 0 if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline u16 ieee80211_mle_get_ext_mld_capa_op(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /*
+ * common points now at the beginning of
+ * ieee80211_mle_basic_common_info
+ */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP))
+ return 0;
+
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_MLD_ID)
+ common += 1;
+
+ return get_unaligned_le16(common);
+}
+
+/**
+ * ieee80211_mle_get_mld_id - returns the MLD ID
+ * @data: pointer to the multi-link element
+ * Return: The MLD ID in the given multi-link element, or 0 if not present
+ *
+ * The element is assumed to be of the correct type (BASIC) and big enough,
+ * this must be checked using ieee80211_mle_type_ok().
+ */
+static inline u8 ieee80211_mle_get_mld_id(const u8 *data)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control = le16_to_cpu(mle->control);
+ const u8 *common = mle->variable;
+
+ /*
+ * common points now at the beginning of
+ * ieee80211_mle_basic_common_info
+ */
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+
+ if (!(control & IEEE80211_MLC_BASIC_PRES_MLD_ID))
+ return 0;
+
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)
+ common += 2;
+
+ return *common;
+}
+
+/**
+ * ieee80211_mle_size_ok - validate multi-link element size
+ * @data: pointer to the element data
+ * @len: length of the containing element
+ * Return: whether or not the multi-link element size is OK
+ */
+static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u8 fixed = sizeof(*mle);
+ u8 common = 0;
+ bool check_common_len = false;
+ u16 control;
+
+ if (!data || len < fixed)
+ return false;
+
+ control = le16_to_cpu(mle->control);
+
+ switch (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE)) {
+ case IEEE80211_ML_CONTROL_TYPE_BASIC:
+ common += sizeof(struct ieee80211_mle_basic_common_info);
+ check_common_len = true;
+ if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)
+ common += 2;
+ if (control & IEEE80211_MLC_BASIC_PRES_MLD_ID)
+ common += 1;
+ if (control & IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP)
+ common += 2;
+ break;
+ case IEEE80211_ML_CONTROL_TYPE_PREQ:
+ common += sizeof(struct ieee80211_mle_preq_common_info);
+ if (control & IEEE80211_MLC_PREQ_PRES_MLD_ID)
+ common += 1;
+ check_common_len = true;
+ break;
+ case IEEE80211_ML_CONTROL_TYPE_RECONF:
+ if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
+ common += ETH_ALEN;
+ if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
+ common += 2;
+ if (control & IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP)
+ common += 2;
+ if (control & IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP)
+ common += 2;
+ break;
+ case IEEE80211_ML_CONTROL_TYPE_TDLS:
+ common += sizeof(struct ieee80211_mle_tdls_common_info);
+ check_common_len = true;
+ break;
+ case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
+ common = ETH_ALEN + 1;
+ break;
+ default:
+ /* we don't know this type */
+ return true;
+ }
+
+ if (len < fixed + common)
+ return false;
+
+ if (!check_common_len)
+ return true;
+
+ /* if present, common length is the first octet there */
+ return mle->variable[0] >= common;
+}
+
+/**
+ * ieee80211_mle_type_ok - validate multi-link element type and size
+ * @data: pointer to the element data
+ * @type: expected type of the element
+ * @len: length of the containing element
+ * Return: whether or not the multi-link element type matches and size is OK
+ */
+static inline bool ieee80211_mle_type_ok(const u8 *data, u8 type, size_t len)
+{
+ const struct ieee80211_multi_link_elem *mle = (const void *)data;
+ u16 control;
+
+ if (!ieee80211_mle_size_ok(data, len))
+ return false;
+
+ control = le16_to_cpu(mle->control);
+
+ if (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE) == type)
+ return true;
+
+ return false;
+}
+
+enum ieee80211_mle_subelems {
+ IEEE80211_MLE_SUBELEM_PER_STA_PROFILE = 0,
+ IEEE80211_MLE_SUBELEM_FRAGMENT = 254,
+};
+
+#define IEEE80211_MLE_STA_CONTROL_LINK_ID 0x000f
+#define IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE 0x0010
+#define IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT 0x0020
+#define IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT 0x0040
+#define IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT 0x0080
+#define IEEE80211_MLE_STA_CONTROL_DTIM_INFO_PRESENT 0x0100
+#define IEEE80211_MLE_STA_CONTROL_NSTR_LINK_PAIR_PRESENT 0x0200
+#define IEEE80211_MLE_STA_CONTROL_NSTR_BITMAP_SIZE 0x0400
+#define IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT 0x0800
+
+struct ieee80211_mle_per_sta_profile {
+ __le16 control;
+ u8 sta_info_len;
+ u8 variable[];
+} __packed;
+
+/**
+ * ieee80211_mle_basic_sta_prof_size_ok - validate basic multi-link element sta
+ * profile size
+ * @data: pointer to the sub element data
+ * @len: length of the containing sub element
+ * Return: %true if the STA profile is large enough, %false otherwise
+ */
+static inline bool ieee80211_mle_basic_sta_prof_size_ok(const u8 *data,
+ size_t len)
+{
+ const struct ieee80211_mle_per_sta_profile *prof = (const void *)data;
+ u16 control;
+ u8 fixed = sizeof(*prof);
+ u8 info_len = 1;
+
+ if (len < fixed)
+ return false;
+
+ control = le16_to_cpu(prof->control);
+
+ if (control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)
+ info_len += 6;
+ if (control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT)
+ info_len += 2;
+ if (control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT)
+ info_len += 8;
+ if (control & IEEE80211_MLE_STA_CONTROL_DTIM_INFO_PRESENT)
+ info_len += 2;
+ if (control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE &&
+ control & IEEE80211_MLE_STA_CONTROL_NSTR_LINK_PAIR_PRESENT) {
+ if (control & IEEE80211_MLE_STA_CONTROL_NSTR_BITMAP_SIZE)
+ info_len += 2;
+ else
+ info_len += 1;
+ }
+ if (control & IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT)
+ info_len += 1;
+
+ return prof->sta_info_len >= info_len &&
+ fixed + prof->sta_info_len - 1 <= len;
+}
+
+/**
+ * ieee80211_mle_basic_sta_prof_bss_param_ch_cnt - get per-STA profile BSS
+ * parameter change count
+ * @prof: the per-STA profile, having been checked with
+ * ieee80211_mle_basic_sta_prof_size_ok() for the correct length
+ *
+ * Return: The BSS parameter change count value if present, 0 otherwise.
+ */
+static inline u8
+ieee80211_mle_basic_sta_prof_bss_param_ch_cnt(const struct ieee80211_mle_per_sta_profile *prof)
+{
+ u16 control = le16_to_cpu(prof->control);
+ const u8 *pos = prof->variable;
+
+ if (!(control & IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT))
+ return 0;
+
+ if (control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)
+ pos += 6;
+ if (control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT)
+ pos += 2;
+ if (control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT)
+ pos += 8;
+ if (control & IEEE80211_MLE_STA_CONTROL_DTIM_INFO_PRESENT)
+ pos += 2;
+ if (control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE &&
+ control & IEEE80211_MLE_STA_CONTROL_NSTR_LINK_PAIR_PRESENT) {
+ if (control & IEEE80211_MLE_STA_CONTROL_NSTR_BITMAP_SIZE)
+ pos += 2;
+ else
+ pos += 1;
+ }
+
+ return *pos;
+}
+
+#define IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID 0x000f
+#define IEEE80211_MLE_STA_RECONF_CONTROL_COMPLETE_PROFILE 0x0010
+#define IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT 0x0020
+#define IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT 0x0040
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE 0x0780
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_AP_REM 0
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_OP_PARAM_UPDATE 1
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_ADD_LINK 2
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_DEL_LINK 3
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_NSTR_STATUS 4
+#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_PARAMS_PRESENT 0x0800
+
+/**
+ * ieee80211_mle_reconf_sta_prof_size_ok - validate reconfiguration multi-link
+ * element sta profile size.
+ * @data: pointer to the sub element data
+ * @len: length of the containing sub element
+ * Return: %true if the STA profile is large enough, %false otherwise
+ */
+static inline bool ieee80211_mle_reconf_sta_prof_size_ok(const u8 *data,
+ size_t len)
+{
+ const struct ieee80211_mle_per_sta_profile *prof = (const void *)data;
+ u16 control;
+ u8 fixed = sizeof(*prof);
+ u8 info_len = 1;
+
+ if (len < fixed)
+ return false;
+
+ control = le16_to_cpu(prof->control);
+
+ if (control & IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT)
+ info_len += ETH_ALEN;
+ if (control & IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT)
+ info_len += 2;
+ if (control & IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_PARAMS_PRESENT)
+ info_len += 2;
+
+ return prof->sta_info_len >= info_len &&
+ fixed + prof->sta_info_len - 1 <= len;
+}
+
+#define IEEE80211_MLE_STA_EPCS_CONTROL_LINK_ID 0x000f
+#define IEEE80211_EPCS_ENA_RESP_BODY_LEN 3
+
+static inline bool ieee80211_tid_to_link_map_size_ok(const u8 *data, size_t len)
+{
+ const struct ieee80211_ttlm_elem *t2l = (const void *)data;
+ u8 control, fixed = sizeof(*t2l), elem_len = 0;
+
+ if (len < fixed)
+ return false;
+
+ control = t2l->control;
+
+ if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT)
+ elem_len += 2;
+ if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT)
+ elem_len += 3;
+
+ if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) {
+ u8 bm_size;
+
+ elem_len += 1;
+ if (len < fixed + elem_len)
+ return false;
+
+ if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
+ bm_size = 1;
+ else
+ bm_size = 2;
+
+ elem_len += hweight8(t2l->optional[0]) * bm_size;
+ }
+
+ return len >= fixed + elem_len;
+}
+
+/**
+ * ieee80211_emlsr_pad_delay_in_us - Fetch the EMLSR Padding delay
+ * in microseconds
+ * @eml_cap: EML capabilities field value from common info field of
+ * the Multi-link element
+ * Return: the EMLSR Padding delay (in microseconds) encoded in the
+ * EML Capabilities field
+ */
+
+static inline u32 ieee80211_emlsr_pad_delay_in_us(u16 eml_cap)
+{
+ /* IEEE Std 802.11be-2024 Table 9-417i—Encoding of the EMLSR
+ * Padding Delay subfield.
+ */
+ u32 pad_delay = u16_get_bits(eml_cap,
+ IEEE80211_EML_CAP_EMLSR_PADDING_DELAY);
+
+ if (!pad_delay ||
+ pad_delay > IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_256US)
+ return 0;
+
+ return 32 * (1 << (pad_delay - 1));
+}
+
+/**
+ * ieee80211_emlsr_trans_delay_in_us - Fetch the EMLSR Transition
+ * delay in microseconds
+ * @eml_cap: EML capabilities field value from common info field of
+ * the Multi-link element
+ * Return: the EMLSR Transition delay (in microseconds) encoded in the
+ * EML Capabilities field
+ */
+
+static inline u32 ieee80211_emlsr_trans_delay_in_us(u16 eml_cap)
+{
+ /* IEEE Std 802.11be-2024 Table 9-417j—Encoding of the EMLSR
+ * Transition Delay subfield.
+ */
+ u32 trans_delay =
+ u16_get_bits(eml_cap,
+ IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY);
+
+ /* invalid values also just use 0 */
+ if (!trans_delay ||
+ trans_delay > IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_256US)
+ return 0;
+
+ return 16 * (1 << (trans_delay - 1));
+}
+
+/**
+ * ieee80211_eml_trans_timeout_in_us - Fetch the EMLSR Transition
+ * timeout value in microseconds
+ * @eml_cap: EML capabilities field value from common info field of
+ * the Multi-link element
+ * Return: the EMLSR Transition timeout (in microseconds) encoded in
+ * the EML Capabilities field
+ */
+
+static inline u32 ieee80211_eml_trans_timeout_in_us(u16 eml_cap)
+{
+ /* IEEE Std 802.11be-2024 Table 9-417m—Encoding of the
+ * Transition Timeout subfield.
+ */
+ u8 timeout = u16_get_bits(eml_cap,
+ IEEE80211_EML_CAP_TRANSITION_TIMEOUT);
+
+ /* invalid values also just use 0 */
+ if (!timeout || timeout > IEEE80211_EML_CAP_TRANSITION_TIMEOUT_128TU)
+ return 0;
+
+ return 128 * (1 << (timeout - 1));
+}
+
+#define for_each_mle_subelement(_elem, _data, _len) \
+ if (ieee80211_mle_size_ok(_data, _len)) \
+ for_each_element(_elem, \
+ _data + ieee80211_mle_common_size(_data),\
+ _len - ieee80211_mle_common_size(_data))
+
+#endif /* LINUX_IEEE80211_H */
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 2f3d0412ca759..992a0c09c1e53 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1141,30 +1141,6 @@ ieee80211_s1g_optional_len(__le16 fc)
return len;
}
-#define IEEE80211_TTLM_MAX_CNT 2
-#define IEEE80211_TTLM_CONTROL_DIRECTION 0x03
-#define IEEE80211_TTLM_CONTROL_DEF_LINK_MAP 0x04
-#define IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT 0x08
-#define IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT 0x10
-#define IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE 0x20
-
-#define IEEE80211_TTLM_DIRECTION_DOWN 0
-#define IEEE80211_TTLM_DIRECTION_UP 1
-#define IEEE80211_TTLM_DIRECTION_BOTH 2
-
-/**
- * struct ieee80211_ttlm_elem - TID-To-Link Mapping element
- *
- * Defined in section 9.4.2.314 in P802.11be_D4
- *
- * @control: the first part of control field
- * @optional: the second part of control field
- */
-struct ieee80211_ttlm_elem {
- u8 control;
- u8 optional[];
-} __packed;
-
/**
* struct ieee80211_bss_load_elem - BSS Load elemen
*
@@ -1591,144 +1567,6 @@ struct ieee80211_p2p_noa_attr {
#define IEEE80211_P2P_OPPPS_ENABLE_BIT BIT(7)
#define IEEE80211_P2P_OPPPS_CTWINDOW_MASK 0x7F
-#define IEEE80211_EHT_MCS_NSS_RX 0x0f
-#define IEEE80211_EHT_MCS_NSS_TX 0xf0
-
-/**
- * struct ieee80211_eht_mcs_nss_supp_20mhz_only - EHT 20MHz only station max
- * supported NSS for per MCS.
- *
- * For each field below, bits 0 - 3 indicate the maximal number of spatial
- * streams for Rx, and bits 4 - 7 indicate the maximal number of spatial streams
- * for Tx.
- *
- * @rx_tx_mcs7_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 0 - 7.
- * @rx_tx_mcs9_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 8 - 9.
- * @rx_tx_mcs11_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 10 - 11.
- * @rx_tx_mcs13_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 12 - 13.
- * @rx_tx_max_nss: array of the previous fields for easier loop access
- */
-struct ieee80211_eht_mcs_nss_supp_20mhz_only {
- union {
- struct {
- u8 rx_tx_mcs7_max_nss;
- u8 rx_tx_mcs9_max_nss;
- u8 rx_tx_mcs11_max_nss;
- u8 rx_tx_mcs13_max_nss;
- };
- u8 rx_tx_max_nss[4];
- };
-};
-
-/**
- * struct ieee80211_eht_mcs_nss_supp_bw - EHT max supported NSS per MCS (except
- * 20MHz only stations).
- *
- * For each field below, bits 0 - 3 indicate the maximal number of spatial
- * streams for Rx, and bits 4 - 7 indicate the maximal number of spatial streams
- * for Tx.
- *
- * @rx_tx_mcs9_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 0 - 9.
- * @rx_tx_mcs11_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 10 - 11.
- * @rx_tx_mcs13_max_nss: indicates the maximum number of spatial streams
- * supported for reception and the maximum number of spatial streams
- * supported for transmission for MCS 12 - 13.
- * @rx_tx_max_nss: array of the previous fields for easier loop access
- */
-struct ieee80211_eht_mcs_nss_supp_bw {
- union {
- struct {
- u8 rx_tx_mcs9_max_nss;
- u8 rx_tx_mcs11_max_nss;
- u8 rx_tx_mcs13_max_nss;
- };
- u8 rx_tx_max_nss[3];
- };
-};
-
-/**
- * struct ieee80211_eht_cap_elem_fixed - EHT capabilities fixed data
- *
- * This structure is the "EHT Capabilities element" fixed fields as
- * described in P802.11be_D2.0 section 9.4.2.313.
- *
- * @mac_cap_info: MAC capabilities, see IEEE80211_EHT_MAC_CAP*
- * @phy_cap_info: PHY capabilities, see IEEE80211_EHT_PHY_CAP*
- */
-struct ieee80211_eht_cap_elem_fixed {
- u8 mac_cap_info[2];
- u8 phy_cap_info[9];
-} __packed;
-
-/**
- * struct ieee80211_eht_cap_elem - EHT capabilities element
- * @fixed: fixed parts, see &ieee80211_eht_cap_elem_fixed
- * @optional: optional parts
- */
-struct ieee80211_eht_cap_elem {
- struct ieee80211_eht_cap_elem_fixed fixed;
-
- /*
- * Followed by:
- * Supported EHT-MCS And NSS Set field: 4, 3, 6 or 9 octets.
- * EHT PPE Thresholds field: variable length.
- */
- u8 optional[];
-} __packed;
-
-#define IEEE80211_EHT_OPER_INFO_PRESENT 0x01
-#define IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT 0x02
-#define IEEE80211_EHT_OPER_EHT_DEF_PE_DURATION 0x04
-#define IEEE80211_EHT_OPER_GROUP_ADDRESSED_BU_IND_LIMIT 0x08
-#define IEEE80211_EHT_OPER_GROUP_ADDRESSED_BU_IND_EXP_MASK 0x30
-#define IEEE80211_EHT_OPER_MCS15_DISABLE 0x40
-
-/**
- * struct ieee80211_eht_operation - eht operation element
- *
- * This structure is the "EHT Operation Element" fields as
- * described in P802.11be_D2.0 section 9.4.2.311
- *
- * @params: EHT operation element parameters. See &IEEE80211_EHT_OPER_*
- * @basic_mcs_nss: indicates the EHT-MCSs for each number of spatial streams in
- * EHT PPDUs that are supported by all EHT STAs in the BSS in transmit and
- * receive.
- * @optional: optional parts
- */
-struct ieee80211_eht_operation {
- u8 params;
- struct ieee80211_eht_mcs_nss_supp_20mhz_only basic_mcs_nss;
- u8 optional[];
-} __packed;
-
-/**
- * struct ieee80211_eht_operation_info - eht operation information
- *
- * @control: EHT operation information control.
- * @ccfs0: defines a channel center frequency for a 20, 40, 80, 160, or 320 MHz
- * EHT BSS.
- * @ccfs1: defines a channel center frequency for a 160 or 320 MHz EHT BSS.
- * @optional: optional parts
- */
-struct ieee80211_eht_operation_info {
- u8 control;
- u8 ccfs0;
- u8 ccfs1;
- u8 optional[];
-} __packed;
-
/* S1G Capabilities Information field */
#define IEEE80211_S1G_CAPABILITY_LEN 15
@@ -1815,258 +1653,6 @@ struct ieee80211_eht_operation_info {
#define S1G_2M_PRIMARY_LOCATION_LOWER 0
#define S1G_2M_PRIMARY_LOCATION_UPPER 1
-/* EHT MAC capabilities as defined in P802.11be_D2.0 section 9.4.2.313.2 */
-#define IEEE80211_EHT_MAC_CAP0_EPCS_PRIO_ACCESS 0x01
-#define IEEE80211_EHT_MAC_CAP0_OM_CONTROL 0x02
-#define IEEE80211_EHT_MAC_CAP0_TRIG_TXOP_SHARING_MODE1 0x04
-#define IEEE80211_EHT_MAC_CAP0_TRIG_TXOP_SHARING_MODE2 0x08
-#define IEEE80211_EHT_MAC_CAP0_RESTRICTED_TWT 0x10
-#define IEEE80211_EHT_MAC_CAP0_SCS_TRAFFIC_DESC 0x20
-#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_MASK 0xc0
-#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_3895 0
-#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_7991 1
-#define IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_11454 2
-
-#define IEEE80211_EHT_MAC_CAP1_MAX_AMPDU_LEN_MASK 0x01
-#define IEEE80211_EHT_MAC_CAP1_EHT_TRS 0x02
-#define IEEE80211_EHT_MAC_CAP1_TXOP_RET 0x04
-#define IEEE80211_EHT_MAC_CAP1_TWO_BQRS 0x08
-#define IEEE80211_EHT_MAC_CAP1_EHT_LINK_ADAPT_MASK 0x30
-#define IEEE80211_EHT_MAC_CAP1_UNSOL_EPCS_PRIO_ACCESS 0x40
-
-/* EHT PHY capabilities as defined in P802.11be_D2.0 section 9.4.2.313.3 */
-#define IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ 0x02
-#define IEEE80211_EHT_PHY_CAP0_242_TONE_RU_GT20MHZ 0x04
-#define IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI 0x08
-#define IEEE80211_EHT_PHY_CAP0_PARTIAL_BW_UL_MU_MIMO 0x10
-#define IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER 0x20
-#define IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMEE 0x40
-
-/* EHT beamformee number of spatial streams <= 80MHz is split */
-#define IEEE80211_EHT_PHY_CAP0_BEAMFORMEE_SS_80MHZ_MASK 0x80
-#define IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_80MHZ_MASK 0x03
-
-#define IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK 0x1c
-#define IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK 0xe0
-
-#define IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_80MHZ_MASK 0x07
-#define IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK 0x38
-
-/* EHT number of sounding dimensions for 320MHz is split */
-#define IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK 0xc0
-#define IEEE80211_EHT_PHY_CAP3_SOUNDING_DIM_320MHZ_MASK 0x01
-#define IEEE80211_EHT_PHY_CAP3_NG_16_SU_FEEDBACK 0x02
-#define IEEE80211_EHT_PHY_CAP3_NG_16_MU_FEEDBACK 0x04
-#define IEEE80211_EHT_PHY_CAP3_CODEBOOK_4_2_SU_FDBK 0x08
-#define IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK 0x10
-#define IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK 0x20
-#define IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK 0x40
-#define IEEE80211_EHT_PHY_CAP3_TRIG_CQI_FDBK 0x80
-
-#define IEEE80211_EHT_PHY_CAP4_PART_BW_DL_MU_MIMO 0x01
-#define IEEE80211_EHT_PHY_CAP4_PSR_SR_SUPP 0x02
-#define IEEE80211_EHT_PHY_CAP4_POWER_BOOST_FACT_SUPP 0x04
-#define IEEE80211_EHT_PHY_CAP4_EHT_MU_PPDU_4_EHT_LTF_08_GI 0x08
-#define IEEE80211_EHT_PHY_CAP4_MAX_NC_MASK 0xf0
-
-#define IEEE80211_EHT_PHY_CAP5_NON_TRIG_CQI_FEEDBACK 0x01
-#define IEEE80211_EHT_PHY_CAP5_TX_LESS_242_TONE_RU_SUPP 0x02
-#define IEEE80211_EHT_PHY_CAP5_RX_LESS_242_TONE_RU_SUPP 0x04
-#define IEEE80211_EHT_PHY_CAP5_PPE_THRESHOLD_PRESENT 0x08
-#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_MASK 0x30
-#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_0US 0
-#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_8US 1
-#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_16US 2
-#define IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_20US 3
-
-/* Maximum number of supported EHT LTF is split */
-#define IEEE80211_EHT_PHY_CAP5_MAX_NUM_SUPP_EHT_LTF_MASK 0xc0
-#define IEEE80211_EHT_PHY_CAP5_SUPP_EXTRA_EHT_LTF 0x40
-#define IEEE80211_EHT_PHY_CAP6_MAX_NUM_SUPP_EHT_LTF_MASK 0x07
-
-#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_80MHZ 0x08
-#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_160MHZ 0x30
-#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_320MHZ 0x40
-#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_MASK 0x78
-#define IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP 0x80
-
-#define IEEE80211_EHT_PHY_CAP7_20MHZ_STA_RX_NDP_WIDER_BW 0x01
-#define IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ 0x02
-#define IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ 0x04
-#define IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ 0x08
-#define IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ 0x10
-#define IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ 0x20
-#define IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ 0x40
-#define IEEE80211_EHT_PHY_CAP7_TB_SOUNDING_FDBK_RATE_LIMIT 0x80
-
-#define IEEE80211_EHT_PHY_CAP8_RX_1024QAM_WIDER_BW_DL_OFDMA 0x01
-#define IEEE80211_EHT_PHY_CAP8_RX_4096QAM_WIDER_BW_DL_OFDMA 0x02
-
-/*
- * EHT operation channel width as defined in P802.11be_D2.0 section 9.4.2.311
- */
-#define IEEE80211_EHT_OPER_CHAN_WIDTH 0x7
-#define IEEE80211_EHT_OPER_CHAN_WIDTH_20MHZ 0
-#define IEEE80211_EHT_OPER_CHAN_WIDTH_40MHZ 1
-#define IEEE80211_EHT_OPER_CHAN_WIDTH_80MHZ 2
-#define IEEE80211_EHT_OPER_CHAN_WIDTH_160MHZ 3
-#define IEEE80211_EHT_OPER_CHAN_WIDTH_320MHZ 4
-
-/* need HE definitions for EHT functions */
-#include "ieee80211-he.h"
-
-/* Calculate 802.11be EHT capabilities IE Tx/Rx EHT MCS NSS Support Field size */
-static inline u8
-ieee80211_eht_mcs_nss_size(const struct ieee80211_he_cap_elem *he_cap,
- const struct ieee80211_eht_cap_elem_fixed *eht_cap,
- bool from_ap)
-{
- u8 count = 0;
-
- /* on 2.4 GHz, if it supports 40 MHz, the result is 3 */
- if (he_cap->phy_cap_info[0] &
- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G)
- return 3;
-
- /* on 2.4 GHz, these three bits are reserved, so should be 0 */
- if (he_cap->phy_cap_info[0] &
- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G)
- count += 3;
-
- if (he_cap->phy_cap_info[0] &
- IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
- count += 3;
-
- if (eht_cap->phy_cap_info[0] & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ)
- count += 3;
-
- if (count)
- return count;
-
- return from_ap ? 3 : 4;
-}
-
-/* 802.11be EHT PPE Thresholds */
-#define IEEE80211_EHT_PPE_THRES_NSS_POS 0
-#define IEEE80211_EHT_PPE_THRES_NSS_MASK 0xf
-#define IEEE80211_EHT_PPE_THRES_RU_INDEX_BITMASK_MASK 0x1f0
-#define IEEE80211_EHT_PPE_THRES_INFO_PPET_SIZE 3
-#define IEEE80211_EHT_PPE_THRES_INFO_HEADER_SIZE 9
-
-/*
- * Calculate 802.11be EHT capabilities IE EHT field size
- */
-static inline u8
-ieee80211_eht_ppe_size(u16 ppe_thres_hdr, const u8 *phy_cap_info)
-{
- u32 n;
-
- if (!(phy_cap_info[5] &
- IEEE80211_EHT_PHY_CAP5_PPE_THRESHOLD_PRESENT))
- return 0;
-
- n = hweight16(ppe_thres_hdr &
- IEEE80211_EHT_PPE_THRES_RU_INDEX_BITMASK_MASK);
- n *= 1 + u16_get_bits(ppe_thres_hdr, IEEE80211_EHT_PPE_THRES_NSS_MASK);
-
- /*
- * Each pair is 6 bits, and we need to add the 9 "header" bits to the
- * total size.
- */
- n = n * IEEE80211_EHT_PPE_THRES_INFO_PPET_SIZE * 2 +
- IEEE80211_EHT_PPE_THRES_INFO_HEADER_SIZE;
- return DIV_ROUND_UP(n, 8);
-}
-
-static inline bool
-ieee80211_eht_capa_size_ok(const u8 *he_capa, const u8 *data, u8 len,
- bool from_ap)
-{
- const struct ieee80211_eht_cap_elem_fixed *elem = (const void *)data;
- u8 needed = sizeof(struct ieee80211_eht_cap_elem_fixed);
-
- if (len < needed || !he_capa)
- return false;
-
- needed += ieee80211_eht_mcs_nss_size((const void *)he_capa,
- (const void *)data,
- from_ap);
- if (len < needed)
- return false;
-
- if (elem->phy_cap_info[5] &
- IEEE80211_EHT_PHY_CAP5_PPE_THRESHOLD_PRESENT) {
- u16 ppe_thres_hdr;
-
- if (len < needed + sizeof(ppe_thres_hdr))
- return false;
-
- ppe_thres_hdr = get_unaligned_le16(data + needed);
- needed += ieee80211_eht_ppe_size(ppe_thres_hdr,
- elem->phy_cap_info);
- }
-
- return len >= needed;
-}
-
-static inline bool
-ieee80211_eht_oper_size_ok(const u8 *data, u8 len)
-{
- const struct ieee80211_eht_operation *elem = (const void *)data;
- u8 needed = sizeof(*elem);
-
- if (len < needed)
- return false;
-
- if (elem->params & IEEE80211_EHT_OPER_INFO_PRESENT) {
- needed += 3;
-
- if (elem->params &
- IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)
- needed += 2;
- }
-
- return len >= needed;
-}
-
-/* must validate ieee80211_eht_oper_size_ok() first */
-static inline u16
-ieee80211_eht_oper_dis_subchan_bitmap(const struct ieee80211_eht_operation *eht_oper)
-{
- const struct ieee80211_eht_operation_info *info =
- (const void *)eht_oper->optional;
-
- if (!(eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT))
- return 0;
-
- if (!(eht_oper->params & IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT))
- return 0;
-
- return get_unaligned_le16(info->optional);
-}
-
-#define IEEE80211_BW_IND_DIS_SUBCH_PRESENT BIT(1)
-
-struct ieee80211_bandwidth_indication {
- u8 params;
- struct ieee80211_eht_operation_info info;
-} __packed;
-
-static inline bool
-ieee80211_bandwidth_indication_size_ok(const u8 *data, u8 len)
-{
- const struct ieee80211_bandwidth_indication *bwi = (const void *)data;
-
- if (len < sizeof(*bwi))
- return false;
-
- if (bwi->params & IEEE80211_BW_IND_DIS_SUBCH_PRESENT &&
- len < sizeof(*bwi) + 2)
- return false;
-
- return true;
-}
-
#define LISTEN_INT_USF GENMASK(15, 14)
#define LISTEN_INT_UI GENMASK(13, 0)
@@ -2587,23 +2173,6 @@ enum ieee80211_unprotected_wnm_actioncode {
WLAN_UNPROTECTED_WNM_ACTION_TIMING_MEASUREMENT_RESPONSE = 1,
};
-/* Protected EHT action codes */
-enum ieee80211_protected_eht_actioncode {
- WLAN_PROTECTED_EHT_ACTION_TTLM_REQ = 0,
- WLAN_PROTECTED_EHT_ACTION_TTLM_RES = 1,
- WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN = 2,
- WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_REQ = 3,
- WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_RESP = 4,
- WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN = 5,
- WLAN_PROTECTED_EHT_ACTION_EML_OP_MODE_NOTIF = 6,
- WLAN_PROTECTED_EHT_ACTION_LINK_RECOMMEND = 7,
- WLAN_PROTECTED_EHT_ACTION_ML_OP_UPDATE_REQ = 8,
- WLAN_PROTECTED_EHT_ACTION_ML_OP_UPDATE_RESP = 9,
- WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_NOTIF = 10,
- WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_REQ = 11,
- WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_RESP = 12,
-};
-
/* Security key length */
enum ieee80211_key_len {
WLAN_KEY_LEN_WEP40 = 5,
@@ -3855,737 +3424,6 @@ struct ieee80211_tbtt_info_ge_11 {
struct ieee80211_rnr_mld_params mld_params;
} __packed;
-/* multi-link device */
-#define IEEE80211_MLD_MAX_NUM_LINKS 15
-
-#define IEEE80211_ML_CONTROL_TYPE 0x0007
-#define IEEE80211_ML_CONTROL_TYPE_BASIC 0
-#define IEEE80211_ML_CONTROL_TYPE_PREQ 1
-#define IEEE80211_ML_CONTROL_TYPE_RECONF 2
-#define IEEE80211_ML_CONTROL_TYPE_TDLS 3
-#define IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS 4
-#define IEEE80211_ML_CONTROL_PRESENCE_MASK 0xfff0
-
-struct ieee80211_multi_link_elem {
- __le16 control;
- u8 variable[];
-} __packed;
-
-#define IEEE80211_MLC_BASIC_PRES_LINK_ID 0x0010
-#define IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT 0x0020
-#define IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY 0x0040
-#define IEEE80211_MLC_BASIC_PRES_EML_CAPA 0x0080
-#define IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP 0x0100
-#define IEEE80211_MLC_BASIC_PRES_MLD_ID 0x0200
-#define IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP 0x0400
-
-#define IEEE80211_MED_SYNC_DELAY_DURATION 0x00ff
-#define IEEE80211_MED_SYNC_DELAY_SYNC_OFDM_ED_THRESH 0x0f00
-#define IEEE80211_MED_SYNC_DELAY_SYNC_MAX_NUM_TXOPS 0xf000
-
-/*
- * Described in P802.11be_D3.0
- * dot11MSDTimerDuration should default to 5484 (i.e. 171.375)
- * dot11MSDOFDMEDthreshold defaults to -72 (i.e. 0)
- * dot11MSDTXOPMAX defaults to 1
- */
-#define IEEE80211_MED_SYNC_DELAY_DEFAULT 0x10ac
-
-#define IEEE80211_EML_CAP_EMLSR_SUPP 0x0001
-#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY 0x000e
-#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_0US 0
-#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_32US 1
-#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_64US 2
-#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_128US 3
-#define IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_256US 4
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY 0x0070
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_0US 0
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_16US 1
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_32US 2
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_64US 3
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_128US 4
-#define IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_256US 5
-#define IEEE80211_EML_CAP_EMLMR_SUPPORT 0x0080
-#define IEEE80211_EML_CAP_EMLMR_DELAY 0x0700
-#define IEEE80211_EML_CAP_EMLMR_DELAY_0US 0
-#define IEEE80211_EML_CAP_EMLMR_DELAY_32US 1
-#define IEEE80211_EML_CAP_EMLMR_DELAY_64US 2
-#define IEEE80211_EML_CAP_EMLMR_DELAY_128US 3
-#define IEEE80211_EML_CAP_EMLMR_DELAY_256US 4
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT 0x7800
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_0 0
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_128US 1
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_256US 2
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_512US 3
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_1TU 4
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_2TU 5
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_4TU 6
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_8TU 7
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_16TU 8
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_32TU 9
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_64TU 10
-#define IEEE80211_EML_CAP_TRANSITION_TIMEOUT_128TU 11
-
-#define IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS 0x000f
-#define IEEE80211_MLD_CAP_OP_SRS_SUPPORT 0x0010
-#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP 0x0060
-#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_NO_SUPP 0
-#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP_SAME 1
-#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_RESERVED 2
-#define IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP_DIFF 3
-#define IEEE80211_MLD_CAP_OP_FREQ_SEP_TYPE_IND 0x0f80
-#define IEEE80211_MLD_CAP_OP_AAR_SUPPORT 0x1000
-#define IEEE80211_MLD_CAP_OP_LINK_RECONF_SUPPORT 0x2000
-#define IEEE80211_MLD_CAP_OP_ALIGNED_TWT_SUPPORT 0x4000
-
-struct ieee80211_mle_basic_common_info {
- u8 len;
- u8 mld_mac_addr[ETH_ALEN];
- u8 variable[];
-} __packed;
-
-#define IEEE80211_MLC_PREQ_PRES_MLD_ID 0x0010
-
-struct ieee80211_mle_preq_common_info {
- u8 len;
- u8 variable[];
-} __packed;
-
-#define IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR 0x0010
-#define IEEE80211_MLC_RECONF_PRES_EML_CAPA 0x0020
-#define IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP 0x0040
-#define IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP 0x0080
-
-/* no fixed fields in RECONF */
-
-struct ieee80211_mle_tdls_common_info {
- u8 len;
- u8 ap_mld_mac_addr[ETH_ALEN];
-} __packed;
-
-#define IEEE80211_MLC_PRIO_ACCESS_PRES_AP_MLD_MAC_ADDR 0x0010
-
-/* no fixed fields in PRIO_ACCESS */
-
-/**
- * ieee80211_mle_common_size - check multi-link element common size
- * @data: multi-link element, must already be checked for size using
- * ieee80211_mle_size_ok()
- * Return: the size of the multi-link element's "common" subfield
- */
-static inline u8 ieee80211_mle_common_size(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
-
- switch (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE)) {
- case IEEE80211_ML_CONTROL_TYPE_BASIC:
- case IEEE80211_ML_CONTROL_TYPE_PREQ:
- case IEEE80211_ML_CONTROL_TYPE_TDLS:
- case IEEE80211_ML_CONTROL_TYPE_RECONF:
- case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
- /*
- * The length is the first octet pointed by mle->variable so no
- * need to add anything
- */
- break;
- default:
- WARN_ON(1);
- return 0;
- }
-
- return sizeof(*mle) + mle->variable[0];
-}
-
-/**
- * ieee80211_mle_get_link_id - returns the link ID
- * @data: the basic multi link element
- * Return: the link ID, or -1 if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline int ieee80211_mle_get_link_id(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /* common points now at the beginning of ieee80211_mle_basic_common_info */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_LINK_ID))
- return -1;
-
- return *common;
-}
-
-/**
- * ieee80211_mle_get_bss_param_ch_cnt - returns the BSS parameter change count
- * @data: pointer to the basic multi link element
- * Return: the BSS Parameter Change Count field value, or -1 if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline int
-ieee80211_mle_get_bss_param_ch_cnt(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /* common points now at the beginning of ieee80211_mle_basic_common_info */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT))
- return -1;
-
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
-
- return *common;
-}
-
-/**
- * ieee80211_mle_get_eml_med_sync_delay - returns the medium sync delay
- * @data: pointer to the multi-link element
- * Return: the medium synchronization delay field value from the multi-link
- * element, or the default value (%IEEE80211_MED_SYNC_DELAY_DEFAULT)
- * if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline u16 ieee80211_mle_get_eml_med_sync_delay(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /* common points now at the beginning of ieee80211_mle_basic_common_info */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY))
- return IEEE80211_MED_SYNC_DELAY_DEFAULT;
-
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
- common += 1;
-
- return get_unaligned_le16(common);
-}
-
-/**
- * ieee80211_mle_get_eml_cap - returns the EML capability
- * @data: pointer to the multi-link element
- * Return: the EML capability field value from the multi-link element,
- * or 0 if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline u16 ieee80211_mle_get_eml_cap(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /* common points now at the beginning of ieee80211_mle_basic_common_info */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_EML_CAPA))
- return 0;
-
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
- common += 2;
-
- return get_unaligned_le16(common);
-}
-
-/**
- * ieee80211_mle_get_mld_capa_op - returns the MLD capabilities and operations.
- * @data: pointer to the multi-link element
- * Return: the MLD capabilities and operations field value from the multi-link
- * element, or 0 if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline u16 ieee80211_mle_get_mld_capa_op(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /*
- * common points now at the beginning of
- * ieee80211_mle_basic_common_info
- */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP))
- return 0;
-
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
- common += 2;
-
- return get_unaligned_le16(common);
-}
-
-/* Defined in Figure 9-1074t in P802.11be_D7.0 */
-#define IEEE80211_EHT_ML_EXT_MLD_CAPA_OP_PARAM_UPDATE 0x0001
-#define IEEE80211_EHT_ML_EXT_MLD_CAPA_OP_RECO_MAX_LINKS_MASK 0x001e
-#define IEEE80211_EHT_ML_EXT_MLD_CAPA_NSTR_UPDATE 0x0020
-#define IEEE80211_EHT_ML_EXT_MLD_CAPA_EMLSR_ENA_ON_ONE_LINK 0x0040
-#define IEEE80211_EHT_ML_EXT_MLD_CAPA_BTM_MLD_RECO_MULTI_AP 0x0080
-
-/**
- * ieee80211_mle_get_ext_mld_capa_op - returns the extended MLD capabilities
- * and operations.
- * @data: pointer to the multi-link element
- * Return: the extended MLD capabilities and operations field value from
- * the multi-link element, or 0 if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline u16 ieee80211_mle_get_ext_mld_capa_op(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /*
- * common points now at the beginning of
- * ieee80211_mle_basic_common_info
- */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP))
- return 0;
-
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_MLD_ID)
- common += 1;
-
- return get_unaligned_le16(common);
-}
-
-/**
- * ieee80211_mle_get_mld_id - returns the MLD ID
- * @data: pointer to the multi-link element
- * Return: The MLD ID in the given multi-link element, or 0 if not present
- *
- * The element is assumed to be of the correct type (BASIC) and big enough,
- * this must be checked using ieee80211_mle_type_ok().
- */
-static inline u8 ieee80211_mle_get_mld_id(const u8 *data)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control = le16_to_cpu(mle->control);
- const u8 *common = mle->variable;
-
- /*
- * common points now at the beginning of
- * ieee80211_mle_basic_common_info
- */
- common += sizeof(struct ieee80211_mle_basic_common_info);
-
- if (!(control & IEEE80211_MLC_BASIC_PRES_MLD_ID))
- return 0;
-
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)
- common += 2;
-
- return *common;
-}
-
-/**
- * ieee80211_mle_size_ok - validate multi-link element size
- * @data: pointer to the element data
- * @len: length of the containing element
- * Return: whether or not the multi-link element size is OK
- */
-static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u8 fixed = sizeof(*mle);
- u8 common = 0;
- bool check_common_len = false;
- u16 control;
-
- if (!data || len < fixed)
- return false;
-
- control = le16_to_cpu(mle->control);
-
- switch (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE)) {
- case IEEE80211_ML_CONTROL_TYPE_BASIC:
- common += sizeof(struct ieee80211_mle_basic_common_info);
- check_common_len = true;
- if (control & IEEE80211_MLC_BASIC_PRES_LINK_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_EML_CAPA)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)
- common += 2;
- if (control & IEEE80211_MLC_BASIC_PRES_MLD_ID)
- common += 1;
- if (control & IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP)
- common += 2;
- break;
- case IEEE80211_ML_CONTROL_TYPE_PREQ:
- common += sizeof(struct ieee80211_mle_preq_common_info);
- if (control & IEEE80211_MLC_PREQ_PRES_MLD_ID)
- common += 1;
- check_common_len = true;
- break;
- case IEEE80211_ML_CONTROL_TYPE_RECONF:
- if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
- common += ETH_ALEN;
- if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
- common += 2;
- if (control & IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP)
- common += 2;
- if (control & IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP)
- common += 2;
- break;
- case IEEE80211_ML_CONTROL_TYPE_TDLS:
- common += sizeof(struct ieee80211_mle_tdls_common_info);
- check_common_len = true;
- break;
- case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
- common = ETH_ALEN + 1;
- break;
- default:
- /* we don't know this type */
- return true;
- }
-
- if (len < fixed + common)
- return false;
-
- if (!check_common_len)
- return true;
-
- /* if present, common length is the first octet there */
- return mle->variable[0] >= common;
-}
-
-/**
- * ieee80211_mle_type_ok - validate multi-link element type and size
- * @data: pointer to the element data
- * @type: expected type of the element
- * @len: length of the containing element
- * Return: whether or not the multi-link element type matches and size is OK
- */
-static inline bool ieee80211_mle_type_ok(const u8 *data, u8 type, size_t len)
-{
- const struct ieee80211_multi_link_elem *mle = (const void *)data;
- u16 control;
-
- if (!ieee80211_mle_size_ok(data, len))
- return false;
-
- control = le16_to_cpu(mle->control);
-
- if (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE) == type)
- return true;
-
- return false;
-}
-
-enum ieee80211_mle_subelems {
- IEEE80211_MLE_SUBELEM_PER_STA_PROFILE = 0,
- IEEE80211_MLE_SUBELEM_FRAGMENT = 254,
-};
-
-#define IEEE80211_MLE_STA_CONTROL_LINK_ID 0x000f
-#define IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE 0x0010
-#define IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT 0x0020
-#define IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT 0x0040
-#define IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT 0x0080
-#define IEEE80211_MLE_STA_CONTROL_DTIM_INFO_PRESENT 0x0100
-#define IEEE80211_MLE_STA_CONTROL_NSTR_LINK_PAIR_PRESENT 0x0200
-#define IEEE80211_MLE_STA_CONTROL_NSTR_BITMAP_SIZE 0x0400
-#define IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT 0x0800
-
-struct ieee80211_mle_per_sta_profile {
- __le16 control;
- u8 sta_info_len;
- u8 variable[];
-} __packed;
-
-/**
- * ieee80211_mle_basic_sta_prof_size_ok - validate basic multi-link element sta
- * profile size
- * @data: pointer to the sub element data
- * @len: length of the containing sub element
- * Return: %true if the STA profile is large enough, %false otherwise
- */
-static inline bool ieee80211_mle_basic_sta_prof_size_ok(const u8 *data,
- size_t len)
-{
- const struct ieee80211_mle_per_sta_profile *prof = (const void *)data;
- u16 control;
- u8 fixed = sizeof(*prof);
- u8 info_len = 1;
-
- if (len < fixed)
- return false;
-
- control = le16_to_cpu(prof->control);
-
- if (control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)
- info_len += 6;
- if (control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT)
- info_len += 2;
- if (control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT)
- info_len += 8;
- if (control & IEEE80211_MLE_STA_CONTROL_DTIM_INFO_PRESENT)
- info_len += 2;
- if (control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE &&
- control & IEEE80211_MLE_STA_CONTROL_NSTR_LINK_PAIR_PRESENT) {
- if (control & IEEE80211_MLE_STA_CONTROL_NSTR_BITMAP_SIZE)
- info_len += 2;
- else
- info_len += 1;
- }
- if (control & IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT)
- info_len += 1;
-
- return prof->sta_info_len >= info_len &&
- fixed + prof->sta_info_len - 1 <= len;
-}
-
-/**
- * ieee80211_mle_basic_sta_prof_bss_param_ch_cnt - get per-STA profile BSS
- * parameter change count
- * @prof: the per-STA profile, having been checked with
- * ieee80211_mle_basic_sta_prof_size_ok() for the correct length
- *
- * Return: The BSS parameter change count value if present, 0 otherwise.
- */
-static inline u8
-ieee80211_mle_basic_sta_prof_bss_param_ch_cnt(const struct ieee80211_mle_per_sta_profile *prof)
-{
- u16 control = le16_to_cpu(prof->control);
- const u8 *pos = prof->variable;
-
- if (!(control & IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT))
- return 0;
-
- if (control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)
- pos += 6;
- if (control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT)
- pos += 2;
- if (control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT)
- pos += 8;
- if (control & IEEE80211_MLE_STA_CONTROL_DTIM_INFO_PRESENT)
- pos += 2;
- if (control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE &&
- control & IEEE80211_MLE_STA_CONTROL_NSTR_LINK_PAIR_PRESENT) {
- if (control & IEEE80211_MLE_STA_CONTROL_NSTR_BITMAP_SIZE)
- pos += 2;
- else
- pos += 1;
- }
-
- return *pos;
-}
-
-#define IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID 0x000f
-#define IEEE80211_MLE_STA_RECONF_CONTROL_COMPLETE_PROFILE 0x0010
-#define IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT 0x0020
-#define IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT 0x0040
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE 0x0780
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_AP_REM 0
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_OP_PARAM_UPDATE 1
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_ADD_LINK 2
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_DEL_LINK 3
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_NSTR_STATUS 4
-#define IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_PARAMS_PRESENT 0x0800
-
-/**
- * ieee80211_mle_reconf_sta_prof_size_ok - validate reconfiguration multi-link
- * element sta profile size.
- * @data: pointer to the sub element data
- * @len: length of the containing sub element
- * Return: %true if the STA profile is large enough, %false otherwise
- */
-static inline bool ieee80211_mle_reconf_sta_prof_size_ok(const u8 *data,
- size_t len)
-{
- const struct ieee80211_mle_per_sta_profile *prof = (const void *)data;
- u16 control;
- u8 fixed = sizeof(*prof);
- u8 info_len = 1;
-
- if (len < fixed)
- return false;
-
- control = le16_to_cpu(prof->control);
-
- if (control & IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT)
- info_len += ETH_ALEN;
- if (control & IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT)
- info_len += 2;
- if (control & IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_PARAMS_PRESENT)
- info_len += 2;
-
- return prof->sta_info_len >= info_len &&
- fixed + prof->sta_info_len - 1 <= len;
-}
-
-#define IEEE80211_MLE_STA_EPCS_CONTROL_LINK_ID 0x000f
-#define IEEE80211_EPCS_ENA_RESP_BODY_LEN 3
-
-static inline bool ieee80211_tid_to_link_map_size_ok(const u8 *data, size_t len)
-{
- const struct ieee80211_ttlm_elem *t2l = (const void *)data;
- u8 control, fixed = sizeof(*t2l), elem_len = 0;
-
- if (len < fixed)
- return false;
-
- control = t2l->control;
-
- if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT)
- elem_len += 2;
- if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT)
- elem_len += 3;
-
- if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) {
- u8 bm_size;
-
- elem_len += 1;
- if (len < fixed + elem_len)
- return false;
-
- if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
- bm_size = 1;
- else
- bm_size = 2;
-
- elem_len += hweight8(t2l->optional[0]) * bm_size;
- }
-
- return len >= fixed + elem_len;
-}
-
-/**
- * ieee80211_emlsr_pad_delay_in_us - Fetch the EMLSR Padding delay
- * in microseconds
- * @eml_cap: EML capabilities field value from common info field of
- * the Multi-link element
- * Return: the EMLSR Padding delay (in microseconds) encoded in the
- * EML Capabilities field
- */
-
-static inline u32 ieee80211_emlsr_pad_delay_in_us(u16 eml_cap)
-{
- /* IEEE Std 802.11be-2024 Table 9-417i—Encoding of the EMLSR
- * Padding Delay subfield.
- */
- u32 pad_delay = u16_get_bits(eml_cap,
- IEEE80211_EML_CAP_EMLSR_PADDING_DELAY);
-
- if (!pad_delay ||
- pad_delay > IEEE80211_EML_CAP_EMLSR_PADDING_DELAY_256US)
- return 0;
-
- return 32 * (1 << (pad_delay - 1));
-}
-
-/**
- * ieee80211_emlsr_trans_delay_in_us - Fetch the EMLSR Transition
- * delay in microseconds
- * @eml_cap: EML capabilities field value from common info field of
- * the Multi-link element
- * Return: the EMLSR Transition delay (in microseconds) encoded in the
- * EML Capabilities field
- */
-
-static inline u32 ieee80211_emlsr_trans_delay_in_us(u16 eml_cap)
-{
- /* IEEE Std 802.11be-2024 Table 9-417j—Encoding of the EMLSR
- * Transition Delay subfield.
- */
- u32 trans_delay =
- u16_get_bits(eml_cap,
- IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY);
-
- /* invalid values also just use 0 */
- if (!trans_delay ||
- trans_delay > IEEE80211_EML_CAP_EMLSR_TRANSITION_DELAY_256US)
- return 0;
-
- return 16 * (1 << (trans_delay - 1));
-}
-
-/**
- * ieee80211_eml_trans_timeout_in_us - Fetch the EMLSR Transition
- * timeout value in microseconds
- * @eml_cap: EML capabilities field value from common info field of
- * the Multi-link element
- * Return: the EMLSR Transition timeout (in microseconds) encoded in
- * the EML Capabilities field
- */
-
-static inline u32 ieee80211_eml_trans_timeout_in_us(u16 eml_cap)
-{
- /* IEEE Std 802.11be-2024 Table 9-417m—Encoding of the
- * Transition Timeout subfield.
- */
- u8 timeout = u16_get_bits(eml_cap,
- IEEE80211_EML_CAP_TRANSITION_TIMEOUT);
-
- /* invalid values also just use 0 */
- if (!timeout || timeout > IEEE80211_EML_CAP_TRANSITION_TIMEOUT_128TU)
- return 0;
-
- return 128 * (1 << (timeout - 1));
-}
-
-#define for_each_mle_subelement(_elem, _data, _len) \
- if (ieee80211_mle_size_ok(_data, _len)) \
- for_each_element(_elem, \
- _data + ieee80211_mle_common_size(_data),\
- _len - ieee80211_mle_common_size(_data))
-
/* NAN operation mode, as defined in Wi-Fi Aware (TM) specification Table 81 */
#define NAN_OP_MODE_PHY_MODE_VHT 0x01
#define NAN_OP_MODE_PHY_MODE_HE 0x10
@@ -4605,6 +3443,8 @@ static inline u32 ieee80211_eml_trans_timeout_in_us(u16 eml_cap)
#include "ieee80211-ht.h"
#include "ieee80211-vht.h"
+#include "ieee80211-he.h"
+#include "ieee80211-eht.h"
#include "ieee80211-mesh.h"
#endif /* LINUX_IEEE80211_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 062/957] wifi: ieee80211: fix definition of EHT-MCS 15 in MRU
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 061/957] wifi: ieee80211: split EHT " Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 063/957] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
` (900 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shayne Chen, Johannes Berg,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shayne Chen <shayne.chen@mediatek.com>
[ Upstream commit cb0caadb64ca0894c4a24e1a34841f260d462f90 ]
According to the definition in IEEE Std 802.11be-2024, Table 9-417r, each
bit indicates support for the transmission and reception of EHT-MCS 15 in:
- B0: 52+26-tone and 106+26-tone MRUs.
- B1: a 484+242-tone MRU if 80 MHz is supported.
- B2: a 996+484-tone MRU and a 996+484+242-tone MRU if 160 MHz is
supported.
- B3: a 3×996-tone MRU if 320 MHz is supported.
Fixes: 6239da18d2f9 ("wifi: mac80211: adjust EHT capa when lowering bandwidth")
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20260313062150.3165433-1-shayne.chen@mediatek.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211-eht.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
index f9782e46c5e52..cd9abf5193966 100644
--- a/include/linux/ieee80211-eht.h
+++ b/include/linux/ieee80211-eht.h
@@ -251,8 +251,8 @@ struct ieee80211_eht_operation_info {
#define IEEE80211_EHT_PHY_CAP5_SUPP_EXTRA_EHT_LTF 0x40
#define IEEE80211_EHT_PHY_CAP6_MAX_NUM_SUPP_EHT_LTF_MASK 0x07
-#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_80MHZ 0x08
-#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_160MHZ 0x30
+#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_80MHZ 0x10
+#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_160MHZ 0x20
#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_320MHZ 0x40
#define IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_MASK 0x78
#define IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP 0x80
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 063/957] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 062/957] wifi: ieee80211: fix definition of EHT-MCS 15 in MRU Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 064/957] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
` (899 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Cai Xinchen,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit 12589892f41c4c645c80ef9f036f7451a6045624 ]
Since the commit 84cba72956fd ("dpaa2-switch: integrate
the MAC endpoint support") included dpaa2-mac.o in the driver,
but it didn't select PCS_LYNX, PHYLINK and FSL_XGMAC_MDIO. it
will lead to link error, such as
undefined reference to `phylink_ethtool_ksettings_set'
undefined reference to `lynx_pcs_create_fwnode'
And the same reason as the commit d2624e70a2f53 ("dpaa2-eth: select
XGMAC_MDIO for MDIO bus support"), enable the FSL_XGMAC_MDIO Kconfig
option in order to have MDIO access to internal and external PHYs.
Because dpaa2-switch uses fsl_mc_driver APIs, add depends on FSL_MC_BUS
&& FSL_MC_DPIO as FSL_DPAA2_SWITCH do.
FSL_XGMAC_MDIO and FSL_MC_BUS depend on OF, thus the dependence of
FSL_MC_BUS can satisfy FSL_XGMAC_MDIO's OF requirement.
Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support")
Suggested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Link: https://patch.msgid.link/20260312065907.476663-2-caixinchen1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/Kconfig | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/freescale/dpaa2/Kconfig b/drivers/net/ethernet/freescale/dpaa2/Kconfig
index d029b69c3f183..36280e5d99e1f 100644
--- a/drivers/net/ethernet/freescale/dpaa2/Kconfig
+++ b/drivers/net/ethernet/freescale/dpaa2/Kconfig
@@ -34,6 +34,10 @@ config FSL_DPAA2_SWITCH
tristate "Freescale DPAA2 Ethernet Switch"
depends on BRIDGE || BRIDGE=n
depends on NET_SWITCHDEV
+ depends on FSL_MC_BUS && FSL_MC_DPIO
+ select PHYLINK
+ select PCS_LYNX
+ select FSL_XGMAC_MDIO
help
Driver for Freescale DPAA2 Ethernet Switch. This driver manages
switch objects discovered on the Freeescale MC bus.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 064/957] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 063/957] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 065/957] s390/bpf: Zero-extend bpf prog return values and kfunc arguments Greg Kroah-Hartman
` (898 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ioana Ciornei, Cai Xinchen,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit 97daf00745f7f9f261b0e91418de6e79d7826c36 ]
CONFIG_FSL_DPAA2_ETH and CONFIG_FSL_DPAA2_SWITCH are not
associated, but the compilation of FSL_DPAA2_SWITCH depends on
the compilation of the dpaa2 folder. The files controlled by
CONFIG_FSL_DPAA2_SWITCH in the dpaa2 folder are not controlled
by CONFIG_FSL_DPAA2_ETH, except for the files controlled by
CONFIG_FSL_DPAA2_SWITCH. Therefore, removing the restriction will
not affect the compilation of the files in the directory.
Fixes: f48298d3fbfaa ("staging: dpaa2-switch: move the driver out of staging")
Suggested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Link: https://patch.msgid.link/20260312065907.476663-3-caixinchen1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/Makefile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/Makefile b/drivers/net/ethernet/freescale/Makefile
index de7b318422330..d0a259e47960f 100644
--- a/drivers/net/ethernet/freescale/Makefile
+++ b/drivers/net/ethernet/freescale/Makefile
@@ -22,6 +22,5 @@ ucc_geth_driver-objs := ucc_geth.o ucc_geth_ethtool.o
obj-$(CONFIG_FSL_FMAN) += fman/
obj-$(CONFIG_FSL_DPAA_ETH) += dpaa/
-obj-$(CONFIG_FSL_DPAA2_ETH) += dpaa2/
-
+obj-y += dpaa2/
obj-y += enetc/
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 065/957] s390/bpf: Zero-extend bpf prog return values and kfunc arguments
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 064/957] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 066/957] powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy Greg Kroah-Hartman
` (897 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Bathini, Ilya Leoshkevich,
Ihor Solodrai, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Leoshkevich <iii@linux.ibm.com>
[ Upstream commit 202e42e4aa890172366354b233c42c73107a3f59 ]
s390x ABI requires callers to zero-extend unsigned arguments and
sign-extend signed arguments, and callees to zero-extend unsigned
return values and sign-extend signed return values.
s390 BPF JIT currently implements only sign extension. Fix this
omission and implement zero extension too.
Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
Reported-by: Hari Bathini <hbathini@linux.ibm.com>
Closes: https://lore.kernel.org/bpf/20260312080113.843408-1-hbathini@linux.ibm.com/
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Link: https://lore.kernel.org/r/20260313174807.581826-1-iii@linux.ibm.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/net/bpf_jit_comp.c | 39 ++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index cf461d76e9da3..d7cdd907ac797 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -831,25 +831,34 @@ static int bpf_jit_probe_post(struct bpf_jit *jit, struct bpf_prog *fp,
}
/*
- * Sign-extend the register if necessary
+ * Sign- or zero-extend the register if necessary
*/
-static int sign_extend(struct bpf_jit *jit, int r, u8 size, u8 flags)
+static int sign_zero_extend(struct bpf_jit *jit, int r, u8 size, u8 flags)
{
- if (!(flags & BTF_FMODEL_SIGNED_ARG))
- return 0;
-
switch (size) {
case 1:
- /* lgbr %r,%r */
- EMIT4(0xb9060000, r, r);
+ if (flags & BTF_FMODEL_SIGNED_ARG)
+ /* lgbr %r,%r */
+ EMIT4(0xb9060000, r, r);
+ else
+ /* llgcr %r,%r */
+ EMIT4(0xb9840000, r, r);
return 0;
case 2:
- /* lghr %r,%r */
- EMIT4(0xb9070000, r, r);
+ if (flags & BTF_FMODEL_SIGNED_ARG)
+ /* lghr %r,%r */
+ EMIT4(0xb9070000, r, r);
+ else
+ /* llghr %r,%r */
+ EMIT4(0xb9850000, r, r);
return 0;
case 4:
- /* lgfr %r,%r */
- EMIT4(0xb9140000, r, r);
+ if (flags & BTF_FMODEL_SIGNED_ARG)
+ /* lgfr %r,%r */
+ EMIT4(0xb9140000, r, r);
+ else
+ /* llgfr %r,%r */
+ EMIT4(0xb9160000, r, r);
return 0;
case 8:
return 0;
@@ -1799,9 +1808,9 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
return -1;
for (j = 0; j < m->nr_args; j++) {
- if (sign_extend(jit, BPF_REG_1 + j,
- m->arg_size[j],
- m->arg_flags[j]))
+ if (sign_zero_extend(jit, BPF_REG_1 + j,
+ m->arg_size[j],
+ m->arg_flags[j]))
return -1;
}
}
@@ -2555,7 +2564,7 @@ static int invoke_bpf_prog(struct bpf_tramp_jit *tjit,
EMIT6_PCREL_RILB_PTR(0xc0050000, REG_14, p->bpf_func);
/* stg %r2,retval_off(%r15) */
if (save_ret) {
- if (sign_extend(jit, REG_2, m->ret_size, m->ret_flags))
+ if (sign_zero_extend(jit, REG_2, m->ret_size, m->ret_flags))
return -1;
EMIT6_DISP_LH(0xe3000000, 0x0024, REG_2, REG_0, REG_15,
tjit->retval_off);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 066/957] powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 065/957] s390/bpf: Zero-extend bpf prog return values and kfunc arguments Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 067/957] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
` (896 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy (CS GROUP),
Ritesh Harjani (IBM), Venkat Rao Bagalkote, Madhavan Srinivasan,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit fda4d71651f71c44b35829d13f3c8bf920032f77 ]
powerpc uses pt_frag_refcount as a reference counter for tracking it's
pte and pmd page table fragments. For PTE table, in case of Hash with
64K pagesize, we have 16 fragments of 4K size in one 64K page.
Patch series [1] "mm: free retracted page table by RCU"
added pte_free_defer() to defer the freeing of PTE tables when
retract_page_tables() is called for madvise MADV_COLLAPSE on shmem
range.
[1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/
pte_free_defer() sets the active flag on the corresponding fragment's
folio & calls pte_fragment_free(), which reduces the pt_frag_refcount.
When pt_frag_refcount reaches 0 (no active fragment using the folio), it
checks if the folio active flag is set, if set, it calls call_rcu to
free the folio, it the active flag is unset then it calls pte_free_now().
Now, this can lead to following problem in a corner case...
[ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62
[ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62
[ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff)
[ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000
[ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000
[ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 265.362572][ T183] Modules linked in:
[ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY
[ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries
[ 265.364908][ T183] Call Trace:
[ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable)
[ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8
[ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08
[ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310
[ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218
[ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820
[ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300
[ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508
[ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148
[ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178
[ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0
[ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
The bad page state error occurs when such a folio gets freed (with
active flag set), from do_exit() path in parallel.
... this can happen when the pte fragment was allocated from this folio,
but when all the fragments get freed, the pte_frag_refcount still had some
unused fragments. Now, if this process exits, with such folio as it's cached
pte_frag in mm->context, then during pte_frag_destroy(), we simply call
pagetable_dtor() and pagetable_free(), meaning it doesn't clear the
active flag. This, can lead to the above bug. Since we are anyway in
do_exit() path, then if the refcount is 0, then I guess it should be
ok to simply clear the folio active flag before calling pagetable_dtor()
& pagetable_free().
Fixes: 32cc0b7c9d50 ("powerpc: add pte_free_defer() for pgtables sharing page")
Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/ee13e7f99b8f258019da2b37655b998e73e5ef8b.1773078178.git.ritesh.list@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/pgtable-frag.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/mm/pgtable-frag.c b/arch/powerpc/mm/pgtable-frag.c
index 77e55eac16e42..ae742564a3d56 100644
--- a/arch/powerpc/mm/pgtable-frag.c
+++ b/arch/powerpc/mm/pgtable-frag.c
@@ -25,6 +25,7 @@ void pte_frag_destroy(void *pte_frag)
count = ((unsigned long)pte_frag & ~PAGE_MASK) >> PTE_FRAG_SIZE_SHIFT;
/* We allow PTE_FRAG_NR fragments from a PTE page */
if (atomic_sub_and_test(PTE_FRAG_NR - count, &ptdesc->pt_frag_refcount)) {
+ folio_clear_active(ptdesc_folio(ptdesc));
pagetable_dtor(ptdesc);
pagetable_free(ptdesc);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 067/957] params: Replace __modinit with __init_or_module
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 066/957] powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 068/957] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
` (895 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Aaron Tomlin,
Daniel Gomez, Sami Tolvanen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit 3cb0c3bdea5388519bc1bf575dca6421b133302b ]
Remove the custom __modinit macro from kernel/params.c and instead use the
common __init_or_module macro from include/linux/module.h. Both provide the
same functionality.
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Aaron Tomlin <atomlin@atomlin.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Stable-dep-of: deffe1edba62 ("module: Fix freeing of charp module parameters when CONFIG_SYSFS=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/params.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/kernel/params.c b/kernel/params.c
index b96cfd693c996..7c2242f64bf08 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -596,12 +596,6 @@ static ssize_t param_attr_store(const struct module_attribute *mattr,
}
#endif
-#ifdef CONFIG_MODULES
-#define __modinit
-#else
-#define __modinit __init
-#endif
-
#ifdef CONFIG_SYSFS
void kernel_param_lock(struct module *mod)
{
@@ -626,9 +620,9 @@ EXPORT_SYMBOL(kernel_param_unlock);
* create file in sysfs. Returns an error on out of memory. Always cleans up
* if there's an error.
*/
-static __modinit int add_sysfs_param(struct module_kobject *mk,
- const struct kernel_param *kp,
- const char *name)
+static __init_or_module int add_sysfs_param(struct module_kobject *mk,
+ const struct kernel_param *kp,
+ const char *name)
{
struct module_param_attrs *new_mp;
struct attribute **new_attrs;
@@ -761,7 +755,8 @@ void destroy_params(const struct kernel_param *params, unsigned num)
params[i].ops->free(params[i].arg);
}
-struct module_kobject __modinit * lookup_or_create_module_kobject(const char *name)
+struct module_kobject * __init_or_module
+lookup_or_create_module_kobject(const char *name)
{
struct module_kobject *mk;
struct kobject *kobj;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 068/957] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 067/957] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 069/957] wifi: libertas: use USB anchors for tracking in-flight URBs Greg Kroah-Hartman
` (894 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Sami Tolvanen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit deffe1edba626d474fef38007c03646ca5876a0e ]
When setting a charp module parameter, the param_set_charp() function
allocates memory to store a copy of the input value. Later, when the module
is potentially unloaded, the destroy_params() function is called to free
this allocated memory.
However, destroy_params() is available only when CONFIG_SYSFS=y, otherwise
only a dummy variant is present. In the unlikely case that the kernel is
configured with CONFIG_MODULES=y and CONFIG_SYSFS=n, this results in
a memory leak of charp values when a module is unloaded.
Fix this issue by making destroy_params() always available when
CONFIG_MODULES=y. Rename the function to module_destroy_params() to clarify
that it is intended for use by the module loader.
Fixes: e180a6b7759a ("param: fix charp parameters set via sysfs")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/moduleparam.h | 11 +++--------
kernel/module/main.c | 4 ++--
kernel/params.c | 27 ++++++++++++++++++---------
3 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
index 6907aedc4f748..77775fd821407 100644
--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -414,14 +414,9 @@ extern char *parse_args(const char *name,
void *arg, parse_unknown_fn unknown);
/* Called by module remove. */
-#ifdef CONFIG_SYSFS
-extern void destroy_params(const struct kernel_param *params, unsigned num);
-#else
-static inline void destroy_params(const struct kernel_param *params,
- unsigned num)
-{
-}
-#endif /* !CONFIG_SYSFS */
+#ifdef CONFIG_MODULES
+void module_destroy_params(const struct kernel_param *params, unsigned int num);
+#endif
/* All the helper functions */
/* The macros to do compile-time type checking stolen from Jakub
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 66d4efbddfffe..3745cd02c8479 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -1408,7 +1408,7 @@ static void free_module(struct module *mod)
module_unload_free(mod);
/* Free any allocated parameters. */
- destroy_params(mod->kp, mod->num_kp);
+ module_destroy_params(mod->kp, mod->num_kp);
if (is_livepatch_module(mod))
free_module_elf(mod);
@@ -3519,7 +3519,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod_sysfs_teardown(mod);
coming_cleanup:
mod->state = MODULE_STATE_GOING;
- destroy_params(mod->kp, mod->num_kp);
+ module_destroy_params(mod->kp, mod->num_kp);
blocking_notifier_call_chain(&module_notify_list,
MODULE_STATE_GOING, mod);
klp_module_going(mod);
diff --git a/kernel/params.c b/kernel/params.c
index 7c2242f64bf08..8942884e21c43 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -746,15 +746,6 @@ void module_param_sysfs_remove(struct module *mod)
}
#endif
-void destroy_params(const struct kernel_param *params, unsigned num)
-{
- unsigned int i;
-
- for (i = 0; i < num; i++)
- if (params[i].ops->free)
- params[i].ops->free(params[i].arg);
-}
-
struct module_kobject * __init_or_module
lookup_or_create_module_kobject(const char *name)
{
@@ -986,3 +977,21 @@ static int __init param_sysfs_builtin_init(void)
late_initcall(param_sysfs_builtin_init);
#endif /* CONFIG_SYSFS */
+
+#ifdef CONFIG_MODULES
+
+/*
+ * module_destroy_params - free all parameters for one module
+ * @params: module parameters (array)
+ * @num: number of module parameters
+ */
+void module_destroy_params(const struct kernel_param *params, unsigned int num)
+{
+ unsigned int i;
+
+ for (i = 0; i < num; i++)
+ if (params[i].ops->free)
+ params[i].ops->free(params[i].arg);
+}
+
+#endif /* CONFIG_MODULES */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 069/957] wifi: libertas: use USB anchors for tracking in-flight URBs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 068/957] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 070/957] wifi: libertas: dont kill URBs in interrupt context Greg Kroah-Hartman
` (893 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heitor Alves de Siqueira,
Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heitor Alves de Siqueira <halves@igalia.com>
[ Upstream commit a57f35fc19add4dfe33703af575a2c19c2cef9c7 ]
The libertas driver currently handles URB lifecycles manually, which
makes it non-trivial to check if specific URBs are pending or not. Add
anchors for TX/RX URBs, and use those to track in-flight requests.
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260313-libertas-usb-anchors-v1-1-915afbe988d7@igalia.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: 7c5c2b661bdb ("wifi: libertas: don't kill URBs in interrupt context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/marvell/libertas/if_usb.c | 27 ++++++++++++-------
.../net/wireless/marvell/libertas/if_usb.h | 3 +++
2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
index 924ab93b7b671..60bfff523b918 100644
--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -114,8 +114,8 @@ static void if_usb_write_bulk_callback(struct urb *urb)
static void if_usb_free(struct if_usb_card *cardp)
{
/* Unlink tx & rx urb */
- usb_kill_urb(cardp->tx_urb);
- usb_kill_urb(cardp->rx_urb);
+ usb_kill_anchored_urbs(&cardp->tx_submitted);
+ usb_kill_anchored_urbs(&cardp->rx_submitted);
usb_free_urb(cardp->tx_urb);
cardp->tx_urb = NULL;
@@ -221,6 +221,9 @@ static int if_usb_probe(struct usb_interface *intf,
udev->descriptor.bDeviceSubClass,
udev->descriptor.bDeviceProtocol);
+ init_usb_anchor(&cardp->rx_submitted);
+ init_usb_anchor(&cardp->tx_submitted);
+
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
if (usb_endpoint_is_bulk_in(endpoint)) {
@@ -426,7 +429,7 @@ static int usb_tx_block(struct if_usb_card *cardp, uint8_t *payload, uint16_t nb
goto tx_ret;
}
- usb_kill_urb(cardp->tx_urb);
+ usb_kill_anchored_urbs(&cardp->tx_submitted);
usb_fill_bulk_urb(cardp->tx_urb, cardp->udev,
usb_sndbulkpipe(cardp->udev,
@@ -435,8 +438,10 @@ static int usb_tx_block(struct if_usb_card *cardp, uint8_t *payload, uint16_t nb
cardp->tx_urb->transfer_flags |= URB_ZERO_PACKET;
+ usb_anchor_urb(cardp->tx_urb, &cardp->tx_submitted);
if ((ret = usb_submit_urb(cardp->tx_urb, GFP_ATOMIC))) {
lbs_deb_usbd(&cardp->udev->dev, "usb_submit_urb failed: %d\n", ret);
+ usb_unanchor_urb(cardp->tx_urb);
} else {
lbs_deb_usb2(&cardp->udev->dev, "usb_submit_urb success\n");
ret = 0;
@@ -467,8 +472,10 @@ static int __if_usb_submit_rx_urb(struct if_usb_card *cardp,
cardp);
lbs_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n", cardp->rx_urb);
+ usb_anchor_urb(cardp->rx_urb, &cardp->rx_submitted);
if ((ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC))) {
lbs_deb_usbd(&cardp->udev->dev, "Submit Rx URB failed: %d\n", ret);
+ usb_unanchor_urb(cardp->rx_urb);
kfree_skb(skb);
cardp->rx_skb = NULL;
ret = -1;
@@ -838,8 +845,8 @@ static void if_usb_prog_firmware(struct lbs_private *priv, int ret,
}
/* Cancel any pending usb business */
- usb_kill_urb(cardp->rx_urb);
- usb_kill_urb(cardp->tx_urb);
+ usb_kill_anchored_urbs(&cardp->rx_submitted);
+ usb_kill_anchored_urbs(&cardp->tx_submitted);
cardp->fwlastblksent = 0;
cardp->fwdnldover = 0;
@@ -869,8 +876,8 @@ static void if_usb_prog_firmware(struct lbs_private *priv, int ret,
if (cardp->bootcmdresp == BOOT_CMD_RESP_NOT_SUPPORTED) {
/* Return to normal operation */
ret = -EOPNOTSUPP;
- usb_kill_urb(cardp->rx_urb);
- usb_kill_urb(cardp->tx_urb);
+ usb_kill_anchored_urbs(&cardp->rx_submitted);
+ usb_kill_anchored_urbs(&cardp->tx_submitted);
if (if_usb_submit_rx_urb(cardp) < 0)
ret = -EIO;
goto done;
@@ -900,7 +907,7 @@ static void if_usb_prog_firmware(struct lbs_private *priv, int ret,
wait_event_interruptible(cardp->fw_wq, cardp->surprise_removed || cardp->fwdnldover);
timer_delete_sync(&cardp->fw_timeout);
- usb_kill_urb(cardp->rx_urb);
+ usb_kill_anchored_urbs(&cardp->rx_submitted);
if (!cardp->fwdnldover) {
pr_info("failed to load fw, resetting device!\n");
@@ -960,8 +967,8 @@ static int if_usb_suspend(struct usb_interface *intf, pm_message_t message)
goto out;
/* Unlink tx & rx urb */
- usb_kill_urb(cardp->tx_urb);
- usb_kill_urb(cardp->rx_urb);
+ usb_kill_anchored_urbs(&cardp->tx_submitted);
+ usb_kill_anchored_urbs(&cardp->rx_submitted);
out:
return ret;
diff --git a/drivers/net/wireless/marvell/libertas/if_usb.h b/drivers/net/wireless/marvell/libertas/if_usb.h
index 7d0daeb33c3f7..a0cd36197c2b0 100644
--- a/drivers/net/wireless/marvell/libertas/if_usb.h
+++ b/drivers/net/wireless/marvell/libertas/if_usb.h
@@ -48,6 +48,9 @@ struct if_usb_card {
struct urb *rx_urb, *tx_urb;
struct lbs_private *priv;
+ struct usb_anchor rx_submitted;
+ struct usb_anchor tx_submitted;
+
struct sk_buff *rx_skb;
uint8_t ep_in;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 070/957] wifi: libertas: dont kill URBs in interrupt context
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 069/957] wifi: libertas: use USB anchors for tracking in-flight URBs Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 071/957] tools/nolibc: implement %m if errno is not defined Greg Kroah-Hartman
` (892 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+74afbb6355826ffc2239,
Heitor Alves de Siqueira, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heitor Alves de Siqueira <halves@igalia.com>
[ Upstream commit 7c5c2b661bdb78c1472b8833265c9ed1ee880039 ]
Serialization for the TX path was enforced by calling
usb_kill_urb()/usb_kill_anchored_urbs(), to prevent transmission before
a previous URB was completed. usb_tx_block() can be called from
interrupt context (e.g. in the HCD giveback path), so we can't always
use it to kill in-flight URBs.
Prevent sleeping during interrupt context by checking the tx_submitted
anchor for existing URBs. We now return -EBUSY, to indicate there's
a pending request.
Reported-by: syzbot+74afbb6355826ffc2239@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=74afbb6355826ffc2239
Fixes: d66676e6ca96 ("wifi: libertas: fix WARNING in usb_tx_block")
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260313-libertas-usb-anchors-v1-2-915afbe988d7@igalia.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/libertas/if_usb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
index 60bfff523b918..f6b9a3c43c93c 100644
--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -429,7 +429,12 @@ static int usb_tx_block(struct if_usb_card *cardp, uint8_t *payload, uint16_t nb
goto tx_ret;
}
- usb_kill_anchored_urbs(&cardp->tx_submitted);
+ /* check if there are pending URBs */
+ if (!usb_anchor_empty(&cardp->tx_submitted)) {
+ lbs_deb_usbd(&cardp->udev->dev, "%s failed: pending URB\n", __func__);
+ ret = -EBUSY;
+ goto tx_ret;
+ }
usb_fill_bulk_urb(cardp->tx_urb, cardp->udev,
usb_sndbulkpipe(cardp->udev,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 071/957] tools/nolibc: implement %m if errno is not defined
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 070/957] wifi: libertas: dont kill URBs in interrupt context Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 072/957] tools/nolibc/printf: Change variables c to ch and tmpbuf[] to outbuf[] Greg Kroah-Hartman
` (891 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Thomas Weißschuh,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit fbd1b7f6b322a63b21ebbf00c732a17bb8bdb5d4 ]
For improved compatibility, print %m as "unknown error" when nolibc is
compiled using NOLIBC_IGNORE_ERRNO.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Stable-dep-of: 4045e7b19bbf ("tools/nolibc/printf: Move snprintf length check to callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/stdio.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
index 724d05ce69624..1f16dab2ac884 100644
--- a/tools/include/nolibc/stdio.h
+++ b/tools/include/nolibc/stdio.h
@@ -321,11 +321,13 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
if (!outstr)
outstr="(null)";
}
-#ifndef NOLIBC_IGNORE_ERRNO
else if (c == 'm') {
+#ifdef NOLIBC_IGNORE_ERRNO
+ outstr = "unknown error";
+#else
outstr = strerror(errno);
- }
#endif /* NOLIBC_IGNORE_ERRNO */
+ }
else if (c == '%') {
/* queue it verbatim */
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 072/957] tools/nolibc/printf: Change variables c to ch and tmpbuf[] to outbuf[]
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 071/957] tools/nolibc: implement %m if errno is not defined Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 073/957] tools/nolibc/printf: Move snprintf length check to callback Greg Kroah-Hartman
` (890 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Laight, Willy Tarreau,
Thomas Weißschuh, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Laight <david.laight.linux@gmail.com>
[ Upstream commit f675ae28fcdf7db93a8c1a6964f062725b1e06a0 ]
Changing 'c' makes the code slightly easier to read because the variable
stands out from the single character literals (especially 'c').
Change tmpbuf[] to outbuf[] because 'out' points into it.
The following patches pretty much rewrite the function so the
churn is limited.
Signed-off-by: David Laight <david.laight.linux@gmail.com>
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://patch.msgid.link/20260223101735.2922-7-david.laight.linux@gmail.com
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Stable-dep-of: 4045e7b19bbf ("tools/nolibc/printf: Move snprintf length check to callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/stdio.h | 38 ++++++++++++++++++------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
index 1f16dab2ac884..aff11d6069f6f 100644
--- a/tools/include/nolibc/stdio.h
+++ b/tools/include/nolibc/stdio.h
@@ -250,16 +250,16 @@ typedef int (*__nolibc_printf_cb)(intptr_t state, const char *buf, size_t size);
static __attribute__((unused, format(printf, 4, 0)))
int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char *fmt, va_list args)
{
- char escape, lpref, c;
+ char escape, lpref, ch;
unsigned long long v;
unsigned int written, width;
size_t len, ofs, w;
- char tmpbuf[21];
+ char outbuf[21];
const char *outstr;
written = ofs = escape = lpref = 0;
while (1) {
- c = fmt[ofs++];
+ ch = fmt[ofs++];
width = 0;
if (escape) {
@@ -267,17 +267,17 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
escape = 0;
/* width */
- while (c >= '0' && c <= '9') {
+ while (ch >= '0' && ch <= '9') {
width *= 10;
- width += c - '0';
+ width += ch - '0';
- c = fmt[ofs++];
+ ch = fmt[ofs++];
}
- if (c == 'c' || c == 'd' || c == 'u' || c == 'x' || c == 'p') {
- char *out = tmpbuf;
+ if (ch == 'c' || ch == 'd' || ch == 'u' || ch == 'x' || ch == 'p') {
+ char *out = outbuf;
- if (c == 'p')
+ if (ch == 'p')
v = va_arg(args, unsigned long);
else if (lpref) {
if (lpref > 1)
@@ -287,7 +287,7 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
} else
v = va_arg(args, unsigned int);
- if (c == 'd') {
+ if (ch == 'd') {
/* sign-extend the value */
if (lpref == 0)
v = (long long)(int)v;
@@ -295,7 +295,7 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
v = (long long)(long)v;
}
- switch (c) {
+ switch (ch) {
case 'c':
out[0] = v;
out[1] = 0;
@@ -314,30 +314,30 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
u64toh_r(v, out);
break;
}
- outstr = tmpbuf;
+ outstr = outbuf;
}
- else if (c == 's') {
+ else if (ch == 's') {
outstr = va_arg(args, char *);
if (!outstr)
outstr="(null)";
}
- else if (c == 'm') {
+ else if (ch == 'm') {
#ifdef NOLIBC_IGNORE_ERRNO
outstr = "unknown error";
#else
outstr = strerror(errno);
#endif /* NOLIBC_IGNORE_ERRNO */
}
- else if (c == '%') {
+ else if (ch == '%') {
/* queue it verbatim */
continue;
}
else {
/* modifiers or final 0 */
- if (c == 'l') {
+ if (ch == 'l') {
/* long format prefix, maintain the escape */
lpref++;
- } else if (c == 'j') {
+ } else if (ch == 'j') {
lpref = 2;
}
escape = 1;
@@ -348,7 +348,7 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
}
/* not an escape sequence */
- if (c == 0 || c == '%') {
+ if (ch == 0 || ch == '%') {
/* flush pending data on escape or end */
escape = 1;
lpref = 0;
@@ -369,7 +369,7 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
written += len;
do_escape:
- if (c == 0)
+ if (ch == 0)
break;
fmt += ofs;
ofs = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 073/957] tools/nolibc/printf: Move snprintf length check to callback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 072/957] tools/nolibc/printf: Change variables c to ch and tmpbuf[] to outbuf[] Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 074/957] wifi: mt76: mt7996: fix the behavior of radar detection Greg Kroah-Hartman
` (889 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Laight, Willy Tarreau,
Thomas Weißschuh, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Laight <david.laight.linux@gmail.com>
[ Upstream commit 4045e7b19bbf7338452cda11e64cfe7ae3361964 ]
Move output truncation to the snprintf() callback.
This simplifies the main code and fixes truncation of padded fields.
Add a zero length callback to 'finalise' the buffer rather than
doing it in snprintf() itself.
Fixes: e90ce42e81381 ("tools/nolibc: implement width padding in printf()")
Signed-off-by: David Laight <david.laight.linux@gmail.com>
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://patch.msgid.link/20260302101815.3043-3-david.laight.linux@gmail.com
[Thomas: clean up Fixes trailer]
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/stdio.h | 94 +++++++++++++++++++++++++-----------
1 file changed, 67 insertions(+), 27 deletions(-)
diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
index aff11d6069f6f..a2fc7c8706dfa 100644
--- a/tools/include/nolibc/stdio.h
+++ b/tools/include/nolibc/stdio.h
@@ -244,16 +244,25 @@ char *fgets(char *s, int size, FILE *stream)
* - %[l*]{d,u,c,x,p}
* - %s
* - unknown modifiers are ignored.
+ *
+ * Called by vfprintf() and snprintf() to do the actual formatting.
+ * The callers provide a callback function to save the formatted data.
+ * The callback function is called multiple times:
+ * - for each group of literal characters in the format string.
+ * - for field padding.
+ * - for each conversion specifier.
+ * - with (NULL, 0) at the end of the __nolibc_printf.
+ * If the callback returns non-zero __nolibc_printf() immediately returns -1.
*/
-typedef int (*__nolibc_printf_cb)(intptr_t state, const char *buf, size_t size);
+typedef int (*__nolibc_printf_cb)(void *state, const char *buf, size_t size);
-static __attribute__((unused, format(printf, 4, 0)))
-int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char *fmt, va_list args)
+static __attribute__((unused, format(printf, 3, 0)))
+int __nolibc_printf(__nolibc_printf_cb cb, void *state, const char *fmt, va_list args)
{
char escape, lpref, ch;
unsigned long long v;
unsigned int written, width;
- size_t len, ofs, w;
+ size_t len, ofs;
char outbuf[21];
const char *outstr;
@@ -355,17 +364,13 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
outstr = fmt;
len = ofs - 1;
flush_str:
- if (n) {
- w = len < n ? len : n;
- n -= w;
- while (width-- > w) {
- if (cb(state, " ", 1) != 0)
- return -1;
- written += 1;
- }
- if (cb(state, outstr, w) != 0)
+ while (width-- > len) {
+ if (cb(state, " ", 1) != 0)
return -1;
+ written += 1;
}
+ if (cb(state, outstr, len) != 0)
+ return -1;
written += len;
do_escape:
@@ -378,18 +383,25 @@ int __nolibc_printf(__nolibc_printf_cb cb, intptr_t state, size_t n, const char
/* literal char, just queue it */
}
+
+ /* Request a final '\0' be added to the snprintf() output.
+ * This may be the only call of the cb() function.
+ */
+ if (cb(state, NULL, 0) != 0)
+ return -1;
+
return written;
}
-static int __nolibc_fprintf_cb(intptr_t state, const char *buf, size_t size)
+static int __nolibc_fprintf_cb(void *stream, const char *buf, size_t size)
{
- return _fwrite(buf, size, (FILE *)state);
+ return _fwrite(buf, size, stream);
}
static __attribute__((unused, format(printf, 2, 0)))
int vfprintf(FILE *stream, const char *fmt, va_list args)
{
- return __nolibc_printf(__nolibc_fprintf_cb, (intptr_t)stream, SIZE_MAX, fmt, args);
+ return __nolibc_printf(__nolibc_fprintf_cb, stream, fmt, args);
}
static __attribute__((unused, format(printf, 1, 0)))
@@ -447,26 +459,54 @@ int dprintf(int fd, const char *fmt, ...)
return ret;
}
-static int __nolibc_sprintf_cb(intptr_t _state, const char *buf, size_t size)
+struct __nolibc_sprintf_cb_state {
+ char *buf;
+ size_t space;
+};
+
+static int __nolibc_sprintf_cb(void *v_state, const char *buf, size_t size)
{
- char **state = (char **)_state;
+ struct __nolibc_sprintf_cb_state *state = v_state;
+ size_t space = state->space;
+ char *tgt;
+
+ /* Truncate the request to fit in the output buffer space.
+ * The last byte is reserved for the terminating '\0'.
+ * state->space can only be zero for snprintf(NULL, 0, fmt, args)
+ * so this normally lets through calls with 'size == 0'.
+ */
+ if (size >= space) {
+ if (space <= 1)
+ return 0;
+ size = space - 1;
+ }
+ tgt = state->buf;
+
+ /* __nolibc_printf() ends with cb(state, NULL, 0) to request the output
+ * buffer be '\0' terminated.
+ * That will be the only cb() call for, eg, snprintf(buf, sz, "").
+ * Zero lengths can occur at other times (eg "%s" for an empty string).
+ * Unconditionally write the '\0' byte to reduce code size, it is
+ * normally overwritten by the data being output.
+ * There is no point adding a '\0' after copied data - there is always
+ * another call.
+ */
+ *tgt = '\0';
+ if (size) {
+ state->space = space - size;
+ state->buf = tgt + size;
+ memcpy(tgt, buf, size);
+ }
- memcpy(*state, buf, size);
- *state += size;
return 0;
}
static __attribute__((unused, format(printf, 3, 0)))
int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
{
- char *state = buf;
- int ret;
+ struct __nolibc_sprintf_cb_state state = { .buf = buf, .space = size };
- ret = __nolibc_printf(__nolibc_sprintf_cb, (intptr_t)&state, size, fmt, args);
- if (ret < 0)
- return ret;
- buf[(size_t)ret < size ? (size_t)ret : size - 1] = '\0';
- return ret;
+ return __nolibc_printf(__nolibc_sprintf_cb, &state, fmt, args);
}
static __attribute__((unused, format(printf, 3, 4)))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 074/957] wifi: mt76: mt7996: fix the behavior of radar detection
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 073/957] tools/nolibc/printf: Move snprintf length check to callback Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 075/957] wifi: mt76: mt7996: fix iface combination for different chipsets Greg Kroah-Hartman
` (888 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shayne Chen, StanleyYP Wang,
Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
[ Upstream commit 45a09251d610f3b8a1fb02039146e42f1f4efe90 ]
RDD_DET_MODE is a firmware command intended for testing and does not
pause TX after radar detection, so remove it from the normal flow;
instead, use the MAC_ENABLE_CTRL firmware command to resume TX after
the radar-triggered channel switch completes.
Fixes: 1529e335f93d ("wifi: mt76: mt7996: rework radar HWRDD idx")
Co-developed-by: Shayne Chen <shayne.chen@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Signed-off-by: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Link: https://patch.msgid.link/20251215063728.3013365-2-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7996/mac.c | 8 +--
.../net/wireless/mediatek/mt76/mt7996/main.c | 20 ++++++++
.../net/wireless/mediatek/mt76/mt7996/mcu.c | 49 ++++++++++++++++---
.../net/wireless/mediatek/mt76/mt7996/mcu.h | 1 +
.../wireless/mediatek/mt76/mt7996/mt7996.h | 2 +
5 files changed, 68 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 0958961d2758e..24b404f35409b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -2944,7 +2944,7 @@ static void mt7996_dfs_stop_radar_detector(struct mt7996_phy *phy)
static int mt7996_dfs_start_rdd(struct mt7996_dev *dev, int rdd_idx)
{
- int err, region;
+ int region;
switch (dev->mt76.region) {
case NL80211_DFS_ETSI:
@@ -2959,11 +2959,7 @@ static int mt7996_dfs_start_rdd(struct mt7996_dev *dev, int rdd_idx)
break;
}
- err = mt7996_mcu_rdd_cmd(dev, RDD_START, rdd_idx, region);
- if (err < 0)
- return err;
-
- return mt7996_mcu_rdd_cmd(dev, RDD_DET_MODE, rdd_idx, 1);
+ return mt7996_mcu_rdd_cmd(dev, RDD_START, rdd_idx, region);
}
static int mt7996_dfs_start_radar_detector(struct mt7996_phy *phy)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 2ad52ae2c5f55..2c8a088a170c6 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -79,6 +79,7 @@ static void mt7996_stop_phy(struct mt7996_phy *phy)
mutex_lock(&dev->mt76.mutex);
+ mt7996_mcu_rdd_resume_tx(phy);
mt7996_mcu_set_radio_en(phy, false);
clear_bit(MT76_STATE_RUNNING, &phy->mt76->state);
@@ -933,6 +934,24 @@ mt7996_channel_switch_beacon(struct ieee80211_hw *hw,
mutex_unlock(&dev->mt76.mutex);
}
+static int
+mt7996_post_channel_switch(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ struct ieee80211_bss_conf *link_conf)
+{
+ struct cfg80211_chan_def *chandef = &link_conf->chanreq.oper;
+ struct mt7996_dev *dev = mt7996_hw_dev(hw);
+ struct mt7996_phy *phy = mt7996_band_phy(dev, chandef->chan->band);
+ int ret;
+
+ mutex_lock(&dev->mt76.mutex);
+
+ ret = mt7996_mcu_rdd_resume_tx(phy);
+
+ mutex_unlock(&dev->mt76.mutex);
+
+ return ret;
+}
+
static int
mt7996_mac_sta_init_link(struct mt7996_dev *dev,
struct ieee80211_bss_conf *link_conf,
@@ -2295,6 +2314,7 @@ const struct ieee80211_ops mt7996_ops = {
.release_buffered_frames = mt76_release_buffered_frames,
.get_txpower = mt7996_get_txpower,
.channel_switch_beacon = mt7996_channel_switch_beacon,
+ .post_channel_switch = mt7996_post_channel_switch,
.get_stats = mt7996_get_stats,
.get_et_sset_count = mt7996_get_et_sset_count,
.get_et_stats = mt7996_get_et_stats,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index 5bde9959bbb99..321098496a39e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -413,24 +413,32 @@ mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb)
break;
case MT_RDD_IDX_BACKGROUND:
if (!dev->rdd2_phy)
- return;
+ goto err;
mphy = dev->rdd2_phy->mt76;
break;
default:
- dev_err(dev->mt76.dev, "Unknown RDD idx %d\n", r->rdd_idx);
- return;
+ goto err;
}
if (!mphy)
- return;
+ goto err;
- if (r->rdd_idx == MT_RDD_IDX_BACKGROUND)
+ if (r->rdd_idx == MT_RDD_IDX_BACKGROUND) {
cfg80211_background_radar_event(mphy->hw->wiphy,
&dev->rdd2_chandef,
GFP_ATOMIC);
- else
+ } else {
+ struct mt7996_phy *phy = mphy->priv;
+
+ phy->rdd_tx_paused = true;
ieee80211_radar_detected(mphy->hw, NULL);
+ }
dev->hw_pattern++;
+
+ return;
+
+err:
+ dev_err(dev->mt76.dev, "Invalid RDD idx %d\n", r->rdd_idx);
}
static void
@@ -4554,6 +4562,35 @@ int mt7996_mcu_set_radio_en(struct mt7996_phy *phy, bool enable)
&req, sizeof(req), true);
}
+int mt7996_mcu_rdd_resume_tx(struct mt7996_phy *phy)
+{
+ struct {
+ u8 band_idx;
+ u8 _rsv[3];
+
+ __le16 tag;
+ __le16 len;
+ u8 mac_enable;
+ u8 _rsv2[3];
+ } __packed req = {
+ .band_idx = phy->mt76->band_idx,
+ .tag = cpu_to_le16(UNI_BAND_CONFIG_MAC_ENABLE_CTRL),
+ .len = cpu_to_le16(sizeof(req) - 4),
+ .mac_enable = 2,
+ };
+ int ret;
+
+ if (!phy->rdd_tx_paused)
+ return 0;
+
+ ret = mt76_mcu_send_msg(&phy->dev->mt76, MCU_WM_UNI_CMD(BAND_CONFIG),
+ &req, sizeof(req), true);
+ if (!ret)
+ phy->rdd_tx_paused = false;
+
+ return ret;
+}
+
int mt7996_mcu_rdd_cmd(struct mt7996_dev *dev, int cmd, u8 rdd_idx, u8 val)
{
struct {
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
index c841da1c60e5d..abfd7e5a775b3 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
@@ -837,6 +837,7 @@ enum {
enum {
UNI_BAND_CONFIG_RADIO_ENABLE,
UNI_BAND_CONFIG_RTS_THRESHOLD = 0x08,
+ UNI_BAND_CONFIG_MAC_ENABLE_CTRL = 0x0c,
};
enum {
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
index b942928c79e28..6190fbcd4df7e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -376,6 +376,7 @@ struct mt7996_phy {
bool has_aux_rx;
bool counter_reset;
+ bool rdd_tx_paused;
};
struct mt7996_dev {
@@ -725,6 +726,7 @@ int mt7996_mcu_get_temperature(struct mt7996_phy *phy);
int mt7996_mcu_set_thermal_throttling(struct mt7996_phy *phy, u8 state);
int mt7996_mcu_set_thermal_protect(struct mt7996_phy *phy, bool enable);
int mt7996_mcu_set_txpower_sku(struct mt7996_phy *phy);
+int mt7996_mcu_rdd_resume_tx(struct mt7996_phy *phy);
int mt7996_mcu_rdd_cmd(struct mt7996_dev *dev, int cmd, u8 rdd_idx, u8 val);
int mt7996_mcu_rdd_background_enable(struct mt7996_phy *phy,
struct cfg80211_chan_def *chandef);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 075/957] wifi: mt76: mt7996: fix iface combination for different chipsets
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 074/957] wifi: mt76: mt7996: fix the behavior of radar detection Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 076/957] wifi: mt76: mt7996: Set mtxq->wcid just for primary link Greg Kroah-Hartman
` (887 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shayne Chen, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shayne Chen <shayne.chen@mediatek.com>
[ Upstream commit 5ef0e8e2653b1ba325eb883ffb94073f19cb669a ]
MT7992 and MT7990 support up to 19 interfaces per band and 32 in total.
Fixes: 8df63a4bbe3d ("wifi: mt76: mt7996: adjust interface num and wtbl size for mt7992")
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20251215063728.3013365-7-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7996/init.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
index b136b9a669769..e26f8e9e4f8fc 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
@@ -34,6 +34,20 @@ static const struct ieee80211_iface_combination if_comb_global = {
BIT(NL80211_CHAN_WIDTH_40) |
BIT(NL80211_CHAN_WIDTH_80) |
BIT(NL80211_CHAN_WIDTH_160),
+ .beacon_int_min_gcd = 100,
+};
+
+static const struct ieee80211_iface_combination if_comb_global_7992 = {
+ .limits = &if_limits_global,
+ .n_limits = 1,
+ .max_interfaces = 32,
+ .num_different_channels = MT7996_MAX_RADIOS - 1,
+ .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
+ BIT(NL80211_CHAN_WIDTH_20) |
+ BIT(NL80211_CHAN_WIDTH_40) |
+ BIT(NL80211_CHAN_WIDTH_80) |
+ BIT(NL80211_CHAN_WIDTH_160),
+ .beacon_int_min_gcd = 100,
};
static const struct ieee80211_iface_limit if_limits[] = {
@@ -485,7 +499,8 @@ mt7996_init_wiphy(struct ieee80211_hw *hw, struct mtk_wed_device *wed)
hw->vif_data_size = sizeof(struct mt7996_vif);
hw->chanctx_data_size = sizeof(struct mt76_chanctx);
- wiphy->iface_combinations = &if_comb_global;
+ wiphy->iface_combinations = is_mt7996(&dev->mt76) ? &if_comb_global :
+ &if_comb_global_7992;
wiphy->n_iface_combinations = 1;
wiphy->radio = dev->radios;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 076/957] wifi: mt76: mt7996: Set mtxq->wcid just for primary link
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 075/957] wifi: mt76: mt7996: fix iface combination for different chipsets Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 077/957] wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in mt7996_vif_link_remove() Greg Kroah-Hartman
` (886 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 654abcbe4528f74428b69292fad5c4224414fa1b ]
Set WCID index in mt76_txq struct just for the primary link in
mt7996_vif_link_add routine.
Fixes: 69d54ce7491d0 ("wifi: mt76: mt7996: switch to single multi-radio wiphy")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251205-mt76-txq-wicd-fix-v2-1-f19ba48af7c1@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/main.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 2c8a088a170c6..44c52062c640b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -301,7 +301,6 @@ int mt7996_vif_link_add(struct mt76_phy *mphy, struct ieee80211_vif *vif,
.cmd = SET_KEY,
.link_id = link_conf->link_id,
};
- struct mt76_txq *mtxq;
int mld_idx, idx, ret;
mlink->idx = __ffs64(~dev->mt76.vif_mask);
@@ -344,11 +343,6 @@ int mt7996_vif_link_add(struct mt76_phy *mphy, struct ieee80211_vif *vif,
mt7996_mac_wtbl_update(dev, idx,
MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
- if (vif->txq) {
- mtxq = (struct mt76_txq *)vif->txq->drv_priv;
- mtxq->wcid = idx;
- }
-
if (vif->type != NL80211_IFTYPE_AP &&
(!mlink->omac_idx || mlink->omac_idx > 3))
vif->offload_flags = 0;
@@ -371,9 +365,13 @@ int mt7996_vif_link_add(struct mt76_phy *mphy, struct ieee80211_vif *vif,
ieee80211_iter_keys(mphy->hw, vif, mt7996_key_iter, &it);
- if (!mlink->wcid->offchannel &&
- mvif->mt76.deflink_id == IEEE80211_LINK_UNSPECIFIED)
+ if (vif->txq && !mlink->wcid->offchannel &&
+ mvif->mt76.deflink_id == IEEE80211_LINK_UNSPECIFIED) {
+ struct mt76_txq *mtxq = (struct mt76_txq *)vif->txq->drv_priv;
+
mvif->mt76.deflink_id = link_conf->link_id;
+ mtxq->wcid = idx;
+ }
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 077/957] wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in mt7996_vif_link_remove()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 076/957] wifi: mt76: mt7996: Set mtxq->wcid just for primary link Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 078/957] wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link() Greg Kroah-Hartman
` (885 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 751a2679b15e3a0fa8fc9175862f0ec40643db68 ]
Reset WCID index in mt76_txq struct if primary link is removed in
mt7996_vif_link_remove routine.
Fixes: a3316d2fc669f ("wifi: mt76: mt7996: set vif default link_id adding/removing vif links")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251205-mt76-txq-wicd-fix-v2-2-f19ba48af7c1@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7996/main.c | 21 ++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 44c52062c640b..5d4b1d8f3335b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -402,17 +402,28 @@ void mt7996_vif_link_remove(struct mt76_phy *mphy, struct ieee80211_vif *vif,
rcu_assign_pointer(dev->mt76.wcid[idx], NULL);
- if (!mlink->wcid->offchannel &&
+ if (vif->txq && !mlink->wcid->offchannel &&
mvif->mt76.deflink_id == link_conf->link_id) {
struct ieee80211_bss_conf *iter;
+ struct mt76_txq *mtxq;
unsigned int link_id;
mvif->mt76.deflink_id = IEEE80211_LINK_UNSPECIFIED;
+ mtxq = (struct mt76_txq *)vif->txq->drv_priv;
+ /* Primary link will be removed, look for a new one */
for_each_vif_active_link(vif, iter, link_id) {
- if (link_id != IEEE80211_LINK_UNSPECIFIED) {
- mvif->mt76.deflink_id = link_id;
- break;
- }
+ struct mt7996_vif_link *link;
+
+ if (link_id == link_conf->link_id)
+ continue;
+
+ link = mt7996_vif_link(dev, vif, link_id);
+ if (!link)
+ continue;
+
+ mtxq->wcid = link->msta_link.wcid.idx;
+ mvif->mt76.deflink_id = link_id;
+ break;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 078/957] wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 077/957] wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in mt7996_vif_link_remove() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 079/957] wifi: mt76: mt7996: Reset ampdu_state state in case of failure in mt7996_tx_check_aggr() Greg Kroah-Hartman
` (884 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 88973240dc7c976dd320b36a9e6d925c9be083ae ]
Clear WCID pointer removing the sta link in mt7996_mac_sta_deinit_link
routine.
Fixes: dd82a9e02c054 ("wifi: mt76: mt7996: Rely on mt7996_sta_link in sta_add/sta_remove callbacks")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251205-mt76-txq-wicd-fix-v2-4-f19ba48af7c1@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 5d4b1d8f3335b..589b228a4eb0c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -1032,6 +1032,7 @@ void mt7996_mac_sta_deinit_link(struct mt7996_dev *dev,
list_del_init(&msta_link->rc_list);
spin_unlock_bh(&dev->mt76.sta_poll_lock);
+ rcu_assign_pointer(dev->mt76.wcid[msta_link->wcid.idx], NULL);
mt76_wcid_cleanup(&dev->mt76, &msta_link->wcid);
mt76_wcid_mask_clear(dev->mt76.wcid_mask, msta_link->wcid.idx);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 079/957] wifi: mt76: mt7996: Reset ampdu_state state in case of failure in mt7996_tx_check_aggr()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 078/957] wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 080/957] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() Greg Kroah-Hartman
` (883 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit c0747db7c10c2dfbdcff0e8e97021e3df1f1e362 ]
Reset the ampdu_state configured state if ieee80211_start_tx_ba_session
routine fails in mt7996_tx_check_aggr()
Fixes: 98686cd21624c ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251214-mt7996-aggr-check-fix-v1-1-33a8b62ec0fc@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 24b404f35409b..15d796702a589 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1243,8 +1243,9 @@ mt7996_tx_check_aggr(struct ieee80211_link_sta *link_sta,
if (unlikely(fc != (IEEE80211_FTYPE_DATA | IEEE80211_STYPE_QOS_DATA)))
return;
- if (!test_and_set_bit(tid, &wcid->ampdu_state))
- ieee80211_start_tx_ba_session(link_sta->sta, tid, 0);
+ if (!test_and_set_bit(tid, &wcid->ampdu_state) &&
+ ieee80211_start_tx_ba_session(link_sta->sta, tid, 0))
+ clear_bit(tid, &wcid->ampdu_state);
}
static void
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 080/957] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 079/957] wifi: mt76: mt7996: Reset ampdu_state state in case of failure in mt7996_tx_check_aggr() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 081/957] wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control Greg Kroah-Hartman
` (882 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Wang, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Wang <sean.wang@mediatek.com>
[ Upstream commit 53ffffeb9624ffab6d9a3b1da8635a23f1172b5e ]
Reset ampdu_state if ieee80211_start_tx_ba_session() fails in
mt76_connac2_tx_check_aggr(), otherwise the driver may incorrectly
assume aggregation is active and skip future BA setup attempts.
Fixes: 163f4d22c118 ("mt76: mt7921: add MAC support")
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20251216005930.9412-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
index 837bd0f136fa1..b78cfa1324f3f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -1150,8 +1150,10 @@ void mt76_connac2_tx_check_aggr(struct ieee80211_sta *sta, __le32 *txwi)
return;
wcid = (struct mt76_wcid *)sta->drv_priv;
- if (!test_and_set_bit(tid, &wcid->ampdu_state))
- ieee80211_start_tx_ba_session(sta, tid, 0);
+ if (!test_and_set_bit(tid, &wcid->ampdu_state)) {
+ if (ieee80211_start_tx_ba_session(sta, tid, 0))
+ clear_bit(tid, &wcid->ampdu_state);
+ }
}
EXPORT_SYMBOL_GPL(mt76_connac2_tx_check_aggr);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 081/957] wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 080/957] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 082/957] wifi: mt76: mt7615: fix use_cts_prot support Greg Kroah-Hartman
` (881 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Yen, Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Yen <leon.yen@mediatek.com>
[ Upstream commit 1695f662329faa07c860c73453c097823852df28 ]
The selection of MLO mode should depend on the capabilities of the STA
rather than those of the peer AP to avoid compatibility issues with
certain APs, such as Xiaomi BE5000 WiFi7 router.
Fixes: 69acd6d910b0c ("wifi: mt76: mt7925: add mt7925_change_vif_links")
Signed-off-by: Leon Yen <leon.yen@mediatek.com>
Link: https://patch.msgid.link/20251211123836.4169436-1-leon.yen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 9 ++++++---
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 4 ++--
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index ac3d485a2f78f..d1f63c81ceb99 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -533,7 +533,7 @@ static int mt7925_set_mlo_roc(struct mt792x_phy *phy,
phy->roc_grant = false;
- err = mt7925_mcu_set_mlo_roc(mconf, sel_links, 5, ++phy->roc_token_id);
+ err = mt7925_mcu_set_mlo_roc(phy, mconf, sel_links, 5, ++phy->roc_token_id);
if (err < 0) {
clear_bit(MT76_STATE_ROC, &phy->mt76->state);
goto out;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index e44c9ba168878..130f1742546bc 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -1243,8 +1243,8 @@ int mt7925_mcu_add_key(struct mt76_dev *dev, struct ieee80211_vif *vif,
return mt76_mcu_skb_send_msg(dev, skb, mcu_cmd, true);
}
-int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *mconf, u16 sel_links,
- int duration, u8 token_id)
+int mt7925_mcu_set_mlo_roc(struct mt792x_phy *phy, struct mt792x_bss_conf *mconf,
+ u16 sel_links, int duration, u8 token_id)
{
struct mt792x_vif *mvif = mconf->vif;
struct ieee80211_vif *vif = container_of((void *)mvif,
@@ -1279,6 +1279,8 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *mconf, u16 sel_links,
.roc[1].len = cpu_to_le16(sizeof(struct roc_acquire_tlv))
};
+ struct wiphy *wiphy = phy->mt76->hw->wiphy;
+
if (!mconf || hweight16(vif->valid_links) < 2 ||
hweight16(sel_links) != 2)
return -EPERM;
@@ -1301,7 +1303,8 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *mconf, u16 sel_links,
is_AG_band |= links[i].chan->band == NL80211_BAND_2GHZ;
}
- if (vif->cfg.eml_cap & IEEE80211_EML_CAP_EMLSR_SUPP)
+ if (!(wiphy->iftype_ext_capab[0].mld_capa_and_ops &
+ IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS))
type = is_AG_band ? MT7925_ROC_REQ_MLSR_AG :
MT7925_ROC_REQ_MLSR_AA;
else
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
index 1b165d0d8bd39..1c5ab3ea247d8 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
@@ -345,8 +345,8 @@ int mt7925_set_tx_sar_pwr(struct ieee80211_hw *hw,
int mt7925_mcu_regval(struct mt792x_dev *dev, u32 regidx, u32 *val, bool set);
int mt7925_mcu_set_clc(struct mt792x_dev *dev, u8 *alpha2,
enum environment_cap env_cap);
-int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *mconf, u16 sel_links,
- int duration, u8 token_id);
+int mt7925_mcu_set_mlo_roc(struct mt792x_phy *phy, struct mt792x_bss_conf *mconf,
+ u16 sel_links, int duration, u8 token_id);
int mt7925_mcu_set_roc(struct mt792x_phy *phy, struct mt792x_bss_conf *mconf,
struct ieee80211_channel *chan, int duration,
enum mt7925_roc_req type, u8 token_id);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 082/957] wifi: mt76: mt7615: fix use_cts_prot support
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 081/957] wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 083/957] wifi: mt76: mt7915: " Greg Kroah-Hartman
` (880 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryder Lee, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryder Lee <ryder.lee@mediatek.com>
[ Upstream commit 1974a67d9b65c29a0a9426e32e8cd8c056de48b7 ]
Driver should not directly write WTBL to prevent overwritten issues.
With this fix, when driver needs to adjust its behavior for compatibility,
especially concerning older 11g/n devices, by enabling or disabling CTS
protection frames, often for hidden SSIDs or to manage legacy clients.
Fixes: e34235ccc5e3 ("wifi: mt76: mt7615: enable use_cts_prot support")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Link: https://patch.msgid.link/edb87088b0111b32fafc6c4179f54a5286dd37d8.1768879119.git.ryder.lee@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7615/mac.c | 15 ------
.../net/wireless/mediatek/mt76/mt7615/main.c | 7 +--
.../net/wireless/mediatek/mt76/mt7615/mcu.c | 47 +++++++++++++++++++
.../wireless/mediatek/mt76/mt7615/mt7615.h | 5 +-
.../net/wireless/mediatek/mt76/mt7615/regs.h | 2 -
5 files changed, 53 insertions(+), 23 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index f8d2cc94b742c..13c9dbeaee84e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -1167,21 +1167,6 @@ void mt7615_mac_set_rates(struct mt7615_phy *phy, struct mt7615_sta *sta,
}
EXPORT_SYMBOL_GPL(mt7615_mac_set_rates);
-void mt7615_mac_enable_rtscts(struct mt7615_dev *dev,
- struct ieee80211_vif *vif, bool enable)
-{
- struct mt7615_vif *mvif = (struct mt7615_vif *)vif->drv_priv;
- u32 addr;
-
- addr = mt7615_mac_wtbl_addr(dev, mvif->sta.wcid.idx) + 3 * 4;
-
- if (enable)
- mt76_set(dev, addr, MT_WTBL_W3_RTS);
- else
- mt76_clear(dev, addr, MT_WTBL_W3_RTS);
-}
-EXPORT_SYMBOL_GPL(mt7615_mac_enable_rtscts);
-
static int
mt7615_mac_wtbl_update_key(struct mt7615_dev *dev, struct mt76_wcid *wcid,
struct ieee80211_key_conf *key,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
index 15fe155ac3f3b..87a2e5163699c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
@@ -583,9 +583,6 @@ static void mt7615_bss_info_changed(struct ieee80211_hw *hw,
}
}
- if (changed & BSS_CHANGED_ERP_CTS_PROT)
- mt7615_mac_enable_rtscts(dev, vif, info->use_cts_prot);
-
if (changed & BSS_CHANGED_BEACON_ENABLED && info->enable_beacon) {
mt7615_mcu_add_bss_info(phy, vif, NULL, true);
mt7615_mcu_sta_add(phy, vif, NULL, true);
@@ -598,6 +595,10 @@ static void mt7615_bss_info_changed(struct ieee80211_hw *hw,
BSS_CHANGED_BEACON_ENABLED))
mt7615_mcu_add_beacon(dev, hw, vif, info->enable_beacon);
+ if (changed & BSS_CHANGED_HT || changed & BSS_CHANGED_ERP_CTS_PROT)
+ mt7615_mcu_set_protection(phy, vif, info->ht_operation_mode,
+ info->use_cts_prot);
+
if (changed & BSS_CHANGED_PS)
mt76_connac_mcu_set_vif_ps(&dev->mt76, vif);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
index 08ee2e861c4e2..91c9d787d553c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -2564,3 +2564,50 @@ int mt7615_mcu_set_roc(struct mt7615_phy *phy, struct ieee80211_vif *vif,
return mt76_mcu_send_msg(&dev->mt76, MCU_CE_CMD(SET_ROC),
&req, sizeof(req), false);
}
+
+int mt7615_mcu_set_protection(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot)
+{
+ struct mt7615_dev *dev = phy->dev;
+ struct {
+ u8 prot_idx;
+ u8 band;
+ u8 rsv[2];
+
+ bool long_nav;
+ bool prot_mm;
+ bool prot_gf;
+ bool prot_bw40;
+ bool prot_rifs;
+ bool prot_bw80;
+ bool prot_bw160;
+ u8 prot_erp_mask;
+ } __packed req = {
+ .prot_idx = 0x2,
+ .band = phy != &dev->phy,
+ };
+
+ switch (ht_mode & IEEE80211_HT_OP_MODE_PROTECTION) {
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER:
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED:
+ req.prot_mm = true;
+ req.prot_gf = true;
+ fallthrough;
+ case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ:
+ req.prot_bw40 = true;
+ break;
+ }
+
+ if (ht_mode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT)
+ req.prot_gf = true;
+
+ if (use_cts_prot) {
+ struct mt7615_vif *mvif = (struct mt7615_vif *)vif->drv_priv;
+ u8 i = mvif->mt76.omac_idx > HW_BSSID_MAX ? HW_BSSID_0 : mvif->mt76.omac_idx;
+
+ req.prot_erp_mask = BIT(i);
+ }
+
+ return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(PROTECT_CTRL), &req,
+ sizeof(req), true);
+}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h b/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h
index 9bdd29e8d25e9..c655f64772de2 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h
@@ -466,8 +466,6 @@ void mt7615_mac_reset_counters(struct mt7615_phy *phy);
void mt7615_mac_cca_stats_reset(struct mt7615_phy *phy);
void mt7615_mac_set_scs(struct mt7615_phy *phy, bool enable);
void mt7615_mac_enable_nf(struct mt7615_dev *dev, bool ext_phy);
-void mt7615_mac_enable_rtscts(struct mt7615_dev *dev,
- struct ieee80211_vif *vif, bool enable);
void mt7615_mac_sta_poll(struct mt7615_dev *dev);
int mt7615_mac_write_txwi(struct mt7615_dev *dev, __le32 *txwi,
struct sk_buff *skb, struct mt76_wcid *wcid,
@@ -522,7 +520,8 @@ int mt7615_mcu_set_sku_en(struct mt7615_phy *phy, bool enable);
int mt7615_mcu_apply_rx_dcoc(struct mt7615_phy *phy);
int mt7615_mcu_apply_tx_dpd(struct mt7615_phy *phy);
int mt7615_dfs_init_radar_detector(struct mt7615_phy *phy);
-
+int mt7615_mcu_set_protection(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot);
int mt7615_mcu_set_roc(struct mt7615_phy *phy, struct ieee80211_vif *vif,
struct ieee80211_channel *chan, int duration);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
index 806b3887c541c..9e6d55c91b269 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/regs.h
@@ -455,8 +455,6 @@ enum mt7615_reg_base {
#define MT_WTBL_RIUCR3_RATE6 GENMASK(19, 8)
#define MT_WTBL_RIUCR3_RATE7 GENMASK(31, 20)
-#define MT_WTBL_W3_RTS BIT(22)
-
#define MT_WTBL_W5_CHANGE_BW_RATE GENMASK(7, 5)
#define MT_WTBL_W5_SHORT_GI_20 BIT(8)
#define MT_WTBL_W5_SHORT_GI_40 BIT(9)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 083/957] wifi: mt76: mt7915: fix use_cts_prot support
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 082/957] wifi: mt76: mt7615: fix use_cts_prot support Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 084/957] wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() Greg Kroah-Hartman
` (879 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryder Lee, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryder Lee <ryder.lee@mediatek.com>
[ Upstream commit 8b2c26562b95c6397e132d21f2bd3d73aaee0c0a ]
With this fix, when driver needs to adjust its behavior for compatibility,
especially concerning older 11g/n devices, by enabling or disabling CTS
protection frames, often for hidden SSIDs or to manage legacy clients.
Fixes: 150b91419d3d ("wifi: mt76: mt7915: enable use_cts_prot support")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Link: https://patch.msgid.link/eb8db4d0bf1c89b7486e89facb788ae3e510dd8b.1768879119.git.ryder.lee@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7915/mac.c | 13 ----
.../net/wireless/mediatek/mt76/mt7915/main.c | 7 ++-
.../net/wireless/mediatek/mt76/mt7915/mcu.c | 62 +++++++++++++++++++
.../net/wireless/mediatek/mt76/mt7915/mcu.h | 11 ++++
.../wireless/mediatek/mt76/mt7915/mt7915.h | 4 ++
5 files changed, 81 insertions(+), 16 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 5caf818e82834..9364e8673eb9d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -232,19 +232,6 @@ static void mt7915_mac_sta_poll(struct mt7915_dev *dev)
rcu_read_unlock();
}
-void mt7915_mac_enable_rtscts(struct mt7915_dev *dev,
- struct ieee80211_vif *vif, bool enable)
-{
- struct mt7915_vif *mvif = (struct mt7915_vif *)vif->drv_priv;
- u32 addr;
-
- addr = mt7915_mac_wtbl_lmac_addr(dev, mvif->sta.wcid.idx, 5);
- if (enable)
- mt76_set(dev, addr, BIT(5));
- else
- mt76_clear(dev, addr, BIT(5));
-}
-
static void
mt7915_wed_check_ppe(struct mt7915_dev *dev, struct mt76_queue *q,
struct mt7915_sta *msta, struct sk_buff *skb,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index fe0639c14bf9b..6f594677474b0 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -68,7 +68,7 @@ int mt7915_run(struct ieee80211_hw *hw)
if (ret)
goto out;
- ret = mt76_connac_mcu_set_rts_thresh(&dev->mt76, 0x92b,
+ ret = mt76_connac_mcu_set_rts_thresh(&dev->mt76, MT7915_RTS_LEN_THRES,
phy->mt76->band_idx);
if (ret)
goto out;
@@ -633,8 +633,9 @@ static void mt7915_bss_info_changed(struct ieee80211_hw *hw,
if (set_sta == 1)
mt7915_mcu_add_sta(dev, vif, NULL, CONN_STATE_PORT_SECURE, false);
- if (changed & BSS_CHANGED_ERP_CTS_PROT)
- mt7915_mac_enable_rtscts(dev, vif, info->use_cts_prot);
+ if (changed & BSS_CHANGED_HT || changed & BSS_CHANGED_ERP_CTS_PROT)
+ mt7915_mcu_set_protection(phy, vif, info->ht_operation_mode,
+ info->use_cts_prot);
if (changed & BSS_CHANGED_ERP_SLOT) {
int slottime = 9;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index c1fdd3c4f1ba6..79e021ac0bdbc 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -3852,6 +3852,68 @@ int mt7915_mcu_get_rx_rate(struct mt7915_phy *phy, struct ieee80211_vif *vif,
return ret;
}
+int mt7915_mcu_set_protection(struct mt7915_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot)
+{
+ struct mt7915_dev *dev = phy->dev;
+ int len = sizeof(struct sta_req_hdr) + sizeof(struct bss_info_prot);
+ struct mt7915_vif *mvif = (struct mt7915_vif *)vif->drv_priv;
+ struct bss_info_prot *prot;
+ struct sk_buff *skb;
+ struct tlv *tlv;
+ enum {
+ PROT_NONMEMBER = BIT(1),
+ PROT_20MHZ = BIT(2),
+ PROT_NONHT_MIXED = BIT(3),
+ PROT_LEGACY_ERP = BIT(5),
+ PROT_NONGF_STA = BIT(7),
+ };
+ u32 rts_threshold;
+
+ skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mvif->mt76,
+ NULL, len);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+
+ tlv = mt76_connac_mcu_add_tlv(skb, BSS_INFO_PROTECT_INFO,
+ sizeof(*prot));
+ prot = (struct bss_info_prot *)tlv;
+
+ switch (ht_mode & IEEE80211_HT_OP_MODE_PROTECTION) {
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER:
+ prot->prot_mode = cpu_to_le32(PROT_NONMEMBER);
+ break;
+ case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ:
+ prot->prot_mode = cpu_to_le32(PROT_20MHZ);
+ break;
+ case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED:
+ prot->prot_mode = cpu_to_le32(PROT_NONHT_MIXED);
+ break;
+ }
+
+ if (ht_mode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT)
+ prot->prot_mode |= cpu_to_le32(PROT_NONGF_STA);
+
+ if (use_cts_prot)
+ prot->prot_mode |= cpu_to_le32(PROT_LEGACY_ERP);
+
+ /* reuse current RTS setting */
+ rts_threshold = phy->mt76->hw->wiphy->rts_threshold;
+ if (rts_threshold == (u32)-1)
+ prot->rts_len_thres = cpu_to_le32(MT7915_RTS_LEN_THRES);
+ else
+ prot->rts_len_thres = cpu_to_le32(rts_threshold);
+
+ prot->rts_pkt_thres = 0x2;
+
+ prot->he_rts_thres = cpu_to_le16(vif->bss_conf.frame_time_rts_th);
+ if (!prot->he_rts_thres)
+ prot->he_rts_thres = cpu_to_le16(DEFAULT_HE_DURATION_RTS_THRES);
+
+ return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+ MCU_EXT_CMD(BSS_INFO_UPDATE), true);
+}
+
int mt7915_mcu_update_bss_color(struct mt7915_dev *dev, struct ieee80211_vif *vif,
struct cfg80211_he_bss_color *he_bss_color)
{
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
index 086ad89ecd914..4049ed864003d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
@@ -399,6 +399,17 @@ struct bss_info_inband_discovery {
__le16 prob_rsp_len;
} __packed __aligned(4);
+struct bss_info_prot {
+ __le16 tag;
+ __le16 len;
+ __le32 prot_type;
+ __le32 prot_mode;
+ __le32 rts_len_thres;
+ __le16 he_rts_thres;
+ u8 rts_pkt_thres;
+ u8 rsv[5];
+} __packed;
+
enum {
BSS_INFO_BCN_CSA,
BSS_INFO_BCN_BCC,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h b/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h
index 2e94347c46d62..f1194d147dc89 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mt7915.h
@@ -83,6 +83,8 @@
#define MT7915_CRIT_TEMP 110
#define MT7915_MAX_TEMP 120
+#define MT7915_RTS_LEN_THRES 0x92b
+
struct mt7915_vif;
struct mt7915_sta;
struct mt7915_dfs_pulse;
@@ -469,6 +471,8 @@ int mt7915_mcu_add_inband_discov(struct mt7915_dev *dev, struct ieee80211_vif *v
u32 changed);
int mt7915_mcu_add_beacon(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
int enable, u32 changed);
+int mt7915_mcu_set_protection(struct mt7915_phy *phy, struct ieee80211_vif *vif,
+ u8 ht_mode, bool use_cts_prot);
int mt7915_mcu_add_obss_spr(struct mt7915_phy *phy, struct ieee80211_vif *vif,
struct ieee80211_he_obss_pd *he_obss_pd);
int mt7915_mcu_add_rate_ctrl(struct mt7915_dev *dev, struct ieee80211_vif *vif,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 084/957] wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 083/957] wifi: mt76: mt7915: " Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 085/957] wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi Greg Kroah-Hartman
` (878 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
[ Upstream commit 83ae3a18ba957257b4c406273d2da2caeea2b439 ]
Move the NULL check for 'sta' before dereferencing it to prevent a
possible crash.
Fixes: 44eb173bdd4f ("wifi: mt76: mt7925: add link handling in mt7925_txwi_free")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250904030649.655436-4-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
index a048ab1feef05..f12b8db739653 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
@@ -845,11 +845,14 @@ static void mt7925_tx_check_aggr(struct ieee80211_sta *sta, struct sk_buff *skb,
bool is_8023;
u16 fc, tid;
+ if (!sta)
+ return;
+
link_sta = rcu_dereference(sta->link[wcid->link_id]);
if (!link_sta)
return;
- if (!sta || !(link_sta->ht_cap.ht_supported || link_sta->he_cap.has_he))
+ if (!(link_sta->ht_cap.ht_supported || link_sta->he_cap.has_he))
return;
tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 085/957] wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 084/957] wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 086/957] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor Greg Kroah-Hartman
` (877 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Yen Hsieh, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
[ Upstream commit 962eb04e67552be406c906c83099c1d736aae3b6 ]
Check for a NULL `vif` before accessing `ieee80211_vif_is_mld(vif)` to
avoid a potential kernel panic in scenarios where `vif` might not be
initialized.
Fixes: ebb1406813c6 ("wifi: mt76: mt7925: add link handling to txwi")
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250904030649.655436-3-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
index f12b8db739653..0608f0c1fd2c2 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
@@ -803,8 +803,8 @@ mt7925_mac_write_txwi(struct mt76_dev *dev, __le32 *txwi,
txwi[5] = cpu_to_le32(val);
val = MT_TXD6_DAS | FIELD_PREP(MT_TXD6_MSDU_CNT, 1);
- if (!ieee80211_vif_is_mld(vif) ||
- (q_idx >= MT_LMAC_ALTX0 && q_idx <= MT_LMAC_BCN0))
+ if (vif && (!ieee80211_vif_is_mld(vif) ||
+ (q_idx >= MT_LMAC_ALTX0 && q_idx <= MT_LMAC_BCN0)))
val |= MT_TXD6_DIS_MAT;
txwi[6] = cpu_to_le32(val);
txwi[7] = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 086/957] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 085/957] wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 087/957] wifi: mt76: mt7921: Place upper limit on station AID Greg Kroah-Hartman
` (876 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari,
AngeloGioacchino Del Regno, Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit d8db56142e531f060c938fa0b5175ed6c8cabb11 ]
The mt7996 driver currently checks the MT_RXD3_NORMAL_FCS_ERR bit in
rxd1 whereas other Connac3-based drivers(mt7925) correctly check this
bit in rxd3.
Since the MT_RXD3_NORMAL_FCS_ERR bit is defined in the fourth RX
descriptor word (rxd3), update mt7996 to use the proper descriptor
field. This change aligns mt7996 with mt7925 and the rest of the
Connac3 family.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20251013090826.753992-1-alok.a.tiwari@oracle.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 15d796702a589..2aa8bb779b228 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -527,7 +527,7 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
!(csum_status & (BIT(0) | BIT(2) | BIT(3))))
skb->ip_summed = CHECKSUM_UNNECESSARY;
- if (rxd1 & MT_RXD3_NORMAL_FCS_ERR)
+ if (rxd3 & MT_RXD3_NORMAL_FCS_ERR)
status->flag |= RX_FLAG_FAILED_FCS_CRC;
if (rxd1 & MT_RXD1_NORMAL_TKIP_MIC_ERR)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 087/957] wifi: mt76: mt7921: Place upper limit on station AID
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 086/957] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 088/957] wifi: mt76: Fix memory leak destroying device Greg Kroah-Hartman
` (875 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rory Little, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rory Little <rory@candelatech.com>
[ Upstream commit 4d0bf21e3e20619d51d06c0c36207aabab8b712c ]
Any station configured with an AID over 20 causes a firmware crash.
This situation occurred in our testing using an AP interface on 7922
hardware, with a modified hostapd, sourced from Mediatek's OpenWRT
feeds.
In stock hostapd, station AIDs begin counting at 1, and this
configuration is prevented with an upper limit on associated stations.
However, the modified hostapd began allocation at 65, which caused the
firmware to crash. This fix does not allow these AIDs to work, but will
prevent the firmware crash.
This crash was only seen on IFTYPE_AP interfaces, and the fix does not
appear to have an effect on IFTYPE_STATION behavior.
Fixes: 5c14a5f944b9 ("mt76: mt7921: introduce mt7921e support")
Signed-off-by: Rory Little <rory@candelatech.com>
Link: https://patch.msgid.link/20250904000711.3033860-1-rory@candelatech.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 6 ++++++
drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h | 2 ++
2 files changed, 8 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 5e676916593d3..ea6ff4c6bc90b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -808,6 +808,9 @@ int mt7921_mac_sta_add(struct mt76_dev *mdev, struct ieee80211_vif *vif,
struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
int ret, idx;
+ if (sta->aid > MT7921_MAX_AID)
+ return -ENOENT;
+
idx = mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1);
if (idx < 0)
return -ENOSPC;
@@ -851,6 +854,9 @@ int mt7921_mac_sta_event(struct mt76_dev *mdev, struct ieee80211_vif *vif,
struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+ if (sta->aid > MT7921_MAX_AID)
+ return -ENOENT;
+
if (ev != MT76_STA_EVENT_ASSOC)
return 0;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h b/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
index c88793fcec643..faa0d93982144 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
@@ -7,6 +7,8 @@
#include "../mt792x.h"
#include "regs.h"
+#define MT7921_MAX_AID 20
+
#define MT7921_TX_RING_SIZE 2048
#define MT7921_TX_MCU_RING_SIZE 256
#define MT7921_TX_FWDL_RING_SIZE 128
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 088/957] wifi: mt76: Fix memory leak destroying device
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 087/957] wifi: mt76: mt7921: Place upper limit on station AID Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 089/957] wifi: mt76: mt7925: cqm rssi low/high event notify Greg Kroah-Hartman
` (874 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 6b470f36616e3448d44b0ef4b1de2a3e3a31b5be ]
All MT76 rx queues have an associated page_pool even if the queue is not
associated to a NAPI (e.g. WED RRO queues with WED enabled). Destroy the
page_pool running mt76_dma_cleanup routine during module unload.
Moreover returns pages to the page pool if WED is not enabled for WED RRO
queues.
Fixes: 950d0abb5cd94 ("wifi: mt76: mt7996: add wed rx support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251208-mt76-fix-memory-leak-v1-1-cba813fc62b8@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/dma.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index 1fa7de1d2c45e..9ef073c27f309 100644
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -878,7 +878,12 @@ mt76_dma_rx_cleanup(struct mt76_dev *dev, struct mt76_queue *q)
if (!buf)
break;
- if (!mt76_queue_is_wed_rro(q))
+ if (mtk_wed_device_active(&dev->mmio.wed) &&
+ mt76_queue_is_wed_rro(q))
+ continue;
+
+ if (!mt76_queue_is_wed_rro_rxdmad_c(q) &&
+ !mt76_queue_is_wed_rro_ind(q))
mt76_put_page_pool_buf(buf, false);
} while (1);
@@ -1169,10 +1174,6 @@ void mt76_dma_cleanup(struct mt76_dev *dev)
mt76_for_each_q_rx(dev, i) {
struct mt76_queue *q = &dev->q_rx[i];
- if (mtk_wed_device_active(&dev->mmio.wed) &&
- mt76_queue_is_wed_rro(q))
- continue;
-
netif_napi_del(&dev->napi[i]);
mt76_dma_rx_cleanup(dev, q);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 089/957] wifi: mt76: mt7925: cqm rssi low/high event notify
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 088/957] wifi: mt76: Fix memory leak destroying device Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 090/957] wifi: mt76: mt7925: drop puncturing handling from BSS change path Greg Kroah-Hartman
` (873 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jack Kao, Ming Yen Hsieh,
Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Kao <jack.kao@mediatek.com>
[ Upstream commit 2a035ae2062f38dc5183002d1c5a64ca682170c1 ]
The implementation amounts to setting the driver flag
IEEE80211_VIF_SUPPORTS_CQM_RSSI, and then providing
mechanisms for continuously updating enough information
to be able to provide notifications to userspace when
RSSI drops below a certain threshold
Signed-off-by: Jack Kao <jack.kao@mediatek.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20251001012506.2168037-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Stable-dep-of: 59a1864509d0 ("wifi: mt76: mt7925: drop puncturing handling from BSS change path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/mediatek/mt76/mt76_connac_mcu.h | 2 +
.../net/wireless/mediatek/mt76/mt7925/main.c | 6 ++
.../net/wireless/mediatek/mt76/mt7925/mcu.c | 82 +++++++++++++++++++
.../net/wireless/mediatek/mt76/mt7925/mcu.h | 8 ++
.../wireless/mediatek/mt76/mt7925/mt7925.h | 7 ++
5 files changed, 105 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
index 27daf419560a5..0b02f34c40a40 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
@@ -1062,6 +1062,7 @@ enum {
MCU_UNI_EVENT_ROC = 0x27,
MCU_UNI_EVENT_TX_DONE = 0x2d,
MCU_UNI_EVENT_THERMAL = 0x35,
+ MCU_UNI_EVENT_RSSI_MONITOR = 0x41,
MCU_UNI_EVENT_NIC_CAPAB = 0x43,
MCU_UNI_EVENT_WED_RRO = 0x57,
MCU_UNI_EVENT_PER_STA_INFO = 0x6d,
@@ -1300,6 +1301,7 @@ enum {
MCU_UNI_CMD_THERMAL = 0x35,
MCU_UNI_CMD_VOW = 0x37,
MCU_UNI_CMD_FIXED_RATE_TABLE = 0x40,
+ MCU_UNI_CMD_RSSI_MONITOR = 0x41,
MCU_UNI_CMD_TESTMODE_CTRL = 0x46,
MCU_UNI_CMD_RRO = 0x57,
MCU_UNI_CMD_OFFCH_SCAN_CTRL = 0x58,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index d1f63c81ceb99..f503e861a7e63 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -430,6 +430,9 @@ mt7925_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
goto out;
vif->driver_flags |= IEEE80211_VIF_BEACON_FILTER;
+ if (phy->chip_cap & MT792x_CHIP_CAP_RSSI_NOTIFY_EVT_EN)
+ vif->driver_flags |= IEEE80211_VIF_SUPPORTS_CQM_RSSI;
+
out:
mt792x_mutex_release(dev);
@@ -1958,6 +1961,9 @@ static void mt7925_link_info_changed(struct ieee80211_hw *hw,
mt7925_mcu_set_eht_pp(mvif->phy->mt76, &mconf->mt76,
link_conf, NULL);
+ if (changed & BSS_CHANGED_CQM)
+ mt7925_mcu_set_rssimonitor(dev, vif);
+
mt792x_mutex_release(dev);
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index 130f1742546bc..d887aa9a3dff7 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -450,6 +450,56 @@ mt7925_mcu_tx_done_event(struct mt792x_dev *dev, struct sk_buff *skb)
}
}
+static void
+mt7925_mcu_rssi_monitor_iter(void *priv, u8 *mac,
+ struct ieee80211_vif *vif)
+{
+ struct mt7925_uni_rssi_monitor_event *event = priv;
+ enum nl80211_cqm_rssi_threshold_event nl_event;
+ s32 rssi = le32_to_cpu(event->rssi);
+
+ if (vif->type != NL80211_IFTYPE_STATION)
+ return;
+
+ if (!(vif->driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI))
+ return;
+
+ if (rssi > vif->bss_conf.cqm_rssi_thold)
+ nl_event = NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH;
+ else
+ nl_event = NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW;
+
+ ieee80211_cqm_rssi_notify(vif, nl_event, rssi, GFP_KERNEL);
+}
+
+static void
+mt7925_mcu_rssi_monitor_event(struct mt792x_dev *dev, struct sk_buff *skb)
+{
+ struct tlv *tlv;
+ u32 tlv_len;
+ struct mt7925_uni_rssi_monitor_event *event;
+
+ skb_pull(skb, sizeof(struct mt7925_mcu_rxd) + 4);
+ tlv = (struct tlv *)skb->data;
+ tlv_len = skb->len;
+
+ while (tlv_len > 0 && le16_to_cpu(tlv->len) <= tlv_len) {
+ switch (le16_to_cpu(tlv->tag)) {
+ case UNI_EVENT_RSSI_MONITOR_INFO:
+ event = (struct mt7925_uni_rssi_monitor_event *)skb->data;
+ ieee80211_iterate_active_interfaces_atomic(dev->mt76.hw,
+ IEEE80211_IFACE_ITER_RESUME_ALL,
+ mt7925_mcu_rssi_monitor_iter,
+ event);
+ break;
+ default:
+ break;
+ }
+ tlv_len -= le16_to_cpu(tlv->len);
+ tlv = (struct tlv *)((char *)(tlv) + le16_to_cpu(tlv->len));
+ }
+}
+
static void
mt7925_mcu_uni_debug_msg_event(struct mt792x_dev *dev, struct sk_buff *skb)
{
@@ -546,6 +596,9 @@ mt7925_mcu_uni_rx_unsolicited_event(struct mt792x_dev *dev,
case MCU_UNI_EVENT_BSS_BEACON_LOSS:
mt7925_mcu_connection_loss_event(dev, skb);
break;
+ case MCU_UNI_EVENT_RSSI_MONITOR:
+ mt7925_mcu_rssi_monitor_event(dev, skb);
+ break;
case MCU_UNI_EVENT_COREDUMP:
dev->fw_assert = true;
mt76_connac_mcu_coredump_event(&dev->mt76, skb, &dev->coredump);
@@ -3821,3 +3874,32 @@ int mt7925_mcu_set_rxfilter(struct mt792x_dev *dev, u32 fif,
return mt76_mcu_send_msg(&phy->dev->mt76, MCU_UNI_CMD(BAND_CONFIG),
&req, sizeof(req), true);
}
+
+int mt7925_mcu_set_rssimonitor(struct mt792x_dev *dev, struct ieee80211_vif *vif)
+{
+ struct mt792x_bss_conf *mconf = mt792x_link_conf_to_mconf(&vif->bss_conf);
+ struct {
+ struct {
+ u8 bss_idx;
+ u8 pad[3];
+ } __packed hdr;
+ __le16 tag;
+ __le16 len;
+ u8 enable;
+ s8 cqm_rssi_high;
+ s8 cqm_rssi_low;
+ u8 rsv;
+ } req = {
+ .hdr = {
+ .bss_idx = mconf->mt76.idx,
+ },
+ .tag = cpu_to_le16(UNI_CMD_RSSI_MONITOR_SET),
+ .len = cpu_to_le16(sizeof(req) - 4),
+ .enable = vif->cfg.assoc,
+ .cqm_rssi_high = (s8)(vif->bss_conf.cqm_rssi_thold + vif->bss_conf.cqm_rssi_hyst),
+ .cqm_rssi_low = (s8)(vif->bss_conf.cqm_rssi_thold - vif->bss_conf.cqm_rssi_hyst),
+ };
+
+ return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(RSSI_MONITOR), &req,
+ sizeof(req), false);
+}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
index a40764d89a1ff..148aa3c05c8c4 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
@@ -152,6 +152,14 @@ enum {
UNI_EVENT_SCAN_DONE_NLO = 3,
};
+enum {
+ UNI_CMD_RSSI_MONITOR_SET = 0,
+};
+
+enum {
+ UNI_EVENT_RSSI_MONITOR_INFO = 0,
+};
+
enum connac3_mcu_cipher_type {
CONNAC3_CIPHER_NONE = 0,
CONNAC3_CIPHER_WEP40 = 1,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
index 1c5ab3ea247d8..7f67e0a978726 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
@@ -103,6 +103,12 @@ struct mt7925_uni_beacon_loss_event {
struct mt7925_beacon_loss_tlv beacon_loss;
} __packed;
+struct mt7925_uni_rssi_monitor_event {
+ __le16 tag;
+ __le16 len;
+ __le32 rssi;
+} __packed;
+
#define to_rssi(field, rxv) ((FIELD_GET(field, rxv) - 220) / 2)
#define to_rcpi(rssi) (2 * (rssi) + 220)
@@ -372,4 +378,5 @@ int mt7925_testmode_cmd(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
int mt7925_testmode_dump(struct ieee80211_hw *hw, struct sk_buff *msg,
struct netlink_callback *cb, void *data, int len);
+int mt7925_mcu_set_rssimonitor(struct mt792x_dev *dev, struct ieee80211_vif *vif);
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 090/957] wifi: mt76: mt7925: drop puncturing handling from BSS change path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 089/957] wifi: mt76: mt7925: cqm rssi low/high event notify Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 091/957] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync Greg Kroah-Hartman
` (872 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Wang, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Wang <sean.wang@mediatek.com>
[ Upstream commit 59a1864509d084a4b34117e693951c06b846b00a ]
IEEE80211_CHANCTX_CHANGE_PUNCTURING is a channel context change
flag and should not be checked in the BSS change handler, where
the changed mask represents enum ieee80211_bss_change.
Remove the puncturing handling from the BSS path and rely on
mt7925_change_chanctx() to update puncturing configuration.
Fixes: cadebdad959b ("wifi: mt76: mt7925: add EHT preamble puncturing")
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20251216022017.23870-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index f503e861a7e63..ebb746f4072de 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1912,10 +1912,8 @@ static void mt7925_link_info_changed(struct ieee80211_hw *hw,
struct mt792x_phy *phy = mt792x_hw_phy(hw);
struct mt792x_dev *dev = mt792x_hw_dev(hw);
struct mt792x_bss_conf *mconf;
- struct ieee80211_bss_conf *link_conf;
mconf = mt792x_vif_to_link(mvif, info->link_id);
- link_conf = mt792x_vif_to_bss_conf(vif, mconf->link_id);
mt792x_mutex_acquire(dev);
@@ -1957,10 +1955,6 @@ static void mt7925_link_info_changed(struct ieee80211_hw *hw,
mvif->mlo_pm_state = MT792x_MLO_CHANGED_PS;
}
- if (changed & IEEE80211_CHANCTX_CHANGE_PUNCTURING)
- mt7925_mcu_set_eht_pp(mvif->phy->mt76, &mconf->mt76,
- link_conf, NULL);
-
if (changed & BSS_CHANGED_CQM)
mt7925_mcu_set_rssimonitor(dev, vif);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 091/957] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 090/957] wifi: mt76: mt7925: drop puncturing handling from BSS change path Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 092/957] wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync Greg Kroah-Hartman
` (871 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quan Zhou, Sean Wang, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Wang <sean.wang@mediatek.com>
[ Upstream commit dd08ca3f092f4185ece69ce2a835c23198b1628a ]
roc_abort_sync() can deadlock with roc_work(). roc_work() holds
dev->mt76.mutex, while cancel_work_sync() waits for roc_work()
to finish. If the caller already owns the same mutex, both
sides block and no progress is possible.
This deadlock can occur during station removal when
mt76_sta_state() -> mt76_sta_remove() ->
mt7925_mac_sta_remove_link() -> mt7925_mac_link_sta_remove() ->
mt7925_roc_abort_sync() invokes cancel_work_sync() while
roc_work() is still running and holding dev->mt76.mutex.
This avoids the mutex deadlock and preserves exactly-once
work ownership.
Fixes: 45064d19fd3a ("wifi: mt76: mt7925: fix a potential association failure upon resuming")
Co-developed-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20251216013849.17976-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index ebb746f4072de..00126f563dfd9 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -452,12 +452,16 @@ void mt7925_roc_abort_sync(struct mt792x_dev *dev)
{
struct mt792x_phy *phy = &dev->phy;
+ if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
+ return;
+
timer_delete_sync(&phy->roc_timer);
- cancel_work_sync(&phy->roc_work);
- if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
- ieee80211_iterate_interfaces(mt76_hw(dev),
- IEEE80211_IFACE_ITER_RESUME_ALL,
- mt7925_roc_iter, (void *)phy);
+
+ cancel_work(&phy->roc_work);
+
+ ieee80211_iterate_interfaces(mt76_hw(dev),
+ IEEE80211_IFACE_ITER_RESUME_ALL,
+ mt7925_roc_iter, (void *)phy);
}
EXPORT_SYMBOL_GPL(mt7925_roc_abort_sync);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 092/957] wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 091/957] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 093/957] wifi: mt76: fix deadlock in remain-on-channel Greg Kroah-Hartman
` (870 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quan Zhou, Sean Wang, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Wang <sean.wang@mediatek.com>
[ Upstream commit d5059e52fd8bc624ec4255c9fa01a266513d126b ]
roc_abort_sync() can deadlock with roc_work(). roc_work() holds
dev->mt76.mutex, while cancel_work_sync() waits for roc_work()
to finish. If the caller already owns the same mutex, both
sides block and no progress is possible.
This deadlock can occur during station removal when
mt76_sta_state() -> mt76_sta_remove() -> mt7921_mac_sta_remove() ->
mt7921_roc_abort_sync() invokes cancel_work_sync() while
roc_work() is still running and holding dev->mt76.mutex.
This avoids the mutex deadlock and preserves exactly-once
work ownership.
Fixes: 352d966126e6 ("wifi: mt76: mt7921: fix a potential association failure upon resuming")
Co-developed-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20260126180013.8167-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index ea6ff4c6bc90b..07495c97f1c12 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -371,12 +371,15 @@ void mt7921_roc_abort_sync(struct mt792x_dev *dev)
{
struct mt792x_phy *phy = &dev->phy;
+ if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
+ return;
+
timer_delete_sync(&phy->roc_timer);
- cancel_work_sync(&phy->roc_work);
- if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
- ieee80211_iterate_interfaces(mt76_hw(dev),
- IEEE80211_IFACE_ITER_RESUME_ALL,
- mt7921_roc_iter, (void *)phy);
+ cancel_work(&phy->roc_work);
+
+ ieee80211_iterate_interfaces(mt76_hw(dev),
+ IEEE80211_IFACE_ITER_RESUME_ALL,
+ mt7921_roc_iter, (void *)phy);
}
EXPORT_SYMBOL_GPL(mt7921_roc_abort_sync);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 093/957] wifi: mt76: fix deadlock in remain-on-channel
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 092/957] wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 094/957] arm64: cpufeature: Make PMUVer and PerfMon unsigned Greg Kroah-Hartman
` (869 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chad Monroe, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chad Monroe <chad@monroe.io>
[ Upstream commit 6939b97ddad3cf3dfbb3b5a0a12ef79cb886747e ]
mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
while already holding dev->mutex. Since mt76_set_channel() also acquires
dev->mutex, this results in a deadlock.
Use __mt76_set_channel() instead of mt76_set_channel().
Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
in mt76_remain_on_channel() to prevent a secondary deadlock with the
mac_work workqueue.
Fixes: a8f424c1287c ("wifi: mt76: add multi-radio remain_on_channel functions")
Signed-off-by: Chad Monroe <chad@monroe.io>
Link: https://patch.msgid.link/ace737e7b621af7c2adb33b0188011a5c1de2166.1765204256.git.chad@monroe.io
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
index 130af1b254dbf..eccaee1fd434f 100644
--- a/drivers/net/wireless/mediatek/mt76/channel.c
+++ b/drivers/net/wireless/mediatek/mt76/channel.c
@@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
mlink->mvif->roc_phy = NULL;
if (phy->main_chandef.chan &&
!test_bit(MT76_MCU_RESET, &dev->phy.state))
- mt76_set_channel(phy, &phy->main_chandef, false);
+ __mt76_set_channel(phy, &phy->main_chandef, false);
mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
phy->roc_vif = NULL;
phy->roc_link = NULL;
@@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
if (!phy)
return -EINVAL;
+ cancel_delayed_work_sync(&phy->mac_work);
+
mutex_lock(&dev->mutex);
if (phy->roc_vif || dev->scan.phy == phy ||
@@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
phy->roc_vif = vif;
phy->roc_link = mlink;
cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
- mt76_set_channel(phy, &chandef, true);
+ ret = __mt76_set_channel(phy, &chandef, true);
+ if (ret) {
+ mlink->mvif->roc_phy = NULL;
+ phy->roc_vif = NULL;
+ phy->roc_link = NULL;
+ mt76_put_vif_phy_link(phy, vif, mlink);
+ goto out;
+ }
ieee80211_ready_on_channel(hw);
ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
msecs_to_jiffies(duration));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 094/957] arm64: cpufeature: Make PMUVer and PerfMon unsigned
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 093/957] wifi: mt76: fix deadlock in remain-on-channel Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 095/957] wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP Greg Kroah-Hartman
` (868 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Clark, Marc Zyngier,
Colton Lewis, Will Deacon, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Clark <james.clark@linaro.org>
[ Upstream commit d1dcc20bcc40efe1f1c71639376c91dafa489222 ]
On the host, this change doesn't make a difference because the fields
are defined as FTR_EXACT. However, KVM allows userspace to set these
fields for a guest and overrides the type to be FTR_LOWER_SAFE. And
while KVM used to do an unsigned comparison to validate that the new
value is lower than what the hardware provides, since the linked commit
it uses the generic sanitization framework which does a signed
comparison.
Fix it by defining these fields as unsigned. In theory, without this
fix, userspace could set a higher PMU version than the hardware supports
by providing any value with the top bit set.
Fixes: c118cead07a7 ("KVM: arm64: Use generic sanitisation for ID_(AA64)DFR0_EL1")
Signed-off-by: James Clark <james.clark@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Colton Lewis <coltonlewis@google.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/cpufeature.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index e25b0f84a22da..39a798f74778e 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -564,7 +564,7 @@ static const struct arm64_ftr_bits ftr_id_aa64dfr0[] = {
* We can instantiate multiple PMU instances with different levels
* of support.
*/
- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_AA64DFR0_EL1_PMUVer_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_AA64DFR0_EL1_PMUVer_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_EXACT, ID_AA64DFR0_EL1_DebugVer_SHIFT, 4, 0x6),
ARM64_FTR_END,
};
@@ -708,7 +708,7 @@ static const struct arm64_ftr_bits ftr_id_pfr2[] = {
static const struct arm64_ftr_bits ftr_id_dfr0[] = {
/* [31:28] TraceFilt */
- S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_DFR0_EL1_PerfMon_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_EXACT, ID_DFR0_EL1_PerfMon_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_DFR0_EL1_MProfDbg_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_DFR0_EL1_MMapTrc_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_DFR0_EL1_CopTrc_SHIFT, 4, 0),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 095/957] wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 094/957] arm64: cpufeature: Make PMUVer and PerfMon unsigned Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 096/957] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event Greg Kroah-Hartman
` (867 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shayne Chen, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shayne Chen <shayne.chen@mediatek.com>
[ Upstream commit 97b9f9831bf297f3ffa62018721601ed2736f2c3 ]
The struct mt76_connac_fw_txp is used for HIF TXP. Change to use the
struct mt76_connac_hw_txp to fix the wrong DMAD length for MAC TXP.
Fixes: cb6ebbdffef2 ("wifi: mt76: mt7996: support writing MAC TXD for AddBA Request")
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20260203155532.1098290-1-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 2aa8bb779b228..0b5194e708b3a 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1109,10 +1109,10 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
* req
*/
if (le32_to_cpu(ptr[7]) & MT_TXD7_MAC_TXD) {
- u32 val;
+ u32 val, mac_txp_size = sizeof(struct mt76_connac_hw_txp);
ptr = (__le32 *)(txwi + MT_TXD_SIZE);
- memset((void *)ptr, 0, sizeof(struct mt76_connac_fw_txp));
+ memset((void *)ptr, 0, mac_txp_size);
val = FIELD_PREP(MT_TXP0_TOKEN_ID0, id) |
MT_TXP0_TOKEN_ID0_VALID_MASK;
@@ -1131,6 +1131,8 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
tx_info->buf[1].addr >> 32);
#endif
ptr[3] = cpu_to_le32(val);
+
+ tx_info->buf[0].len = MT_TXD_SIZE + mac_txp_size;
} else {
struct mt76_connac_txp_common *txp;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 096/957] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 095/957] wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 097/957] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() Greg Kroah-Hartman
` (866 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, StanleyYP Wang, Shayne Chen,
Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
[ Upstream commit efbd5bf395f4e6b45a87f3835d4c2e28170c77c5 ]
The cid field is defined as a two-byte value in the firmware.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20260203155532.1098290-2-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index 321098496a39e..c2d15128784bc 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -233,7 +233,7 @@ mt7996_mcu_parse_response(struct mt76_dev *mdev, int cmd,
event = (struct mt7996_mcu_uni_event *)skb->data;
ret = le32_to_cpu(event->status);
/* skip invalid event */
- if (mcu_cmd != event->cid)
+ if (mcu_cmd != le16_to_cpu(event->cid))
ret = -EAGAIN;
} else {
skb_pull(skb, sizeof(struct mt7996_mcu_rxd));
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
index abfd7e5a775b3..7b51d7346bcaa 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
@@ -25,8 +25,8 @@ struct mt7996_mcu_rxd {
};
struct mt7996_mcu_uni_event {
- u8 cid;
- u8 __rsv[3];
+ __le16 cid;
+ u8 __rsv[2];
__le32 status; /* 0: success, others: fail */
} __packed;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 097/957] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 096/957] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 098/957] wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() Greg Kroah-Hartman
` (865 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 1146d0946b5358fad24812bd39d68f31cd40cc34 ]
When the mt7915 pci chip is detaching, the mt7915_crash_data is
released in mt7915_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7915_mac_dump_work().
The race condition can occur as follows:
CPU 0 (removal path) | CPU 1 (workqueue)
mt7915_pci_remove() | mt7915_sys_recovery_set()
mt7915_unregister_device() | mt7915_reset()
mt7915_coredump_unregister() | queue_work()
vfree(dev->coredump.crash_data) | mt7915_mac_dump_work()
| crash_data-> // UAF
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7915_unregister_device() to synchronize with any pending
or executing dump work.
Fixes: 4dbcb9125cc3 ("wifi: mt76: mt7915: enable coredump support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20260130145759.84272-1-duoming@zju.edu.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index 5ea8b46e092ef..d2b163a5fce5b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -1287,6 +1287,7 @@ int mt7915_register_device(struct mt7915_dev *dev)
void mt7915_unregister_device(struct mt7915_dev *dev)
{
+ cancel_work_sync(&dev->dump_work);
mt7915_unregister_ext_phy(dev);
mt7915_coredump_unregister(dev);
mt7915_unregister_thermal(&dev->phy);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 098/957] wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 097/957] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 099/957] wifi: mt76: mt7921: fix 6GHz regulatory update on connection Greg Kroah-Hartman
` (864 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit c8f62f73bbced3a79894655bdb0b625462d956fc ]
When the mt7996 pci chip is detaching, the mt7996_crash_data is
released in mt7996_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7996_mac_dump_work().
The race condition can occur as follows:
CPU 0 (removal path) | CPU 1 (workqueue)
mt7996_pci_remove() | mt7996_sys_recovery_set()
mt7996_unregister_device() | mt7996_reset()
mt7996_coredump_unregister() | queue_work()
vfree(dev->coredump.crash_data) | mt7996_mac_dump_work()
| crash_data-> // UAF
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7996_unregister_device() to synchronize with any pending
or executing dump work.
Fixes: 878161d5d4a4 ("wifi: mt76: mt7996: enable coredump support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20260131024731.18741-1-duoming@zju.edu.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
index e26f8e9e4f8fc..ba769e6de76d2 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
@@ -1732,6 +1732,7 @@ int mt7996_register_device(struct mt7996_dev *dev)
void mt7996_unregister_device(struct mt7996_dev *dev)
{
+ cancel_work_sync(&dev->dump_work);
cancel_work_sync(&dev->wed_rro.work);
mt7996_unregister_phy(mt7996_phy3(dev));
mt7996_unregister_phy(mt7996_phy2(dev));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 099/957] wifi: mt76: mt7921: fix 6GHz regulatory update on connection
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 098/957] wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 100/957] wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property Greg Kroah-Hartman
` (863 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Lo, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Lo <michael.lo@mediatek.com>
[ Upstream commit 3dc0c40d7806c72cfe88cf4e1e2650c1673f9db4 ]
Call mt7921_regd_update() instead of mt7921_mcu_set_clc() when setting
the 6GHz power type after connection, so that regulatory limits and SAR
power are also applied.
Fixes: 51ba0e3a15eb ("wifi: mt76: mt7921: add 6GHz power type support for clc")
Signed-off-by: Michael Lo <michael.lo@mediatek.com>
Link: https://patch.msgid.link/20260211095025.2415624-1-leon.yen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 07495c97f1c12..ce11666a32db9 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -800,7 +800,8 @@ mt7921_regd_set_6ghz_power_type(struct ieee80211_vif *vif, bool is_add)
}
out:
- mt7921_mcu_set_clc(dev, dev->mt76.alpha2, dev->country_ie_env);
+ if (vif->bss_conf.chanreq.oper.chan->band == NL80211_BAND_6GHZ)
+ mt7921_regd_update(dev);
}
int mt7921_mac_sta_add(struct mt76_dev *mdev, struct ieee80211_vif *vif,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 100/957] wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 099/957] wifi: mt76: mt7921: fix 6GHz regulatory update on connection Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 101/957] wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links() Greg Kroah-Hartman
` (862 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi,
AngeloGioacchino Del Regno, Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit c0a47ffc4caaf5161955add553322112c3a211b0 ]
Enable missing CHANCTX_STA_CSA property required for MLO.
Fixes: f5160304d57c ("wifi: mt76: mt7996: Enable MLO support for client interfaces")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20250928-mt7996_chanctx_sta_csa-v1-1-82e455185990@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
index ba769e6de76d2..817acfad31d06 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
@@ -536,6 +536,7 @@ mt7996_init_wiphy(struct ieee80211_hw *hw, struct mtk_wed_device *wed)
ieee80211_hw_set(hw, SUPPORTS_RX_DECAP_OFFLOAD);
ieee80211_hw_set(hw, NO_VIRTUAL_MONITOR);
ieee80211_hw_set(hw, SUPPORTS_MULTI_BSSID);
+ ieee80211_hw_set(hw, CHANCTX_STA_CSA);
hw->max_tx_fragments = 4;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 101/957] wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 100/957] wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 102/957] wifi: mt76: mt7996: use correct link_id when filling TXD and TXP Greg Kroah-Hartman
` (861 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 569ce4340268915911fc356ec9ad27e92fb82289 ]
Remove link pointer dependency in mt7996_mac_sta_remove_links routine to
get the mt7996_phy pointer since the link can be already offchannel
running mt7996_mac_sta_remove_links(). Rely on __mt7996_phy routine
instead.
Fixes: 344dd6a4c919 ("wifi: mt76: mt7996: Move num_sta accounting in mt7996_mac_sta_{add,remove}_links")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260306-mt7996-deflink-lookup-link-remove-v1-1-7162b332873c@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/main.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 589b228a4eb0c..32d44540605fc 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -1047,8 +1047,7 @@ mt7996_mac_sta_remove_links(struct mt7996_dev *dev, struct ieee80211_vif *vif,
for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) {
struct mt7996_sta_link *msta_link = NULL;
- struct mt7996_vif_link *link;
- struct mt76_phy *mphy;
+ struct mt7996_phy *phy;
msta_link = rcu_replace_pointer(msta->link[link_id], msta_link,
lockdep_is_held(&mdev->mutex));
@@ -1057,17 +1056,12 @@ mt7996_mac_sta_remove_links(struct mt7996_dev *dev, struct ieee80211_vif *vif,
mt7996_mac_wtbl_update(dev, msta_link->wcid.idx,
MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
-
mt7996_mac_sta_deinit_link(dev, msta_link);
- link = mt7996_vif_link(dev, vif, link_id);
- if (!link)
- continue;
- mphy = mt76_vif_link_phy(&link->mt76);
- if (!mphy)
- continue;
+ phy = __mt7996_phy(dev, msta_link->wcid.phy_idx);
+ if (phy)
+ phy->mt76->num_sta--;
- mphy->num_sta--;
if (msta->deflink_id == link_id) {
msta->deflink_id = IEEE80211_LINK_UNSPECIFIED;
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 102/957] wifi: mt76: mt7996: use correct link_id when filling TXD and TXP
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 101/957] wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 103/957] wifi: mt76: mt7996: Switch to the secondary link if the default one is removed Greg Kroah-Hartman
` (860 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shayne Chen, Lorenzo Bianconi,
Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shayne Chen <shayne.chen@mediatek.com>
[ Upstream commit 85cd5534a3f2ec93e7d88713a77df5b4255520df ]
Obtain the correct link ID and, if needed, switch to the corresponding
wcid before populating the TX descriptor and TX payload.
Rules for link id:
- For QoS data of MLD peers (excluding EAPOL), select the primary or
secondary wcid based on whether the TID is odd or even to meet FW/HW
requirements
- For other packets, use IEEE80211_TX_CTRL_MLO_LINK if specified
(such as multicast and broadcast packets)
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251106064203.1000505-8-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Stable-dep-of: e648051d52af ("wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7996/mac.c | 34 ++++++++++++++++---
.../net/wireless/mediatek/mt76/mt7996/main.c | 9 +++++
.../net/wireless/mediatek/mt76/mt7996/mcu.c | 4 +--
.../wireless/mediatek/mt76/mt7996/mt7996.h | 1 +
4 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 0b5194e708b3a..13a3b521437be 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1040,15 +1040,20 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
struct ieee80211_sta *sta,
struct mt76_tx_info *tx_info)
{
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx_info->skb->data;
struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76);
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx_info->skb);
struct ieee80211_key_conf *key = info->control.hw_key;
struct ieee80211_vif *vif = info->control.vif;
+ struct mt7996_vif *mvif = vif ? (struct mt7996_vif *)vif->drv_priv : NULL;
+ struct mt7996_sta *msta = sta ? (struct mt7996_sta *)sta->drv_priv : NULL;
+ struct mt76_vif_link *mlink = NULL;
struct mt76_txwi_cache *t;
int id, i, pid, nbuf = tx_info->nbuf - 1;
bool is_8023 = info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP;
__le32 *ptr = (__le32 *)txwi_ptr;
u8 *txwi = (u8 *)txwi_ptr;
+ u8 link_id;
if (unlikely(tx_info->skb->len <= ETH_HLEN))
return -EINVAL;
@@ -1056,6 +1061,30 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
if (!wcid)
wcid = &dev->mt76.global_wcid;
+ if ((is_8023 || ieee80211_is_data_qos(hdr->frame_control)) && sta->mlo &&
+ likely(tx_info->skb->protocol != cpu_to_be16(ETH_P_PAE))) {
+ u8 tid = tx_info->skb->priority & IEEE80211_QOS_CTL_TID_MASK;
+
+ link_id = (tid % 2) ? msta->seclink_id : msta->deflink_id;
+ } else {
+ link_id = u32_get_bits(info->control.flags,
+ IEEE80211_TX_CTRL_MLO_LINK);
+ }
+
+ if (link_id != wcid->link_id && link_id != IEEE80211_LINK_UNSPECIFIED) {
+ if (msta) {
+ struct mt7996_sta_link *msta_link =
+ rcu_dereference(msta->link[link_id]);
+
+ if (msta_link)
+ wcid = &msta_link->wcid;
+ } else if (mvif) {
+ mlink = rcu_dereference(mvif->mt76.link[link_id]);
+ if (mlink && mlink->wcid)
+ wcid = mlink->wcid;
+ }
+ }
+
t = (struct mt76_txwi_cache *)(txwi + mdev->drv->txwi_size);
t->skb = tx_info->skb;
@@ -1162,10 +1191,7 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
if (!is_8023 && mt7996_tx_use_mgmt(dev, tx_info->skb))
txp->fw.flags |= cpu_to_le16(MT_CT_INFO_MGMT_FRAME);
- if (vif) {
- struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
- struct mt76_vif_link *mlink = NULL;
-
+ if (mvif) {
if (wcid->offchannel)
mlink = rcu_dereference(mvif->mt76.offchannel_link);
if (!mlink)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 32d44540605fc..af322f505f8ab 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -982,6 +982,7 @@ mt7996_mac_sta_init_link(struct mt7996_dev *dev,
msta_link = &msta->deflink;
msta->deflink_id = link_id;
+ msta->seclink_id = msta->deflink_id;
for (i = 0; i < ARRAY_SIZE(sta->txq); i++) {
struct mt76_txq *mtxq;
@@ -996,6 +997,11 @@ mt7996_mac_sta_init_link(struct mt7996_dev *dev,
msta_link = kzalloc(sizeof(*msta_link), GFP_KERNEL);
if (!msta_link)
return -ENOMEM;
+
+ if (msta->seclink_id == msta->deflink_id &&
+ (sta->valid_links & ~BIT(msta->deflink_id)))
+ msta->seclink_id = __ffs(sta->valid_links &
+ ~BIT(msta->deflink_id));
}
INIT_LIST_HEAD(&msta_link->rc_list);
@@ -1065,6 +1071,8 @@ mt7996_mac_sta_remove_links(struct mt7996_dev *dev, struct ieee80211_vif *vif,
if (msta->deflink_id == link_id) {
msta->deflink_id = IEEE80211_LINK_UNSPECIFIED;
continue;
+ } else if (msta->seclink_id == link_id) {
+ msta->seclink_id = IEEE80211_LINK_UNSPECIFIED;
}
kfree_rcu(msta_link, rcu_head);
@@ -1160,6 +1168,7 @@ mt7996_mac_sta_add(struct mt7996_dev *dev, struct ieee80211_vif *vif,
mutex_lock(&dev->mt76.mutex);
msta->deflink_id = IEEE80211_LINK_UNSPECIFIED;
+ msta->seclink_id = IEEE80211_LINK_UNSPECIFIED;
msta->vif = mvif;
err = mt7996_mac_sta_add_links(dev, vif, sta, links);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index c2d15128784bc..38b8743409a0c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -2399,8 +2399,8 @@ mt7996_mcu_sta_mld_setup_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
mld_setup->primary_id = cpu_to_le16(msta_link->wcid.idx);
if (nlinks > 1) {
- link_id = __ffs(sta->valid_links & ~BIT(msta->deflink_id));
- msta_link = mt76_dereference(msta->link[link_id], &dev->mt76);
+ msta_link = mt76_dereference(msta->link[msta->seclink_id],
+ &dev->mt76);
if (!msta_link)
return;
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
index 6190fbcd4df7e..6793161ed198c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -243,6 +243,7 @@ struct mt7996_sta {
struct mt7996_sta_link deflink; /* must be first */
struct mt7996_sta_link __rcu *link[IEEE80211_MLD_MAX_NUM_LINKS];
u8 deflink_id;
+ u8 seclink_id;
struct mt7996_vif *vif;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 103/957] wifi: mt76: mt7996: Switch to the secondary link if the default one is removed
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 102/957] wifi: mt76: mt7996: use correct link_id when filling TXD and TXP Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 104/957] wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter() Greg Kroah-Hartman
` (859 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 5ef44c200618430b004233cbfc1b0929a13d5ac8 ]
Switch to the secondary link if available in mt7996_mac_sta_remove_links
routine if the primary one is removed.
Moreover reset secondary link index for single link scenario.
Fixes: 85cd5534a3f2e ("wifi: mt76: mt7996: use correct link_id when filling TXD and TXP")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251205-mt76-txq-wicd-fix-v2-3-f19ba48af7c1@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Stable-dep-of: e648051d52af ("wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7996/mac.c | 12 ++---
.../net/wireless/mediatek/mt76/mt7996/main.c | 51 +++++++++++++------
2 files changed, 41 insertions(+), 22 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 13a3b521437be..3280446f7caa8 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -2406,14 +2406,12 @@ mt7996_mac_reset_sta_iter(void *data, struct ieee80211_sta *sta)
continue;
mt7996_mac_sta_deinit_link(dev, msta_link);
-
- if (msta->deflink_id == i) {
- msta->deflink_id = IEEE80211_LINK_UNSPECIFIED;
- continue;
- }
-
- kfree_rcu(msta_link, rcu_head);
+ if (msta_link != &msta->deflink)
+ kfree_rcu(msta_link, rcu_head);
}
+
+ msta->deflink_id = IEEE80211_LINK_UNSPECIFIED;
+ msta->seclink_id = msta->deflink_id;
}
static void
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index af322f505f8ab..d714b7f3efe56 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -961,6 +961,22 @@ mt7996_post_channel_switch(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
return ret;
}
+static void
+mt7996_sta_init_txq_wcid(struct ieee80211_sta *sta, int idx)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(sta->txq); i++) {
+ struct mt76_txq *mtxq;
+
+ if (!sta->txq[i])
+ continue;
+
+ mtxq = (struct mt76_txq *)sta->txq[i]->drv_priv;
+ mtxq->wcid = idx;
+ }
+}
+
static int
mt7996_mac_sta_init_link(struct mt7996_dev *dev,
struct ieee80211_bss_conf *link_conf,
@@ -978,21 +994,10 @@ mt7996_mac_sta_init_link(struct mt7996_dev *dev,
return -ENOSPC;
if (msta->deflink_id == IEEE80211_LINK_UNSPECIFIED) {
- int i;
-
msta_link = &msta->deflink;
msta->deflink_id = link_id;
msta->seclink_id = msta->deflink_id;
-
- for (i = 0; i < ARRAY_SIZE(sta->txq); i++) {
- struct mt76_txq *mtxq;
-
- if (!sta->txq[i])
- continue;
-
- mtxq = (struct mt76_txq *)sta->txq[i]->drv_priv;
- mtxq->wcid = idx;
- }
+ mt7996_sta_init_txq_wcid(sta, idx);
} else {
msta_link = kzalloc(sizeof(*msta_link), GFP_KERNEL);
if (!msta_link)
@@ -1070,12 +1075,28 @@ mt7996_mac_sta_remove_links(struct mt7996_dev *dev, struct ieee80211_vif *vif,
if (msta->deflink_id == link_id) {
msta->deflink_id = IEEE80211_LINK_UNSPECIFIED;
- continue;
+ if (msta->seclink_id == link_id) {
+ /* no secondary link available */
+ msta->seclink_id = msta->deflink_id;
+ } else {
+ struct mt7996_sta_link *msta_seclink;
+
+ /* switch to the secondary link */
+ msta_seclink = mt76_dereference(
+ msta->link[msta->seclink_id],
+ mdev);
+ if (msta_seclink) {
+ msta->deflink_id = msta->seclink_id;
+ mt7996_sta_init_txq_wcid(sta,
+ msta_seclink->wcid.idx);
+ }
+ }
} else if (msta->seclink_id == link_id) {
- msta->seclink_id = IEEE80211_LINK_UNSPECIFIED;
+ msta->seclink_id = msta->deflink_id;
}
- kfree_rcu(msta_link, rcu_head);
+ if (msta_link != &msta->deflink)
+ kfree_rcu(msta_link, rcu_head);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 104/957] wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 103/957] wifi: mt76: mt7996: Switch to the secondary link if the default one is removed Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 105/957] wifi: mt76: fix multi-radio on-channel scanning Greg Kroah-Hartman
` (858 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit e648051d52afbdb360bd586218961f5fffff63e8 ]
Fixes tracking per-phy stations for offchannel switching.
Fixes: ace5d3b6b49e8 ("wifi: mt76: mt7996: improve hardware restart reliability")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260308-mt7996_mac_reset_vif_iter-fix-v1-1-57f640aa2dcf@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 3280446f7caa8..dce9f48637927 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -2399,6 +2399,7 @@ mt7996_mac_reset_sta_iter(void *data, struct ieee80211_sta *sta)
for (i = 0; i < ARRAY_SIZE(msta->link); i++) {
struct mt7996_sta_link *msta_link = NULL;
+ struct mt7996_phy *phy;
msta_link = rcu_replace_pointer(msta->link[i], msta_link,
lockdep_is_held(&dev->mt76.mutex));
@@ -2406,6 +2407,10 @@ mt7996_mac_reset_sta_iter(void *data, struct ieee80211_sta *sta)
continue;
mt7996_mac_sta_deinit_link(dev, msta_link);
+ phy = __mt7996_phy(dev, msta_link->wcid.phy_idx);
+ if (phy)
+ phy->mt76->num_sta--;
+
if (msta_link != &msta->deflink)
kfree_rcu(msta_link, rcu_head);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 105/957] wifi: mt76: fix multi-radio on-channel scanning
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 104/957] wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 106/957] wifi: mt76: support upgrading passive scans to active Greg Kroah-Hartman
` (857 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chad Monroe, Felix Fietkau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chad Monroe <chad@monroe.io>
[ Upstream commit 0420180df092419a96351fb2afec1e2a74d385c3 ]
avoid unnecessary channel switch when performing an on-channel scan
using a multi-radio device.
Fixes: c56d6edebc1f ("wifi: mt76: mt7996: use emulated hardware scan support")
Signed-off-by: Chad Monroe <chad@monroe.io>
Link: https://patch.msgid.link/20251118102723.47997-1-nbd@nbd.name
Link: https://patch.msgid.link/20260309060730.87840-1-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/scan.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c
index 3d9cf6f5e137f..efcf79d9d60e0 100644
--- a/drivers/net/wireless/mediatek/mt76/scan.c
+++ b/drivers/net/wireless/mediatek/mt76/scan.c
@@ -16,7 +16,7 @@ static void mt76_scan_complete(struct mt76_dev *dev, bool abort)
clear_bit(MT76_SCANNING, &phy->state);
- if (dev->scan.chan && phy->main_chandef.chan &&
+ if (dev->scan.chan && phy->main_chandef.chan && phy->offchannel &&
!test_bit(MT76_MCU_RESET, &dev->phy.state))
mt76_set_channel(phy, &phy->main_chandef, false);
mt76_put_vif_phy_link(phy, dev->scan.vif, dev->scan.mlink);
@@ -85,6 +85,7 @@ void mt76_scan_work(struct work_struct *work)
struct cfg80211_chan_def chandef = {};
struct mt76_phy *phy = dev->scan.phy;
int duration = HZ / 9; /* ~110 ms */
+ bool offchannel = true;
int i;
if (dev->scan.chan_idx >= req->n_channels) {
@@ -92,7 +93,7 @@ void mt76_scan_work(struct work_struct *work)
return;
}
- if (dev->scan.chan && phy->num_sta) {
+ if (dev->scan.chan && phy->num_sta && phy->offchannel) {
dev->scan.chan = NULL;
mt76_set_channel(phy, &phy->main_chandef, false);
goto out;
@@ -100,20 +101,26 @@ void mt76_scan_work(struct work_struct *work)
dev->scan.chan = req->channels[dev->scan.chan_idx++];
cfg80211_chandef_create(&chandef, dev->scan.chan, NL80211_CHAN_HT20);
- mt76_set_channel(phy, &chandef, true);
+ if (phy->main_chandef.chan == dev->scan.chan) {
+ chandef = phy->main_chandef;
+ offchannel = false;
+ }
+
+ mt76_set_channel(phy, &chandef, offchannel);
if (!req->n_ssids ||
chandef.chan->flags & (IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR))
goto out;
- duration = HZ / 16; /* ~60 ms */
+ if (phy->offchannel)
+ duration = HZ / 16; /* ~60 ms */
local_bh_disable();
for (i = 0; i < req->n_ssids; i++)
mt76_scan_send_probe(dev, &req->ssids[i]);
local_bh_enable();
out:
- if (dev->scan.chan)
+ if (dev->scan.chan && phy->offchannel)
duration = max_t(int, duration,
msecs_to_jiffies(req->duration +
(req->duration >> 5)));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 106/957] wifi: mt76: support upgrading passive scans to active
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 105/957] wifi: mt76: fix multi-radio on-channel scanning Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 107/957] wifi: mt76: mt7996: fix RRO EMU configuration Greg Kroah-Hartman
` (856 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Kubik, Chad Monroe,
Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chad Monroe <chad@monroe.io>
[ Upstream commit 360552c8592dab3c69e0bbff786b55137f1a81bb ]
On channels with NO_IR or RADAR flags, wait for beacon before sending
probe requests. Allows active scanning and WPS on restricted channels
if another AP is already present.
Fixes: c56d6edebc1f ("wifi: mt76: mt7996: use emulated hardware scan support")
Tested-by: Piotr Kubik <piotr.kubik@adtran.com>
Signed-off-by: Chad Monroe <chad@monroe.io>
Link: https://patch.msgid.link/20251118102723.47997-2-nbd@nbd.name
Link: https://patch.msgid.link/20260309060730.87840-2-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
drivers/net/wireless/mediatek/mt76/mt76.h | 4 ++
.../net/wireless/mediatek/mt76/mt7996/mac.c | 3 ++
drivers/net/wireless/mediatek/mt76/scan.c | 51 +++++++++++++++++--
4 files changed, 56 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 5e75861bf6f99..76eb740428b8d 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -724,6 +724,7 @@ mt76_alloc_device(struct device *pdev, unsigned int size,
INIT_LIST_HEAD(&dev->rxwi_cache);
dev->token_size = dev->drv->token_size;
INIT_DELAYED_WORK(&dev->scan_work, mt76_scan_work);
+ spin_lock_init(&dev->scan_lock);
for (i = 0; i < ARRAY_SIZE(dev->q_rx); i++)
skb_queue_head_init(&dev->rx_skb[i]);
diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
index 7753afa3d883d..125ac1eb2d541 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -985,6 +985,7 @@ struct mt76_dev {
u32 rxfilter;
struct delayed_work scan_work;
+ spinlock_t scan_lock;
struct {
struct cfg80211_scan_request *req;
struct ieee80211_channel *chan;
@@ -992,6 +993,8 @@ struct mt76_dev {
struct mt76_vif_link *mlink;
struct mt76_phy *phy;
int chan_idx;
+ bool beacon_wait;
+ bool beacon_received;
} scan;
#ifdef CONFIG_NL80211_TESTMODE
@@ -1571,6 +1574,7 @@ int mt76_get_rate(struct mt76_dev *dev,
int mt76_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
struct ieee80211_scan_request *hw_req);
void mt76_cancel_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif);
+void mt76_scan_rx_beacon(struct mt76_dev *dev, struct ieee80211_channel *chan);
void mt76_sw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
const u8 *mac);
void mt76_sw_scan_complete(struct ieee80211_hw *hw,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index dce9f48637927..c375b4dd68a20 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -554,6 +554,9 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
qos_ctl = FIELD_GET(MT_RXD10_QOS_CTL, v2);
seq_ctrl = FIELD_GET(MT_RXD10_SEQ_CTRL, v2);
+ if (ieee80211_is_beacon(fc))
+ mt76_scan_rx_beacon(&dev->mt76, mphy->chandef.chan);
+
rxd += 4;
if ((u8 *)rxd - skb->data >= skb->len)
return -EINVAL;
diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c
index efcf79d9d60e0..6cfca5108bc7e 100644
--- a/drivers/net/wireless/mediatek/mt76/scan.c
+++ b/drivers/net/wireless/mediatek/mt76/scan.c
@@ -27,6 +27,10 @@ static void mt76_scan_complete(struct mt76_dev *dev, bool abort)
void mt76_abort_scan(struct mt76_dev *dev)
{
+ spin_lock_bh(&dev->scan_lock);
+ dev->scan.beacon_wait = false;
+ spin_unlock_bh(&dev->scan_lock);
+
cancel_delayed_work_sync(&dev->scan_work);
mt76_scan_complete(dev, true);
}
@@ -77,6 +81,28 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid)
rcu_read_unlock();
}
+void mt76_scan_rx_beacon(struct mt76_dev *dev, struct ieee80211_channel *chan)
+{
+ struct mt76_phy *phy;
+
+ spin_lock(&dev->scan_lock);
+
+ if (!dev->scan.beacon_wait || dev->scan.beacon_received ||
+ dev->scan.chan != chan)
+ goto out;
+
+ phy = dev->scan.phy;
+ if (!phy)
+ goto out;
+
+ dev->scan.beacon_received = true;
+ ieee80211_queue_delayed_work(phy->hw, &dev->scan_work, 0);
+
+out:
+ spin_unlock(&dev->scan_lock);
+}
+EXPORT_SYMBOL_GPL(mt76_scan_rx_beacon);
+
void mt76_scan_work(struct work_struct *work)
{
struct mt76_dev *dev = container_of(work, struct mt76_dev,
@@ -85,9 +111,20 @@ void mt76_scan_work(struct work_struct *work)
struct cfg80211_chan_def chandef = {};
struct mt76_phy *phy = dev->scan.phy;
int duration = HZ / 9; /* ~110 ms */
- bool offchannel = true;
+ bool beacon_rx, offchannel = true;
int i;
+ if (!phy || !req)
+ return;
+
+ spin_lock_bh(&dev->scan_lock);
+ beacon_rx = dev->scan.beacon_wait && dev->scan.beacon_received;
+ dev->scan.beacon_wait = false;
+ spin_unlock_bh(&dev->scan_lock);
+
+ if (beacon_rx)
+ goto probe;
+
if (dev->scan.chan_idx >= req->n_channels) {
mt76_scan_complete(dev, false);
return;
@@ -108,10 +145,18 @@ void mt76_scan_work(struct work_struct *work)
mt76_set_channel(phy, &chandef, offchannel);
- if (!req->n_ssids ||
- chandef.chan->flags & (IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR))
+ if (!req->n_ssids)
goto out;
+ if (chandef.chan->flags & (IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR)) {
+ spin_lock_bh(&dev->scan_lock);
+ dev->scan.beacon_received = false;
+ dev->scan.beacon_wait = true;
+ spin_unlock_bh(&dev->scan_lock);
+ goto out;
+ }
+
+probe:
if (phy->offchannel)
duration = HZ / 16; /* ~60 ms */
local_bh_disable();
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 107/957] wifi: mt76: mt7996: fix RRO EMU configuration
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 106/957] wifi: mt76: support upgrading passive scans to active Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 108/957] bpf: Fix refcount check in check_struct_ops_btf_id() Greg Kroah-Hartman
` (855 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Chiu, Shayne Chen,
Lorenzo Bianconi, Felix Fietkau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chiu <chui-hao.chiu@mediatek.com>
[ Upstream commit 73b46379e5231138025b271ce8e158d2a8aa0768 ]
Use the correct helper to update specific bitfields instead of
overwriting the entire register.
Fixes: eedb427eb260 ("wifi: mt76: mt7996: Enable HW RRO for MT7992 chipset")
Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260312095724.2117448-1-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/init.c | 3 +--
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
index 817acfad31d06..efbd46d649017 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
@@ -857,8 +857,7 @@ void mt7996_rro_hw_init(struct mt7996_dev *dev)
}
} else {
/* set emul 3.0 function */
- mt76_wr(dev, MT_RRO_3_0_EMU_CONF,
- MT_RRO_3_0_EMU_CONF_EN_MASK);
+ mt76_set(dev, MT_RRO_3_0_EMU_CONF, MT_RRO_3_0_EMU_CONF_EN_MASK);
mt76_wr(dev, MT_RRO_ADDR_ARRAY_BASE0,
dev->wed_rro.addr_elem[0].phy_addr);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index c375b4dd68a20..149d8d711fc4c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -2597,7 +2597,7 @@ void mt7996_mac_reset_work(struct work_struct *work)
mt7996_dma_start(dev, false, false);
if (!is_mt7996(&dev->mt76) && dev->mt76.hwrro_mode == MT76_HWRRO_V3)
- mt76_wr(dev, MT_RRO_3_0_EMU_CONF, MT_RRO_3_0_EMU_CONF_EN_MASK);
+ mt76_set(dev, MT_RRO_3_0_EMU_CONF, MT_RRO_3_0_EMU_CONF_EN_MASK);
if (mtk_wed_device_active(&dev->mt76.mmio.wed)) {
u32 wed_irq_mask = MT_INT_TX_DONE_BAND2 |
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 108/957] bpf: Fix refcount check in check_struct_ops_btf_id()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 107/957] wifi: mt76: mt7996: fix RRO EMU configuration Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 109/957] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
` (854 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keisuke Nishimura, Emil Tsalapatis,
Amery Hung, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keisuke Nishimura <keisuke.nishimura@inria.fr>
[ Upstream commit 25e3e1f1096089a64901ae1faa7b7b13446653db ]
The current implementation only checks whether the first argument is
refcounted. Fix this by iterating over all arguments.
Signed-off-by: Keisuke Nishimura <keisuke.nishimura@inria.fr>
Fixes: 38f1e66abd184 ("bpf: Do not allow tail call in strcut_ops program with __ref argument")
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260320130219.63711-1-keisuke.nishimura@inria.fr
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index db1c591a1da3b..76503ed088b5d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23687,7 +23687,7 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env)
}
for (i = 0; i < st_ops_desc->arg_info[member_idx].cnt; i++) {
- if (st_ops_desc->arg_info[member_idx].info->refcounted) {
+ if (st_ops_desc->arg_info[member_idx].info[i].refcounted) {
has_refcounted_arg = true;
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 109/957] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 108/957] bpf: Fix refcount check in check_struct_ops_btf_id() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 110/957] bpf: Fix variable length stack write over spilled pointers Greg Kroah-Hartman
` (853 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Martin KaFai Lau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19 ]
The DEVMAP_HASH branch in dev_map_redirect_multi() uses
hlist_for_each_entry_safe() to iterate hash buckets, but this function
runs under RCU protection (called from xdp_do_generic_redirect_map()
in softirq context). Concurrent writers (__dev_map_hash_update_elem,
dev_map_hash_delete_elem) modify the list using RCU primitives
(hlist_add_head_rcu, hlist_del_rcu).
hlist_for_each_entry_safe() performs plain pointer dereferences without
rcu_dereference(), missing the acquire barrier needed to pair with
writers' rcu_assign_pointer(). On weakly-ordered architectures (ARM64,
POWER), a reader can observe a partially-constructed node. It also
defeats CONFIG_PROVE_RCU lockdep validation and KCSAN data-race
detection.
Replace with hlist_for_each_entry_rcu() using rcu_read_lock_bh_held()
as the lockdep condition, consistent with the rcu_dereference_check()
used in the DEVMAP (non-hash) branch of the same functions. Also fix
the same incorrect lockdep_is_held(&dtab->index_lock) condition in
dev_map_enqueue_multi(), where the lock is not held either.
Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20260320072645.16731-1-devnexen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/devmap.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 3d619d01088e3..cc0a43ebab6b9 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -665,7 +665,7 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
hlist_for_each_entry_rcu(dst, head, index_hlist,
- lockdep_is_held(&dtab->index_lock)) {
+ rcu_read_lock_bh_held()) {
if (!is_valid_dst(dst, xdpf))
continue;
@@ -747,7 +747,6 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
struct bpf_dtab_netdev *dst, *last_dst = NULL;
int excluded_devices[1+MAX_NEST_DEV];
struct hlist_head *head;
- struct hlist_node *next;
int num_excluded = 0;
unsigned int i;
int err;
@@ -787,7 +786,7 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
} else { /* BPF_MAP_TYPE_DEVMAP_HASH */
for (i = 0; i < dtab->n_buckets; i++) {
head = dev_map_index_hash(dtab, i);
- hlist_for_each_entry_safe(dst, next, head, index_hlist) {
+ hlist_for_each_entry_rcu(dst, head, index_hlist, rcu_read_lock_bh_held()) {
if (is_ifindex_excluded(excluded_devices, num_excluded,
dst->dev->ifindex))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 110/957] bpf: Fix variable length stack write over spilled pointers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 109/957] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 111/957] bpf,arc_jit: Fix missing newline in pr_err messages Greg Kroah-Hartman
` (852 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eduard Zingerman,
Kumar Kartikeya Dwivedi, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Starovoitov <ast@kernel.org>
[ Upstream commit 4639eb9e30ab10c7935c7c19e872facf9a94713f ]
Scrub slots if variable-offset stack write goes over spilled pointers.
Otherwise is_spilled_reg() may == true && spilled_ptr.type == NOT_INIT
and valid program is rejected by check_stack_read_fixed_off()
with obscure "invalid size of register fill" message.
Fixes: 01f810ace9ed ("bpf: Allow variable-offset stack access")
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260324215938.81733-1-alexei.starovoitov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 76503ed088b5d..0d1ec2b5d469a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5095,6 +5095,18 @@ static void check_fastcall_stack_contract(struct bpf_verifier_env *env,
}
}
+static void scrub_special_slot(struct bpf_func_state *state, int spi)
+{
+ int i;
+
+ /* regular write of data into stack destroys any spilled ptr */
+ state->stack[spi].spilled_ptr.type = NOT_INIT;
+ /* Mark slots as STACK_MISC if they belonged to spilled ptr/dynptr/iter. */
+ if (is_stack_slot_special(&state->stack[spi]))
+ for (i = 0; i < BPF_REG_SIZE; i++)
+ scrub_spilled_slot(&state->stack[spi].slot_type[i]);
+}
+
/* check_stack_{read,write}_fixed_off functions track spill/fill of registers,
* stack boundary and alignment are checked in check_mem_access()
*/
@@ -5192,12 +5204,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
} else {
u8 type = STACK_MISC;
- /* regular write of data into stack destroys any spilled ptr */
- state->stack[spi].spilled_ptr.type = NOT_INIT;
- /* Mark slots as STACK_MISC if they belonged to spilled ptr/dynptr/iter. */
- if (is_stack_slot_special(&state->stack[spi]))
- for (i = 0; i < BPF_REG_SIZE; i++)
- scrub_spilled_slot(&state->stack[spi].slot_type[i]);
+ scrub_special_slot(state, spi);
/* when we zero initialize stack slots mark them as such */
if ((reg && register_is_null(reg)) ||
@@ -5321,8 +5328,13 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env,
}
}
- /* Erase all other spilled pointers. */
- state->stack[spi].spilled_ptr.type = NOT_INIT;
+ /*
+ * Scrub slots if variable-offset stack write goes over spilled pointers.
+ * Otherwise is_spilled_reg() may == true && spilled_ptr.type == NOT_INIT
+ * and valid program is rejected by check_stack_read_fixed_off()
+ * with obscure "invalid size of register fill" message.
+ */
+ scrub_special_slot(state, spi);
/* Update the slot type. */
new_type = STACK_MISC;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 111/957] bpf,arc_jit: Fix missing newline in pr_err messages
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 110/957] bpf: Fix variable length stack write over spilled pointers Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 112/957] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
` (851 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, haoyu.lu, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: haoyu.lu <hechushiguitu666@gmail.com>
[ Upstream commit b6b5e0ebd429d66ce37ae5af649a74ea1f041d92 ]
Add missing newline to pr_err messages in ARC JIT.
Fixes: f122668ddcce ("ARC: Add eBPF JIT support")
Signed-off-by: haoyu.lu <hechushiguitu666@gmail.com>
Link: https://lore.kernel.org/r/20260324122703.641-1-hechushiguitu666@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arc/net/bpf_jit_arcv2.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arc/net/bpf_jit_arcv2.c b/arch/arc/net/bpf_jit_arcv2.c
index 6d989b6d88c69..7ee50aeae5a45 100644
--- a/arch/arc/net/bpf_jit_arcv2.c
+++ b/arch/arc/net/bpf_jit_arcv2.c
@@ -2427,7 +2427,7 @@ u8 arc_prologue(u8 *buf, u32 usage, u16 frame_size)
#ifdef ARC_BPF_JIT_DEBUG
if ((usage & BIT(ARC_R_FP)) && frame_size == 0) {
- pr_err("FP is being saved while there is no frame.");
+ pr_err("FP is being saved while there is no frame.\n");
BUG();
}
#endif
@@ -2454,7 +2454,7 @@ u8 arc_epilogue(u8 *buf, u32 usage, u16 frame_size)
#ifdef ARC_BPF_JIT_DEBUG
if ((usage & BIT(ARC_R_FP)) && frame_size == 0) {
- pr_err("FP is being saved while there is no frame.");
+ pr_err("FP is being saved while there is no frame.\n");
BUG();
}
#endif
@@ -2868,7 +2868,7 @@ u8 gen_jmp_64(u8 *buf, u8 rd, u8 rs, u8 cond, u32 curr_off, u32 targ_off)
break;
default:
#ifdef ARC_BPF_JIT_DEBUG
- pr_err("64-bit jump condition is not known.");
+ pr_err("64-bit jump condition is not known.\n");
BUG();
#endif
}
@@ -2948,7 +2948,7 @@ u8 gen_jmp_32(u8 *buf, u8 rd, u8 rs, u8 cond, u32 curr_off, u32 targ_off)
*/
if (cond >= ARC_CC_LAST) {
#ifdef ARC_BPF_JIT_DEBUG
- pr_err("32-bit jump condition is not known.");
+ pr_err("32-bit jump condition is not known.\n");
BUG();
#endif
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 112/957] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 111/957] bpf,arc_jit: Fix missing newline in pr_err messages Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 113/957] vfio: refactor vfio_pci_mmap_huge_fault function Greg Kroah-Hartman
` (850 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Velichayshiy, Ping-Ke Shih,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
[ Upstream commit 047cddf88c611e616d49a00311d4722e46286234 ]
In the rtw89_phy_cfo_set_crystal_cap() function, for chips other than
RTL8852A/RTL8851B, the values read by rtw89_mac_read_xtal_si() are
stored into the local variables sc_xi_val and sc_xo_val. If either
read fails, these variables remain uninitialized, they are later
used to update cfo->crystal_cap and in debug print statements. This
can lead to undefined behavior.
Fix the issue by initializing sc_xi_val and sc_xo_val to zero,
like is implemented in vendor driver.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8379fa611536 ("rtw89: 8852c: add write/read crystal function in CFO tracking")
Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260323140613.1615574-1-a.velichayshiy@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/phy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
index ba7feadd75828..36dee482bc34b 100644
--- a/drivers/net/wireless/realtek/rtw89/phy.c
+++ b/drivers/net/wireless/realtek/rtw89/phy.c
@@ -4499,7 +4499,7 @@ static void rtw89_phy_cfo_set_crystal_cap(struct rtw89_dev *rtwdev,
{
struct rtw89_cfo_tracking_info *cfo = &rtwdev->cfo_tracking;
const struct rtw89_chip_info *chip = rtwdev->chip;
- u8 sc_xi_val, sc_xo_val;
+ u8 sc_xi_val = 0, sc_xo_val = 0;
if (!force && cfo->crystal_cap == crystal_cap)
return;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 113/957] vfio: refactor vfio_pci_mmap_huge_fault function
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 112/957] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 114/957] drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block Greg Kroah-Hartman
` (849 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shameer Kolothum, Alex Williamson,
Jason Gunthorpe, Ankit Agrawal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Agrawal <ankita@nvidia.com>
[ Upstream commit 9b92bc7554b543dc00a0a0b62904a9ef2ad5c4b0 ]
Refactor vfio_pci_mmap_huge_fault to take out the implementation
to map the VMA to the PTE/PMD/PUD as a separate function.
Export the new function to be used by nvgrace-gpu module.
Move the alignment check code to verify that pfn and VMA VA is
aligned to the page order to the header file and make it inline.
No functional change is intended.
Cc: Shameer Kolothum <skolothumtho@nvidia.com>
Cc: Alex Williamson <alex@shazbot.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
Link: https://lore.kernel.org/r/20251127170632.3477-2-ankita@nvidia.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Stable-dep-of: 948b71aa81cd ("drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci_core.c | 54 ++++++++++++++++----------------
include/linux/vfio_pci_core.h | 13 ++++++++
2 files changed, 40 insertions(+), 27 deletions(-)
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index 69476fc67ca08..d07f0ede5d731 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -1677,49 +1677,49 @@ static unsigned long vma_to_pfn(struct vm_area_struct *vma)
return (pci_resource_start(vdev->pdev, index) >> PAGE_SHIFT) + pgoff;
}
-static vm_fault_t vfio_pci_mmap_huge_fault(struct vm_fault *vmf,
- unsigned int order)
+vm_fault_t vfio_pci_vmf_insert_pfn(struct vfio_pci_core_device *vdev,
+ struct vm_fault *vmf,
+ unsigned long pfn,
+ unsigned int order)
{
- struct vm_area_struct *vma = vmf->vma;
- struct vfio_pci_core_device *vdev = vma->vm_private_data;
- unsigned long addr = vmf->address & ~((PAGE_SIZE << order) - 1);
- unsigned long pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
- unsigned long pfn = vma_to_pfn(vma) + pgoff;
- vm_fault_t ret = VM_FAULT_SIGBUS;
-
- if (order && (addr < vma->vm_start ||
- addr + (PAGE_SIZE << order) > vma->vm_end ||
- pfn & ((1 << order) - 1))) {
- ret = VM_FAULT_FALLBACK;
- goto out;
- }
-
- down_read(&vdev->memory_lock);
+ lockdep_assert_held_read(&vdev->memory_lock);
if (vdev->pm_runtime_engaged || !__vfio_pci_memory_enabled(vdev))
- goto out_unlock;
+ return VM_FAULT_SIGBUS;
switch (order) {
case 0:
- ret = vmf_insert_pfn(vma, vmf->address, pfn);
- break;
+ return vmf_insert_pfn(vmf->vma, vmf->address, pfn);
#ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP
case PMD_ORDER:
- ret = vmf_insert_pfn_pmd(vmf, pfn, false);
- break;
+ return vmf_insert_pfn_pmd(vmf, pfn, false);
#endif
#ifdef CONFIG_ARCH_SUPPORTS_PUD_PFNMAP
case PUD_ORDER:
- ret = vmf_insert_pfn_pud(vmf, pfn, false);
+ return vmf_insert_pfn_pud(vmf, pfn, false);
break;
#endif
default:
- ret = VM_FAULT_FALLBACK;
+ return VM_FAULT_FALLBACK;
+ }
+}
+EXPORT_SYMBOL_GPL(vfio_pci_vmf_insert_pfn);
+
+static vm_fault_t vfio_pci_mmap_huge_fault(struct vm_fault *vmf,
+ unsigned int order)
+{
+ struct vm_area_struct *vma = vmf->vma;
+ struct vfio_pci_core_device *vdev = vma->vm_private_data;
+ unsigned long addr = vmf->address & ~((PAGE_SIZE << order) - 1);
+ unsigned long pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
+ unsigned long pfn = vma_to_pfn(vma) + pgoff;
+ vm_fault_t ret = VM_FAULT_FALLBACK;
+
+ if (is_aligned_for_order(vma, addr, pfn, order)) {
+ scoped_guard(rwsem_read, &vdev->memory_lock)
+ ret = vfio_pci_vmf_insert_pfn(vdev, vmf, pfn, order);
}
-out_unlock:
- up_read(&vdev->memory_lock);
-out:
dev_dbg_ratelimited(&vdev->pdev->dev,
"%s(,order = %d) BAR %ld page offset 0x%lx: 0x%x\n",
__func__, order,
diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
index 7aa29428982aa..0ddc42732647e 100644
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -132,6 +132,9 @@ ssize_t vfio_pci_core_read(struct vfio_device *core_vdev, char __user *buf,
size_t count, loff_t *ppos);
ssize_t vfio_pci_core_write(struct vfio_device *core_vdev, const char __user *buf,
size_t count, loff_t *ppos);
+vm_fault_t vfio_pci_vmf_insert_pfn(struct vfio_pci_core_device *vdev,
+ struct vm_fault *vmf, unsigned long pfn,
+ unsigned int order);
int vfio_pci_core_mmap(struct vfio_device *core_vdev, struct vm_area_struct *vma);
void vfio_pci_core_request(struct vfio_device *core_vdev, unsigned int count);
int vfio_pci_core_match(struct vfio_device *core_vdev, char *buf);
@@ -175,4 +178,14 @@ VFIO_IOREAD_DECLARATION(32)
VFIO_IOREAD_DECLARATION(64)
#endif
+static inline bool is_aligned_for_order(struct vm_area_struct *vma,
+ unsigned long addr,
+ unsigned long pfn,
+ unsigned int order)
+{
+ return !(order && (addr < vma->vm_start ||
+ addr + (PAGE_SIZE << order) > vma->vm_end ||
+ !IS_ALIGNED(pfn, 1 << order)));
+}
+
#endif /* VFIO_PCI_CORE_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 114/957] drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 113/957] vfio: refactor vfio_pci_mmap_huge_fault function Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 115/957] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
` (848 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
Venkat Rao Bagalkote, Alex Williamson,
Christophe Leroy (CS GROUP), Madhavan Srinivasan, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit 948b71aa81cd89b222942db6055e8d9c51c54e78 ]
Architectures like PowerPC uses runtime defined values for
PMD_ORDER/PUD_ORDER. This is because it can use either RADIX or HASH MMU
at runtime using kernel cmdline. So the pXd_index_size is not known at
compile time. Without this fix, when we add huge pfn support on powerpc
in the next patch, vfio_pci_core driver compilation can fail with the
following errors.
CC [M] drivers/vfio/vfio_main.o
CC [M] drivers/vfio/group.o
CC [M] drivers/vfio/container.o
CC [M] drivers/vfio/virqfd.o
CC [M] drivers/vfio/vfio_iommu_spapr_tce.o
CC [M] drivers/vfio/pci/vfio_pci_core.o
CC [M] drivers/vfio/pci/vfio_pci_intrs.o
CC [M] drivers/vfio/pci/vfio_pci_rdwr.o
CC [M] drivers/vfio/pci/vfio_pci_config.o
CC [M] drivers/vfio/pci/vfio_pci.o
AR kernel/built-in.a
../drivers/vfio/pci/vfio_pci_core.c: In function ‘vfio_pci_vmf_insert_pfn’:
../drivers/vfio/pci/vfio_pci_core.c:1678:9: error: case label does not reduce to an integer constant
1678 | case PMD_ORDER:
| ^~~~
../drivers/vfio/pci/vfio_pci_core.c:1682:9: error: case label does not reduce to an integer constant
1682 | case PUD_ORDER:
| ^~~~
make[6]: *** [../scripts/Makefile.build:289: drivers/vfio/pci/vfio_pci_core.o] Error 1
make[6]: *** Waiting for unfinished jobs....
make[5]: *** [../scripts/Makefile.build:546: drivers/vfio/pci] Error 2
make[5]: *** Waiting for unfinished jobs....
make[4]: *** [../scripts/Makefile.build:546: drivers/vfio] Error 2
make[3]: *** [../scripts/Makefile.build:546: drivers] Error 2
Fixes: f9e54c3a2f5b7 ("vfio/pci: implement huge_fault support")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Reviewed-by: Alex Williamson <alex@shazbot.org>
Reviewed-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/b155e19993ee1f5584c72050192eb468b31c5029.1773058761.git.ritesh.list@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci_core.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index d07f0ede5d731..53a846d3e6758 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -1687,21 +1687,16 @@ vm_fault_t vfio_pci_vmf_insert_pfn(struct vfio_pci_core_device *vdev,
if (vdev->pm_runtime_engaged || !__vfio_pci_memory_enabled(vdev))
return VM_FAULT_SIGBUS;
- switch (order) {
- case 0:
+ if (!order)
return vmf_insert_pfn(vmf->vma, vmf->address, pfn);
-#ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP
- case PMD_ORDER:
+
+ if (IS_ENABLED(CONFIG_ARCH_SUPPORTS_PMD_PFNMAP) && order == PMD_ORDER)
return vmf_insert_pfn_pmd(vmf, pfn, false);
-#endif
-#ifdef CONFIG_ARCH_SUPPORTS_PUD_PFNMAP
- case PUD_ORDER:
+
+ if (IS_ENABLED(CONFIG_ARCH_SUPPORTS_PUD_PFNMAP) && order == PUD_ORDER)
return vmf_insert_pfn_pud(vmf, pfn, false);
- break;
-#endif
- default:
- return VM_FAULT_FALLBACK;
- }
+
+ return VM_FAULT_FALLBACK;
}
EXPORT_SYMBOL_GPL(vfio_pci_vmf_insert_pfn);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 115/957] r8152: fix incorrect register write to USB_UPHY_XTAL
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 114/957] drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 116/957] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
` (847 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chih Kai Hsu, Hayes Wang,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chih Kai Hsu <hsu.chih.kai@realtek.com>
[ Upstream commit 48afd5124fd6129c46fd12cb06155384b1c4a0c4 ]
The old code used ocp_write_byte() to clear the OOBS_POLLING bit
(BIT(8)) in the USB_UPHY_XTAL register, but this doesn't correctly
clear a bit in the upper byte of the 16-bit register.
Fix this by using ocp_write_word() instead.
Fixes: 195aae321c82 ("r8152: support new chips")
Signed-off-by: Chih Kai Hsu <hsu.chih.kai@realtek.com>
Reviewed-by: Hayes Wang <hayeswang@realtek.com>
Link: https://patch.msgid.link/20260326073925.32976-454-nic_swsd@realtek.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/r8152.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 357f5c733d0b5..d610741782794 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3896,7 +3896,7 @@ static void r8156_ups_en(struct r8152 *tp, bool enable)
case RTL_VER_15:
ocp_data = ocp_read_word(tp, MCU_TYPE_USB, USB_UPHY_XTAL);
ocp_data &= ~OOBS_POLLING;
- ocp_write_byte(tp, MCU_TYPE_USB, USB_UPHY_XTAL, ocp_data);
+ ocp_write_word(tp, MCU_TYPE_USB, USB_UPHY_XTAL, ocp_data);
break;
default:
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 116/957] powerpc/crash: fix backup region offset update to elfcorehdr
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 115/957] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
@ 2026-05-20 16:09 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 117/957] powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug Greg Kroah-Hartman
` (846 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Gupta, Sourabh Jain,
Hari Bathini, Madhavan Srinivasan, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit 789335cacdf37da93bb7c70322dff8c7e82881df ]
update_backup_region_phdr() in file_load_64.c iterates over all the
program headers in the kdump kernel’s elfcorehdr and updates the
p_offset of the program header whose physical address starts at 0.
However, the loop logic is incorrect because the program header pointer
is not updated during iteration. Since elfcorehdr typically contains
PT_NOTE entries first, the PT_LOAD program header with physical address
0 is never reached. As a result, its p_offset is not updated to point to
the backup region.
Because of this behavior, the capture kernel exports the first 64 KB of
the crashed kernel’s memory at offset 0, even though that memory
actually lives in the backup region. When a crash happens, purgatory
copies the first 64 KB of the crashed kernel’s memory into the backup
region so the capture kernel can safely use it.
This has not caused problems so far because the first 64 KB is usually
identical in both the crashed and capture kernels. However, this is
just an assumption and is not guaranteed to always hold true.
Fix update_backup_region_phdr() to correctly update the p_offset of the
program header with a starting physical address of 0 by correcting the
logic used to iterate over the program headers.
Fixes: cb350c1f1f86 ("powerpc/kexec_file: Prepare elfcore header for crashing kernel")
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260312083051.1935737-2-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kexec/file_load_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index 5f6d50e4c3d45..a7db7eca0481b 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -391,7 +391,7 @@ static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
unsigned int i;
phdr = (Elf64_Phdr *)(ehdr + 1);
- for (i = 0; i < ehdr->e_phnum; i++) {
+ for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
if (phdr->p_paddr == BACKUP_SRC_START) {
phdr->p_offset = image->arch.backup_start;
kexec_dprintk("Backup region offset updated to 0x%lx\n",
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 117/957] powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-05-20 16:09 ` [PATCH 6.18 116/957] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 118/957] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 Greg Kroah-Hartman
` (845 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Gupta, Sourabh Jain,
Madhavan Srinivasan, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sourabh Jain <sourabhjain@linux.ibm.com>
[ Upstream commit f53b24d1fa263f56155213eabab734c18d884aff ]
When elfcorehdr is prepared for kdump, the program header representing
the first 64 KB of memory is expected to have its offset point to the
backup region. This is required because purgatory copies the first 64 KB
of the crashed kernel memory to this backup region following a kernel
crash. This allows the capture kernel to use the first 64 KB of memory
to place the exception vectors and other required data.
When elfcorehdr is recreated due to memory hotplug, the offset of
the program header representing the first 64 KB is not updated.
As a result, the capture kernel exports the first 64 KB at offset
0, even though the data actually resides in the backup region.
Fix this by calling sync_backup_region_phdr() to update the program
header offset in the elfcorehdr created during memory hotplug.
sync_backup_region_phdr() works for images loaded via the
kexec_file_load syscall. However, it does not work for kexec_load,
because image->arch.backup_start is not initialized in that case.
So introduce machine_kexec_post_load() to process the elfcorehdr
prepared by kexec-tools and initialize image->arch.backup_start for
kdump images loaded via kexec_load syscall.
Rename update_backup_region_phdr() to sync_backup_region_phdr() and
extend it to synchronize the backup region offset between the kdump
image and the ELF core header. The helper now supports updating either
the kdump image from the ELF program header or updating the ELF program
header from the kdump image, avoiding code duplication.
Define ARCH_HAS_KIMAGE_ARCH and struct kimage_arch when
CONFIG_KEXEC_FILE or CONFIG_CRASH_DUMP is enabled so that
kimage->arch.backup_start is available with the kexec_load system call.
This patch depends on the patch titled
"powerpc/crash: fix backup region offset update to elfcorehdr".
Fixes: 849599b702ef ("powerpc/crash: add crash memory hotplug support")
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260312083051.1935737-3-sourabhjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/kexec.h | 14 +++++--
arch/powerpc/kexec/crash.c | 64 +++++++++++++++++++++++++++++++
arch/powerpc/kexec/file_load_64.c | 29 +-------------
3 files changed, 76 insertions(+), 31 deletions(-)
diff --git a/arch/powerpc/include/asm/kexec.h b/arch/powerpc/include/asm/kexec.h
index 4bbf9f699aaaf..d3b5028102cdd 100644
--- a/arch/powerpc/include/asm/kexec.h
+++ b/arch/powerpc/include/asm/kexec.h
@@ -66,11 +66,9 @@ void relocate_new_kernel(unsigned long indirection_page, unsigned long reboot_co
unsigned long start_address) __noreturn;
void kexec_copy_flush(struct kimage *image);
-#ifdef CONFIG_KEXEC_FILE
-extern const struct kexec_file_ops kexec_elf64_ops;
+#if defined(CONFIG_KEXEC_FILE) || defined(CONFIG_CRASH_DUMP)
#define ARCH_HAS_KIMAGE_ARCH
-
struct kimage_arch {
struct crash_mem *exclude_ranges;
@@ -78,6 +76,10 @@ struct kimage_arch {
void *backup_buf;
void *fdt;
};
+#endif
+
+#ifdef CONFIG_KEXEC_FILE
+extern const struct kexec_file_ops kexec_elf64_ops;
char *setup_kdump_cmdline(struct kimage *image, char *cmdline,
unsigned long cmdline_len);
@@ -143,6 +145,10 @@ int arch_crash_hotplug_support(struct kimage *image, unsigned long kexec_flags);
unsigned int arch_crash_get_elfcorehdr_size(void);
#define crash_get_elfcorehdr_size arch_crash_get_elfcorehdr_size
+
+int machine_kexec_post_load(struct kimage *image);
+#define machine_kexec_post_load machine_kexec_post_load
+
#endif /* CONFIG_CRASH_HOTPLUG */
extern int crashing_cpu;
@@ -157,6 +163,8 @@ extern void default_machine_crash_shutdown(struct pt_regs *regs);
extern void crash_kexec_prepare(void);
extern void crash_kexec_secondary(struct pt_regs *regs);
+extern void sync_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr,
+ bool phdr_to_kimage);
static inline bool kdump_in_progress(void)
{
return crashing_cpu >= 0;
diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
index a325c1c02f96d..e6539f213b3d1 100644
--- a/arch/powerpc/kexec/crash.c
+++ b/arch/powerpc/kexec/crash.c
@@ -27,6 +27,7 @@
#include <asm/debug.h>
#include <asm/interrupt.h>
#include <asm/kexec_ranges.h>
+#include <asm/crashdump-ppc64.h>
/*
* The primary CPU waits a while for all secondary CPUs to enter. This is to
@@ -399,7 +400,68 @@ void default_machine_crash_shutdown(struct pt_regs *regs)
ppc_md.kexec_cpu_down(1, 0);
}
+#ifdef CONFIG_CRASH_DUMP
+/**
+ * sync_backup_region_phdr - synchronize backup region offset between
+ * kexec image and ELF core header.
+ * @image: Kexec image.
+ * @ehdr: ELF core header.
+ * @phdr_to_kimage: If true, read the offset from the ELF program header
+ * and update the kimage backup region. If false, update
+ * the ELF program header offset from the kimage backup
+ * region.
+ *
+ * Note: During kexec_load, this is called with phdr_to_kimage = true. For
+ * kexec_file_load and ELF core header recreation during memory hotplug
+ * events, it is called with phdr_to_kimage = false.
+ *
+ * Returns nothing.
+ */
+void sync_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr, bool phdr_to_kimage)
+{
+ Elf64_Phdr *phdr;
+ unsigned int i;
+
+ phdr = (Elf64_Phdr *)(ehdr + 1);
+ for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
+ if (phdr->p_paddr == BACKUP_SRC_START) {
+ if (phdr_to_kimage)
+ image->arch.backup_start = phdr->p_offset;
+ else
+ phdr->p_offset = image->arch.backup_start;
+
+ kexec_dprintk("Backup region offset updated to 0x%lx\n",
+ image->arch.backup_start);
+ return;
+ }
+ }
+}
+#endif /* CONFIG_CRASH_DUMP */
+
#ifdef CONFIG_CRASH_HOTPLUG
+
+int machine_kexec_post_load(struct kimage *image)
+{
+ int i;
+ unsigned long mem;
+ unsigned char *ptr;
+
+ if (image->type != KEXEC_TYPE_CRASH)
+ return 0;
+
+ if (image->file_mode)
+ return 0;
+
+ for (i = 0; i < image->nr_segments; i++) {
+ mem = image->segment[i].mem;
+ ptr = (char *)__va(mem);
+
+ if (ptr && memcmp(ptr, ELFMAG, SELFMAG) == 0)
+ sync_backup_region_phdr(image, (Elf64_Ehdr *) ptr, true);
+ }
+ return 0;
+}
+
#undef pr_fmt
#define pr_fmt(fmt) "crash hp: " fmt
@@ -474,6 +536,8 @@ static void update_crash_elfcorehdr(struct kimage *image, struct memory_notify *
goto out;
}
+ sync_backup_region_phdr(image, (Elf64_Ehdr *) elfbuf, false);
+
ptr = __va(mem);
if (ptr) {
/* Temporarily invalidate the crash image while it is replaced */
diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
index a7db7eca0481b..8c72e12ea44e5 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch/powerpc/kexec/file_load_64.c
@@ -374,33 +374,6 @@ static int load_backup_segment(struct kimage *image, struct kexec_buf *kbuf)
return 0;
}
-/**
- * update_backup_region_phdr - Update backup region's offset for the core to
- * export the region appropriately.
- * @image: Kexec image.
- * @ehdr: ELF core header.
- *
- * Assumes an exclusive program header is setup for the backup region
- * in the ELF headers
- *
- * Returns nothing.
- */
-static void update_backup_region_phdr(struct kimage *image, Elf64_Ehdr *ehdr)
-{
- Elf64_Phdr *phdr;
- unsigned int i;
-
- phdr = (Elf64_Phdr *)(ehdr + 1);
- for (i = 0; i < ehdr->e_phnum; i++, phdr++) {
- if (phdr->p_paddr == BACKUP_SRC_START) {
- phdr->p_offset = image->arch.backup_start;
- kexec_dprintk("Backup region offset updated to 0x%lx\n",
- image->arch.backup_start);
- return;
- }
- }
-}
-
static unsigned int kdump_extra_elfcorehdr_size(struct crash_mem *cmem)
{
#if defined(CONFIG_CRASH_HOTPLUG) && defined(CONFIG_MEMORY_HOTPLUG)
@@ -445,7 +418,7 @@ static int load_elfcorehdr_segment(struct kimage *image, struct kexec_buf *kbuf)
}
/* Fix the offset for backup region in the ELF header */
- update_backup_region_phdr(image, headers);
+ sync_backup_region_phdr(image, headers, false);
kbuf->buffer = headers;
kbuf->mem = KEXEC_BUF_MEM_UNKNOWN;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 118/957] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 117/957] powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 119/957] bpf: Fix abuse of kprobe_write_ctx via freplace Greg Kroah-Hartman
` (844 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vaibhav Jain, Amit Machhiwal,
Venkat Rao Bagalkote, Madhavan Srinivasan, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Machhiwal <amachhiw@linux.ibm.com>
[ Upstream commit 6e65886fceb23605eff952d6b1975737b4c4b154 ]
GCC 15 reports the below false positive '-Wmaybe-uninitialized' warning
in vphn_unpack_associativity() when building the powerpc selftests.
# make -C tools/testing/selftests TARGETS="powerpc"
[...]
CC test-vphn
In file included from test-vphn.c:3:
In function ‘vphn_unpack_associativity’,
inlined from ‘test_one’ at test-vphn.c:371:2,
inlined from ‘test_vphn’ at test-vphn.c:399:9:
test-vphn.c:10:33: error: ‘be_packed’ may be used uninitialized [-Werror=maybe-uninitialized]
10 | #define be16_to_cpup(x) bswap_16(*x)
| ^~~~~~~~
vphn.c:42:27: note: in expansion of macro ‘be16_to_cpup’
42 | u16 new = be16_to_cpup(field++);
| ^~~~~~~~~~~~
In file included from test-vphn.c:19:
vphn.c: In function ‘test_vphn’:
vphn.c:27:16: note: ‘be_packed’ declared here
27 | __be64 be_packed[VPHN_REGISTER_COUNT];
| ^~~~~~~~~
cc1: all warnings being treated as errors
When vphn_unpack_associativity() is called from hcall_vphn() in kernel
the error is not seen while building vphn.c during kernel compilation.
This is because the top level Makefile includes '-fno-strict-aliasing'
flag always.
The issue here is that GCC 15 emits '-Wmaybe-uninitialized' due to type
punning between __be64[] and __b16* when accessing the buffer via
be16_to_cpup(). The underlying object is fully initialized but GCC 15
fails to track the aliasing due to the strict aliasing violation here.
Please refer [1] and [2]. This results in a false positive warning which
is promoted to an error under '-Werror'. This problem is not seen when
the compilation is performed with GCC 13 and 14. An issue [1] has also
been created on GCC bugzilla.
The selftest compiles fine with '-fno-strict-aliasing'. Since this GCC
flag is used to compile vphn.c in kernel too, the same flag should be
used to build vphn tests when compiling vphn.c in the selftest as well.
Fix this by including '-fno-strict-aliasing' during vphn.c compilation
in the selftest. This keeps the build working while limiting the scope
of the suppression to building vphn tests.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=124427
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99768
Fixes: 58dae82843f5 ("selftests/powerpc: Add test for VPHN")
Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Signed-off-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260313165426.43259-1-amachhiw@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/powerpc/vphn/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/powerpc/vphn/Makefile b/tools/testing/selftests/powerpc/vphn/Makefile
index 61d519a076c6f..778fc396340db 100644
--- a/tools/testing/selftests/powerpc/vphn/Makefile
+++ b/tools/testing/selftests/powerpc/vphn/Makefile
@@ -5,7 +5,7 @@ top_srcdir = ../../../../..
include ../../lib.mk
include ../flags.mk
-CFLAGS += -m64 -I$(CURDIR)
+CFLAGS += -m64 -I$(CURDIR) -fno-strict-aliasing
$(TEST_GEN_PROGS): ../harness.c
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 119/957] bpf: Fix abuse of kprobe_write_ctx via freplace
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 118/957] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 120/957] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
` (843 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Olsa, Song Liu, Leon Hwang,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Hwang <leon.hwang@linux.dev>
[ Upstream commit 611fe4b79af72d00d80f2223354284447daafae9 ]
uprobe programs are allowed to modify struct pt_regs.
Since the actual program type of uprobe is KPROBE, it can be abused to
modify struct pt_regs via kprobe+freplace when the kprobe attaches to
kernel functions.
For example,
SEC("?kprobe")
int kprobe(struct pt_regs *regs)
{
return 0;
}
SEC("?freplace")
int freplace_kprobe(struct pt_regs *regs)
{
regs->di = 0;
return 0;
}
freplace_kprobe prog will attach to kprobe prog.
kprobe prog will attach to a kernel function.
Without this patch, when the kernel function runs, its first arg will
always be set as 0 via the freplace_kprobe prog.
To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow
attaching freplace programs on kprobe programs with different
kprobe_write_ctx values.
Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers")
Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
Link: https://lore.kernel.org/r/20260331145353.87606-2-leon.hwang@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/syscall.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 586ece78f783a..ff268fd2ff8b5 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -3708,6 +3708,23 @@ static int bpf_tracing_prog_attach(struct bpf_prog *prog,
tr = prog->aux->dst_trampoline;
tgt_prog = prog->aux->dst_prog;
}
+ /*
+ * It is to prevent modifying struct pt_regs via kprobe_write_ctx=true
+ * freplace prog. Without this check, kprobe_write_ctx=true freplace
+ * prog is allowed to attach to kprobe_write_ctx=false kprobe prog, and
+ * then modify the registers of the kprobe prog's target kernel
+ * function.
+ *
+ * This also blocks the combination of uprobe+freplace, because it is
+ * unable to recognize the use of the tgt_prog as an uprobe or a kprobe
+ * by tgt_prog itself. At attach time, uprobe/kprobe is recognized by
+ * the target perf event flags in __perf_event_set_bpf_prog().
+ */
+ if (prog->type == BPF_PROG_TYPE_EXT &&
+ prog->aux->kprobe_write_ctx != tgt_prog->aux->kprobe_write_ctx) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
err = bpf_link_prime(&link->link.link, &link_primer);
if (err)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 120/957] macvlan: annotate data-races around port->bc_queue_len_used
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 119/957] bpf: Fix abuse of kprobe_write_ctx via freplace Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 121/957] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
` (842 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ef5789d9906df3771c99b7f413caaf2bf473ca5 ]
port->bc_queue_len_used is read and written locklessly,
add READ_ONCE()/WRITE_ONCE() annotations.
While WRITE_ONCE() in macvlan_fill_info() is not yet needed,
it is a prereq for future RTNL avoidance.
Fixes: d4bff72c8401 ("macvlan: Support for high multicast packet rate")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260401103809.3038139-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macvlan.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 4433b8e95b6ac..e9d288a05e39e 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -352,6 +352,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
const struct macvlan_dev *src,
struct sk_buff *skb)
{
+ u32 bc_queue_len_used = READ_ONCE(port->bc_queue_len_used);
struct sk_buff *nskb;
int err = -ENOMEM;
@@ -362,7 +363,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
MACVLAN_SKB_CB(nskb)->src = src;
spin_lock(&port->bc_queue.lock);
- if (skb_queue_len(&port->bc_queue) < port->bc_queue_len_used) {
+ if (skb_queue_len(&port->bc_queue) < bc_queue_len_used) {
if (src)
dev_hold(src->dev);
__skb_queue_tail(&port->bc_queue, nskb);
@@ -1727,7 +1728,8 @@ static int macvlan_fill_info(struct sk_buff *skb,
}
if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN, vlan->bc_queue_len_req))
goto nla_put_failure;
- if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN_USED, port->bc_queue_len_used))
+ if (nla_put_u32(skb, IFLA_MACVLAN_BC_QUEUE_LEN_USED,
+ READ_ONCE(port->bc_queue_len_used)))
goto nla_put_failure;
if (port->bc_cutoff != 1 &&
nla_put_s32(skb, IFLA_MACVLAN_BC_CUTOFF, port->bc_cutoff))
@@ -1787,7 +1789,7 @@ static void update_port_bc_queue_len(struct macvlan_port *port)
if (vlan->bc_queue_len_req > max_bc_queue_len_req)
max_bc_queue_len_req = vlan->bc_queue_len_req;
}
- port->bc_queue_len_used = max_bc_queue_len_req;
+ WRITE_ONCE(port->bc_queue_len_used, max_bc_queue_len_req);
}
static int macvlan_device_event(struct notifier_block *unused,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 121/957] bpf: fix end-of-list detection in cgroup_storage_get_next_key()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 120/957] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 122/957] bpf: Fix stale offload->prog pointer after constant blinding Greg Kroah-Hartman
` (841 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Sun Jian,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 5828b9e5b272ecff7cf5d345128d3de7324117f7 ]
list_next_entry() never returns NULL -- when the current element is the
last entry it wraps to the list head via container_of(). The subsequent
NULL check is therefore dead code and get_next_key() never returns
-ENOENT for the last element, instead reading storage->key from a bogus
pointer that aliases internal map fields and copying the result to
userspace.
Replace it with list_entry_is_head() so the function correctly returns
-ENOENT when there are no more entries.
Fixes: de9cbbaadba5 ("bpf: introduce cgroup storage maps")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260403132951.43533-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/local_storage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index c93a756e035c0..b8db4fbd3bd2a 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -259,7 +259,7 @@ static int cgroup_storage_get_next_key(struct bpf_map *_map, void *key,
goto enoent;
storage = list_next_entry(storage, list_map);
- if (!storage)
+ if (list_entry_is_head(storage, &map->list, list_map))
goto enoent;
} else {
storage = list_first_entry(&map->list,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 122/957] bpf: Fix stale offload->prog pointer after constant blinding
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 121/957] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 123/957] net: ethernet: ti-cpsw:: rename soft_reset() function Greg Kroah-Hartman
` (840 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, MingTao Huang, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: MingTao Huang <mintaohuang@tencent.com>
[ Upstream commit a1aa9ef47c299c5bbc30594d3c2f0589edf908e6 ]
When a dev-bound-only BPF program (BPF_F_XDP_DEV_BOUND_ONLY) undergoes
JIT compilation with constant blinding enabled (bpf_jit_harden >= 2),
bpf_jit_blind_constants() clones the program. The original prog is then
freed in bpf_jit_prog_release_other(), which updates aux->prog to point
to the surviving clone, but fails to update offload->prog.
This leaves offload->prog pointing to the freed original program. When
the network namespace is subsequently destroyed, cleanup_net() triggers
bpf_dev_bound_netdev_unregister(), which iterates ondev->progs and calls
__bpf_prog_offload_destroy(offload->prog). Accessing the freed prog
causes a page fault:
BUG: unable to handle page fault for address: ffffc900085f1038
Workqueue: netns cleanup_net
RIP: 0010:__bpf_prog_offload_destroy+0xc/0x80
Call Trace:
__bpf_offload_dev_netdev_unregister+0x257/0x350
bpf_dev_bound_netdev_unregister+0x4a/0x90
unregister_netdevice_many_notify+0x2a2/0x660
...
cleanup_net+0x21a/0x320
The test sequence that triggers this reliably is:
1. Set net.core.bpf_jit_harden=2 (echo 2 > /proc/sys/net/core/bpf_jit_harden)
2. Run xdp_metadata selftest, which creates a dev-bound-only XDP
program on a veth inside a netns (./test_progs -t xdp_metadata)
3. cleanup_net -> page fault in __bpf_prog_offload_destroy
Dev-bound-only programs are unique in that they have an offload structure
but go through the normal JIT path instead of bpf_prog_offload_compile().
This means they are subject to constant blinding's prog clone-and-replace,
while also having offload->prog that must stay in sync.
Fix this by updating offload->prog in bpf_jit_prog_release_other(),
alongside the existing aux->prog update. Both are back-pointers to
the prog that must be kept in sync when the prog is replaced.
Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
Signed-off-by: MingTao Huang <mintaohuang@tencent.com>
Link: https://lore.kernel.org/r/tencent_BCF692F45859CCE6C22B7B0B64827947D406@qq.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 8de006d388f67..931a4ddd8530c 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1468,6 +1468,8 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
* know whether fp here is the clone or the original.
*/
fp->aux->prog = fp;
+ if (fp->aux->offload)
+ fp->aux->offload->prog = fp;
bpf_prog_clone_free(fp_other);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 123/957] net: ethernet: ti-cpsw:: rename soft_reset() function
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 122/957] bpf: Fix stale offload->prog pointer after constant blinding Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 124/957] net: ethernet: ti-cpsw: fix linking built-in code to modules Greg Kroah-Hartman
` (839 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Arnd Bergmann,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 961f3c535608df64553f61d64ca086aa9f371bdd ]
While looking at the glob symbols shared between the cpsw drivers,
I noticed that soft_reset() is the only one that is missing a proper
namespace prefix, and will pollute the kernel namespace, so rename
it to be consistent with the other symbols.
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20260402184726.3746487-1-arnd@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: df75bd552a87 ("net: ethernet: ti-cpsw: fix linking built-in code to modules")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/cpsw.c | 2 +-
drivers/net/ethernet/ti/cpsw_new.c | 2 +-
drivers/net/ethernet/ti/cpsw_priv.c | 2 +-
drivers/net/ethernet/ti/cpsw_priv.h | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
index b0e18bdc2c851..aa3531e844e87 100644
--- a/drivers/net/ethernet/ti/cpsw.c
+++ b/drivers/net/ethernet/ti/cpsw.c
@@ -706,7 +706,7 @@ static void cpsw_init_host_port(struct cpsw_priv *priv)
struct cpsw_common *cpsw = priv->cpsw;
/* soft reset the controller and initialize ale */
- soft_reset("cpsw", &cpsw->regs->soft_reset);
+ cpsw_soft_reset("cpsw", &cpsw->regs->soft_reset);
cpsw_ale_start(cpsw->ale);
/* switch to vlan aware mode */
diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c
index fd3931d667021..c6cf7a0375e08 100644
--- a/drivers/net/ethernet/ti/cpsw_new.c
+++ b/drivers/net/ethernet/ti/cpsw_new.c
@@ -573,7 +573,7 @@ static void cpsw_init_host_port(struct cpsw_priv *priv)
u32 control_reg;
/* soft reset the controller and initialize ale */
- soft_reset("cpsw", &cpsw->regs->soft_reset);
+ cpsw_soft_reset("cpsw", &cpsw->regs->soft_reset);
cpsw_ale_start(cpsw->ale);
/* switch to vlan aware mode */
diff --git a/drivers/net/ethernet/ti/cpsw_priv.c b/drivers/net/ethernet/ti/cpsw_priv.c
index bc4fdf17a99ec..c6eb6b785b0b5 100644
--- a/drivers/net/ethernet/ti/cpsw_priv.c
+++ b/drivers/net/ethernet/ti/cpsw_priv.c
@@ -275,7 +275,7 @@ void cpsw_set_slave_mac(struct cpsw_slave *slave, struct cpsw_priv *priv)
slave_write(slave, mac_lo(priv->mac_addr), SA_LO);
}
-void soft_reset(const char *module, void __iomem *reg)
+void cpsw_soft_reset(const char *module, void __iomem *reg)
{
unsigned long timeout = jiffies + HZ;
diff --git a/drivers/net/ethernet/ti/cpsw_priv.h b/drivers/net/ethernet/ti/cpsw_priv.h
index acb6181c5c9e1..fddd7a79f4b0f 100644
--- a/drivers/net/ethernet/ti/cpsw_priv.h
+++ b/drivers/net/ethernet/ti/cpsw_priv.h
@@ -458,7 +458,7 @@ int cpsw_tx_poll(struct napi_struct *napi_tx, int budget);
int cpsw_rx_mq_poll(struct napi_struct *napi_rx, int budget);
int cpsw_rx_poll(struct napi_struct *napi_rx, int budget);
void cpsw_rx_vlan_encap(struct sk_buff *skb);
-void soft_reset(const char *module, void __iomem *reg);
+void cpsw_soft_reset(const char *module, void __iomem *reg);
void cpsw_set_slave_mac(struct cpsw_slave *slave, struct cpsw_priv *priv);
void cpsw_ndo_tx_timeout(struct net_device *ndev, unsigned int txqueue);
int cpsw_need_resplit(struct cpsw_common *cpsw);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 124/957] net: ethernet: ti-cpsw: fix linking built-in code to modules
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 123/957] net: ethernet: ti-cpsw:: rename soft_reset() function Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 125/957] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
` (838 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit df75bd552a8790e83d4aeb5f112050cf3dc687bf ]
There are six variants of the cpsw driver, sharing various parts of
the code: davinci-emac, cpsw, cpsw-switchdev, netcp, netcp_ethss and
am65-cpsw-nuss.
I noticed that this means some files can be linked into more than
one loadable module, or even part of vmlinux but also linked into
a loadable module, both of which mess up assumptions of the build
system, and causes warnings:
scripts/Makefile.build:279: cpsw_ale.o is added to multiple modules: ti-am65-cpsw-nuss ti_cpsw ti_cpsw_new
scripts/Makefile.build:279: cpsw_priv.o is added to multiple modules: ti_cpsw ti_cpsw_new
scripts/Makefile.build:279: cpsw_sl.o is added to multiple modules: ti-am65-cpsw-nuss ti_cpsw ti_cpsw_new
scripts/Makefile.build:279: cpsw_ethtool.o is added to multiple modules: ti_cpsw ti_cpsw_new
scripts/Makefile.build:279: davinci_cpdma.o is added to multiple modules: ti_cpsw ti_cpsw_new ti_davinci_emac
Change this back to having separate modules for each portion that
can be linked standalone, exporting symbols as needed:
- ti-cpsw-common.ko now contains both cpsw-common.o and
davinci_cpdma.o as they are always used together
- ti-cpsw-priv.ko contains cpsw_priv.o, cpsw_sl.o and cpsw_ethtool.o,
which are the core of the cpsw and cpsw-new drivers.
- ti-cpsw-sl.ko contains the cpsw-sl.o object and is used on
ti-am65-cpsw-nuss.ko in addition to the two other cpsw variants.
- ti-cpsw-ale.o is the one standalone module that is used by all
except davinci_emac.
Each of these will be built-in if any of its users are built-in, otherwise
it's a loadable module if there is at least one module using it. I did
not bring back the separate Kconfig symbols for this, but just handle
it using Makefile logic.
Note: ideally this is something that Kbuild complains about, but usually
we just notice when something using THIS_MODULE misbehaves in a way that
a user notices.
Fixes: 99f6297182729 ("net: ethernet: ti: cpsw: drop TI_DAVINCI_CPDMA config option")
Link: https://lore.kernel.org/lkml/20240417084400.3034104-1-arnd@kernel.org/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20260402184726.3746487-2-arnd@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/Makefile | 30 ++++++++++----------
drivers/net/ethernet/ti/cpsw_ale.c | 25 +++++++++++++++++
drivers/net/ethernet/ti/cpsw_ethtool.c | 24 ++++++++++++++++
drivers/net/ethernet/ti/cpsw_priv.c | 37 +++++++++++++++++++++++++
drivers/net/ethernet/ti/cpsw_sl.c | 11 ++++++++
drivers/net/ethernet/ti/davinci_cpdma.c | 27 ++++++++++++++++++
6 files changed, 139 insertions(+), 15 deletions(-)
diff --git a/drivers/net/ethernet/ti/Makefile b/drivers/net/ethernet/ti/Makefile
index 93c0a4d0e33a6..fec6ba62c0303 100644
--- a/drivers/net/ethernet/ti/Makefile
+++ b/drivers/net/ethernet/ti/Makefile
@@ -6,30 +6,30 @@
obj-$(CONFIG_TI_PRUETH) += icssm-prueth.o
icssm-prueth-y := icssm/icssm_prueth.o
-obj-$(CONFIG_TI_CPSW) += cpsw-common.o
-obj-$(CONFIG_TI_DAVINCI_EMAC) += cpsw-common.o
-obj-$(CONFIG_TI_CPSW_SWITCHDEV) += cpsw-common.o
+ti-cpsw-common-y += cpsw-common.o davinci_cpdma.o
+ti-cpsw-priv-y += cpsw_priv.o cpsw_ethtool.o
+ti-cpsw-ale-y += cpsw_ale.o
+ti-cpsw-sl-y += cpsw_sl.o
obj-$(CONFIG_TLAN) += tlan.o
-obj-$(CONFIG_TI_DAVINCI_EMAC) += ti_davinci_emac.o
-ti_davinci_emac-y := davinci_emac.o davinci_cpdma.o
+obj-$(CONFIG_TI_DAVINCI_EMAC) += davinci_emac.o ti-cpsw-common.o
obj-$(CONFIG_TI_DAVINCI_MDIO) += davinci_mdio.o
obj-$(CONFIG_TI_CPSW_PHY_SEL) += cpsw-phy-sel.o
obj-$(CONFIG_TI_CPTS) += cpts.o
-obj-$(CONFIG_TI_CPSW) += ti_cpsw.o
-ti_cpsw-y := cpsw.o davinci_cpdma.o cpsw_ale.o cpsw_priv.o cpsw_sl.o cpsw_ethtool.o
-obj-$(CONFIG_TI_CPSW_SWITCHDEV) += ti_cpsw_new.o
-ti_cpsw_new-y := cpsw_switchdev.o cpsw_new.o davinci_cpdma.o cpsw_ale.o cpsw_sl.o cpsw_priv.o cpsw_ethtool.o
+obj-$(CONFIG_TI_CPSW) += ti_cpsw.o ti-cpsw-common.o ti-cpsw-priv.o ti-cpsw-ale.o ti-cpsw-sl.o
+ti_cpsw-y := cpsw.o
+obj-$(CONFIG_TI_CPSW_SWITCHDEV) += ti_cpsw_new.o ti-cpsw-common.o ti-cpsw-priv.o ti-cpsw-ale.o ti-cpsw-sl.o
+ti_cpsw_new-y := cpsw_switchdev.o cpsw_new.o
-obj-$(CONFIG_TI_KEYSTONE_NETCP) += keystone_netcp.o
-keystone_netcp-y := netcp_core.o cpsw_ale.o
-obj-$(CONFIG_TI_KEYSTONE_NETCP_ETHSS) += keystone_netcp_ethss.o
-keystone_netcp_ethss-y := netcp_ethss.o netcp_sgmii.o netcp_xgbepcsr.o cpsw_ale.o
+obj-$(CONFIG_TI_KEYSTONE_NETCP) += keystone_netcp.o ti-cpsw-ale.o
+keystone_netcp-y := netcp_core.o
+obj-$(CONFIG_TI_KEYSTONE_NETCP_ETHSS) += keystone_netcp_ethss.o ti-cpsw-ale.o
+keystone_netcp_ethss-y := netcp_ethss.o netcp_sgmii.o netcp_xgbepcsr.o
obj-$(CONFIG_TI_K3_CPPI_DESC_POOL) += k3-cppi-desc-pool.o
-obj-$(CONFIG_TI_K3_AM65_CPSW_NUSS) += ti-am65-cpsw-nuss.o
-ti-am65-cpsw-nuss-y := am65-cpsw-nuss.o cpsw_sl.o am65-cpsw-ethtool.o cpsw_ale.o
+obj-$(CONFIG_TI_K3_AM65_CPSW_NUSS) += ti-am65-cpsw-nuss.o ti-cpsw-sl.o ti-cpsw-ale.o
+ti-am65-cpsw-nuss-y := am65-cpsw-nuss.o am65-cpsw-ethtool.o
ti-am65-cpsw-nuss-$(CONFIG_TI_AM65_CPSW_QOS) += am65-cpsw-qos.o
ti-am65-cpsw-nuss-$(CONFIG_TI_K3_AM65_CPSW_SWITCHDEV) += am65-cpsw-switchdev.o
obj-$(CONFIG_TI_K3_AM65_CPTS) += am65-cpts.o
diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c
index 9632ad3741de1..7fb1488ca0025 100644
--- a/drivers/net/ethernet/ti/cpsw_ale.c
+++ b/drivers/net/ethernet/ti/cpsw_ale.c
@@ -498,6 +498,7 @@ int cpsw_ale_flush_multicast(struct cpsw_ale *ale, int port_mask, int vid)
}
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_flush_multicast);
static inline void cpsw_ale_set_vlan_entry_type(u32 *ale_entry,
int flags, u16 vid)
@@ -535,6 +536,7 @@ int cpsw_ale_add_ucast(struct cpsw_ale *ale, const u8 *addr, int port,
cpsw_ale_write(ale, idx, ale_entry);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_add_ucast);
int cpsw_ale_del_ucast(struct cpsw_ale *ale, const u8 *addr, int port,
int flags, u16 vid)
@@ -550,6 +552,7 @@ int cpsw_ale_del_ucast(struct cpsw_ale *ale, const u8 *addr, int port,
cpsw_ale_write(ale, idx, ale_entry);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_del_ucast);
int cpsw_ale_add_mcast(struct cpsw_ale *ale, const u8 *addr, int port_mask,
int flags, u16 vid, int mcast_state)
@@ -583,6 +586,7 @@ int cpsw_ale_add_mcast(struct cpsw_ale *ale, const u8 *addr, int port_mask,
cpsw_ale_write(ale, idx, ale_entry);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_add_mcast);
int cpsw_ale_del_mcast(struct cpsw_ale *ale, const u8 *addr, int port_mask,
int flags, u16 vid)
@@ -612,6 +616,7 @@ int cpsw_ale_del_mcast(struct cpsw_ale *ale, const u8 *addr, int port_mask,
cpsw_ale_write(ale, idx, ale_entry);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_del_mcast);
/* ALE NetCP NU switch specific vlan functions */
static void cpsw_ale_set_vlan_mcast(struct cpsw_ale *ale, u32 *ale_entry,
@@ -681,6 +686,7 @@ int cpsw_ale_add_vlan(struct cpsw_ale *ale, u16 vid, int port_mask, int untag,
cpsw_ale_write(ale, idx, ale_entry);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_add_vlan);
static void cpsw_ale_vlan_del_modify_int(struct cpsw_ale *ale, u32 *ale_entry,
u16 vid, int port_mask)
@@ -738,6 +744,7 @@ int cpsw_ale_vlan_del_modify(struct cpsw_ale *ale, u16 vid, int port_mask)
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_vlan_del_modify);
int cpsw_ale_del_vlan(struct cpsw_ale *ale, u16 vid, int port_mask)
{
@@ -772,6 +779,7 @@ int cpsw_ale_del_vlan(struct cpsw_ale *ale, u16 vid, int port_mask)
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_del_vlan);
int cpsw_ale_vlan_add_modify(struct cpsw_ale *ale, u16 vid, int port_mask,
int untag_mask, int reg_mask, int unreg_mask)
@@ -811,6 +819,7 @@ int cpsw_ale_vlan_add_modify(struct cpsw_ale *ale, u16 vid, int port_mask,
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_vlan_add_modify);
void cpsw_ale_set_unreg_mcast(struct cpsw_ale *ale, int unreg_mcast_mask,
bool add)
@@ -838,6 +847,7 @@ void cpsw_ale_set_unreg_mcast(struct cpsw_ale *ale, int unreg_mcast_mask,
cpsw_ale_write(ale, idx, ale_entry);
}
}
+EXPORT_SYMBOL_GPL(cpsw_ale_set_unreg_mcast);
static void cpsw_ale_vlan_set_unreg_mcast(struct cpsw_ale *ale, u32 *ale_entry,
int allmulti)
@@ -903,6 +913,7 @@ void cpsw_ale_set_allmulti(struct cpsw_ale *ale, int allmulti, int port)
cpsw_ale_write(ale, idx, ale_entry);
}
}
+EXPORT_SYMBOL_GPL(cpsw_ale_set_allmulti);
struct ale_control_info {
const char *name;
@@ -1160,6 +1171,7 @@ int cpsw_ale_control_set(struct cpsw_ale *ale, int port, int control,
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_control_set);
int cpsw_ale_control_get(struct cpsw_ale *ale, int port, int control)
{
@@ -1183,6 +1195,7 @@ int cpsw_ale_control_get(struct cpsw_ale *ale, int port, int control)
tmp = readl_relaxed(ale->params.ale_regs + offset) >> shift;
return tmp & BITMASK(info->bits);
}
+EXPORT_SYMBOL_GPL(cpsw_ale_control_get);
int cpsw_ale_rx_ratelimit_mc(struct cpsw_ale *ale, int port, unsigned int ratelimit_pps)
@@ -1205,6 +1218,7 @@ int cpsw_ale_rx_ratelimit_mc(struct cpsw_ale *ale, int port, unsigned int rateli
port, val * ALE_RATE_LIMIT_MIN_PPS);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_rx_ratelimit_mc);
int cpsw_ale_rx_ratelimit_bc(struct cpsw_ale *ale, int port, unsigned int ratelimit_pps)
@@ -1227,6 +1241,7 @@ int cpsw_ale_rx_ratelimit_bc(struct cpsw_ale *ale, int port, unsigned int rateli
port, val * ALE_RATE_LIMIT_MIN_PPS);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_rx_ratelimit_bc);
static void cpsw_ale_timer(struct timer_list *t)
{
@@ -1316,6 +1331,7 @@ void cpsw_ale_start(struct cpsw_ale *ale)
cpsw_ale_aging_start(ale);
}
+EXPORT_SYMBOL_GPL(cpsw_ale_start);
void cpsw_ale_stop(struct cpsw_ale *ale)
{
@@ -1323,6 +1339,7 @@ void cpsw_ale_stop(struct cpsw_ale *ale)
cpsw_ale_control_set(ale, 0, ALE_CLEAR, 1);
cpsw_ale_control_set(ale, 0, ALE_ENABLE, 0);
}
+EXPORT_SYMBOL_GPL(cpsw_ale_stop);
static const struct reg_field ale_fields_cpsw[] = {
/* CPSW_ALE_IDVER_REG */
@@ -1623,6 +1640,7 @@ struct cpsw_ale *cpsw_ale_create(struct cpsw_ale_params *params)
cpsw_ale_control_set(ale, 0, ALE_CLEAR, 1);
return ale;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_create);
void cpsw_ale_dump(struct cpsw_ale *ale, u32 *data)
{
@@ -1633,6 +1651,7 @@ void cpsw_ale_dump(struct cpsw_ale *ale, u32 *data)
data += ALE_ENTRY_WORDS;
}
}
+EXPORT_SYMBOL_GPL(cpsw_ale_dump);
void cpsw_ale_restore(struct cpsw_ale *ale, u32 *data)
{
@@ -1643,11 +1662,13 @@ void cpsw_ale_restore(struct cpsw_ale *ale, u32 *data)
data += ALE_ENTRY_WORDS;
}
}
+EXPORT_SYMBOL_GPL(cpsw_ale_restore);
u32 cpsw_ale_get_num_entries(struct cpsw_ale *ale)
{
return ale ? ale->params.ale_entries : 0;
}
+EXPORT_SYMBOL_GPL(cpsw_ale_get_num_entries);
/* Reads the specified policer index into ALE POLICER registers */
static void cpsw_ale_policer_read_idx(struct cpsw_ale *ale, u32 idx)
@@ -1750,3 +1771,7 @@ void cpsw_ale_classifier_setup_default(struct cpsw_ale *ale, int num_rx_ch)
1);
}
}
+EXPORT_SYMBOL_GPL(cpsw_ale_classifier_setup_default);
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("TI N-Port Ethernet Switch Address Lookup Engine");
diff --git a/drivers/net/ethernet/ti/cpsw_ethtool.c b/drivers/net/ethernet/ti/cpsw_ethtool.c
index bdc4db0d169c4..6350031e976f7 100644
--- a/drivers/net/ethernet/ti/cpsw_ethtool.c
+++ b/drivers/net/ethernet/ti/cpsw_ethtool.c
@@ -144,6 +144,7 @@ u32 cpsw_get_msglevel(struct net_device *ndev)
return priv->msg_enable;
}
+EXPORT_SYMBOL_GPL(cpsw_get_msglevel);
void cpsw_set_msglevel(struct net_device *ndev, u32 value)
{
@@ -151,6 +152,7 @@ void cpsw_set_msglevel(struct net_device *ndev, u32 value)
priv->msg_enable = value;
}
+EXPORT_SYMBOL_GPL(cpsw_set_msglevel);
int cpsw_get_coalesce(struct net_device *ndev, struct ethtool_coalesce *coal,
struct kernel_ethtool_coalesce *kernel_coal,
@@ -161,6 +163,7 @@ int cpsw_get_coalesce(struct net_device *ndev, struct ethtool_coalesce *coal,
coal->rx_coalesce_usecs = cpsw->coal_intvl;
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_get_coalesce);
int cpsw_set_coalesce(struct net_device *ndev, struct ethtool_coalesce *coal,
struct kernel_ethtool_coalesce *kernel_coal,
@@ -220,6 +223,7 @@ int cpsw_set_coalesce(struct net_device *ndev, struct ethtool_coalesce *coal,
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_set_coalesce);
int cpsw_get_sset_count(struct net_device *ndev, int sset)
{
@@ -234,6 +238,7 @@ int cpsw_get_sset_count(struct net_device *ndev, int sset)
return -EOPNOTSUPP;
}
}
+EXPORT_SYMBOL_GPL(cpsw_get_sset_count);
static void cpsw_add_ch_strings(u8 **p, int ch_num, int rx_dir)
{
@@ -271,6 +276,7 @@ void cpsw_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
break;
}
}
+EXPORT_SYMBOL_GPL(cpsw_get_strings);
void cpsw_get_ethtool_stats(struct net_device *ndev,
struct ethtool_stats *stats, u64 *data)
@@ -303,6 +309,7 @@ void cpsw_get_ethtool_stats(struct net_device *ndev,
}
}
}
+EXPORT_SYMBOL_GPL(cpsw_get_ethtool_stats);
void cpsw_get_pauseparam(struct net_device *ndev,
struct ethtool_pauseparam *pause)
@@ -313,6 +320,7 @@ void cpsw_get_pauseparam(struct net_device *ndev,
pause->rx_pause = priv->rx_pause ? true : false;
pause->tx_pause = priv->tx_pause ? true : false;
}
+EXPORT_SYMBOL_GPL(cpsw_get_pauseparam);
void cpsw_get_wol(struct net_device *ndev, struct ethtool_wolinfo *wol)
{
@@ -326,6 +334,7 @@ void cpsw_get_wol(struct net_device *ndev, struct ethtool_wolinfo *wol)
if (cpsw->slaves[slave_no].phy)
phy_ethtool_get_wol(cpsw->slaves[slave_no].phy, wol);
}
+EXPORT_SYMBOL_GPL(cpsw_get_wol);
int cpsw_set_wol(struct net_device *ndev, struct ethtool_wolinfo *wol)
{
@@ -338,6 +347,7 @@ int cpsw_set_wol(struct net_device *ndev, struct ethtool_wolinfo *wol)
else
return -EOPNOTSUPP;
}
+EXPORT_SYMBOL_GPL(cpsw_set_wol);
int cpsw_get_regs_len(struct net_device *ndev)
{
@@ -346,6 +356,7 @@ int cpsw_get_regs_len(struct net_device *ndev)
return cpsw_ale_get_num_entries(cpsw->ale) *
ALE_ENTRY_WORDS * sizeof(u32);
}
+EXPORT_SYMBOL_GPL(cpsw_get_regs_len);
void cpsw_get_regs(struct net_device *ndev, struct ethtool_regs *regs, void *p)
{
@@ -357,6 +368,7 @@ void cpsw_get_regs(struct net_device *ndev, struct ethtool_regs *regs, void *p)
cpsw_ale_dump(cpsw->ale, reg);
}
+EXPORT_SYMBOL_GPL(cpsw_get_regs);
int cpsw_ethtool_op_begin(struct net_device *ndev)
{
@@ -370,6 +382,7 @@ int cpsw_ethtool_op_begin(struct net_device *ndev)
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_ethtool_op_begin);
void cpsw_ethtool_op_complete(struct net_device *ndev)
{
@@ -380,6 +393,7 @@ void cpsw_ethtool_op_complete(struct net_device *ndev)
if (ret < 0)
cpsw_err(priv, drv, "ethtool complete failed %d\n", ret);
}
+EXPORT_SYMBOL_GPL(cpsw_ethtool_op_complete);
void cpsw_get_channels(struct net_device *ndev, struct ethtool_channels *ch)
{
@@ -394,6 +408,7 @@ void cpsw_get_channels(struct net_device *ndev, struct ethtool_channels *ch)
ch->tx_count = cpsw->tx_ch_num;
ch->combined_count = 0;
}
+EXPORT_SYMBOL_GPL(cpsw_get_channels);
int cpsw_get_link_ksettings(struct net_device *ndev,
struct ethtool_link_ksettings *ecmd)
@@ -408,6 +423,7 @@ int cpsw_get_link_ksettings(struct net_device *ndev,
phy_ethtool_ksettings_get(cpsw->slaves[slave_no].phy, ecmd);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_get_link_ksettings);
int cpsw_set_link_ksettings(struct net_device *ndev,
const struct ethtool_link_ksettings *ecmd)
@@ -421,6 +437,7 @@ int cpsw_set_link_ksettings(struct net_device *ndev,
return phy_ethtool_ksettings_set(cpsw->slaves[slave_no].phy, ecmd);
}
+EXPORT_SYMBOL_GPL(cpsw_set_link_ksettings);
int cpsw_get_eee(struct net_device *ndev, struct ethtool_keee *edata)
{
@@ -433,6 +450,7 @@ int cpsw_get_eee(struct net_device *ndev, struct ethtool_keee *edata)
else
return -EOPNOTSUPP;
}
+EXPORT_SYMBOL_GPL(cpsw_get_eee);
int cpsw_nway_reset(struct net_device *ndev)
{
@@ -445,6 +463,7 @@ int cpsw_nway_reset(struct net_device *ndev)
else
return -EOPNOTSUPP;
}
+EXPORT_SYMBOL_GPL(cpsw_nway_reset);
static void cpsw_suspend_data_pass(struct net_device *ndev)
{
@@ -642,6 +661,7 @@ int cpsw_set_channels_common(struct net_device *ndev,
cpsw_fail(cpsw);
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_set_channels_common);
void cpsw_get_ringparam(struct net_device *ndev,
struct ethtool_ringparam *ering,
@@ -657,6 +677,7 @@ void cpsw_get_ringparam(struct net_device *ndev,
ering->rx_max_pending = cpsw->descs_pool_size - CPSW_MAX_QUEUES;
ering->rx_pending = cpdma_get_num_rx_descs(cpsw->dma);
}
+EXPORT_SYMBOL_GPL(cpsw_get_ringparam);
int cpsw_set_ringparam(struct net_device *ndev,
struct ethtool_ringparam *ering,
@@ -703,6 +724,7 @@ int cpsw_set_ringparam(struct net_device *ndev,
cpsw_fail(cpsw);
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_set_ringparam);
#if IS_ENABLED(CONFIG_TI_CPTS)
int cpsw_get_ts_info(struct net_device *ndev, struct kernel_ethtool_ts_info *info)
@@ -723,6 +745,7 @@ int cpsw_get_ts_info(struct net_device *ndev, struct kernel_ethtool_ts_info *inf
(1 << HWTSTAMP_FILTER_PTP_V2_EVENT);
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_get_ts_info);
#else
int cpsw_get_ts_info(struct net_device *ndev, struct kernel_ethtool_ts_info *info)
{
@@ -732,4 +755,5 @@ int cpsw_get_ts_info(struct net_device *ndev, struct kernel_ethtool_ts_info *inf
info->rx_filters = 0;
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_get_ts_info);
#endif
diff --git a/drivers/net/ethernet/ti/cpsw_priv.c b/drivers/net/ethernet/ti/cpsw_priv.c
index c6eb6b785b0b5..1f6f374551cb6 100644
--- a/drivers/net/ethernet/ti/cpsw_priv.c
+++ b/drivers/net/ethernet/ti/cpsw_priv.c
@@ -32,6 +32,7 @@
#define CPTS_N_ETX_TS 4
int (*cpsw_slave_index)(struct cpsw_common *cpsw, struct cpsw_priv *priv);
+EXPORT_SYMBOL_GPL(cpsw_slave_index);
void cpsw_intr_enable(struct cpsw_common *cpsw)
{
@@ -40,6 +41,7 @@ void cpsw_intr_enable(struct cpsw_common *cpsw)
cpdma_ctlr_int_ctrl(cpsw->dma, true);
}
+EXPORT_SYMBOL_GPL(cpsw_intr_enable);
void cpsw_intr_disable(struct cpsw_common *cpsw)
{
@@ -48,6 +50,7 @@ void cpsw_intr_disable(struct cpsw_common *cpsw)
cpdma_ctlr_int_ctrl(cpsw->dma, false);
}
+EXPORT_SYMBOL_GPL(cpsw_intr_disable);
void cpsw_tx_handler(void *token, int len, int status)
{
@@ -82,6 +85,7 @@ void cpsw_tx_handler(void *token, int len, int status)
ndev->stats.tx_packets++;
ndev->stats.tx_bytes += len;
}
+EXPORT_SYMBOL_GPL(cpsw_tx_handler);
irqreturn_t cpsw_tx_interrupt(int irq, void *dev_id)
{
@@ -98,6 +102,7 @@ irqreturn_t cpsw_tx_interrupt(int irq, void *dev_id)
napi_schedule(&cpsw->napi_tx);
return IRQ_HANDLED;
}
+EXPORT_SYMBOL_GPL(cpsw_tx_interrupt);
irqreturn_t cpsw_rx_interrupt(int irq, void *dev_id)
{
@@ -114,6 +119,7 @@ irqreturn_t cpsw_rx_interrupt(int irq, void *dev_id)
napi_schedule(&cpsw->napi_rx);
return IRQ_HANDLED;
}
+EXPORT_SYMBOL_GPL(cpsw_rx_interrupt);
irqreturn_t cpsw_misc_interrupt(int irq, void *dev_id)
{
@@ -126,6 +132,7 @@ irqreturn_t cpsw_misc_interrupt(int irq, void *dev_id)
return IRQ_HANDLED;
}
+EXPORT_SYMBOL_GPL(cpsw_misc_interrupt);
int cpsw_tx_mq_poll(struct napi_struct *napi_tx, int budget)
{
@@ -158,6 +165,7 @@ int cpsw_tx_mq_poll(struct napi_struct *napi_tx, int budget)
return num_tx;
}
+EXPORT_SYMBOL_GPL(cpsw_tx_mq_poll);
int cpsw_tx_poll(struct napi_struct *napi_tx, int budget)
{
@@ -176,6 +184,7 @@ int cpsw_tx_poll(struct napi_struct *napi_tx, int budget)
return num_tx;
}
+EXPORT_SYMBOL_GPL(cpsw_tx_poll);
int cpsw_rx_mq_poll(struct napi_struct *napi_rx, int budget)
{
@@ -208,6 +217,7 @@ int cpsw_rx_mq_poll(struct napi_struct *napi_rx, int budget)
return num_rx;
}
+EXPORT_SYMBOL_GPL(cpsw_rx_mq_poll);
int cpsw_rx_poll(struct napi_struct *napi_rx, int budget)
{
@@ -226,6 +236,7 @@ int cpsw_rx_poll(struct napi_struct *napi_rx, int budget)
return num_rx;
}
+EXPORT_SYMBOL_GPL(cpsw_rx_poll);
void cpsw_rx_vlan_encap(struct sk_buff *skb)
{
@@ -268,12 +279,14 @@ void cpsw_rx_vlan_encap(struct sk_buff *skb)
skb_pull(skb, VLAN_HLEN);
}
}
+EXPORT_SYMBOL_GPL(cpsw_rx_vlan_encap);
void cpsw_set_slave_mac(struct cpsw_slave *slave, struct cpsw_priv *priv)
{
slave_write(slave, mac_hi(priv->mac_addr), SA_HI);
slave_write(slave, mac_lo(priv->mac_addr), SA_LO);
}
+EXPORT_SYMBOL_GPL(cpsw_set_slave_mac);
void cpsw_soft_reset(const char *module, void __iomem *reg)
{
@@ -286,6 +299,7 @@ void cpsw_soft_reset(const char *module, void __iomem *reg)
WARN(readl_relaxed(reg) & 1, "failed to soft-reset %s\n", module);
}
+EXPORT_SYMBOL_GPL(cpsw_soft_reset);
void cpsw_ndo_tx_timeout(struct net_device *ndev, unsigned int txqueue)
{
@@ -305,6 +319,7 @@ void cpsw_ndo_tx_timeout(struct net_device *ndev, unsigned int txqueue)
netif_trans_update(ndev);
netif_tx_wake_all_queues(ndev);
}
+EXPORT_SYMBOL_GPL(cpsw_ndo_tx_timeout);
static int cpsw_get_common_speed(struct cpsw_common *cpsw)
{
@@ -343,6 +358,7 @@ int cpsw_need_resplit(struct cpsw_common *cpsw)
return 1;
}
+EXPORT_SYMBOL_GPL(cpsw_need_resplit);
void cpsw_split_res(struct cpsw_common *cpsw)
{
@@ -428,6 +444,7 @@ void cpsw_split_res(struct cpsw_common *cpsw)
if (budget)
cpsw->rxv[0].budget += budget;
}
+EXPORT_SYMBOL_GPL(cpsw_split_res);
int cpsw_init_common(struct cpsw_common *cpsw, void __iomem *ss_regs,
int ale_ageout, phys_addr_t desc_mem_phys,
@@ -548,6 +565,7 @@ int cpsw_init_common(struct cpsw_common *cpsw, void __iomem *ss_regs,
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_init_common);
#if IS_ENABLED(CONFIG_TI_CPTS)
@@ -678,6 +696,7 @@ int cpsw_hwtstamp_set(struct net_device *dev,
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_hwtstamp_set);
int cpsw_hwtstamp_get(struct net_device *dev,
struct kernel_hwtstamp_config *cfg)
@@ -695,12 +714,14 @@ int cpsw_hwtstamp_get(struct net_device *dev,
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_hwtstamp_get);
#else
int cpsw_hwtstamp_get(struct net_device *dev,
struct kernel_hwtstamp_config *cfg)
{
return -EOPNOTSUPP;
}
+EXPORT_SYMBOL_GPL(cpsw_hwtstamp_set);
int cpsw_hwtstamp_set(struct net_device *dev,
struct kernel_hwtstamp_config *cfg,
@@ -708,6 +729,7 @@ int cpsw_hwtstamp_set(struct net_device *dev,
{
return -EOPNOTSUPP;
}
+EXPORT_SYMBOL_GPL(cpsw_hwtstamp_get);
#endif /*CONFIG_TI_CPTS*/
int cpsw_ndo_set_tx_maxrate(struct net_device *ndev, int queue, u32 rate)
@@ -758,6 +780,7 @@ int cpsw_ndo_set_tx_maxrate(struct net_device *ndev, int queue, u32 rate)
cpsw_split_res(cpsw);
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_ndo_set_tx_maxrate);
static int cpsw_tc_to_fifo(int tc, int num_tc)
{
@@ -782,6 +805,7 @@ bool cpsw_shp_is_off(struct cpsw_priv *priv)
return !val;
}
+EXPORT_SYMBOL_GPL(cpsw_shp_is_off);
static void cpsw_fifo_shp_on(struct cpsw_priv *priv, int fifo, int on)
{
@@ -1043,6 +1067,7 @@ int cpsw_ndo_setup_tc(struct net_device *ndev, enum tc_setup_type type,
return -EOPNOTSUPP;
}
}
+EXPORT_SYMBOL_GPL(cpsw_ndo_setup_tc);
void cpsw_cbs_resume(struct cpsw_slave *slave, struct cpsw_priv *priv)
{
@@ -1056,6 +1081,7 @@ void cpsw_cbs_resume(struct cpsw_slave *slave, struct cpsw_priv *priv)
cpsw_set_fifo_rlimit(priv, fifo, bw);
}
}
+EXPORT_SYMBOL_GPL(cpsw_cbs_resume);
void cpsw_mqprio_resume(struct cpsw_slave *slave, struct cpsw_priv *priv)
{
@@ -1078,6 +1104,7 @@ void cpsw_mqprio_resume(struct cpsw_slave *slave, struct cpsw_priv *priv)
slave_write(slave, tx_prio_map, tx_prio_rg);
}
+EXPORT_SYMBOL_GPL(cpsw_mqprio_resume);
int cpsw_fill_rx_channels(struct cpsw_priv *priv)
{
@@ -1123,6 +1150,7 @@ int cpsw_fill_rx_channels(struct cpsw_priv *priv)
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_fill_rx_channels);
static struct page_pool *cpsw_create_page_pool(struct cpsw_common *cpsw,
int size)
@@ -1208,6 +1236,7 @@ void cpsw_destroy_xdp_rxqs(struct cpsw_common *cpsw)
cpsw->page_pool[ch] = NULL;
}
}
+EXPORT_SYMBOL_GPL(cpsw_destroy_xdp_rxqs);
int cpsw_create_xdp_rxqs(struct cpsw_common *cpsw)
{
@@ -1240,6 +1269,7 @@ int cpsw_create_xdp_rxqs(struct cpsw_common *cpsw)
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_create_xdp_rxqs);
static int cpsw_xdp_prog_setup(struct cpsw_priv *priv, struct netdev_bpf *bpf)
{
@@ -1267,6 +1297,7 @@ int cpsw_ndo_bpf(struct net_device *ndev, struct netdev_bpf *bpf)
return -EINVAL;
}
}
+EXPORT_SYMBOL_GPL(cpsw_ndo_bpf);
int cpsw_xdp_tx_frame(struct cpsw_priv *priv, struct xdp_frame *xdpf,
struct page *page, int port)
@@ -1300,6 +1331,7 @@ int cpsw_xdp_tx_frame(struct cpsw_priv *priv, struct xdp_frame *xdpf,
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_xdp_tx_frame);
int cpsw_run_xdp(struct cpsw_priv *priv, int ch, struct xdp_buff *xdp,
struct page *page, int port, int *len)
@@ -1362,6 +1394,7 @@ int cpsw_run_xdp(struct cpsw_priv *priv, int ch, struct xdp_buff *xdp,
page_pool_recycle_direct(cpsw->page_pool[ch], page);
return ret;
}
+EXPORT_SYMBOL_GPL(cpsw_run_xdp);
static int cpsw_qos_clsflower_add_policer(struct cpsw_priv *priv,
struct netlink_ext_ack *extack,
@@ -1564,3 +1597,7 @@ void cpsw_qos_clsflower_resume(struct cpsw_priv *priv)
cpsw_ale_rx_ratelimit_mc(priv->cpsw->ale, port_id,
priv->ale_mc_ratelimit.rate_packet_ps);
}
+EXPORT_SYMBOL_GPL(cpsw_qos_clsflower_resume);
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("TI CPSW Ethernet Switch Driver");
diff --git a/drivers/net/ethernet/ti/cpsw_sl.c b/drivers/net/ethernet/ti/cpsw_sl.c
index 0c7531cb0f398..761719a348fa5 100644
--- a/drivers/net/ethernet/ti/cpsw_sl.c
+++ b/drivers/net/ethernet/ti/cpsw_sl.c
@@ -200,6 +200,7 @@ u32 cpsw_sl_reg_read(struct cpsw_sl *sl, enum cpsw_sl_regs reg)
dev_dbg(sl->dev, "cpsw_sl: reg: %04X r 0x%08X\n", sl->regs[reg], val);
return val;
}
+EXPORT_SYMBOL_GPL(cpsw_sl_reg_read);
void cpsw_sl_reg_write(struct cpsw_sl *sl, enum cpsw_sl_regs reg, u32 val)
{
@@ -212,6 +213,7 @@ void cpsw_sl_reg_write(struct cpsw_sl *sl, enum cpsw_sl_regs reg, u32 val)
dev_dbg(sl->dev, "cpsw_sl: reg: %04X w 0x%08X\n", sl->regs[reg], val);
writel(val, sl->sl_base + sl->regs[reg]);
}
+EXPORT_SYMBOL_GPL(cpsw_sl_reg_write);
static const struct cpsw_sl_dev_id *cpsw_sl_match_id(
const struct cpsw_sl_dev_id *id,
@@ -252,6 +254,7 @@ struct cpsw_sl *cpsw_sl_get(const char *device_id, struct device *dev,
return sl;
}
+EXPORT_SYMBOL_GPL(cpsw_sl_get);
void cpsw_sl_reset(struct cpsw_sl *sl, unsigned long tmo)
{
@@ -270,6 +273,7 @@ void cpsw_sl_reset(struct cpsw_sl *sl, unsigned long tmo)
if (cpsw_sl_reg_read(sl, CPSW_SL_SOFT_RESET) & CPSW_SL_SOFT_RESET_BIT)
dev_err(sl->dev, "cpsw_sl failed to soft-reset.\n");
}
+EXPORT_SYMBOL_GPL(cpsw_sl_reset);
u32 cpsw_sl_ctl_set(struct cpsw_sl *sl, u32 ctl_funcs)
{
@@ -287,6 +291,7 @@ u32 cpsw_sl_ctl_set(struct cpsw_sl *sl, u32 ctl_funcs)
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_sl_ctl_set);
u32 cpsw_sl_ctl_clr(struct cpsw_sl *sl, u32 ctl_funcs)
{
@@ -304,11 +309,13 @@ u32 cpsw_sl_ctl_clr(struct cpsw_sl *sl, u32 ctl_funcs)
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_sl_ctl_clr);
void cpsw_sl_ctl_reset(struct cpsw_sl *sl)
{
cpsw_sl_reg_write(sl, CPSW_SL_MACCONTROL, 0);
}
+EXPORT_SYMBOL_GPL(cpsw_sl_ctl_reset);
int cpsw_sl_wait_for_idle(struct cpsw_sl *sl, unsigned long tmo)
{
@@ -326,3 +333,7 @@ int cpsw_sl_wait_for_idle(struct cpsw_sl *sl, unsigned long tmo)
return 0;
}
+EXPORT_SYMBOL_GPL(cpsw_sl_wait_for_idle);
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("TI Ethernet Switch media-access-controller (MAC) submodule");
diff --git a/drivers/net/ethernet/ti/davinci_cpdma.c b/drivers/net/ethernet/ti/davinci_cpdma.c
index d2eab5cd1e0c9..41e89a19be537 100644
--- a/drivers/net/ethernet/ti/davinci_cpdma.c
+++ b/drivers/net/ethernet/ti/davinci_cpdma.c
@@ -531,6 +531,7 @@ struct cpdma_ctlr *cpdma_ctlr_create(struct cpdma_params *params)
ctlr->num_chan = CPDMA_MAX_CHANNELS;
return ctlr;
}
+EXPORT_SYMBOL_GPL(cpdma_ctlr_create);
int cpdma_ctlr_start(struct cpdma_ctlr *ctlr)
{
@@ -591,6 +592,7 @@ int cpdma_ctlr_start(struct cpdma_ctlr *ctlr)
spin_unlock_irqrestore(&ctlr->lock, flags);
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_ctlr_start);
int cpdma_ctlr_stop(struct cpdma_ctlr *ctlr)
{
@@ -623,6 +625,7 @@ int cpdma_ctlr_stop(struct cpdma_ctlr *ctlr)
spin_unlock_irqrestore(&ctlr->lock, flags);
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_ctlr_stop);
int cpdma_ctlr_destroy(struct cpdma_ctlr *ctlr)
{
@@ -640,6 +643,7 @@ int cpdma_ctlr_destroy(struct cpdma_ctlr *ctlr)
cpdma_desc_pool_destroy(ctlr);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_ctlr_destroy);
int cpdma_ctlr_int_ctrl(struct cpdma_ctlr *ctlr, bool enable)
{
@@ -660,21 +664,25 @@ int cpdma_ctlr_int_ctrl(struct cpdma_ctlr *ctlr, bool enable)
spin_unlock_irqrestore(&ctlr->lock, flags);
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_ctlr_int_ctrl);
void cpdma_ctlr_eoi(struct cpdma_ctlr *ctlr, u32 value)
{
dma_reg_write(ctlr, CPDMA_MACEOIVECTOR, value);
}
+EXPORT_SYMBOL_GPL(cpdma_ctlr_eoi);
u32 cpdma_ctrl_rxchs_state(struct cpdma_ctlr *ctlr)
{
return dma_reg_read(ctlr, CPDMA_RXINTSTATMASKED);
}
+EXPORT_SYMBOL_GPL(cpdma_ctrl_rxchs_state);
u32 cpdma_ctrl_txchs_state(struct cpdma_ctlr *ctlr)
{
return dma_reg_read(ctlr, CPDMA_TXINTSTATMASKED);
}
+EXPORT_SYMBOL_GPL(cpdma_ctrl_txchs_state);
static void cpdma_chan_set_descs(struct cpdma_ctlr *ctlr,
int rx, int desc_num,
@@ -802,6 +810,7 @@ int cpdma_chan_set_weight(struct cpdma_chan *ch, int weight)
spin_unlock_irqrestore(&ctlr->lock, flags);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_set_weight);
/* cpdma_chan_get_min_rate - get minimum allowed rate for channel
* Should be called before cpdma_chan_set_rate.
@@ -816,6 +825,7 @@ u32 cpdma_chan_get_min_rate(struct cpdma_ctlr *ctlr)
return DIV_ROUND_UP(divident, divisor);
}
+EXPORT_SYMBOL_GPL(cpdma_chan_get_min_rate);
/* cpdma_chan_set_rate - limits bandwidth for transmit channel.
* The bandwidth * limited channels have to be in order beginning from lowest.
@@ -860,6 +870,7 @@ int cpdma_chan_set_rate(struct cpdma_chan *ch, u32 rate)
spin_unlock_irqrestore(&ctlr->lock, flags);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_set_rate);
u32 cpdma_chan_get_rate(struct cpdma_chan *ch)
{
@@ -872,6 +883,7 @@ u32 cpdma_chan_get_rate(struct cpdma_chan *ch)
return rate;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_get_rate);
struct cpdma_chan *cpdma_chan_create(struct cpdma_ctlr *ctlr, int chan_num,
cpdma_handler_fn handler, int rx_type)
@@ -931,6 +943,7 @@ struct cpdma_chan *cpdma_chan_create(struct cpdma_ctlr *ctlr, int chan_num,
spin_unlock_irqrestore(&ctlr->lock, flags);
return chan;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_create);
int cpdma_chan_get_rx_buf_num(struct cpdma_chan *chan)
{
@@ -943,6 +956,7 @@ int cpdma_chan_get_rx_buf_num(struct cpdma_chan *chan)
return desc_num;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_get_rx_buf_num);
int cpdma_chan_destroy(struct cpdma_chan *chan)
{
@@ -964,6 +978,7 @@ int cpdma_chan_destroy(struct cpdma_chan *chan)
spin_unlock_irqrestore(&ctlr->lock, flags);
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_destroy);
int cpdma_chan_get_stats(struct cpdma_chan *chan,
struct cpdma_chan_stats *stats)
@@ -976,6 +991,7 @@ int cpdma_chan_get_stats(struct cpdma_chan *chan,
spin_unlock_irqrestore(&chan->lock, flags);
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_get_stats);
static void __cpdma_chan_submit(struct cpdma_chan *chan,
struct cpdma_desc __iomem *desc)
@@ -1100,6 +1116,7 @@ int cpdma_chan_idle_submit(struct cpdma_chan *chan, void *token, void *data,
spin_unlock_irqrestore(&chan->lock, flags);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_idle_submit);
int cpdma_chan_idle_submit_mapped(struct cpdma_chan *chan, void *token,
dma_addr_t data, int len, int directed)
@@ -1125,6 +1142,7 @@ int cpdma_chan_idle_submit_mapped(struct cpdma_chan *chan, void *token,
spin_unlock_irqrestore(&chan->lock, flags);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_idle_submit_mapped);
int cpdma_chan_submit(struct cpdma_chan *chan, void *token, void *data,
int len, int directed)
@@ -1150,6 +1168,7 @@ int cpdma_chan_submit(struct cpdma_chan *chan, void *token, void *data,
spin_unlock_irqrestore(&chan->lock, flags);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_submit);
int cpdma_chan_submit_mapped(struct cpdma_chan *chan, void *token,
dma_addr_t data, int len, int directed)
@@ -1175,6 +1194,7 @@ int cpdma_chan_submit_mapped(struct cpdma_chan *chan, void *token,
spin_unlock_irqrestore(&chan->lock, flags);
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_submit_mapped);
bool cpdma_check_free_tx_desc(struct cpdma_chan *chan)
{
@@ -1189,6 +1209,7 @@ bool cpdma_check_free_tx_desc(struct cpdma_chan *chan)
spin_unlock_irqrestore(&chan->lock, flags);
return free_tx_desc;
}
+EXPORT_SYMBOL_GPL(cpdma_check_free_tx_desc);
static void __cpdma_chan_free(struct cpdma_chan *chan,
struct cpdma_desc __iomem *desc,
@@ -1289,6 +1310,7 @@ int cpdma_chan_process(struct cpdma_chan *chan, int quota)
}
return used;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_process);
int cpdma_chan_start(struct cpdma_chan *chan)
{
@@ -1308,6 +1330,7 @@ int cpdma_chan_start(struct cpdma_chan *chan)
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_start);
int cpdma_chan_stop(struct cpdma_chan *chan)
{
@@ -1370,6 +1393,7 @@ int cpdma_chan_stop(struct cpdma_chan *chan)
spin_unlock_irqrestore(&chan->lock, flags);
return 0;
}
+EXPORT_SYMBOL_GPL(cpdma_chan_stop);
int cpdma_chan_int_ctrl(struct cpdma_chan *chan, bool enable)
{
@@ -1416,11 +1440,13 @@ int cpdma_get_num_rx_descs(struct cpdma_ctlr *ctlr)
{
return ctlr->num_rx_desc;
}
+EXPORT_SYMBOL_GPL(cpdma_get_num_rx_descs);
int cpdma_get_num_tx_descs(struct cpdma_ctlr *ctlr)
{
return ctlr->num_tx_desc;
}
+EXPORT_SYMBOL_GPL(cpdma_get_num_tx_descs);
int cpdma_set_num_rx_descs(struct cpdma_ctlr *ctlr, int num_rx_desc)
{
@@ -1442,3 +1468,4 @@ int cpdma_set_num_rx_descs(struct cpdma_ctlr *ctlr, int num_rx_desc)
return ret;
}
+EXPORT_SYMBOL_GPL(cpdma_set_num_rx_descs);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 125/957] wifi: brcmfmac: Fix error pointer dereference
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 124/957] net: ethernet: ti-cpsw: fix linking built-in code to modules Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 126/957] wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() Greg Kroah-Hartman
` (837 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Arend van Spriel,
Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit dd8592fc6007a451c3e4b9025de365e39de8178a ]
The function brcmf_chip_add_core() can return an error pointer and is
not checked. Add checks for error pointer.
Detected by Smatch:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1010 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1013 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1016 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1019 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c:1022 brcmf_chip_recognition() error:
'core' dereferencing possible ERR_PTR()
Fixes: cb7cf7be9eba7 ("brcmfmac: make chip related functions host interface independent")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260217023043.73631-1-ethantidmore06@gmail.com
[add missing wifi: prefix]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/broadcom/brcm80211/brcmfmac/chip.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
index 4239f2b21e542..dcd8a296de106 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
@@ -1007,18 +1007,33 @@ static int brcmf_chip_recognition(struct brcmf_chip_priv *ci)
core = brcmf_chip_add_core(ci, BCMA_CORE_CHIPCOMMON,
SI_ENUM_BASE_DEFAULT, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_SDIO_DEV,
BCM4329_CORE_BUS_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_INTERNAL_MEM,
BCM4329_CORE_SOCRAM_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_ARM_CM3,
BCM4329_CORE_ARM_BASE, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
core = brcmf_chip_add_core(ci, BCMA_CORE_80211, 0x18001000, 0);
+ if (IS_ERR(core))
+ return PTR_ERR(core);
+
brcmf_chip_sb_corerev(ci, core);
} else if (socitype == SOCI_AI) {
ci->iscoreup = brcmf_chip_ai_iscoreup;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 126/957] wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 125/957] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 127/957] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
` (836 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Escande, Johannes Berg,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Escande <nico.escande@gmail.com>
[ Upstream commit b5b8e295973083abf823fb66647a7c702a8db8a7 ]
A station which has a NSS ratio on the number of streams it is capable of
in 160MHz VHT operation is supposed to use the 'Extended NSS BW Support'
as defined by section '9.4.2.156.2 VHT Capabilities Information field'.
This was missing in ieee80211_determine_our_sta_mode() and so we would
wrongfully downgrade our bandwidth when connecting to an AP that supported
160MHz with messages such as:
[ 37.638346] wlan1: AP XX:XX:XX:XX:XX:XX changed bandwidth in assoc response, new used config is 5280.000 MHz, width 3 (5290.000/0 MHz)
Fixes: 310c8387c638 ("wifi: mac80211: clean up connection process")
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Link: https://patch.msgid.link/20260327100256.3101348-1-nico.escande@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/mlme.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index deef15c074c83..bcc4090ddc1a5 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -5897,7 +5897,8 @@ ieee80211_determine_our_sta_mode(struct ieee80211_sub_if_data *sdata,
if (is_5ghz &&
!(vht_cap.cap & (IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
- IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))) {
+ IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ |
+ IEEE80211_VHT_CAP_EXT_NSS_BW_MASK))) {
conn->bw_limit = IEEE80211_CONN_BW_LIMIT_80;
mlme_link_id_dbg(sdata, link_id,
"no VHT 160 MHz capability on 5 GHz, limiting to 80 MHz");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 127/957] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 126/957] wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 128/957] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
` (835 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quan Sun, Yinhao Hu, Kaiyan Mei,
Dongliang Mu, Jiayuan Chen, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit beaf0e96b1da74549a6cabd040f9667d83b2e97e ]
bpf_lsm_task_to_inode() is called under rcu_read_lock() and
bpf_lsm_inet_conn_established() is called from softirq context, so
neither hook can be used by sleepable LSM programs.
Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/3ab69731-24d1-431a-a351-452aafaaf2a5@std.uestc.edu.cn/T/#u
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20260407122334.344072-1-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/bpf_lsm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 0a59df1c550a0..2eead789b898b 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -357,8 +357,6 @@ BTF_ID(func, bpf_lsm_sb_umount)
BTF_ID(func, bpf_lsm_settime)
#ifdef CONFIG_SECURITY_NETWORK
-BTF_ID(func, bpf_lsm_inet_conn_established)
-
BTF_ID(func, bpf_lsm_socket_accept)
BTF_ID(func, bpf_lsm_socket_bind)
BTF_ID(func, bpf_lsm_socket_connect)
@@ -379,7 +377,6 @@ BTF_ID(func, bpf_lsm_syslog)
BTF_ID(func, bpf_lsm_task_alloc)
BTF_ID(func, bpf_lsm_task_prctl)
BTF_ID(func, bpf_lsm_task_setscheduler)
-BTF_ID(func, bpf_lsm_task_to_inode)
BTF_ID(func, bpf_lsm_userns_create)
BTF_SET_END(sleepable_lsm_hooks)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 128/957] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 127/957] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 129/957] wifi: ath10k: fix station lookup failure during disconnect Greg Kroah-Hartman
` (834 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Emil Tsalapatis, Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 1c22483a2c4bbf747787f328392ca3e68619c4dc ]
CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted. The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.
When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array. A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions). The bug is reachable with CAP_BPF:
BUG: unable to handle page fault for address: ffffed11818b6626
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
RAX: 00000000ffffffff
Call Trace:
<TASK>
bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
bpf_core_apply (kernel/bpf/btf.c:9507)
check_core_relo (kernel/bpf/verifier.c:19475)
bpf_check (kernel/bpf/verifier.c:26031)
bpf_prog_load (kernel/bpf/syscall.c:3089)
__sys_bpf (kernel/bpf/syscall.c:6228)
</TASK>
CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.
Fixes: ddc7c3042614 ("libbpf: implement BPF CO-RE offset relocation algorithm")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260404161221.961828-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/relo_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
index 6eea5edba58a5..0ccc8f548cbaa 100644
--- a/tools/lib/bpf/relo_core.c
+++ b/tools/lib/bpf/relo_core.c
@@ -292,6 +292,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
++spec_str;
if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
return -EINVAL;
+ if (access_idx < 0)
+ return -EINVAL;
if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
return -E2BIG;
spec_str += parsed_len;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 129/957] wifi: ath10k: fix station lookup failure during disconnect
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 128/957] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 130/957] bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking Greg Kroah-Hartman
` (833 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Baochen Qiang,
Rameshkumar Sundaram, Jeff Johnson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
[ Upstream commit 9a34a59c6086ae731a06b3e61b0951feef758648 ]
Recent commit [1] moved station statistics collection to an earlier stage
of the disconnect flow. With this change in place, ath10k fails to resolve
the station entry when handling a peer stats event triggered during
disconnect, resulting in log messages such as:
wlp58s0: deauthenticating from 74:1a:e0:e7:b4:c8 by local choice (Reason: 3=DEAUTH_LEAVING)
ath10k_pci 0000:3a:00.0: not found station for peer stats
ath10k_pci 0000:3a:00.0: failed to parse stats info tlv: -22
The failure occurs because ath10k relies on ieee80211_find_sta_by_ifaddr()
for station lookup. That function uses local->sta_hash, but by the time
the peer stats request is triggered during disconnect, mac80211 has
already removed the station from that hash table, leading to lookup
failure.
Before commit [1], this issue was not visible because the transition from
IEEE80211_STA_NONE to IEEE80211_STA_NOTEXIST prevented ath10k from sending
a peer stats request at all: ath10k_mac_sta_get_peer_stats_info() would
fail early to find the peer and skip requesting statistics.
Fix this by switching the lookup path to ath10k_peer_find(), which queries
ath10k's internal peer table. At the point where the firmware emits the
peer stats event, the peer entry is still present in the driver's list,
ensuring lookup succeeds.
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00309-QCARMSWPZ-1
Fixes: a203dbeeca15 ("wifi: mac80211: collect station statistics earlier when disconnect") # [1]
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Closes: https://lore.kernel.org/ath10k/57671b89-ec9f-4e6c-992c-45eb8e75929c@molgen.mpg.de
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Link: https://patch.msgid.link/20260325-ath10k-station-lookup-failure-v1-1-2e0c970f25d5@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 26 +++++++++++++----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 16d07d619b4df..ba1294c8ee39f 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -3,7 +3,7 @@
* Copyright (c) 2005-2011 Atheros Communications Inc.
* Copyright (c) 2011-2017 Qualcomm Atheros, Inc.
* Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
- * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
*/
#include "core.h"
#include "debug.h"
@@ -14,6 +14,7 @@
#include "wmi-tlv.h"
#include "p2p.h"
#include "testmode.h"
+#include "txrx.h"
#include <linux/bitfield.h>
/***************/
@@ -224,8 +225,9 @@ static int ath10k_wmi_tlv_parse_peer_stats_info(struct ath10k *ar, u16 tag, u16
const void *ptr, void *data)
{
const struct wmi_tlv_peer_stats_info *stat = ptr;
- struct ieee80211_sta *sta;
+ u32 vdev_id = *(u32 *)data;
struct ath10k_sta *arsta;
+ struct ath10k_peer *peer;
if (tag != WMI_TLV_TAG_STRUCT_PEER_STATS_INFO)
return -EPROTO;
@@ -241,20 +243,20 @@ static int ath10k_wmi_tlv_parse_peer_stats_info(struct ath10k *ar, u16 tag, u16
__le32_to_cpu(stat->last_tx_rate_code),
__le32_to_cpu(stat->last_tx_bitrate_kbps));
- rcu_read_lock();
- sta = ieee80211_find_sta_by_ifaddr(ar->hw, stat->peer_macaddr.addr, NULL);
- if (!sta) {
- rcu_read_unlock();
- ath10k_warn(ar, "not found station for peer stats\n");
+ guard(spinlock_bh)(&ar->data_lock);
+
+ peer = ath10k_peer_find(ar, vdev_id, stat->peer_macaddr.addr);
+ if (!peer || !peer->sta) {
+ ath10k_warn(ar, "not found %s with vdev id %u mac addr %pM for peer stats\n",
+ peer ? "sta" : "peer", vdev_id, stat->peer_macaddr.addr);
return -EINVAL;
}
- arsta = (struct ath10k_sta *)sta->drv_priv;
+ arsta = (struct ath10k_sta *)peer->sta->drv_priv;
arsta->rx_rate_code = __le32_to_cpu(stat->last_rx_rate_code);
arsta->rx_bitrate_kbps = __le32_to_cpu(stat->last_rx_bitrate_kbps);
arsta->tx_rate_code = __le32_to_cpu(stat->last_tx_rate_code);
arsta->tx_bitrate_kbps = __le32_to_cpu(stat->last_tx_bitrate_kbps);
- rcu_read_unlock();
return 0;
}
@@ -266,6 +268,7 @@ static int ath10k_wmi_tlv_op_pull_peer_stats_info(struct ath10k *ar,
const struct wmi_tlv_peer_stats_info_ev *ev;
const void *data;
u32 num_peer_stats;
+ u32 vdev_id;
int ret;
tb = ath10k_wmi_tlv_parse_alloc(ar, skb->data, skb->len, GFP_ATOMIC);
@@ -284,15 +287,16 @@ static int ath10k_wmi_tlv_op_pull_peer_stats_info(struct ath10k *ar,
}
num_peer_stats = __le32_to_cpu(ev->num_peers);
+ vdev_id = __le32_to_cpu(ev->vdev_id);
ath10k_dbg(ar, ATH10K_DBG_WMI,
"wmi tlv peer stats info update peer vdev id %d peers %i more data %d\n",
- __le32_to_cpu(ev->vdev_id),
+ vdev_id,
num_peer_stats,
__le32_to_cpu(ev->more_data));
ret = ath10k_wmi_tlv_iter(ar, data, ath10k_wmi_tlv_len(data),
- ath10k_wmi_tlv_parse_peer_stats_info, NULL);
+ ath10k_wmi_tlv_parse_peer_stats_info, &vdev_id);
if (ret)
ath10k_warn(ar, "failed to parse stats info tlv: %d\n", ret);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 130/957] bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 129/957] wifi: ath10k: fix station lookup failure during disconnect Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 131/957] bpf: Fix linked reg delta tracking when src_reg == dst_reg Greg Kroah-Hartman
` (832 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Eduard Zingerman,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 7a433e519364c3c19643e5c857f4fbfaebec441c ]
Previously, the verifier only tracked positive constant deltas between
linked registers using BPF_ADD. This limitation meant patterns like:
r1 = r0;
r1 += -4;
if r1 s>= 0 goto l0_%=; // r1 >= 0 implies r0 >= 4
// verifier couldn't propagate bounds back to r0
if r0 != 0 goto l0_%=;
r0 /= 0; // Verifier thinks this is reachable
l0_%=:
Similar limitation exists for 32-bit registers.
With this change, the verifier can now track negative deltas in reg->off
enabling bound propagation for the above pattern.
For alu32, we make sure the destination register has the upper 32 bits
as 0s before creating the link. BPF_ADD_CONST is split into
BPF_ADD_CONST64 and BPF_ADD_CONST32, the latter is used in case of alu32
and sync_linked_regs uses this to zext the result if known_reg has this
flag.
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260204151741.2678118-2-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Stable-dep-of: d7f14173c0d5 ("bpf: Fix linked reg delta tracking when src_reg == dst_reg")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bpf_verifier.h | 6 ++-
kernel/bpf/verifier.c | 50 +++++++++++++++----
.../selftests/bpf/progs/verifier_bounds.c | 2 +-
3 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 4c497e839526a..4867b0e8b5d9d 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -147,8 +147,12 @@ struct bpf_reg_state {
* registers. Example:
* r1 = r2; both will have r1->id == r2->id == N
* r1 += 10; r1->id == N | BPF_ADD_CONST and r1->off == 10
+ * r3 = r2; both will have r3->id == r2->id == N
+ * w3 += 10; r3->id == N | BPF_ADD_CONST32 and r3->off == 10
*/
-#define BPF_ADD_CONST (1U << 31)
+#define BPF_ADD_CONST64 (1U << 31)
+#define BPF_ADD_CONST32 (1U << 30)
+#define BPF_ADD_CONST (BPF_ADD_CONST64 | BPF_ADD_CONST32)
u32 id;
/* PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned
* from a pointer-cast helper, bpf_sk_fullsock() and
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0d1ec2b5d469a..6cf8b13db301b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15787,6 +15787,13 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
verbose(env, "verifier internal error: no src_reg\n");
return -EFAULT;
}
+ /*
+ * For alu32 linked register tracking, we need to check dst_reg's
+ * umax_value before the ALU operation. After adjust_scalar_min_max_vals(),
+ * alu32 ops will have zero-extended the result, making umax_value <= U32_MAX.
+ */
+ u64 dst_umax = dst_reg->umax_value;
+
err = adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg);
if (err)
return err;
@@ -15796,26 +15803,44 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
* r1 += 0x1
* if r2 < 1000 goto ...
* use r1 in memory access
- * So for 64-bit alu remember constant delta between r2 and r1 and
- * update r1 after 'if' condition.
+ * So remember constant delta between r2 and r1 and update r1 after
+ * 'if' condition.
*/
if (env->bpf_capable &&
- BPF_OP(insn->code) == BPF_ADD && !alu32 &&
- dst_reg->id && is_reg_const(src_reg, false)) {
- u64 val = reg_const_value(src_reg, false);
+ (BPF_OP(insn->code) == BPF_ADD || BPF_OP(insn->code) == BPF_SUB) &&
+ dst_reg->id && is_reg_const(src_reg, alu32)) {
+ u64 val = reg_const_value(src_reg, alu32);
+ s32 off;
+
+ if (!alu32 && ((s64)val < S32_MIN || (s64)val > S32_MAX))
+ goto clear_id;
+
+ if (alu32 && (dst_umax > U32_MAX))
+ goto clear_id;
- if ((dst_reg->id & BPF_ADD_CONST) ||
- /* prevent overflow in sync_linked_regs() later */
- val > (u32)S32_MAX) {
+ off = (s32)val;
+
+ if (BPF_OP(insn->code) == BPF_SUB) {
+ /* Negating S32_MIN would overflow */
+ if (off == S32_MIN)
+ goto clear_id;
+ off = -off;
+ }
+
+ if (dst_reg->id & BPF_ADD_CONST) {
/*
* If the register already went through rX += val
* we cannot accumulate another val into rx->off.
*/
+clear_id:
dst_reg->off = 0;
dst_reg->id = 0;
} else {
- dst_reg->id |= BPF_ADD_CONST;
- dst_reg->off = val;
+ if (alu32)
+ dst_reg->id |= BPF_ADD_CONST32;
+ else
+ dst_reg->id |= BPF_ADD_CONST64;
+ dst_reg->off = off;
}
} else {
/*
@@ -16888,7 +16913,7 @@ static void sync_linked_regs(struct bpf_verifier_state *vstate, struct bpf_reg_s
u32 saved_id = reg->id;
fake_reg.type = SCALAR_VALUE;
- __mark_reg_known(&fake_reg, (s32)reg->off - (s32)known_reg->off);
+ __mark_reg_known(&fake_reg, (s64)reg->off - (s64)known_reg->off);
/* reg = known_reg; reg += delta */
copy_register_state(reg, known_reg);
@@ -16903,6 +16928,9 @@ static void sync_linked_regs(struct bpf_verifier_state *vstate, struct bpf_reg_s
scalar32_min_max_add(reg, &fake_reg);
scalar_min_max_add(reg, &fake_reg);
reg->var_off = tnum_add(reg->var_off, fake_reg.var_off);
+ if (known_reg->id & BPF_ADD_CONST32)
+ zext_32_to_64(reg);
+ reg_bounds_sync(reg);
}
}
}
diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
index e772ae430915f..ea5db79da40ef 100644
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -1477,7 +1477,7 @@ __naked void sub64_full_overflow(void)
SEC("socket")
__description("64-bit subtraction, partial overflow, result in unbounded reg")
__success __log_level(2)
-__msg("3: (1f) r3 -= r2 {{.*}} R3=scalar()")
+__msg("3: (1f) r3 -= r2 {{.*}} R3=scalar(id=1-1)")
__retval(0)
__naked void sub64_partial_overflow(void)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 131/957] bpf: Fix linked reg delta tracking when src_reg == dst_reg
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 130/957] bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 132/957] arm64: entry: Dont preempt with SError or Debug masked Greg Kroah-Hartman
` (831 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, STAR Labs SG, Daniel Borkmann,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit d7f14173c0d5866c3cae759dee560ad1bed10d2e ]
Consider the case of rX += rX where src_reg and dst_reg are pointers to
the same bpf_reg_state in adjust_reg_min_max_vals(). The latter first
modifies the dst_reg in-place, and later in the delta tracking, the
subsequent is_reg_const(src_reg)/reg_const_value(src_reg) reads the
post-{add,sub} value instead of the original source.
This is problematic since it sets an incorrect delta, which sync_linked_regs()
then propagates to linked registers, thus creating a verifier-vs-runtime
mismatch. Fix it by just skipping this corner case.
Fixes: 98d7ca374ba4 ("bpf: Track delta between "linked" registers.")
Reported-by: STAR Labs SG <info@starlabs.sg>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260407192421.508817-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6cf8b13db301b..6d5fc1af7a1f6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15808,7 +15808,8 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
*/
if (env->bpf_capable &&
(BPF_OP(insn->code) == BPF_ADD || BPF_OP(insn->code) == BPF_SUB) &&
- dst_reg->id && is_reg_const(src_reg, alu32)) {
+ dst_reg->id && is_reg_const(src_reg, alu32) &&
+ !(BPF_SRC(insn->code) == BPF_X && insn->src_reg == insn->dst_reg)) {
u64 val = reg_const_value(src_reg, alu32);
s32 off;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 132/957] arm64: entry: Dont preempt with SError or Debug masked
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 131/957] bpf: Fix linked reg delta tracking when src_reg == dst_reg Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 133/957] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
` (830 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz, Vladimir Murzin,
Mark Rutland, Andy Lutomirski, Jinjie Ruan, Peter Zijlstra,
Thomas Gleixner, Will Deacon, Catalin Marinas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 2371bd83b3df9d833191fe58dadb0e69a794a1cd ]
On arm64, involuntary kernel preemption has been subtly broken since the
move to the generic irqentry code. When preemption occurs, the new task
may run with SError and Debug exceptions masked unexpectedly, leading to
a loss of RAS events, breakpoints, watchpoints, and single-step
exceptions.
Prior to moving to the generic irqentry code, involuntary preemption of
kernel mode would only occur when returning from regular interrupts, in
a state where interrupts were masked and all other arm64-specific
exceptions (SError, Debug, and pseudo-NMI) were unmasked. This is the
only state in which it is valid to switch tasks.
As part of moving to the generic irqentry code, the involuntary
preemption logic was moved such that involuntary preemption could occur
when returning from any (non-NMI) exception. As most exception handlers
mask all arm64-specific exceptions before this point, preemption could
occur in a state where arm64-specific exceptions were masked. This is
not a valid state to switch tasks, and resulted in the loss of
exceptions described above.
As a temporary bodge, avoid the loss of exceptions by avoiding
involuntary preemption when SError and/or Debug exceptions are masked.
Practically speaking this means that involuntary preemption will only
occur when returning from regular interrupts, as was the case before
moving to the generic irqentry code.
Fixes: 99eb057ccd67 ("arm64: entry: Move arm64_preempt_schedule_irq() into __exit_to_kernel_mode()")
Reported-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Reported-by: Vladimir Murzin <vladimir.murzin@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Jinjie Ruan <ruanjinjie@huawei.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/entry-common.h | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/entry-common.h b/arch/arm64/include/asm/entry-common.h
index cab8cd78f6938..20f0a7c7bde15 100644
--- a/arch/arm64/include/asm/entry-common.h
+++ b/arch/arm64/include/asm/entry-common.h
@@ -29,14 +29,19 @@ static __always_inline void arch_exit_to_user_mode_work(struct pt_regs *regs,
static inline bool arch_irqentry_exit_need_resched(void)
{
- /*
- * DAIF.DA are cleared at the start of IRQ/FIQ handling, and when GIC
- * priority masking is used the GIC irqchip driver will clear DAIF.IF
- * using gic_arch_enable_irqs() for normal IRQs. If anything is set in
- * DAIF we must have handled an NMI, so skip preemption.
- */
- if (system_uses_irq_prio_masking() && read_sysreg(daif))
- return false;
+ if (system_uses_irq_prio_masking()) {
+ /*
+ * DAIF.DA are cleared at the start of IRQ/FIQ handling, and when GIC
+ * priority masking is used the GIC irqchip driver will clear DAIF.IF
+ * using gic_arch_enable_irqs() for normal IRQs. If anything is set in
+ * DAIF we must have handled an NMI, so skip preemption.
+ */
+ if (read_sysreg(daif))
+ return false;
+ } else {
+ if (read_sysreg(daif) & (PSR_D_BIT | PSR_A_BIT))
+ return false;
+ }
/*
* Preempting a task from an IRQ means we leave copies of PSTATE
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 133/957] ACPI: AGDI: fix missing newline in error message
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 132/957] arm64: entry: Dont preempt with SError or Debug masked Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 134/957] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
` (829 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilkka Koskinen, Haoyu Lu, Hanjun Guo,
Catalin Marinas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoyu Lu <hechushiguitu666@gmail.com>
[ Upstream commit b178330b67abb7293b6de28b2a49d49c83962db5 ]
Add the missing trailing newline to the dev_err() message
printed when SDEI event registration fails.
This keeps the error output as a properly terminated log line.
Fixes: a2a591fb76e6 ("ACPI: AGDI: Add driver for Arm Generic Diagnostic Dump and Reset device")
Reviewed-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
Signed-off-by: Haoyu Lu <hechushiguitu666@gmail.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/arm64/agdi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/arm64/agdi.c b/drivers/acpi/arm64/agdi.c
index e0df3daa4abf0..abe29705744e5 100644
--- a/drivers/acpi/arm64/agdi.c
+++ b/drivers/acpi/arm64/agdi.c
@@ -32,7 +32,7 @@ static int agdi_sdei_probe(struct platform_device *pdev,
err = sdei_event_register(adata->sdei_event, agdi_sdei_handler, pdev);
if (err) {
- dev_err(&pdev->dev, "Failed to register for SDEI event %d",
+ dev_err(&pdev->dev, "Failed to register for SDEI event %d\n",
adata->sdei_event);
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 134/957] arm64: kexec: Remove duplicate allocation for trans_pgd
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 133/957] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 135/957] macsec: Support VLAN-filtering lower devices Greg Kroah-Hartman
` (828 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Wensheng, Pasha Tatashin,
Catalin Marinas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Wensheng <wsw9603@163.com>
[ Upstream commit ee020bf6f14094c9ae434bb37e6957a1fdad513c ]
trans_pgd would be allocated in trans_pgd_create_copy(), so remove the
duplicate allocation before calling trans_pgd_create_copy().
Fixes: 3744b5280e67 ("arm64: kexec: install a copy of the linear-map")
Signed-off-by: Wang Wensheng <wsw9603@163.com>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/machine_kexec.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/kernel/machine_kexec.c b/arch/arm64/kernel/machine_kexec.c
index 6f121a0164a48..28df62051cc97 100644
--- a/arch/arm64/kernel/machine_kexec.c
+++ b/arch/arm64/kernel/machine_kexec.c
@@ -129,9 +129,6 @@ int machine_kexec_post_load(struct kimage *kimage)
}
/* Create a copy of the linear map */
- trans_pgd = kexec_page_alloc(kimage);
- if (!trans_pgd)
- return -ENOMEM;
rc = trans_pgd_create_copy(&info, &trans_pgd, PAGE_OFFSET, PAGE_END);
if (rc)
return rc;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 135/957] macsec: Support VLAN-filtering lower devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 134/957] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 136/957] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
` (827 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Sabrina Dubroca,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit a363b1c8be879c79a688eaf93ba01b63f8b0e63c ]
VLAN-filtering is done through two netdev features
(NETIF_F_HW_VLAN_CTAG_FILTER and NETIF_F_HW_VLAN_STAG_FILTER) and two
netdev ops (ndo_vlan_rx_add_vid and ndo_vlan_rx_kill_vid).
Implement these and advertise the features if the lower device supports
them. This allows proper VLAN filtering to work on top of MACsec
devices, when the lower device is capable of VLAN filtering.
As a concrete example, having this chain of interfaces now works:
vlan_filtering_capable_dev(1) -> macsec_dev(2) -> macsec_vlan_dev(3)
Before the mentioned commit this used to accidentally work because the
MACsec device (and thus the lower device) was put in promiscuous mode
and the VLAN filter was not used. But after commit [1] correctly made
the macsec driver expose the IFF_UNICAST_FLT flag, promiscuous mode was
no longer used and VLAN filters on dev 1 kicked in. Without support in
dev 2 for propagating VLAN filters down, the register_vlan_dev ->
vlan_vid_add -> __vlan_vid_add -> vlan_add_rx_filter_info call from dev
3 is silently eaten (because vlan_hw_filter_capable returns false and
vlan_add_rx_filter_info silently succeeds).
For MACsec, VLAN filters are only relevant for offload, otherwise
the VLANs are encrypted and the lower devices don't care about them. So
VLAN filters are only passed on to lower devices in offload mode.
Flipping between offload modes now needs to offload/unoffload the
filters with vlan_{get,drop}_rx_*_filter_info().
To avoid the back-and-forth filter updating during rollback, the setting
of macsec->offload is moved after the add/del secy ops. This is safe
since none of the code called from those requires macsec->offload.
In case adding the filters fails, the added ones are rolled back and an
error is returned to the operation toggling the offload state.
Fixes: 0349659fd72f ("macsec: set IFF_UNICAST_FLT priv flag")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260408115240.1636047-5-cratiu@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macsec.c | 71 +++++++++++++++++++++++++++++++++++++++-----
1 file changed, 63 insertions(+), 8 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 5200fd5a10e5c..5d820ef619469 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -2584,7 +2584,9 @@ static void macsec_inherit_tso_max(struct net_device *dev)
netif_inherit_tso_max(dev, macsec->real_dev);
}
-static int macsec_update_offload(struct net_device *dev, enum macsec_offload offload)
+static int macsec_update_offload(struct net_device *dev,
+ enum macsec_offload offload,
+ struct netlink_ext_ack *extack)
{
enum macsec_offload prev_offload;
const struct macsec_ops *ops;
@@ -2616,14 +2618,35 @@ static int macsec_update_offload(struct net_device *dev, enum macsec_offload off
if (!ops)
return -EOPNOTSUPP;
- macsec->offload = offload;
-
ctx.secy = &macsec->secy;
ret = offload == MACSEC_OFFLOAD_OFF ? macsec_offload(ops->mdo_del_secy, &ctx)
: macsec_offload(ops->mdo_add_secy, &ctx);
- if (ret) {
- macsec->offload = prev_offload;
+ if (ret)
return ret;
+
+ /* Remove VLAN filters when disabling offload. */
+ if (offload == MACSEC_OFFLOAD_OFF) {
+ vlan_drop_rx_ctag_filter_info(dev);
+ vlan_drop_rx_stag_filter_info(dev);
+ }
+ macsec->offload = offload;
+ /* Add VLAN filters when enabling offload. */
+ if (prev_offload == MACSEC_OFFLOAD_OFF) {
+ ret = vlan_get_rx_ctag_filter_info(dev);
+ if (ret) {
+ NL_SET_ERR_MSG_FMT(extack,
+ "adding ctag VLAN filters failed, err %d",
+ ret);
+ goto rollback_offload;
+ }
+ ret = vlan_get_rx_stag_filter_info(dev);
+ if (ret) {
+ NL_SET_ERR_MSG_FMT(extack,
+ "adding stag VLAN filters failed, err %d",
+ ret);
+ vlan_drop_rx_ctag_filter_info(dev);
+ goto rollback_offload;
+ }
}
macsec_set_head_tail_room(dev);
@@ -2633,6 +2656,12 @@ static int macsec_update_offload(struct net_device *dev, enum macsec_offload off
netdev_update_features(dev);
+ return 0;
+
+rollback_offload:
+ macsec->offload = prev_offload;
+ macsec_offload(ops->mdo_del_secy, &ctx);
+
return ret;
}
@@ -2673,7 +2702,7 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]);
if (macsec->offload != offload)
- ret = macsec_update_offload(dev, offload);
+ ret = macsec_update_offload(dev, offload, info->extack);
out:
rtnl_unlock();
return ret;
@@ -3486,7 +3515,8 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
}
#define MACSEC_FEATURES \
- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
+ (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_HW_VLAN_STAG_FILTER | NETIF_F_HW_VLAN_CTAG_FILTER)
#define MACSEC_OFFLOAD_FEATURES \
(MACSEC_FEATURES | NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES | \
@@ -3707,6 +3737,29 @@ static int macsec_set_mac_address(struct net_device *dev, void *p)
return err;
}
+static int macsec_vlan_rx_add_vid(struct net_device *dev,
+ __be16 proto, u16 vid)
+{
+ struct macsec_dev *macsec = netdev_priv(dev);
+
+ if (!macsec_is_offloaded(macsec))
+ return 0;
+
+ return vlan_vid_add(macsec->real_dev, proto, vid);
+}
+
+static int macsec_vlan_rx_kill_vid(struct net_device *dev,
+ __be16 proto, u16 vid)
+{
+ struct macsec_dev *macsec = netdev_priv(dev);
+
+ if (!macsec_is_offloaded(macsec))
+ return 0;
+
+ vlan_vid_del(macsec->real_dev, proto, vid);
+ return 0;
+}
+
static int macsec_change_mtu(struct net_device *dev, int new_mtu)
{
struct macsec_dev *macsec = macsec_priv(dev);
@@ -3748,6 +3801,8 @@ static const struct net_device_ops macsec_netdev_ops = {
.ndo_set_rx_mode = macsec_dev_set_rx_mode,
.ndo_change_rx_flags = macsec_dev_change_rx_flags,
.ndo_set_mac_address = macsec_set_mac_address,
+ .ndo_vlan_rx_add_vid = macsec_vlan_rx_add_vid,
+ .ndo_vlan_rx_kill_vid = macsec_vlan_rx_kill_vid,
.ndo_start_xmit = macsec_start_xmit,
.ndo_get_stats64 = macsec_get_stats64,
.ndo_get_iflink = macsec_get_iflink,
@@ -3912,7 +3967,7 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
offload = nla_get_u8(data[IFLA_MACSEC_OFFLOAD]);
if (macsec->offload != offload) {
macsec_offload_state_change = true;
- ret = macsec_update_offload(dev, offload);
+ ret = macsec_update_offload(dev, offload, extack);
if (ret)
goto cleanup;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 136/957] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 135/957] macsec: Support VLAN-filtering lower devices Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 137/957] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
` (826 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Nicolai Buchwitz,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 57f3f53d2c9c5a9e133596e2f7bc1c50688a6d38 ]
The write_ptr points to the next open tx_cb. We want to return the
tx_cb that gets rewinded, so we must rewind the pointer first then
return the tx_cb that it points to. That way the txcb can be correctly
cleaned up.
Fixes: 876dbadd53a7 ("net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit()")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-2-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index e142939d87cbe..1791523b83383 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1815,15 +1815,15 @@ static struct enet_cb *bcmgenet_put_txcb(struct bcmgenet_priv *priv,
{
struct enet_cb *tx_cb_ptr;
- tx_cb_ptr = ring->cbs;
- tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
-
/* Rewinding local write pointer */
if (ring->write_ptr == ring->cb_ptr)
ring->write_ptr = ring->end_ptr;
else
ring->write_ptr--;
+ tx_cb_ptr = ring->cbs;
+ tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
+
return tx_cb_ptr;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 137/957] net: bcmgenet: fix leaking free_bds
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 136/957] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 138/957] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
` (825 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 3f3168300efb839028328d720ab3962f91d6a0d0 ]
While reclaiming the tx queue we fast forward the write pointer to
drop any data in flight. These dropped frames are not added back
to the pool of free bds. We also need to tell the netdev that we
are dropping said data.
Fixes: f1bacae8b655 ("net: bcmgenet: support reclaiming unsent Tx packets")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-3-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 1791523b83383..7d4d394c6ab1e 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1981,6 +1981,7 @@ static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
drop = (ring->prod_index - ring->c_index) & DMA_C_INDEX_MASK;
released += drop;
ring->prod_index = ring->c_index & DMA_C_INDEX_MASK;
+ ring->free_bds += drop;
while (drop--) {
cb_ptr = bcmgenet_put_txcb(priv, ring);
skb = cb_ptr->skb;
@@ -1992,6 +1993,7 @@ static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
}
if (skb)
dev_consume_skb_any(skb);
+ netdev_tx_reset_queue(netdev_get_tx_queue(dev, ring->index));
bcmgenet_tdma_ring_writel(priv, ring->index,
ring->prod_index, TDMA_PROD_INDEX);
wr_ptr = ring->write_ptr * WORDS_PER_BD(priv);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 138/957] net: bcmgenet: fix racing timeout handler
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 137/957] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 139/957] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process() Greg Kroah-Hartman
` (824 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Florian Fainelli,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justin.chen@broadcom.com>
[ Upstream commit 5393b2b5bee2ac51a0043dc7f4ac3475f053d08d ]
The bcmgenet_timeout handler tries to take down all tx queues when
a single queue times out. This is over zealous and causes many race
conditions with queues that are still chugging along. Instead lets
only restart the timed out queue.
Fixes: 13ea657806cf ("net: bcmgenet: improve TX timeout")
Signed-off-by: Justin Chen <justin.chen@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de>
Link: https://patch.msgid.link/20260406175756.134567-4-justin.chen@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++-----------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 7d4d394c6ab1e..63cdf6d9d0772 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3475,27 +3475,23 @@ static void bcmgenet_dump_tx_queue(struct bcmgenet_tx_ring *ring)
static void bcmgenet_timeout(struct net_device *dev, unsigned int txqueue)
{
struct bcmgenet_priv *priv = netdev_priv(dev);
- u32 int1_enable = 0;
- unsigned int q;
+ struct bcmgenet_tx_ring *ring = &priv->tx_rings[txqueue];
+ struct netdev_queue *txq = netdev_get_tx_queue(dev, txqueue);
netif_dbg(priv, tx_err, dev, "bcmgenet_timeout\n");
- for (q = 0; q <= priv->hw_params->tx_queues; q++)
- bcmgenet_dump_tx_queue(&priv->tx_rings[q]);
-
- bcmgenet_tx_reclaim_all(dev);
+ bcmgenet_dump_tx_queue(ring);
- for (q = 0; q <= priv->hw_params->tx_queues; q++)
- int1_enable |= (1 << q);
+ bcmgenet_tx_reclaim(dev, ring, true);
- /* Re-enable TX interrupts if disabled */
- bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR);
+ /* Re-enable the TX interrupt for this ring */
+ bcmgenet_intrl2_1_writel(priv, 1 << txqueue, INTRL2_CPU_MASK_CLEAR);
- netif_trans_update(dev);
+ txq_trans_cond_update(txq);
- BCMGENET_STATS64_INC((&priv->tx_rings[txqueue].stats64), errors);
+ BCMGENET_STATS64_INC((&ring->stats64), errors);
- netif_tx_wake_all_queues(dev);
+ netif_tx_wake_queue(txq);
}
#define MAX_MDF_FILTER 17
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 139/957] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 138/957] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 140/957] eth: fbnic: Use wake instead of start Greg Kroah-Hartman
` (823 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 4ae0604a0673e11e2075b178387151fcad5111b5 ]
Add missing dma_rmb() in airoha_qdma_rx_process routine to make sure the
DMA read operations are completed when the NIC reports the processing on
the current descriptor is done. Moreover, add missing READ_ONCE() in
airoha_qdma_rx_process() for DMA descriptor control fields in order to
avoid any compiler reordering.
Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260407-airoha_qdma_rx_process-fix-reordering-v3-1-91c36e9da31f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index bdf600fea9508..060865b98880e 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -596,7 +596,7 @@ static int airoha_qdma_fill_rx_queue(struct airoha_queue *q)
static int airoha_qdma_get_gdm_port(struct airoha_eth *eth,
struct airoha_qdma_desc *desc)
{
- u32 port, sport, msg1 = le32_to_cpu(desc->msg1);
+ u32 port, sport, msg1 = le32_to_cpu(READ_ONCE(desc->msg1));
sport = FIELD_GET(QDMA_ETH_RXMSG_SPORT_MASK, msg1);
switch (sport) {
@@ -624,21 +624,24 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget)
while (done < budget) {
struct airoha_queue_entry *e = &q->entry[q->tail];
struct airoha_qdma_desc *desc = &q->desc[q->tail];
- u32 hash, reason, msg1 = le32_to_cpu(desc->msg1);
- struct page *page = virt_to_head_page(e->buf);
- u32 desc_ctrl = le32_to_cpu(desc->ctrl);
+ u32 hash, reason, msg1, desc_ctrl;
struct airoha_gdm_port *port;
int data_len, len, p;
+ struct page *page;
+ desc_ctrl = le32_to_cpu(READ_ONCE(desc->ctrl));
if (!(desc_ctrl & QDMA_DESC_DONE_MASK))
break;
+ dma_rmb();
+
q->tail = (q->tail + 1) % q->ndesc;
q->queued--;
dma_sync_single_for_cpu(eth->dev, e->dma_addr,
SKB_WITH_OVERHEAD(q->buf_size), dir);
+ page = virt_to_head_page(e->buf);
len = FIELD_GET(QDMA_DESC_LEN_MASK, desc_ctrl);
data_len = q->skb ? q->buf_size
: SKB_WITH_OVERHEAD(q->buf_size);
@@ -682,8 +685,8 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget)
* DMA descriptor. Report DSA tag to the DSA stack
* via skb dst info.
*/
- u32 sptag = FIELD_GET(QDMA_ETH_RXMSG_SPTAG,
- le32_to_cpu(desc->msg0));
+ u32 msg0 = le32_to_cpu(READ_ONCE(desc->msg0));
+ u32 sptag = FIELD_GET(QDMA_ETH_RXMSG_SPTAG, msg0);
if (sptag < ARRAY_SIZE(port->dsa_meta) &&
port->dsa_meta[sptag])
@@ -691,6 +694,7 @@ static int airoha_qdma_rx_process(struct airoha_queue *q, int budget)
&port->dsa_meta[sptag]->dst);
}
+ msg1 = le32_to_cpu(READ_ONCE(desc->msg1));
hash = FIELD_GET(AIROHA_RXD4_FOE_ENTRY, msg1);
if (hash != AIROHA_RXD4_FOE_ENTRY)
skb_set_hash(q->skb, jhash_1word(hash, 0),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 140/957] eth: fbnic: Use wake instead of start
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 139/957] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 141/957] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
` (822 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mohsin Bashir, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohsin Bashir <hmohsin@meta.com>
[ Upstream commit 12ff2a4aee6c86746623d5aed24389dbf6dffded ]
fbnic_up() calls netif_tx_start_all_queues(), which only clears
__QUEUE_STATE_DRV_XOFF. If qdisc backlog has accumulated on any TX
queue before the reconfiguration (e.g. ring resize via ethtool -G),
start does not call __netif_schedule() to kick the qdisc, so the
pending backlog is never drained and the queue stalls.
Switch to netif_tx_wake_all_queues(), which clears DRV_XOFF and also
calls __netif_schedule() on every queue, ensuring any backlog that
built up before the down/up cycle is promptly dequeued.
Fixes: bc6107771bb4 ("eth: fbnic: Allocate a netdevice and napi vectors with queues")
Signed-off-by: Mohsin Bashir <hmohsin@meta.com>
Link: https://patch.msgid.link/20260408002415.2963915-1-mohsin.bashr@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/meta/fbnic/fbnic_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_pci.c b/drivers/net/ethernet/meta/fbnic/fbnic_pci.c
index 698b8a85afb31..99b7c0718e80e 100644
--- a/drivers/net/ethernet/meta/fbnic/fbnic_pci.c
+++ b/drivers/net/ethernet/meta/fbnic/fbnic_pci.c
@@ -139,7 +139,7 @@ void fbnic_up(struct fbnic_net *fbn)
/* Enable Tx/Rx processing */
fbnic_napi_enable(fbn);
- netif_tx_start_all_queues(fbn->netdev);
+ netif_tx_wake_all_queues(fbn->netdev);
fbnic_service_task_start(fbn);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 141/957] netfilter: xt_socket: enable defrag after all other checks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 140/957] eth: fbnic: Use wake instead of start Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 142/957] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
` (821 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 542be3fa5aff54210a02954c38f07e53ea9bdafd ]
Originally this did not matter because defrag was enabled once per netns
and only disabled again on netns dismantle. When this got changed I should
have adjusted checkentry to not leave defrag enabled on error.
Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_socket.c | 23 ++++++-----------------
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 76e01f292aaff..811e53bee4085 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -168,52 +168,41 @@ static int socket_mt_enable_defrag(struct net *net, int family)
static int socket_mt_v1_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
- int err;
-
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V1) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V1);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static int socket_mt_v2_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo;
- int err;
-
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V2) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V2);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static int socket_mt_v3_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo3 *info =
(struct xt_socket_mtinfo3 *)par->matchinfo;
- int err;
- err = socket_mt_enable_defrag(par->net, par->family);
- if (err)
- return err;
if (info->flags & ~XT_SOCKET_FLAGS_V3) {
pr_info_ratelimited("unknown flags 0x%x\n",
info->flags & ~XT_SOCKET_FLAGS_V3);
return -EINVAL;
}
- return 0;
+
+ return socket_mt_enable_defrag(par->net, par->family);
}
static void socket_mt_destroy(const struct xt_mtdtor_param *par)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 142/957] netfilter: nft_fwd_netdev: check ttl/hl before forwarding
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 141/957] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 143/957] bpf: fix mm lifecycle in open-coded task_vma iterator Greg Kroah-Hartman
` (820 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 1dfd95bdf4d18d263aa8fad06bfb9f4d9c992b18 ]
Drop packets if their ttl/hl is too small for forwarding.
Fixes: d32de98ea70f ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_fwd_netdev.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 152a9fb4d23af..256e832f1bb99 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -116,6 +116,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
iph = ip_hdr(skb);
+ if (iph->ttl <= 1) {
+ verdict = NF_DROP;
+ goto out;
+ }
+
ip_decrease_ttl(iph);
neigh_table = NEIGH_ARP_TABLE;
break;
@@ -132,6 +137,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
ip6h = ipv6_hdr(skb);
+ if (ip6h->hop_limit <= 1) {
+ verdict = NF_DROP;
+ goto out;
+ }
+
ip6h->hop_limit--;
neigh_table = NEIGH_ND_TABLE;
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 143/957] bpf: fix mm lifecycle in open-coded task_vma iterator
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 142/957] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 144/957] bpf: switch task_vma iterator from mmap_lock to per-VMA locks Greg Kroah-Hartman
` (819 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit d8e27d2d22b6e2df3a0125b8c08e9aace38c954c ]
The open-coded task_vma iterator reads task->mm locklessly and acquires
mmap_read_trylock() but never calls mmget(). If the task exits
concurrently, the mm_struct can be freed as it is not
SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.
Safely read task->mm with a trylock on alloc_lock and acquire an mm
reference. Drop the reference via bpf_iter_mmput_async() in _destroy()
and error paths. bpf_iter_mmput_async() is a local wrapper around
mmput_async() with a fallback to mmput() on !CONFIG_MMU.
Reject irqs-disabled contexts (including NMI) up front. Operations used
by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)
take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from
NMI or from a tracepoint that fires with those locks held could
deadlock.
A trylock on alloc_lock is used instead of the blocking task_lock()
(get_task_mm) to avoid a deadlock when a softirq BPF program iterates
a task that already holds its alloc_lock on the same CPU.
Fixes: 4ac454682158 ("bpf: Introduce task_vma open-coded iterator kfuncs")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260408154539.3832150-2-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/task_iter.c | 54 +++++++++++++++++++++++++++++++++++++++---
1 file changed, 51 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
index 98d9b4c0daff3..c1f5fbe9dc2f3 100644
--- a/kernel/bpf/task_iter.c
+++ b/kernel/bpf/task_iter.c
@@ -9,6 +9,7 @@
#include <linux/bpf_mem_alloc.h>
#include <linux/btf_ids.h>
#include <linux/mm_types.h>
+#include <linux/sched/mm.h>
#include "mmap_unlock_work.h"
static const char * const iter_task_type_names[] = {
@@ -794,6 +795,15 @@ const struct bpf_func_proto bpf_find_vma_proto = {
.arg5_type = ARG_ANYTHING,
};
+static inline void bpf_iter_mmput_async(struct mm_struct *mm)
+{
+#ifdef CONFIG_MMU
+ mmput_async(mm);
+#else
+ mmput(mm);
+#endif
+}
+
struct bpf_iter_task_vma_kern_data {
struct task_struct *task;
struct mm_struct *mm;
@@ -825,6 +835,24 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
BUILD_BUG_ON(sizeof(struct bpf_iter_task_vma_kern) != sizeof(struct bpf_iter_task_vma));
BUILD_BUG_ON(__alignof__(struct bpf_iter_task_vma_kern) != __alignof__(struct bpf_iter_task_vma));
+ /* bpf_iter_mmput_async() needs mmput_async() which requires CONFIG_MMU */
+ if (!IS_ENABLED(CONFIG_MMU)) {
+ kit->data = NULL;
+ return -EOPNOTSUPP;
+ }
+
+ /*
+ * Reject irqs-disabled contexts including NMI. Operations used
+ * by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)
+ * can take spinlocks with IRQs disabled (pi_lock, pool->lock).
+ * Running from NMI or from a tracepoint that fires with those
+ * locks held could deadlock.
+ */
+ if (irqs_disabled()) {
+ kit->data = NULL;
+ return -EBUSY;
+ }
+
/* is_iter_reg_valid_uninit guarantees that kit hasn't been initialized
* before, so non-NULL kit->data doesn't point to previously
* bpf_mem_alloc'd bpf_iter_task_vma_kern_data
@@ -834,7 +862,25 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
return -ENOMEM;
kit->data->task = get_task_struct(task);
+ /*
+ * Safely read task->mm and acquire an mm reference.
+ *
+ * Cannot use get_task_mm() because its task_lock() is a
+ * blocking spin_lock that would deadlock if the target task
+ * already holds alloc_lock on this CPU (e.g. a softirq BPF
+ * program iterating a task interrupted while holding its
+ * alloc_lock).
+ */
+ if (!spin_trylock(&task->alloc_lock)) {
+ err = -EBUSY;
+ goto err_cleanup_iter;
+ }
kit->data->mm = task->mm;
+ if (kit->data->mm && !(task->flags & PF_KTHREAD))
+ mmget(kit->data->mm);
+ else
+ kit->data->mm = NULL;
+ spin_unlock(&task->alloc_lock);
if (!kit->data->mm) {
err = -ENOENT;
goto err_cleanup_iter;
@@ -844,15 +890,16 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
irq_work_busy = bpf_mmap_unlock_get_irq_work(&kit->data->work);
if (irq_work_busy || !mmap_read_trylock(kit->data->mm)) {
err = -EBUSY;
- goto err_cleanup_iter;
+ goto err_cleanup_mmget;
}
vma_iter_init(&kit->data->vmi, kit->data->mm, addr);
return 0;
+err_cleanup_mmget:
+ bpf_iter_mmput_async(kit->data->mm);
err_cleanup_iter:
- if (kit->data->task)
- put_task_struct(kit->data->task);
+ put_task_struct(kit->data->task);
bpf_mem_free(&bpf_global_ma, kit->data);
/* NULL kit->data signals failed bpf_iter_task_vma initialization */
kit->data = NULL;
@@ -875,6 +922,7 @@ __bpf_kfunc void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it)
if (kit->data) {
bpf_mmap_unlock_mm(kit->data->work, kit->data->mm);
put_task_struct(kit->data->task);
+ bpf_iter_mmput_async(kit->data->mm);
bpf_mem_free(&bpf_global_ma, kit->data);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 144/957] bpf: switch task_vma iterator from mmap_lock to per-VMA locks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 143/957] bpf: fix mm lifecycle in open-coded task_vma iterator Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 145/957] bpf: return VMA snapshot from task_vma iterator Greg Kroah-Hartman
` (818 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit bee9ef4a40a277bf401be43d39ba7f7f063cf39c ]
The open-coded task_vma iterator holds mmap_lock for the entire duration
of iteration, increasing contention on this highly contended lock.
Switch to per-VMA locking. Find the next VMA via an RCU-protected maple
tree walk and lock it with lock_vma_under_rcu(). lock_next_vma() is not
used because its fallback takes mmap_read_lock(), and the iterator must
work in non-sleepable contexts.
lock_vma_under_rcu() is a point lookup (mas_walk) that finds the VMA
containing a given address but cannot iterate across gaps. An
RCU-protected vma_next() walk (mas_find) first locates the next VMA's
vm_start to pass to lock_vma_under_rcu().
Between the RCU walk and the lock, the VMA may be removed, shrunk, or
write-locked. On failure, advance past it using vm_end from the RCU
walk. Because the VMA slab is SLAB_TYPESAFE_BY_RCU, vm_end may be
stale; fall back to PAGE_SIZE advancement when it does not make forward
progress. Concurrent VMA insertions at addresses already passed by the
iterator are not detected.
CONFIG_PER_VMA_LOCK is required; return -EOPNOTSUPP without it.
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260408154539.3832150-3-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Stable-dep-of: 4cbee026db54 ("bpf: return VMA snapshot from task_vma iterator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/task_iter.c | 91 +++++++++++++++++++++++++++++++++---------
1 file changed, 73 insertions(+), 18 deletions(-)
diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
index c1f5fbe9dc2f3..87e87f18913d9 100644
--- a/kernel/bpf/task_iter.c
+++ b/kernel/bpf/task_iter.c
@@ -9,6 +9,7 @@
#include <linux/bpf_mem_alloc.h>
#include <linux/btf_ids.h>
#include <linux/mm_types.h>
+#include <linux/mmap_lock.h>
#include <linux/sched/mm.h>
#include "mmap_unlock_work.h"
@@ -807,8 +808,8 @@ static inline void bpf_iter_mmput_async(struct mm_struct *mm)
struct bpf_iter_task_vma_kern_data {
struct task_struct *task;
struct mm_struct *mm;
- struct mmap_unlock_irq_work *work;
- struct vma_iterator vmi;
+ struct vm_area_struct *locked_vma;
+ u64 next_addr;
};
struct bpf_iter_task_vma {
@@ -829,21 +830,19 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
struct task_struct *task, u64 addr)
{
struct bpf_iter_task_vma_kern *kit = (void *)it;
- bool irq_work_busy = false;
int err;
BUILD_BUG_ON(sizeof(struct bpf_iter_task_vma_kern) != sizeof(struct bpf_iter_task_vma));
BUILD_BUG_ON(__alignof__(struct bpf_iter_task_vma_kern) != __alignof__(struct bpf_iter_task_vma));
- /* bpf_iter_mmput_async() needs mmput_async() which requires CONFIG_MMU */
- if (!IS_ENABLED(CONFIG_MMU)) {
+ if (!IS_ENABLED(CONFIG_PER_VMA_LOCK)) {
kit->data = NULL;
return -EOPNOTSUPP;
}
/*
* Reject irqs-disabled contexts including NMI. Operations used
- * by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)
+ * by _next() and _destroy() (vma_end_read, bpf_iter_mmput_async)
* can take spinlocks with IRQs disabled (pi_lock, pool->lock).
* Running from NMI or from a tracepoint that fires with those
* locks held could deadlock.
@@ -886,18 +885,10 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
goto err_cleanup_iter;
}
- /* kit->data->work == NULL is valid after bpf_mmap_unlock_get_irq_work */
- irq_work_busy = bpf_mmap_unlock_get_irq_work(&kit->data->work);
- if (irq_work_busy || !mmap_read_trylock(kit->data->mm)) {
- err = -EBUSY;
- goto err_cleanup_mmget;
- }
-
- vma_iter_init(&kit->data->vmi, kit->data->mm, addr);
+ kit->data->locked_vma = NULL;
+ kit->data->next_addr = addr;
return 0;
-err_cleanup_mmget:
- bpf_iter_mmput_async(kit->data->mm);
err_cleanup_iter:
put_task_struct(kit->data->task);
bpf_mem_free(&bpf_global_ma, kit->data);
@@ -906,13 +897,76 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
return err;
}
+/*
+ * Find and lock the next VMA at or after data->next_addr.
+ *
+ * lock_vma_under_rcu() is a point lookup (mas_walk): it finds the VMA
+ * containing a given address but cannot iterate. An RCU-protected
+ * maple tree walk with vma_next() (mas_find) is needed first to locate
+ * the next VMA's vm_start across any gap.
+ *
+ * Between the RCU walk and the lock, the VMA may be removed, shrunk,
+ * or write-locked. On failure, advance past it using vm_end from the
+ * RCU walk. SLAB_TYPESAFE_BY_RCU can make vm_end stale, so fall back
+ * to PAGE_SIZE advancement to guarantee forward progress.
+ */
+static struct vm_area_struct *
+bpf_iter_task_vma_find_next(struct bpf_iter_task_vma_kern_data *data)
+{
+ struct vm_area_struct *vma;
+ struct vma_iterator vmi;
+ unsigned long start, end;
+
+retry:
+ rcu_read_lock();
+ vma_iter_init(&vmi, data->mm, data->next_addr);
+ vma = vma_next(&vmi);
+ if (!vma) {
+ rcu_read_unlock();
+ return NULL;
+ }
+ start = vma->vm_start;
+ end = vma->vm_end;
+ rcu_read_unlock();
+
+ vma = lock_vma_under_rcu(data->mm, start);
+ if (!vma) {
+ if (end <= data->next_addr)
+ data->next_addr += PAGE_SIZE;
+ else
+ data->next_addr = end;
+ goto retry;
+ }
+
+ if (unlikely(vma->vm_end <= data->next_addr)) {
+ data->next_addr += PAGE_SIZE;
+ vma_end_read(vma);
+ goto retry;
+ }
+
+ return vma;
+}
+
__bpf_kfunc struct vm_area_struct *bpf_iter_task_vma_next(struct bpf_iter_task_vma *it)
{
struct bpf_iter_task_vma_kern *kit = (void *)it;
+ struct vm_area_struct *vma;
if (!kit->data) /* bpf_iter_task_vma_new failed */
return NULL;
- return vma_next(&kit->data->vmi);
+
+ if (kit->data->locked_vma) {
+ vma_end_read(kit->data->locked_vma);
+ kit->data->locked_vma = NULL;
+ }
+
+ vma = bpf_iter_task_vma_find_next(kit->data);
+ if (!vma)
+ return NULL;
+
+ kit->data->locked_vma = vma;
+ kit->data->next_addr = vma->vm_end;
+ return vma;
}
__bpf_kfunc void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it)
@@ -920,7 +974,8 @@ __bpf_kfunc void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it)
struct bpf_iter_task_vma_kern *kit = (void *)it;
if (kit->data) {
- bpf_mmap_unlock_mm(kit->data->work, kit->data->mm);
+ if (kit->data->locked_vma)
+ vma_end_read(kit->data->locked_vma);
put_task_struct(kit->data->task);
bpf_iter_mmput_async(kit->data->mm);
bpf_mem_free(&bpf_global_ma, kit->data);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 145/957] bpf: return VMA snapshot from task_vma iterator
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 144/957] bpf: switch task_vma iterator from mmap_lock to per-VMA locks Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 146/957] bpf: Fix RCU stall in bpf_fd_array_map_clear() Greg Kroah-Hartman
` (817 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Andrii Nakryiko,
Mykyta Yatsenko, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 4cbee026db54cad39c39db4d356100cb133412b3 ]
Holding the per-VMA lock across the BPF program body creates a lock
ordering problem when helpers acquire locks that depend on mmap_lock:
vm_lock -> i_rwsem -> mmap_lock -> vm_lock
Snapshot the VMA under the per-VMA lock in _next() via memcpy(), then
drop the lock before returning. The BPF program accesses only the
snapshot.
The verifier only trusts vm_mm and vm_file pointers (see
BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is reference-
counted with get_file() under the lock and released via fput() on the
next iteration or in _destroy(). vm_mm is already correct because
lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers
are left as-is by memcpy() since the verifier treats them as untrusted.
Fixes: 4ac454682158 ("bpf: Introduce task_vma open-coded iterator kfuncs")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Mykyta Yatsenko <yatsenko@meta.com>
Link: https://lore.kernel.org/r/20260408154539.3832150-4-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/task_iter.c | 42 ++++++++++++++++++++++++++++++------------
1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/kernel/bpf/task_iter.c b/kernel/bpf/task_iter.c
index 87e87f18913d9..e791ae065c39b 100644
--- a/kernel/bpf/task_iter.c
+++ b/kernel/bpf/task_iter.c
@@ -808,7 +808,7 @@ static inline void bpf_iter_mmput_async(struct mm_struct *mm)
struct bpf_iter_task_vma_kern_data {
struct task_struct *task;
struct mm_struct *mm;
- struct vm_area_struct *locked_vma;
+ struct vm_area_struct snapshot;
u64 next_addr;
};
@@ -842,7 +842,7 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
/*
* Reject irqs-disabled contexts including NMI. Operations used
- * by _next() and _destroy() (vma_end_read, bpf_iter_mmput_async)
+ * by _next() and _destroy() (vma_end_read, fput, bpf_iter_mmput_async)
* can take spinlocks with IRQs disabled (pi_lock, pool->lock).
* Running from NMI or from a tracepoint that fires with those
* locks held could deadlock.
@@ -885,7 +885,7 @@ __bpf_kfunc int bpf_iter_task_vma_new(struct bpf_iter_task_vma *it,
goto err_cleanup_iter;
}
- kit->data->locked_vma = NULL;
+ kit->data->snapshot.vm_file = NULL;
kit->data->next_addr = addr;
return 0;
@@ -947,26 +947,45 @@ bpf_iter_task_vma_find_next(struct bpf_iter_task_vma_kern_data *data)
return vma;
}
+static void bpf_iter_task_vma_snapshot_reset(struct vm_area_struct *snap)
+{
+ if (snap->vm_file) {
+ fput(snap->vm_file);
+ snap->vm_file = NULL;
+ }
+}
+
__bpf_kfunc struct vm_area_struct *bpf_iter_task_vma_next(struct bpf_iter_task_vma *it)
{
struct bpf_iter_task_vma_kern *kit = (void *)it;
- struct vm_area_struct *vma;
+ struct vm_area_struct *snap, *vma;
if (!kit->data) /* bpf_iter_task_vma_new failed */
return NULL;
- if (kit->data->locked_vma) {
- vma_end_read(kit->data->locked_vma);
- kit->data->locked_vma = NULL;
- }
+ snap = &kit->data->snapshot;
+
+ bpf_iter_task_vma_snapshot_reset(snap);
vma = bpf_iter_task_vma_find_next(kit->data);
if (!vma)
return NULL;
- kit->data->locked_vma = vma;
+ memcpy(snap, vma, sizeof(*snap));
+
+ /*
+ * The verifier only trusts vm_mm and vm_file (see
+ * BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). Take a reference
+ * on vm_file; vm_mm is already correct because lock_vma_under_rcu()
+ * verifies vma->vm_mm == mm. All other pointers are untrusted by
+ * the verifier and left as-is.
+ */
+ if (snap->vm_file)
+ get_file(snap->vm_file);
+
kit->data->next_addr = vma->vm_end;
- return vma;
+ vma_end_read(vma);
+ return snap;
}
__bpf_kfunc void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it)
@@ -974,8 +993,7 @@ __bpf_kfunc void bpf_iter_task_vma_destroy(struct bpf_iter_task_vma *it)
struct bpf_iter_task_vma_kern *kit = (void *)it;
if (kit->data) {
- if (kit->data->locked_vma)
- vma_end_read(kit->data->locked_vma);
+ bpf_iter_task_vma_snapshot_reset(&kit->data->snapshot);
put_task_struct(kit->data->task);
bpf_iter_mmput_async(kit->data->mm);
bpf_mem_free(&bpf_global_ma, kit->data);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 146/957] bpf: Fix RCU stall in bpf_fd_array_map_clear()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 145/957] bpf: return VMA snapshot from task_vma iterator Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 147/957] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
` (816 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sun Jian, Sechang Lim,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sechang Lim <rhkrqnwk98@gmail.com>
[ Upstream commit 4406942e65ca128c56c67443832988873c21d2e9 ]
Add a missing cond_resched() in bpf_fd_array_map_clear() loop.
For PROG_ARRAY maps with many entries this loop calls
prog_array_map_poke_run() per entry which can be expensive, and
without yielding this can cause RCU stalls under load:
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 30932 Comm: kworker/0:2 Not tainted 6.14.0-13195-g967e8def1100 #2 PREEMPT(undef)
Workqueue: events prog_array_map_clear_deferred
RIP: 0010:write_comp_data+0x38/0x90 kernel/kcov.c:246
Call Trace:
<TASK>
prog_array_map_poke_run+0x77/0x380 kernel/bpf/arraymap.c:1096
__fd_array_map_delete_elem+0x197/0x310 kernel/bpf/arraymap.c:925
bpf_fd_array_map_clear kernel/bpf/arraymap.c:1000 [inline]
prog_array_map_clear_deferred+0x119/0x1b0 kernel/bpf/arraymap.c:1141
process_one_work+0x898/0x19d0 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x770/0x10b0 kernel/workqueue.c:3400
kthread+0x465/0x880 kernel/kthread.c:464
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x19/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Reviewed-by: Sun Jian <sun.jian.kdev@gmail.com>
Fixes: da765a2f5993 ("bpf: Add poke dependency tracking for prog array maps")
Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
Link: https://lore.kernel.org/r/20260407103823.3942156-1-rhkrqnwk98@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/arraymap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 80b1765a31596..248ab6854cf24 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -1006,8 +1006,10 @@ static void bpf_fd_array_map_clear(struct bpf_map *map, bool need_defer)
struct bpf_array *array = container_of(map, struct bpf_array, map);
int i;
- for (i = 0; i < array->map.max_entries; i++)
+ for (i = 0; i < array->map.max_entries; i++) {
__fd_array_map_delete_elem(map, &i, need_defer);
+ cond_resched();
+ }
}
static void prog_array_map_seq_show_elem(struct bpf_map *map, void *key,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 147/957] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 146/957] bpf: Fix RCU stall in bpf_fd_array_map_clear() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 148/957] net: airoha: Add airoha_ppe_get_num_stats_entries() and airoha_ppe_get_num_total_stats_entries() Greg Kroah-Hartman
` (815 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ecdb8c9878a81eb21e54,
Mashiro Chen, Simon Horman, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mashiro Chen <mashiro.chen@mailbox.org>
[ Upstream commit bf9a38803b2626b01cc769aaf13485d8650f576f ]
sixpack_receive_buf() does not properly skip bytes with TTY error flags.
The while loop iterates through the flags buffer but never advances the
data pointer (cp), and passes the original count (including error bytes)
to sixpack_decode(). This causes sixpack_decode() to process bytes that
should have been skipped due to TTY errors. The TTY layer does not
guarantee that cp[i] holds a meaningful value when fp[i] is set, so
passing those positions to sixpack_decode() results in KMSAN reporting
an uninit-value read.
Fix this by processing bytes one at a time, advancing cp on each
iteration, and only passing valid (non-error) bytes to sixpack_decode().
This matches the pattern used by slip_receive_buf() and
mkiss_receive_buf() for the same purpose.
Reported-by: syzbot+ecdb8c9878a81eb21e54@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ecdb8c9878a81eb21e54
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260407173101.107352-1-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/6pack.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 885992951e8a6..c8b2dc5c1becc 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -391,7 +391,6 @@ static void sixpack_receive_buf(struct tty_struct *tty, const u8 *cp,
const u8 *fp, size_t count)
{
struct sixpack *sp;
- size_t count1;
if (!count)
return;
@@ -401,16 +400,16 @@ static void sixpack_receive_buf(struct tty_struct *tty, const u8 *cp,
return;
/* Read the characters out of the buffer */
- count1 = count;
- while (count) {
- count--;
+ while (count--) {
if (fp && *fp++) {
if (!test_and_set_bit(SIXPF_ERROR, &sp->flags))
sp->dev->stats.rx_errors++;
+ cp++;
continue;
}
+ sixpack_decode(sp, cp, 1);
+ cp++;
}
- sixpack_decode(sp, cp, count1);
tty_unthrottle(tty);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 148/957] net: airoha: Add airoha_ppe_get_num_stats_entries() and airoha_ppe_get_num_total_stats_entries()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 147/957] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 149/957] net: airoha: Add airoha_eth_soc_data struct Greg Kroah-Hartman
` (814 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 15f357cd4581ce6e02e5e97719320600783140ec ]
Introduce airoha_ppe_get_num_stats_entries and
airoha_ppe_get_num_total_stats_entries routines in order to make the
code more readable controlling if CONFIG_NET_AIROHA_FLOW_STATS is
enabled or disabled.
Modify airoha_ppe_foe_get_flow_stats_index routine signature relying on
airoha_ppe_get_num_total_stats_entries().
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-3-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 02f729643959 ("net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.h | 10 +--
drivers/net/ethernet/airoha/airoha_ppe.c | 101 ++++++++++++++++++-----
2 files changed, 81 insertions(+), 30 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index cd13c1c1224f6..3e43f01e9a652 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -50,15 +50,9 @@
#define PPE_NUM 2
#define PPE1_SRAM_NUM_ENTRIES (8 * 1024)
-#define PPE_SRAM_NUM_ENTRIES (2 * PPE1_SRAM_NUM_ENTRIES)
-#ifdef CONFIG_NET_AIROHA_FLOW_STATS
+#define PPE_SRAM_NUM_ENTRIES (PPE_NUM * PPE1_SRAM_NUM_ENTRIES)
#define PPE1_STATS_NUM_ENTRIES (4 * 1024)
-#else
-#define PPE1_STATS_NUM_ENTRIES 0
-#endif /* CONFIG_NET_AIROHA_FLOW_STATS */
-#define PPE_STATS_NUM_ENTRIES (2 * PPE1_STATS_NUM_ENTRIES)
-#define PPE1_SRAM_NUM_DATA_ENTRIES (PPE1_SRAM_NUM_ENTRIES - PPE1_STATS_NUM_ENTRIES)
-#define PPE_SRAM_NUM_DATA_ENTRIES (2 * PPE1_SRAM_NUM_DATA_ENTRIES)
+#define PPE_STATS_NUM_ENTRIES (PPE_NUM * PPE1_STATS_NUM_ENTRIES)
#define PPE_DRAM_NUM_ENTRIES (16 * 1024)
#define PPE_NUM_ENTRIES (PPE_SRAM_NUM_ENTRIES + PPE_DRAM_NUM_ENTRIES)
#define PPE_HASH_MASK (PPE_NUM_ENTRIES - 1)
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index b3632f964a580..117dfc21d6a81 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -32,6 +32,24 @@ static const struct rhashtable_params airoha_l2_flow_table_params = {
.automatic_shrinking = true,
};
+static int airoha_ppe_get_num_stats_entries(struct airoha_ppe *ppe)
+{
+ if (!IS_ENABLED(CONFIG_NET_AIROHA_FLOW_STATS))
+ return -EOPNOTSUPP;
+
+ return PPE1_STATS_NUM_ENTRIES;
+}
+
+static int airoha_ppe_get_total_num_stats_entries(struct airoha_ppe *ppe)
+{
+ int num_stats = airoha_ppe_get_num_stats_entries(ppe);
+
+ if (num_stats > 0)
+ num_stats = num_stats * PPE_NUM;
+
+ return num_stats;
+}
+
static bool airoha_ppe2_is_enabled(struct airoha_eth *eth)
{
return airoha_fe_rr(eth, REG_PPE_GLO_CFG(1)) & PPE_GLO_CFG_EN_MASK;
@@ -48,7 +66,7 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
{
u32 sram_tb_size, sram_num_entries, dram_num_entries;
struct airoha_eth *eth = ppe->eth;
- int i;
+ int i, sram_num_stats_entries;
sram_tb_size = PPE_SRAM_NUM_ENTRIES * sizeof(struct airoha_foe_entry);
dram_num_entries = PPE_RAM_NUM_ENTRIES_SHIFT(PPE_DRAM_NUM_ENTRIES);
@@ -103,8 +121,13 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
}
if (airoha_ppe2_is_enabled(eth)) {
- sram_num_entries =
- PPE_RAM_NUM_ENTRIES_SHIFT(PPE1_SRAM_NUM_DATA_ENTRIES);
+ sram_num_entries = PPE1_SRAM_NUM_ENTRIES;
+ sram_num_stats_entries =
+ airoha_ppe_get_num_stats_entries(ppe);
+ if (sram_num_stats_entries > 0)
+ sram_num_entries -= sram_num_stats_entries;
+ sram_num_entries = PPE_RAM_NUM_ENTRIES_SHIFT(sram_num_entries);
+
airoha_fe_rmw(eth, REG_PPE_TB_CFG(0),
PPE_SRAM_TB_NUM_ENTRY_MASK |
PPE_DRAM_TB_NUM_ENTRY_MASK,
@@ -120,8 +143,13 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
FIELD_PREP(PPE_DRAM_TB_NUM_ENTRY_MASK,
dram_num_entries));
} else {
- sram_num_entries =
- PPE_RAM_NUM_ENTRIES_SHIFT(PPE_SRAM_NUM_DATA_ENTRIES);
+ sram_num_entries = PPE_SRAM_NUM_ENTRIES;
+ sram_num_stats_entries =
+ airoha_ppe_get_total_num_stats_entries(ppe);
+ if (sram_num_stats_entries > 0)
+ sram_num_entries -= sram_num_stats_entries;
+ sram_num_entries = PPE_RAM_NUM_ENTRIES_SHIFT(sram_num_entries);
+
airoha_fe_rmw(eth, REG_PPE_TB_CFG(0),
PPE_SRAM_TB_NUM_ENTRY_MASK |
PPE_DRAM_TB_NUM_ENTRY_MASK,
@@ -482,13 +510,21 @@ static u32 airoha_ppe_foe_get_entry_hash(struct airoha_foe_entry *hwe)
return hash;
}
-static u32 airoha_ppe_foe_get_flow_stats_index(struct airoha_ppe *ppe, u32 hash)
+static int airoha_ppe_foe_get_flow_stats_index(struct airoha_ppe *ppe,
+ u32 hash, u32 *index)
{
- if (!airoha_ppe2_is_enabled(ppe->eth))
- return hash;
+ int ppe_num_stats_entries;
+
+ ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
+ if (ppe_num_stats_entries < 0)
+ return ppe_num_stats_entries;
- return hash >= PPE_STATS_NUM_ENTRIES ? hash - PPE1_STATS_NUM_ENTRIES
- : hash;
+ *index = hash;
+ if (airoha_ppe2_is_enabled(ppe->eth) &&
+ hash >= ppe_num_stats_entries)
+ *index = *index - PPE_STATS_NUM_ENTRIES;
+
+ return 0;
}
static void airoha_ppe_foe_flow_stat_entry_reset(struct airoha_ppe *ppe,
@@ -502,9 +538,13 @@ static void airoha_ppe_foe_flow_stat_entry_reset(struct airoha_ppe *ppe,
static void airoha_ppe_foe_flow_stats_reset(struct airoha_ppe *ppe,
struct airoha_npu *npu)
{
- int i;
+ int i, ppe_num_stats_entries;
+
+ ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
+ if (ppe_num_stats_entries < 0)
+ return;
- for (i = 0; i < PPE_STATS_NUM_ENTRIES; i++)
+ for (i = 0; i < ppe_num_stats_entries; i++)
airoha_ppe_foe_flow_stat_entry_reset(ppe, npu, i);
}
@@ -515,10 +555,17 @@ static void airoha_ppe_foe_flow_stats_update(struct airoha_ppe *ppe,
{
int type = FIELD_GET(AIROHA_FOE_IB1_BIND_PACKET_TYPE, hwe->ib1);
u32 index, pse_port, val, *data, *ib2, *meter;
+ int ppe_num_stats_entries;
u8 nbq;
- index = airoha_ppe_foe_get_flow_stats_index(ppe, hash);
- if (index >= PPE_STATS_NUM_ENTRIES)
+ ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
+ if (ppe_num_stats_entries < 0)
+ return;
+
+ if (airoha_ppe_foe_get_flow_stats_index(ppe, hash, &index))
+ return;
+
+ if (index >= ppe_num_stats_entries)
return;
if (type == PPE_PKT_TYPE_BRIDGE) {
@@ -1160,11 +1207,19 @@ static int airoha_ppe_flow_offload_destroy(struct airoha_eth *eth,
void airoha_ppe_foe_entry_get_stats(struct airoha_ppe *ppe, u32 hash,
struct airoha_foe_stats64 *stats)
{
- u32 index = airoha_ppe_foe_get_flow_stats_index(ppe, hash);
struct airoha_eth *eth = ppe->eth;
+ int ppe_num_stats_entries;
struct airoha_npu *npu;
+ u32 index;
+
+ ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
+ if (ppe_num_stats_entries < 0)
+ return;
- if (index >= PPE_STATS_NUM_ENTRIES)
+ if (airoha_ppe_foe_get_flow_stats_index(ppe, hash, &index))
+ return;
+
+ if (index >= ppe_num_stats_entries)
return;
rcu_read_lock();
@@ -1259,7 +1314,7 @@ static int airoha_ppe_offload_setup(struct airoha_eth *eth)
{
struct airoha_npu *npu = airoha_ppe_npu_get(eth);
struct airoha_ppe *ppe = eth->ppe;
- int err;
+ int err, ppe_num_stats_entries;
if (IS_ERR(npu))
return PTR_ERR(npu);
@@ -1268,9 +1323,10 @@ static int airoha_ppe_offload_setup(struct airoha_eth *eth)
if (err)
goto error_npu_put;
- if (PPE_STATS_NUM_ENTRIES) {
+ ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
+ if (ppe_num_stats_entries > 0) {
err = npu->ops.ppe_init_stats(npu, ppe->foe_stats_dma,
- PPE_STATS_NUM_ENTRIES);
+ ppe_num_stats_entries);
if (err)
goto error_npu_put;
}
@@ -1407,8 +1463,8 @@ EXPORT_SYMBOL_GPL(airoha_ppe_put_dev);
int airoha_ppe_init(struct airoha_eth *eth)
{
+ int foe_size, err, ppe_num_stats_entries;
struct airoha_ppe *ppe;
- int foe_size, err;
ppe = devm_kzalloc(eth->dev, sizeof(*ppe), GFP_KERNEL);
if (!ppe)
@@ -1433,8 +1489,9 @@ int airoha_ppe_init(struct airoha_eth *eth)
if (!ppe->foe_flow)
return -ENOMEM;
- foe_size = PPE_STATS_NUM_ENTRIES * sizeof(*ppe->foe_stats);
- if (foe_size) {
+ ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
+ if (ppe_num_stats_entries > 0) {
+ foe_size = ppe_num_stats_entries * sizeof(*ppe->foe_stats);
ppe->foe_stats = dmam_alloc_coherent(eth->dev, foe_size,
&ppe->foe_stats_dma,
GFP_KERNEL);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 149/957] net: airoha: Add airoha_eth_soc_data struct
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 148/957] net: airoha: Add airoha_ppe_get_num_stats_entries() and airoha_ppe_get_num_total_stats_entries() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 150/957] net: airoha: Generalize airoha_ppe2_is_enabled routine Greg Kroah-Hartman
` (813 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Marangi, Simon Horman,
Lorenzo Bianconi, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 5863b4e065e2253ef05684f728a04e4972046bcb ]
Introduce airoha_eth_soc_data struct to contain differences between
various SoC. Move XSI reset names in airoha_eth_soc_data. This is a
preliminary patch to enable AN7583 ethernet controller support in
airoha-eth driver.
Co-developed-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-4-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 02f729643959 ("net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 42 +++++++++++++++++++-----
drivers/net/ethernet/airoha/airoha_eth.h | 17 ++++++++--
2 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 060865b98880e..5162f2a689000 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1406,8 +1406,7 @@ static int airoha_hw_init(struct platform_device *pdev,
int err, i;
/* disable xsi */
- err = reset_control_bulk_assert(ARRAY_SIZE(eth->xsi_rsts),
- eth->xsi_rsts);
+ err = reset_control_bulk_assert(eth->soc->num_xsi_rsts, eth->xsi_rsts);
if (err)
return err;
@@ -2943,6 +2942,7 @@ static int airoha_register_gdm_devices(struct airoha_eth *eth)
static int airoha_probe(struct platform_device *pdev)
{
+ struct reset_control_bulk_data *xsi_rsts;
struct device_node *np;
struct airoha_eth *eth;
int i, err;
@@ -2951,6 +2951,10 @@ static int airoha_probe(struct platform_device *pdev)
if (!eth)
return -ENOMEM;
+ eth->soc = of_device_get_match_data(&pdev->dev);
+ if (!eth->soc)
+ return -EINVAL;
+
eth->dev = &pdev->dev;
err = dma_set_mask_and_coherent(eth->dev, DMA_BIT_MASK(32));
@@ -2975,13 +2979,18 @@ static int airoha_probe(struct platform_device *pdev)
return err;
}
- eth->xsi_rsts[0].id = "xsi-mac";
- eth->xsi_rsts[1].id = "hsi0-mac";
- eth->xsi_rsts[2].id = "hsi1-mac";
- eth->xsi_rsts[3].id = "hsi-mac";
- eth->xsi_rsts[4].id = "xfp-mac";
+ xsi_rsts = devm_kzalloc(eth->dev,
+ eth->soc->num_xsi_rsts * sizeof(*xsi_rsts),
+ GFP_KERNEL);
+ if (err)
+ return err;
+
+ eth->xsi_rsts = xsi_rsts;
+ for (i = 0; i < eth->soc->num_xsi_rsts; i++)
+ eth->xsi_rsts[i].id = eth->soc->xsi_rsts_names[i];
+
err = devm_reset_control_bulk_get_exclusive(eth->dev,
- ARRAY_SIZE(eth->xsi_rsts),
+ eth->soc->num_xsi_rsts,
eth->xsi_rsts);
if (err) {
dev_err(eth->dev, "failed to get bulk xsi reset lines\n");
@@ -3074,8 +3083,23 @@ static void airoha_remove(struct platform_device *pdev)
platform_set_drvdata(pdev, NULL);
}
+static const char * const en7581_xsi_rsts_names[] = {
+ "xsi-mac",
+ "hsi0-mac",
+ "hsi1-mac",
+ "hsi-mac",
+ "xfp-mac",
+};
+
+static const struct airoha_eth_soc_data en7581_soc_data = {
+ .version = 0x7581,
+ .xsi_rsts_names = en7581_xsi_rsts_names,
+ .num_xsi_rsts = ARRAY_SIZE(en7581_xsi_rsts_names),
+ .num_ppe = 2,
+};
+
static const struct of_device_id of_airoha_match[] = {
- { .compatible = "airoha,en7581-eth" },
+ { .compatible = "airoha,en7581-eth", .data = &en7581_soc_data },
{ /* sentinel */ }
};
MODULE_DEVICE_TABLE(of, of_airoha_match);
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 3e43f01e9a652..655bc6acd80f0 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -21,7 +21,6 @@
#define AIROHA_MAX_NUM_IRQ_BANKS 4
#define AIROHA_MAX_DSA_PORTS 7
#define AIROHA_MAX_NUM_RSTS 3
-#define AIROHA_MAX_NUM_XSI_RSTS 5
#define AIROHA_MAX_MTU 9216
#define AIROHA_MAX_PACKET_SIZE 2048
#define AIROHA_NUM_QOS_CHANNELS 4
@@ -556,9 +555,18 @@ struct airoha_ppe {
struct dentry *debugfs_dir;
};
+struct airoha_eth_soc_data {
+ u16 version;
+ const char * const *xsi_rsts_names;
+ int num_xsi_rsts;
+ int num_ppe;
+};
+
struct airoha_eth {
struct device *dev;
+ const struct airoha_eth_soc_data *soc;
+
unsigned long state;
void __iomem *fe_regs;
@@ -568,7 +576,7 @@ struct airoha_eth {
struct rhashtable flow_table;
struct reset_control_bulk_data rsts[AIROHA_MAX_NUM_RSTS];
- struct reset_control_bulk_data xsi_rsts[AIROHA_MAX_NUM_XSI_RSTS];
+ struct reset_control_bulk_data *xsi_rsts;
struct net_device *napi_dev;
@@ -611,6 +619,11 @@ static inline bool airhoa_is_lan_gdm_port(struct airoha_gdm_port *port)
return port->id == 1;
}
+static inline bool airoha_is_7581(struct airoha_eth *eth)
+{
+ return eth->soc->version == 0x7581;
+}
+
bool airoha_is_valid_gdm_port(struct airoha_eth *eth,
struct airoha_gdm_port *port);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 150/957] net: airoha: Generalize airoha_ppe2_is_enabled routine
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 149/957] net: airoha: Add airoha_eth_soc_data struct Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 151/957] net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available Greg Kroah-Hartman
` (812 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit ef9449f080b61920cdc3d3106f8ffc2d9ba8b861 ]
Rename airoha_ppe2_is_enabled() in airoha_ppe_is_enabled() and
generalize it in order to check if each PPE module is enabled.
Rely on airoha_ppe_is_enabled routine to properly initialize PPE for
AN7583 SoC since AN7583 does not support PPE2.
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-5-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 02f729643959 ("net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 32 ++++++++++++++++--------
drivers/net/ethernet/airoha/airoha_eth.h | 1 +
drivers/net/ethernet/airoha/airoha_ppe.c | 17 +++++++------
3 files changed, 32 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 5162f2a689000..677e40001f9f2 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -297,8 +297,11 @@ static void airoha_fe_pse_ports_init(struct airoha_eth *eth)
int q;
all_rsv = airoha_fe_get_pse_all_rsv(eth);
- /* hw misses PPE2 oq rsv */
- all_rsv += PSE_RSV_PAGES * pse_port_num_queues[FE_PSE_PORT_PPE2];
+ if (airoha_ppe_is_enabled(eth, 1)) {
+ /* hw misses PPE2 oq rsv */
+ all_rsv += PSE_RSV_PAGES *
+ pse_port_num_queues[FE_PSE_PORT_PPE2];
+ }
airoha_fe_set(eth, REG_FE_PSE_BUF_SET, all_rsv);
/* CMD1 */
@@ -335,13 +338,17 @@ static void airoha_fe_pse_ports_init(struct airoha_eth *eth)
for (q = 4; q < pse_port_num_queues[FE_PSE_PORT_CDM4]; q++)
airoha_fe_set_pse_oq_rsv(eth, FE_PSE_PORT_CDM4, q,
PSE_QUEUE_RSV_PAGES);
- /* PPE2 */
- for (q = 0; q < pse_port_num_queues[FE_PSE_PORT_PPE2]; q++) {
- if (q < pse_port_num_queues[FE_PSE_PORT_PPE2] / 2)
- airoha_fe_set_pse_oq_rsv(eth, FE_PSE_PORT_PPE2, q,
- PSE_QUEUE_RSV_PAGES);
- else
- airoha_fe_set_pse_oq_rsv(eth, FE_PSE_PORT_PPE2, q, 0);
+ if (airoha_ppe_is_enabled(eth, 1)) {
+ /* PPE2 */
+ for (q = 0; q < pse_port_num_queues[FE_PSE_PORT_PPE2]; q++) {
+ if (q < pse_port_num_queues[FE_PSE_PORT_PPE2] / 2)
+ airoha_fe_set_pse_oq_rsv(eth, FE_PSE_PORT_PPE2,
+ q,
+ PSE_QUEUE_RSV_PAGES);
+ else
+ airoha_fe_set_pse_oq_rsv(eth, FE_PSE_PORT_PPE2,
+ q, 0);
+ }
}
/* GMD4 */
for (q = 0; q < pse_port_num_queues[FE_PSE_PORT_GDM4]; q++)
@@ -1781,8 +1788,11 @@ static int airoha_dev_init(struct net_device *dev)
airhoha_set_gdm2_loopback(port);
fallthrough;
case 2:
- pse_port = FE_PSE_PORT_PPE2;
- break;
+ if (airoha_ppe_is_enabled(eth, 1)) {
+ pse_port = FE_PSE_PORT_PPE2;
+ break;
+ }
+ fallthrough;
default:
pse_port = FE_PSE_PORT_PPE1;
break;
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 655bc6acd80f0..d76f71558f8c2 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -627,6 +627,7 @@ static inline bool airoha_is_7581(struct airoha_eth *eth)
bool airoha_is_valid_gdm_port(struct airoha_eth *eth,
struct airoha_gdm_port *port);
+bool airoha_ppe_is_enabled(struct airoha_eth *eth, int index);
void airoha_ppe_check_skb(struct airoha_ppe_dev *dev, struct sk_buff *skb,
u16 hash, bool rx_wlan);
int airoha_ppe_setup_tc_block_cb(struct airoha_ppe_dev *dev, void *type_data);
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 117dfc21d6a81..4ed244557065d 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -50,9 +50,12 @@ static int airoha_ppe_get_total_num_stats_entries(struct airoha_ppe *ppe)
return num_stats;
}
-static bool airoha_ppe2_is_enabled(struct airoha_eth *eth)
+bool airoha_ppe_is_enabled(struct airoha_eth *eth, int index)
{
- return airoha_fe_rr(eth, REG_PPE_GLO_CFG(1)) & PPE_GLO_CFG_EN_MASK;
+ if (index >= eth->soc->num_ppe)
+ return false;
+
+ return airoha_fe_rr(eth, REG_PPE_GLO_CFG(index)) & PPE_GLO_CFG_EN_MASK;
}
static u32 airoha_ppe_get_timestamp(struct airoha_ppe *ppe)
@@ -120,7 +123,7 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
AIROHA_MAX_MTU));
}
- if (airoha_ppe2_is_enabled(eth)) {
+ if (airoha_ppe_is_enabled(eth, 1)) {
sram_num_entries = PPE1_SRAM_NUM_ENTRIES;
sram_num_stats_entries =
airoha_ppe_get_num_stats_entries(ppe);
@@ -520,7 +523,7 @@ static int airoha_ppe_foe_get_flow_stats_index(struct airoha_ppe *ppe,
return ppe_num_stats_entries;
*index = hash;
- if (airoha_ppe2_is_enabled(ppe->eth) &&
+ if (airoha_ppe_is_enabled(ppe->eth, 1) &&
hash >= ppe_num_stats_entries)
*index = *index - PPE_STATS_NUM_ENTRIES;
@@ -615,7 +618,7 @@ airoha_ppe_foe_get_entry_locked(struct airoha_ppe *ppe, u32 hash)
u32 val;
int i;
- ppe2 = airoha_ppe2_is_enabled(ppe->eth) &&
+ ppe2 = airoha_ppe_is_enabled(ppe->eth, 1) &&
hash >= PPE1_SRAM_NUM_ENTRIES;
airoha_fe_wr(ppe->eth, REG_PPE_RAM_CTRL(ppe2),
FIELD_PREP(PPE_SRAM_CTRL_ENTRY_MASK, hash) |
@@ -693,7 +696,7 @@ static int airoha_ppe_foe_commit_entry(struct airoha_ppe *ppe,
if (hash < PPE_SRAM_NUM_ENTRIES) {
dma_addr_t addr = ppe->foe_dma + hash * sizeof(*hwe);
- bool ppe2 = airoha_ppe2_is_enabled(eth) &&
+ bool ppe2 = airoha_ppe_is_enabled(eth, 1) &&
hash >= PPE1_SRAM_NUM_ENTRIES;
err = npu->ops.ppe_foe_commit_entry(npu, addr, sizeof(*hwe),
@@ -1288,7 +1291,7 @@ static int airoha_ppe_flush_sram_entries(struct airoha_ppe *ppe,
int i, sram_num_entries = PPE_SRAM_NUM_ENTRIES;
struct airoha_foe_entry *hwe = ppe->foe;
- if (airoha_ppe2_is_enabled(ppe->eth))
+ if (airoha_ppe_is_enabled(ppe->eth, 1))
sram_num_entries = sram_num_entries / 2;
for (i = 0; i < sram_num_entries; i++)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 151/957] net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 150/957] net: airoha: Generalize airoha_ppe2_is_enabled routine Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 152/957] bpf: Relax scalar id equivalence for state pruning Greg Kroah-Hartman
` (811 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xuegang Lu, Lorenzo Bianconi,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 02f72964395911e7a09bb2ea2fe6f79eda4ea2c2 ]
airoha_fe_set routine is used to set specified bits to 1 in the selected
register. In the FE_PSE_BUF_SET case this can due to a overestimation of
the required buffers for I/O queues since we can miss to set some bits
of PSE_ALLRSV_MASK subfield to 0. Fix the issue relying on airoha_fe_rmw
routine instead.
Fixes: 8e38e08f2c560 ("net: airoha: fix PSE memory configuration in airoha_fe_pse_ports_init()")
Tested-by: Xuegang Lu <xuegang.lu@airoha.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260408-airoha-reg_fe_pse_buf_set-v1-1-0c4fa8f4d1d9@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 677e40001f9f2..132a32e9e633a 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -293,16 +293,18 @@ static void airoha_fe_pse_ports_init(struct airoha_eth *eth)
[FE_PSE_PORT_GDM4] = 2,
[FE_PSE_PORT_CDM5] = 2,
};
- u32 all_rsv;
int q;
- all_rsv = airoha_fe_get_pse_all_rsv(eth);
if (airoha_ppe_is_enabled(eth, 1)) {
+ u32 all_rsv;
+
/* hw misses PPE2 oq rsv */
+ all_rsv = airoha_fe_get_pse_all_rsv(eth);
all_rsv += PSE_RSV_PAGES *
pse_port_num_queues[FE_PSE_PORT_PPE2];
+ airoha_fe_rmw(eth, REG_FE_PSE_BUF_SET, PSE_ALLRSV_MASK,
+ FIELD_PREP(PSE_ALLRSV_MASK, all_rsv));
}
- airoha_fe_set(eth, REG_FE_PSE_BUF_SET, all_rsv);
/* CMD1 */
for (q = 0; q < pse_port_num_queues[FE_PSE_PORT_CDM1]; q++)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 152/957] bpf: Relax scalar id equivalence for state pruning
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 151/957] net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 153/957] bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars Greg Kroah-Hartman
` (810 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit b0388bafa4949bd30af7b3be5ee415f2a25ac014 ]
Scalar register IDs are used by the verifier to track relationships
between registers and enable bounds propagation across those
relationships. Once an ID becomes singular (i.e. only a single
register/stack slot carries it), it can no longer contribute to bounds
propagation and effectively becomes stale. The previous commit makes the
verifier clear such ids before caching the state.
When comparing the current and cached states for pruning, these stale
IDs can cause technically equivalent states to be considered different
and thus prevent pruning.
For example, in the selftest added in the next commit, two registers -
r6 and r7 are not linked to any other registers and get cached with
id=0, in the current state, they are both linked to each other with
id=A. Before this commit, check_scalar_ids would give temporary ids to
r6 and r7 (say tid1 and tid2) and then check_ids() would map tid1->A,
and when it would see tid2->A, it would not consider these state
equivalent.
Relax scalar ID equivalence by treating rold->id == 0 as "independent":
if the old state did not rely on any ID relationships for a register,
then any ID/linking present in the current state only adds constraints
and is always safe to accept for pruning. Implement this by returning
true immediately in check_scalar_ids() when old_id == 0.
Maintain correctness for the opposite direction (old_id != 0 && cur_id
== 0) by still allocating a temporary ID for cur_id == 0. This avoids
incorrectly allowing multiple independent current registers (id==0) to
satisfy a single linked old ID during mapping.
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260203165102.2302462-5-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Stable-dep-of: 2f2ec8e7730e ("bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 63 +++++++++++++++----
.../selftests/bpf/progs/verifier_scalar_ids.c | 8 ++-
2 files changed, 56 insertions(+), 15 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6d5fc1af7a1f6..0cf6ca1f870f7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18808,13 +18808,29 @@ static bool check_ids(u32 old_id, u32 cur_id, struct bpf_idmap *idmap)
return false;
}
-/* Similar to check_ids(), but allocate a unique temporary ID
- * for 'old_id' or 'cur_id' of zero.
- * This makes pairs like '0 vs unique ID', 'unique ID vs 0' valid.
+/*
+ * Compare scalar register IDs for state equivalence.
+ *
+ * When old_id == 0, the old register is independent - not linked to any
+ * other register. Any linking in the current state only adds constraints,
+ * making it more restrictive. Since the old state didn't rely on any ID
+ * relationships for this register, it's always safe to accept cur regardless
+ * of its ID. Hence, return true immediately.
+ *
+ * When old_id != 0 but cur_id == 0, we need to ensure that different
+ * independent registers in cur don't incorrectly satisfy the ID matching
+ * requirements of linked registers in old.
+ *
+ * Example: if old has r6.id=X and r7.id=X (linked), but cur has r6.id=0
+ * and r7.id=0 (both independent), without temp IDs both would map old_id=X
+ * to cur_id=0 and pass. With temp IDs: r6 maps X->temp1, r7 tries to map
+ * X->temp2, but X is already mapped to temp1, so the check fails correctly.
*/
static bool check_scalar_ids(u32 old_id, u32 cur_id, struct bpf_idmap *idmap)
{
- old_id = old_id ? old_id : ++idmap->tmp_id_gen;
+ if (!old_id)
+ return true;
+
cur_id = cur_id ? cur_id : ++idmap->tmp_id_gen;
return check_ids(old_id, cur_id, idmap);
@@ -18975,11 +18991,21 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
}
if (!rold->precise && exact == NOT_EXACT)
return true;
- if ((rold->id & BPF_ADD_CONST) != (rcur->id & BPF_ADD_CONST))
- return false;
- if ((rold->id & BPF_ADD_CONST) && (rold->off != rcur->off))
- return false;
- /* Why check_ids() for scalar registers?
+ /*
+ * Linked register tracking uses rold->id to detect relationships.
+ * When rold->id == 0, the register is independent and any linking
+ * in rcur only adds constraints. When rold->id != 0, we must verify
+ * id mapping and (for BPF_ADD_CONST) offset consistency.
+ *
+ * +------------------+-----------+------------------+---------------+
+ * | | rold->id | rold + ADD_CONST | rold->id == 0 |
+ * |------------------+-----------+------------------+---------------|
+ * | rcur->id | range,ids | false | range |
+ * | rcur + ADD_CONST | false | range,ids,off | range |
+ * | rcur->id == 0 | range,ids | false | range |
+ * +------------------+-----------+------------------+---------------+
+ *
+ * Why check_ids() for scalar registers?
*
* Consider the following BPF code:
* 1: r6 = ... unbound scalar, ID=a ...
@@ -19003,9 +19029,22 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
* ---
* Also verify that new value satisfies old value range knowledge.
*/
- return range_within(rold, rcur) &&
- tnum_in(rold->var_off, rcur->var_off) &&
- check_scalar_ids(rold->id, rcur->id, idmap);
+
+ /* ADD_CONST mismatch: different linking semantics */
+ if ((rold->id & BPF_ADD_CONST) && !(rcur->id & BPF_ADD_CONST))
+ return false;
+
+ if (rold->id && !(rold->id & BPF_ADD_CONST) && (rcur->id & BPF_ADD_CONST))
+ return false;
+
+ /* Both have offset linkage: offsets must match */
+ if ((rold->id & BPF_ADD_CONST) && rold->off != rcur->off)
+ return false;
+
+ if (!check_scalar_ids(rold->id, rcur->id, idmap))
+ return false;
+
+ return range_within(rold, rcur) && tnum_in(rold->var_off, rcur->var_off);
case PTR_TO_MAP_KEY:
case PTR_TO_MAP_VALUE:
case PTR_TO_MEM:
diff --git a/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c b/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c
index 1fdd85b4b8443..f1c17df9c4f99 100644
--- a/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c
+++ b/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c
@@ -751,9 +751,9 @@ __success __log_level(2)
/* The exit instruction should be reachable from two states,
* use two matches and "processed .. insns" to ensure this.
*/
-__msg("13: (95) exit")
-__msg("13: (95) exit")
-__msg("processed 18 insns")
+__msg("15: (95) exit")
+__msg("15: (95) exit")
+__msg("processed 20 insns")
__flag(BPF_F_TEST_STATE_FREQ)
__naked void two_old_ids_one_cur_id(void)
{
@@ -762,9 +762,11 @@ __naked void two_old_ids_one_cur_id(void)
"call %[bpf_ktime_get_ns];"
"r0 &= 0xff;"
"r6 = r0;"
+ "r8 = r0;"
"call %[bpf_ktime_get_ns];"
"r0 &= 0xff;"
"r7 = r0;"
+ "r9 = r0;"
"r0 = 0;"
/* Maybe make r{6,7} IDs identical */
"if r6 > r7 goto l0_%=;"
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 153/957] bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 152/957] bpf: Relax scalar id equivalence for state pruning Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 154/957] selftests/bpf: fix __jited_unpriv tag name Greg Kroah-Hartman
` (809 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, STAR Labs SG, Daniel Borkmann,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 2f2ec8e7730e21fc9bd49e0de9cdd58213ea24d0 ]
When regsafe() compares two scalar registers that both carry
BPF_ADD_CONST, check_scalar_ids() maps their full compound id
(aka base | BPF_ADD_CONST flag) as one idmap entry. However,
it never verifies that the underlying base ids, that is, with
the flag stripped are consistent with existing idmap mappings.
This allows construction of two verifier states where the old
state has R3 = R2 + 10 (both sharing base id A) while the current
state has R3 = R4 + 10 (base id C, unrelated to R2). The idmap
creates two independent entries: A->B (for R2) and A|flag->C|flag
(for R3), without catching that A->C conflicts with A->B. State
pruning then incorrectly succeeds.
Fix this by additionally verifying base ID mapping consistency
whenever BPF_ADD_CONST is set: after mapping the compound ids,
also invoke check_ids() on the base IDs (flag bits stripped).
This ensures that if A was already mapped to B from comparing
the source register, any ADD_CONST derivative must also derive
from B, not an unrelated C.
Fixes: 98d7ca374ba4 ("bpf: Track delta between "linked" registers.")
Reported-by: STAR Labs SG <info@starlabs.sg>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260410232651.559778-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0cf6ca1f870f7..e8975e9761e26 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18825,6 +18825,13 @@ static bool check_ids(u32 old_id, u32 cur_id, struct bpf_idmap *idmap)
* and r7.id=0 (both independent), without temp IDs both would map old_id=X
* to cur_id=0 and pass. With temp IDs: r6 maps X->temp1, r7 tries to map
* X->temp2, but X is already mapped to temp1, so the check fails correctly.
+ *
+ * When old_id has BPF_ADD_CONST set, the compound id (base | flag) and the
+ * base id (flag stripped) must both map consistently. Example: old has
+ * r2.id=A, r3.id=A|flag (r3 = r2 + delta), cur has r2.id=B, r3.id=C|flag
+ * (r3 derived from unrelated r4). Without the base check, idmap gets two
+ * independent entries A->B and A|flag->C|flag, missing that A->C conflicts
+ * with A->B. The base ID cross-check catches this.
*/
static bool check_scalar_ids(u32 old_id, u32 cur_id, struct bpf_idmap *idmap)
{
@@ -18833,7 +18840,15 @@ static bool check_scalar_ids(u32 old_id, u32 cur_id, struct bpf_idmap *idmap)
cur_id = cur_id ? cur_id : ++idmap->tmp_id_gen;
- return check_ids(old_id, cur_id, idmap);
+ if (!check_ids(old_id, cur_id, idmap))
+ return false;
+ if (old_id & BPF_ADD_CONST) {
+ old_id &= ~BPF_ADD_CONST;
+ cur_id &= ~BPF_ADD_CONST;
+ if (!check_ids(old_id, cur_id, idmap))
+ return false;
+ }
+ return true;
}
static void clean_func_state(struct bpf_verifier_env *env,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 154/957] selftests/bpf: fix __jited_unpriv tag name
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 153/957] bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 155/957] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
` (808 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ihor Solodrai, Puranjay Mohan,
Eduard Zingerman, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eduard Zingerman <eddyz87@gmail.com>
[ Upstream commit cdd54fe98c00549264a92613af6bb0e9a5fd0d1c ]
__jited_unpriv was using "test_jited=" as its tag name, same as the
priv variant __jited. Fix by using "test_jited_unpriv=".
Fixes: 7d743e4c759c ("selftests/bpf: __jited test tag to check disassembly after jit")
Acked-by: Ihor Solodrai <ihor.solodrai@linux.dev>
Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260410-selftests-global-tags-ordering-v2-1-c566ec9781bf@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/progs/bpf_misc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
index a7a1a684eed11..25172ca74b204 100644
--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
+++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
@@ -137,7 +137,7 @@
#define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" XSTR(__COUNTER__) "=" msg)))
#define __not_msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_not_msg_unpriv=" XSTR(__COUNTER__) "=" msg)))
#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" XSTR(__COUNTER__) "=" msg)))
-#define __jited_unpriv(msg) __attribute__((btf_decl_tag("comment:test_jited=" XSTR(__COUNTER__) "=" msg)))
+#define __jited_unpriv(msg) __attribute__((btf_decl_tag("comment:test_jited_unpriv=" XSTR(__COUNTER__) "=" msg)))
#define __failure_unpriv __attribute__((btf_decl_tag("comment:test_expect_failure_unpriv")))
#define __success_unpriv __attribute__((btf_decl_tag("comment:test_expect_success_unpriv")))
#define __log_level(lvl) __attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 155/957] net/sched: act_ct: Only release RCU read lock after ct_ft
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 154/957] selftests/bpf: fix __jited_unpriv tag name Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 156/957] selftests: netfilter: nft_tproxy.sh: adjust to socat changes Greg Kroah-Hartman
` (807 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zdi-disclosures, Victor Nogueira,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit f462dca0c8415bf0058d0ffa476354c4476d0f09 ]
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().
static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
struct zones_ht_key key = { .net = net, .zone = params->zone };
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
mutex_lock(&zones_mutex);
ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
goto out_unlock;
...
}
static __always_inline void *rhashtable_lookup_fast(
struct rhashtable *ht, const void *key,
const struct rhashtable_params params)
{
void *obj;
rcu_read_lock();
obj = rhashtable_lookup(ht, key, params);
rcu_read_unlock();
return obj;
}
At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht . The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.
Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()
tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
if (refcount_dec_and_test(&ct_ft->ref)) {
rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
queue_rcu_work(act_ct_wq, &ct_ft->rwork);
}
}
At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
struct tcf_ct_flow_table *ct_ft;
struct flow_block *block;
ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
rwork);
nf_flow_table_free(&ct_ft->nf_ft);
block = &ct_ft->nf_ft.flow_block;
down_write(&ct_ft->nf_ft.flow_block_lock);
WARN_ON(!list_empty(&block->cb_list));
up_write(&ct_ft->nf_ft.flow_block_lock);
kfree(ct_ft); // [4]
module_put(THIS_MODULE);
}
tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after[1]
Fixes: 138470a9b2cc2 ("net/sched: act_ct: fix lockdep splat in tcf_ct_flow_table_get")
Reported-by: zdi-disclosures@trendmicro.com
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260410111627.46611-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_ct.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index b3c160ad590d2..f9cb8f7474ed3 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -326,9 +326,13 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
int err = -ENOMEM;
mutex_lock(&zones_mutex);
- ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params);
- if (ct_ft && refcount_inc_not_zero(&ct_ft->ref))
+ rcu_read_lock();
+ ct_ft = rhashtable_lookup(&zones_ht, &key, zones_params);
+ if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) {
+ rcu_read_unlock();
goto out_unlock;
+ }
+ rcu_read_unlock();
ct_ft = kzalloc(sizeof(*ct_ft), GFP_KERNEL);
if (!ct_ft)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 156/957] selftests: netfilter: nft_tproxy.sh: adjust to socat changes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 155/957] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 157/957] net: mana: Use pci_name() for debugfs directory naming Greg Kroah-Hartman
` (806 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Florian Westphal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 61119542663cac70898aef532eb57ee41ea9b477 ]
Like e65d8b6f3092 ("selftests: drv-net: adjust to socat changes") we
need to add shut-none for this test too.
The extra 0-packet can trigger a second (unexpected) reply from the server.
Fixes: 7e37e0eacd22 ("selftests: netfilter: nft_tproxy.sh: add tcp tests")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20260408152432.24b8ad0d@kernel.org/
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20260409224506.27072-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/net/netfilter/nft_tproxy_udp.sh | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/tools/testing/selftests/net/netfilter/nft_tproxy_udp.sh b/tools/testing/selftests/net/netfilter/nft_tproxy_udp.sh
index d16de13fe5a75..1dc7b04501459 100755
--- a/tools/testing/selftests/net/netfilter/nft_tproxy_udp.sh
+++ b/tools/testing/selftests/net/netfilter/nft_tproxy_udp.sh
@@ -190,13 +190,13 @@ table inet filter {
}
EOF
- timeout "$timeout" ip netns exec "$nsrouter" socat -u "$socat_ipproto" udp-listen:12345,fork,ip-transparent,reuseport udp:"$ns1_ip_port",ip-transparent,reuseport,bind="$ns2_ip_port" 2>/dev/null &
+ timeout "$timeout" ip netns exec "$nsrouter" socat -u "$socat_ipproto" udp-listen:12345,fork,ip-transparent,reuseport,shut-none udp:"$ns1_ip_port",ip-transparent,reuseport,bind="$ns2_ip_port",shut-none 2>/dev/null &
local tproxy_pid=$!
- timeout "$timeout" ip netns exec "$ns2" socat "$socat_ipproto" udp-listen:8080,fork SYSTEM:"echo PONG_NS2" 2>/dev/null &
+ timeout "$timeout" ip netns exec "$ns2" socat "$socat_ipproto" udp-listen:8080,fork,shut-none SYSTEM:"echo PONG_NS2" 2>/dev/null &
local server2_pid=$!
- timeout "$timeout" ip netns exec "$ns3" socat "$socat_ipproto" udp-listen:8080,fork SYSTEM:"echo PONG_NS3" 2>/dev/null &
+ timeout "$timeout" ip netns exec "$ns3" socat "$socat_ipproto" udp-listen:8080,fork,shut-none SYSTEM:"echo PONG_NS3" 2>/dev/null &
local server3_pid=$!
busywait "$BUSYWAIT_TIMEOUT" listener_ready "$nsrouter" 12345 "-u"
@@ -205,7 +205,7 @@ EOF
local result
# request from ns1 to ns2 (forwarded traffic)
- result=$(echo I_M_PROXIED | ip netns exec "$ns1" socat -t 2 -T 2 STDIO udp:"$ns2_ip_port",sourceport=18888)
+ result=$(echo I_M_PROXIED | ip netns exec "$ns1" socat -t 2 -T 2 STDIO udp:"$ns2_ip_port",sourceport=18888,shut-none)
if [ "$result" == "$expect_ns1_ns2" ] ;then
echo "PASS: tproxy test $testname: ns1 got reply \"$result\" connecting to ns2"
else
@@ -214,7 +214,7 @@ EOF
fi
# request from ns1 to ns3 (forwarded traffic)
- result=$(echo I_M_PROXIED | ip netns exec "$ns1" socat -t 2 -T 2 STDIO udp:"$ns3_ip_port")
+ result=$(echo I_M_PROXIED | ip netns exec "$ns1" socat -t 2 -T 2 STDIO udp:"$ns3_ip_port",shut-none)
if [ "$result" = "$expect_ns1_ns3" ] ;then
echo "PASS: tproxy test $testname: ns1 got reply \"$result\" connecting to ns3"
else
@@ -223,7 +223,7 @@ EOF
fi
# request from nsrouter to ns2 (localy originated traffic)
- result=$(echo I_M_PROXIED | ip netns exec "$nsrouter" socat -t 2 -T 2 STDIO udp:"$ns2_ip_port")
+ result=$(echo I_M_PROXIED | ip netns exec "$nsrouter" socat -t 2 -T 2 STDIO udp:"$ns2_ip_port",shut-none)
if [ "$result" == "$expect_nsrouter_ns2" ] ;then
echo "PASS: tproxy test $testname: nsrouter got reply \"$result\" connecting to ns2"
else
@@ -232,7 +232,7 @@ EOF
fi
# request from nsrouter to ns3 (localy originated traffic)
- result=$(echo I_M_PROXIED | ip netns exec "$nsrouter" socat -t 2 -T 2 STDIO udp:"$ns3_ip_port")
+ result=$(echo I_M_PROXIED | ip netns exec "$nsrouter" socat -t 2 -T 2 STDIO udp:"$ns3_ip_port",shut-none)
if [ "$result" = "$expect_nsrouter_ns3" ] ;then
echo "PASS: tproxy test $testname: nsrouter got reply \"$result\" connecting to ns3"
else
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 157/957] net: mana: Use pci_name() for debugfs directory naming
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 156/957] selftests: netfilter: nft_tproxy.sh: adjust to socat changes Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 158/957] net: mana: Support HW link state events Greg Kroah-Hartman
` (805 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit c116f07ab9d22bb6f355f3cf9e44c1e6a47fe559 ]
Use pci_name(pdev) for the per-device debugfs directory instead of
hardcoded "0" for PFs and pci_slot_name(pdev->slot) for VFs. The
previous approach had two issues:
1. pci_slot_name() dereferences pdev->slot, which can be NULL for VFs
in environments like generic VFIO passthrough or nested KVM,
causing a NULL pointer dereference.
2. Multiple PFs would all use "0", and VFs across different PCI
domains or buses could share the same slot name, leading to
-EEXIST errors from debugfs_create_dir().
pci_name(pdev) returns the unique BDF address, is always valid, and is
unique across the system.
Fixes: 6607c17c6c5e ("net: mana: Enable debugfs files for MANA device")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260408081224.302308-2-ernis@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/gdma_main.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index 962fdd29d6063..c0de20b2183a2 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -1927,11 +1927,8 @@ static int mana_gd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
gc->dev = &pdev->dev;
xa_init(&gc->irq_contexts);
- if (gc->is_pf)
- gc->mana_pci_debugfs = debugfs_create_dir("0", mana_debugfs_root);
- else
- gc->mana_pci_debugfs = debugfs_create_dir(pci_slot_name(pdev->slot),
- mana_debugfs_root);
+ gc->mana_pci_debugfs = debugfs_create_dir(pci_name(pdev),
+ mana_debugfs_root);
err = mana_gd_setup(pdev);
if (err)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 158/957] net: mana: Support HW link state events
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 157/957] net: mana: Use pci_name() for debugfs directory naming Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 159/957] net: mana: Move current_speed debugfs file to mana_init_port() Greg Kroah-Hartman
` (804 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
[ Upstream commit 54133f9b4b53ffa2204eb27cfc9d50072c9a52d2 ]
Handle the NIC hardware link state events received from the HW
channel, then set the proper link state accordingly.
And, add a feature bit, GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE,
to inform the NIC hardware this handler exists.
Our MANA NIC only sends out the link state down/up messages
when we need to let the VM rerun DHCP client and change IP
address. So, add netif_carrier_on() in the probe(), let the NIC
show the right initial state in /sys/class/net/ethX/operstate.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1761770601-16920-1-git-send-email-haiyangz@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 3b7c7fc97aea ("net: mana: Move current_speed debugfs file to mana_init_port()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/microsoft/mana/gdma_main.c | 1 +
.../net/ethernet/microsoft/mana/hw_channel.c | 12 +++++
drivers/net/ethernet/microsoft/mana/mana_en.c | 54 +++++++++++++++++--
include/net/mana/gdma.h | 4 +-
include/net/mana/hw_channel.h | 2 +
include/net/mana/mana.h | 4 ++
6 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index c0de20b2183a2..d93cfb7f4e788 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -528,6 +528,7 @@ static void mana_gd_process_eqe(struct gdma_queue *eq)
case GDMA_EQE_HWC_INIT_DONE:
case GDMA_EQE_HWC_SOC_SERVICE:
case GDMA_EQE_RNIC_QP_FATAL:
+ case GDMA_EQE_HWC_SOC_RECONFIG_DATA:
if (!eq->eq.callback)
break;
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
index 21cddafba5061..840c6b8957c90 100644
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -118,6 +118,7 @@ static void mana_hwc_init_event_handler(void *ctx, struct gdma_queue *q_self,
struct gdma_dev *gd = hwc->gdma_dev;
union hwc_init_type_data type_data;
union hwc_init_eq_id_db eq_db;
+ struct mana_context *ac;
u32 type, val;
int ret;
@@ -196,6 +197,17 @@ static void mana_hwc_init_event_handler(void *ctx, struct gdma_queue *q_self,
hwc->hwc_timeout = val;
break;
+ case HWC_DATA_HW_LINK_CONNECT:
+ case HWC_DATA_HW_LINK_DISCONNECT:
+ ac = gd->gdma_context->mana.driver_data;
+ if (!ac)
+ break;
+
+ WRITE_ONCE(ac->link_event, type);
+ schedule_work(&ac->link_change_work);
+
+ break;
+
default:
dev_warn(hwc->dev, "Received unknown reconfig type %u\n", type);
break;
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index abb207339992b..8277a1ac0ad74 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -20,6 +20,7 @@
#include <net/mana/mana.h>
#include <net/mana/mana_auxiliary.h>
+#include <net/mana/hw_channel.h>
static DEFINE_IDA(mana_adev_ida);
@@ -84,7 +85,6 @@ static int mana_open(struct net_device *ndev)
/* Ensure port state updated before txq state */
smp_wmb();
- netif_carrier_on(ndev);
netif_tx_wake_all_queues(ndev);
netdev_dbg(ndev, "%s successful\n", __func__);
return 0;
@@ -100,6 +100,46 @@ static int mana_close(struct net_device *ndev)
return mana_detach(ndev, true);
}
+static void mana_link_state_handle(struct work_struct *w)
+{
+ struct mana_context *ac;
+ struct net_device *ndev;
+ u32 link_event;
+ bool link_up;
+ int i;
+
+ ac = container_of(w, struct mana_context, link_change_work);
+
+ rtnl_lock();
+
+ link_event = READ_ONCE(ac->link_event);
+
+ if (link_event == HWC_DATA_HW_LINK_CONNECT)
+ link_up = true;
+ else if (link_event == HWC_DATA_HW_LINK_DISCONNECT)
+ link_up = false;
+ else
+ goto out;
+
+ /* Process all ports */
+ for (i = 0; i < ac->num_ports; i++) {
+ ndev = ac->ports[i];
+ if (!ndev)
+ continue;
+
+ if (link_up) {
+ netif_carrier_on(ndev);
+
+ __netdev_notify_peers(ndev);
+ } else {
+ netif_carrier_off(ndev);
+ }
+ }
+
+out:
+ rtnl_unlock();
+}
+
static bool mana_can_tx(struct gdma_queue *wq)
{
return mana_gd_wq_avail_space(wq) >= MAX_TX_WQE_SIZE;
@@ -3086,9 +3126,6 @@ int mana_attach(struct net_device *ndev)
/* Ensure port state updated before txq state */
smp_wmb();
- if (apc->port_is_up)
- netif_carrier_on(ndev);
-
netif_device_attach(ndev);
return 0;
@@ -3183,7 +3220,6 @@ int mana_detach(struct net_device *ndev, bool from_close)
smp_wmb();
netif_tx_disable(ndev);
- netif_carrier_off(ndev);
if (apc->port_st_save) {
err = mana_dealloc_queues(ndev);
@@ -3272,6 +3308,8 @@ static int mana_probe_port(struct mana_context *ac, int port_idx,
goto free_indir;
}
+ netif_carrier_on(ndev);
+
debugfs_create_u32("current_speed", 0400, apc->mana_port_debugfs, &apc->speed);
return 0;
@@ -3462,6 +3500,8 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
if (!resuming) {
ac->num_ports = num_ports;
+
+ INIT_WORK(&ac->link_change_work, mana_link_state_handle);
} else {
if (ac->num_ports != num_ports) {
dev_err(dev, "The number of vPorts changed: %d->%d\n",
@@ -3469,6 +3509,8 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
err = -EPROTO;
goto out;
}
+
+ enable_work(&ac->link_change_work);
}
if (ac->num_ports == 0)
@@ -3531,6 +3573,8 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
int err;
int i;
+ disable_work_sync(&ac->link_change_work);
+
/* adev currently doesn't support suspending, always remove it */
if (gd->adev)
remove_adev(gd);
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index 57df78cfbf82c..637f42485dba6 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -590,6 +590,7 @@ enum {
/* Driver can self reset on FPGA Reconfig EQE notification */
#define GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE BIT(17)
+#define GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE BIT(6)
#define GDMA_DRV_CAP_FLAGS1 \
(GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \
@@ -599,7 +600,8 @@ enum {
GDMA_DRV_CAP_FLAG_1_DEV_LIST_HOLES_SUP | \
GDMA_DRV_CAP_FLAG_1_DYNAMIC_IRQ_ALLOC_SUPPORT | \
GDMA_DRV_CAP_FLAG_1_SELF_RESET_ON_EQE | \
- GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE)
+ GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE | \
+ GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE)
#define GDMA_DRV_CAP_FLAGS2 0
diff --git a/include/net/mana/hw_channel.h b/include/net/mana/hw_channel.h
index 83cf93338eb38..16feb39616c1b 100644
--- a/include/net/mana/hw_channel.h
+++ b/include/net/mana/hw_channel.h
@@ -24,6 +24,8 @@
#define HWC_INIT_DATA_PF_DEST_CQ_ID 11
#define HWC_DATA_CFG_HWC_TIMEOUT 1
+#define HWC_DATA_HW_LINK_CONNECT 2
+#define HWC_DATA_HW_LINK_DISCONNECT 3
#define HW_CHANNEL_WAIT_RESOURCE_TIMEOUT_MS 30000
diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
index 857f45a3386cc..f9f264385405c 100644
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -477,6 +477,10 @@ struct mana_context {
struct dentry *mana_eqs_debugfs;
struct net_device *ports[MAX_PORTS_IN_MANA_DEV];
+
+ /* Link state change work */
+ struct work_struct link_change_work;
+ u32 link_event;
};
struct mana_port_context {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 159/957] net: mana: Move current_speed debugfs file to mana_init_port()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 158/957] net: mana: Support HW link state events Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 160/957] net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() Greg Kroah-Hartman
` (803 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit 3b7c7fc97aea7b4048001d12f45777201c74a17f ]
Move the current_speed debugfs file creation from mana_probe_port() to
mana_init_port(). The file was previously created only during initial
probe, but mana_cleanup_port_context() removes the entire vPort debugfs
directory during detach/attach cycles. Since mana_init_port() recreates
the directory on re-attach, moving current_speed here ensures it survives
these cycles.
Fixes: 75cabb46935b ("net: mana: Add support for net_shaper_ops")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260408081224.302308-3-ernis@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 8277a1ac0ad74..c770fb86fd2d3 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3038,6 +3038,8 @@ static int mana_init_port(struct net_device *ndev)
eth_hw_addr_set(ndev, apc->mac_addr);
sprintf(vport, "vport%d", port_idx);
apc->mana_port_debugfs = debugfs_create_dir(vport, gc->mana_pci_debugfs);
+ debugfs_create_u32("current_speed", 0400, apc->mana_port_debugfs,
+ &apc->speed);
return 0;
reset_apc:
@@ -3310,8 +3312,6 @@ static int mana_probe_port(struct mana_context *ac, int port_idx,
netif_carrier_on(ndev);
- debugfs_create_u32("current_speed", 0400, apc->mana_port_debugfs, &apc->speed);
-
return 0;
free_indir:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 160/957] net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 159/957] net: mana: Move current_speed debugfs file to mana_init_port() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 161/957] bpf: Allow instructions with arena source and non-arena dest registers Greg Kroah-Hartman
` (802 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 656121b155030086b01cfce9bd31b0c925ee6860 ]
When the descriptor index written in REG_RX_CPU_IDX() is equal to the one
stored in REG_RX_DMA_IDX(), the hw will stop since the QDMA RX ring is
empty.
Add missing REG_RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue
routine during QDMA RX ring cleanup.
Fixes: 514aac359987 ("net: airoha: Add missing cleanup bits in airoha_qdma_cleanup_rx_queue()")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260408-airoha-cpu-idx-airoha_qdma_cleanup_rx_queue-v1-1-8efa64844308@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 132a32e9e633a..cbf21e15df6dd 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -844,6 +844,11 @@ static void airoha_qdma_cleanup_rx_queue(struct airoha_queue *q)
}
q->head = q->tail;
+ /* Set RX_DMA_IDX to RX_CPU_IDX to notify the hw the QDMA RX ring is
+ * empty.
+ */
+ airoha_qdma_rmw(qdma, REG_RX_CPU_IDX(qid), RX_RING_CPU_IDX_MASK,
+ FIELD_PREP(RX_RING_CPU_IDX_MASK, q->head));
airoha_qdma_rmw(qdma, REG_RX_DMA_IDX(qid), RX_RING_DMA_IDX_MASK,
FIELD_PREP(RX_RING_DMA_IDX_MASK, q->tail));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 161/957] bpf: Allow instructions with arena source and non-arena dest registers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 160/957] net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 162/957] selftests/bpf: Fix reg_bounds to match new tnum-based refinement Greg Kroah-Hartman
` (801 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tsalapatis, Song Liu,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tsalapatis <emil@etsalapatis.com>
[ Upstream commit ac61bffe91d4bda08806e12957c6d64756d042db ]
The compiler sometimes stores the result of a PTR_TO_ARENA and SCALAR
operation into the scalar register rather than the pointer register.
Relax the verifier to allow operations between a source arena register
and a destination non-arena register, marking the destination's value
as a PTR_TO_ARENA.
Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Song Liu <song@kernel.org>
Fixes: 6082b6c328b5 ("bpf: Recognize addr_space_cast instruction in the verifier.")
Link: https://lore.kernel.org/r/20260412174546.18684-2-emil@etsalapatis.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e8975e9761e26..153a7c1d32069 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15705,11 +15705,20 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
int err;
dst_reg = ®s[insn->dst_reg];
- src_reg = NULL;
+ if (BPF_SRC(insn->code) == BPF_X)
+ src_reg = ®s[insn->src_reg];
+ else
+ src_reg = NULL;
- if (dst_reg->type == PTR_TO_ARENA) {
+ /* Case where at least one operand is an arena. */
+ if (dst_reg->type == PTR_TO_ARENA || (src_reg && src_reg->type == PTR_TO_ARENA)) {
struct bpf_insn_aux_data *aux = cur_aux(env);
+ if (dst_reg->type != PTR_TO_ARENA)
+ *dst_reg = *src_reg;
+
+ dst_reg->subreg_def = env->insn_idx + 1;
+
if (BPF_CLASS(insn->code) == BPF_ALU64)
/*
* 32-bit operations zero upper bits automatically.
@@ -15725,7 +15734,6 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
ptr_reg = dst_reg;
if (BPF_SRC(insn->code) == BPF_X) {
- src_reg = ®s[insn->src_reg];
if (src_reg->type != SCALAR_VALUE) {
if (dst_reg->type != SCALAR_VALUE) {
/* Combining two pointers by any ALU op yields
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 162/957] selftests/bpf: Fix reg_bounds to match new tnum-based refinement
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 161/957] bpf: Allow instructions with arena source and non-arena dest registers Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 163/957] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
` (800 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Paul Chaignon,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
[ Upstream commit 2fefa9c81a25534464911447d51ddb44b04a8e5b ]
Commit efc11a667878 ("bpf: Improve bounds when tnum has a single
possible value") improved the bounds refinement to detect when the tnum
and u64 range overlap in a single value (and the bounds can thus be set
to that value).
Eduard then noticed that it broke the slow-mode reg_bounds selftests
because they don't have an equivalent logic and are therefore unable to
refine the bounds as much as the verifier. The following test case
illustrates this.
ACTUAL TRUE1: scalar(u64=0xffffffff00000000,u32=0,s64=0xffffffff00000000,s32=0)
EXPECTED TRUE1: scalar(u64=[0xfffffffe00000001; 0xffffffff00000000],u32=0,s64=[0xfffffffe00000001; 0xffffffff00000000],s32=0)
[...]
#323/1007 reg_bounds_gen_consts_s64_s32/(s64)[0xfffffffe00000001; 0xffffffff00000000] (s32)<op> S64_MIN:FAIL
with the verifier logs:
[...]
19: w0 = w6 ; R0=scalar(smin=0,smax=umax=0xffffffff,
var_off=(0x0; 0xffffffff))
R6=scalar(smin=0xfffffffe00000001,smax=0xffffffff00000000,
umin=0xfffffffe00000001,umax=0xffffffff00000000,
var_off=(0xfffffffe00000000; 0x1ffffffff))
20: w0 = w7 ; R0=0 R7=0x8000000000000000
21: if w6 == w7 goto pc+3
[...]
from 21 to 25: [...]
25: w0 = w6 ; R0=0 R6=0xffffffff00000000
; ^
; unexpected refined value
26: w0 = w7 ; R0=0 R7=0x8000000000000000
27: exit
When w6 == w7 is true, the verifier can deduce that the R6's tnum is
equal to (0xfffffffe00000000; 0x100000000) and then use that information
to refine the bounds: the tnum only overlap with the u64 range in
0xffffffff00000000. The reg_bounds selftest doesn't know about tnums
and therefore fails to perform the same refinement.
This issue happens when the tnum carries information that cannot be
represented in the ranges, as otherwise the selftest could reach the
same refined value using just the ranges. The tnum thus needs to
represent non-contiguous values (ex., R6's tnum above, after the
condition). The only way this can happen in the reg_bounds selftest is
at the boundary between the 32 and 64bit ranges. We therefore only need
to handle that case.
This patch fixes the selftest refinement logic by checking if the u32
and u64 ranges overlap in a single value. If so, the ranges can be set
to that value. We need to handle two cases: either they overlap in
umin64...
u64 values
matching u32 range: xxx xxx xxx xxx
|--------------------------------------|
u64 range: 0 xxxxx UMAX64
or in umax64:
u64 values
matching u32 range: xxx xxx xxx xxx
|--------------------------------------|
u64 range: 0 xxxxx UMAX64
To detect the first case, we decrease umax64 to the maximum value that
matches the u32 range. If that happens to be umin64, then umin64 is the
only overlap. We proceed similarly for the second case, increasing
umin64 to the minimum value that matches the u32 range.
Note this is similar to how the verifier handles the general case using
tnum, but we don't need to care about a single-value overlap in the
middle of the range. That case is not possible when comparing two
ranges.
This patch also adds two test cases reproducing this bug as part of the
normal test runs (without SLOW_TESTS=1).
Fixes: efc11a667878 ("bpf: Improve bounds when tnum has a single possible value")
Reported-by: Eduard Zingerman <eddyz87@gmail.com>
Closes: https://lore.kernel.org/bpf/4e6dd64a162b3cab3635706ae6abfdd0be4db5db.camel@gmail.com/
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/ada9UuSQi2SE2IfB@mail.gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/bpf/prog_tests/reg_bounds.c | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
index 04938d0d431b3..5f57d3c923801 100644
--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
@@ -500,6 +500,39 @@ static struct range range_refine(enum num_t x_t, struct range x, enum num_t y_t,
(s64)x.a >= S32_MIN && (s64)x.b <= S32_MAX)
return range_intersection(x_t, x, y_cast);
+ if (y_t == U32 && x_t == U64) {
+ u64 xmin_swap, xmax_swap, xmin_lower32, xmax_lower32;
+
+ xmin_lower32 = x.a & 0xffffffff;
+ xmax_lower32 = x.b & 0xffffffff;
+ if (xmin_lower32 < y.a || xmin_lower32 > y.b) {
+ /* The 32 lower bits of the umin64 are outside the u32
+ * range. Let's update umin64 to match the u32 range.
+ * We want to *increase* the umin64 to the *minimum*
+ * value that matches the u32 range.
+ */
+ xmin_swap = swap_low32(x.a, y.a);
+ /* We should always only increase the minimum, so if
+ * the new value is lower than before, we need to
+ * increase the 32 upper bits by 1.
+ */
+ if (xmin_swap < x.a)
+ xmin_swap += 0x100000000;
+ if (xmin_swap == x.b)
+ return range(x_t, x.b, x.b);
+ } else if (xmax_lower32 < y.a || xmax_lower32 > y.b) {
+ /* Same for the umax64, but we want to *decrease*
+ * umax64 to the *maximum* value that matches the u32
+ * range.
+ */
+ xmax_swap = swap_low32(x.b, y.b);
+ if (xmax_swap > x.b)
+ xmax_swap -= 0x100000000;
+ if (xmax_swap == x.a)
+ return range(x_t, x.a, x.a);
+ }
+ }
+
/* the case when new range knowledge, *y*, is a 32-bit subregister
* range, while previous range knowledge, *x*, is a full register
* 64-bit range, needs special treatment to take into account upper 32
@@ -2143,6 +2176,8 @@ static struct subtest_case crafted_cases[] = {
{U64, S64, {0x7fffffff00000001ULL, 0xffffffff00000000ULL}, {0, 0}},
{U64, S64, {0, 0xffffffffULL}, {1, 1}},
{U64, S64, {0, 0xffffffffULL}, {0x7fffffff, 0x7fffffff}},
+ {U64, S32, {0xfffffffe00000001, 0xffffffff00000000}, {S64_MIN, S64_MIN}},
+ {U64, U32, {0xfffffffe00000000, U64_MAX - 1}, {U64_MAX, U64_MAX}},
{U64, U32, {0, 0x100000000}, {0, 0}},
{U64, U32, {0xfffffffe, 0x300000000}, {0x80000000, 0x80000000}},
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 163/957] net/rds: Optimize rds_ib_laddr_check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 162/957] selftests/bpf: Fix reg_bounds to match new tnum-based refinement Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 164/957] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
` (799 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Håkon Bugge,
Somasundaram Krishnasamy, Gerd Rausch, Allison Henderson,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Håkon Bugge <haakon.bugge@oracle.com>
[ Upstream commit 236f718ac885965fa886440b9898dfae185c9733 ]
rds_ib_laddr_check() creates a CM_ID and attempts to bind the address
in question to it. This in order to qualify the allegedly local
address as a usable IB/RoCE address.
In the field, ExaWatcher runs rds-ping to all ports in the fabric from
all local ports. This using all active ToS'es. In a full rack system,
we have 14 cell servers and eight db servers. Typically, 6 ToS'es are
used. This implies 528 rds-ping invocations per ExaWatcher's "RDSinfo"
interval.
Adding to this, each rds-ping invocation creates eight sockets and
binds the local address to them:
socket(AF_RDS, SOCK_SEQPACKET, 0) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 7
bind(7, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 8
bind(8, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 9
bind(9, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
socket(AF_RDS, SOCK_SEQPACKET, 0) = 10
bind(10, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("192.168.36.2")}, 16) = 0
So, at every interval ExaWatcher executes rds-ping's, 4224 CM_IDs are
allocated, considering this full-rack system. After the a CM_ID has
been allocated, rdma_bind_addr() is called, with the port number being
zero. This implies that the CMA will attempt to search for an un-used
ephemeral port. Simplified, the algorithm is to start at a random
position in the available port space, and then if needed, iterate
until an un-used port is found.
The book-keeping of used ports uses the idr system, which again uses
slab to allocate new struct idr_layer's. The size is 2092 bytes and
slab tries to reduce the wasted space. Hence, it chooses an order:3
allocation, for which 15 idr_layer structs will fit and only 1388
bytes are wasted per the 32KiB order:3 chunk.
Although this order:3 allocation seems like a good space/speed
trade-off, it does not resonate well with how it used by the CMA. The
combination of the randomized starting point in the port space (which
has close to zero spatial locality) and the close proximity in time of
the 4224 invocations of the rds-ping's, creates a memory hog for
order:3 allocations.
These costly allocations may need reclaims and/or compaction. At
worst, they may fail and produce a stack trace such as (from uek4):
[<ffffffff811a72d5>] __inc_zone_page_state+0x35/0x40
[<ffffffff811c2e97>] page_add_file_rmap+0x57/0x60
[<ffffffffa37ca1df>] remove_migration_pte+0x3f/0x3c0 [ksplice_6cn872bt_vmlinux_new]
[<ffffffff811c3de8>] rmap_walk+0xd8/0x340
[<ffffffff811e8860>] remove_migration_ptes+0x40/0x50
[<ffffffff811ea83c>] migrate_pages+0x3ec/0x890
[<ffffffff811afa0d>] compact_zone+0x32d/0x9a0
[<ffffffff811b00ed>] compact_zone_order+0x6d/0x90
[<ffffffff811b03b2>] try_to_compact_pages+0x102/0x270
[<ffffffff81190e56>] __alloc_pages_direct_compact+0x46/0x100
[<ffffffff8119165b>] __alloc_pages_nodemask+0x74b/0xaa0
[<ffffffff811d8411>] alloc_pages_current+0x91/0x110
[<ffffffff811e3b0b>] new_slab+0x38b/0x480
[<ffffffffa41323c7>] __slab_alloc+0x3b7/0x4a0 [ksplice_s0dk66a8_vmlinux_new]
[<ffffffff811e42ab>] kmem_cache_alloc+0x1fb/0x250
[<ffffffff8131fdd6>] idr_layer_alloc+0x36/0x90
[<ffffffff8132029c>] idr_get_empty_slot+0x28c/0x3d0
[<ffffffff813204ad>] idr_alloc+0x4d/0xf0
[<ffffffffa051727d>] cma_alloc_port+0x4d/0xa0 [rdma_cm]
[<ffffffffa0517cbe>] rdma_bind_addr+0x2ae/0x5b0 [rdma_cm]
[<ffffffffa09d8083>] rds_ib_laddr_check+0x83/0x2c0 [ksplice_6l2xst5i_rds_rdma_new]
[<ffffffffa05f892b>] rds_trans_get_preferred+0x5b/0xa0 [rds]
[<ffffffffa05f09f2>] rds_bind+0x212/0x280 [rds]
[<ffffffff815b4016>] SYSC_bind+0xe6/0x120
[<ffffffff815b4d3e>] SyS_bind+0xe/0x10
[<ffffffff816b031a>] system_call_fastpath+0x18/0xd4
To avoid these excessive calls to rdma_bind_addr(), we optimize
rds_ib_laddr_check() by simply checking if the address in question has
been used before. The rds_rdma module keeps track of addresses
associated with IB devices, and the function rds_ib_get_device() is
used to determine if the address already has been qualified as a valid
local address. If not found, we call the legacy rds_ib_laddr_check(),
now renamed to rds_ib_laddr_check_cm().
Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260408080420.540032-2-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: ebf71dd4aff4 ("net/rds: Restrict use of RDS/IB to the initial network namespace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/ib.c | 20 ++++++++++++++++++--
net/rds/ib.h | 1 +
net/rds/ib_rdma.c | 2 +-
3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 9826fe7f9d008..996f007cd516b 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -403,8 +403,8 @@ static void rds6_ib_ic_info(struct socket *sock, unsigned int len,
* allowed to influence which paths have priority. We could call userspace
* asserting this policy "routing".
*/
-static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
- __u32 scope_id)
+static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
+ __u32 scope_id)
{
int ret;
struct rdma_cm_id *cm_id;
@@ -489,6 +489,22 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
return ret;
}
+static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
+ __u32 scope_id)
+{
+ struct rds_ib_device *rds_ibdev = NULL;
+
+ if (ipv6_addr_v4mapped(addr)) {
+ rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
+ if (rds_ibdev) {
+ rds_ib_dev_put(rds_ibdev);
+ return 0;
+ }
+ }
+
+ return rds_ib_laddr_check_cm(net, addr, scope_id);
+}
+
static void rds_ib_unregister_client(void)
{
ib_unregister_client(&rds_ib_client);
diff --git a/net/rds/ib.h b/net/rds/ib.h
index 8ef3178ed4d61..5ff346a1e8baa 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -381,6 +381,7 @@ void rds_ib_cm_connect_complete(struct rds_connection *conn,
__rds_ib_conn_error(conn, KERN_WARNING "RDS/IB: " fmt)
/* ib_rdma.c */
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr);
int rds_ib_update_ipaddr(struct rds_ib_device *rds_ibdev,
struct in6_addr *ipaddr);
void rds_ib_add_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *conn);
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index dd08ccc4246da..751755cd069e0 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -43,7 +43,7 @@ struct workqueue_struct *rds_ib_mr_wq;
static void rds_ib_odp_mr_worker(struct work_struct *work);
-static struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
+struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
{
struct rds_ib_device *rds_ibdev;
struct rds_ib_ipaddr *i_ipaddr;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 164/957] net/rds: Restrict use of RDS/IB to the initial network namespace
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 163/957] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 165/957] bpf: Fix OOB in pcpu_init_value Greg Kroah-Hartman
` (798 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+da8e060735ae02c8f3d1,
Greg Jumper, Allison Henderson, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Jumper <greg.jumper@oracle.com>
[ Upstream commit ebf71dd4aff46e8e421d455db3e231ba43d2fa8a ]
Prevent using RDS/IB in network namespaces other than the initial one.
The existing RDS/IB code will not work properly in non-initial network
namespaces.
Fixes: d5a8ac28a7ff ("RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net")
Reported-by: syzbot+da8e060735ae02c8f3d1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1
Signed-off-by: Greg Jumper <greg.jumper@oracle.com>
Signed-off-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260408080420.540032-3-achender@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/af_rds.c | 10 ++++++++--
net/rds/ib.c | 4 ++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
index 4a7217fbeab6f..7a0f5150e9103 100644
--- a/net/rds/af_rds.c
+++ b/net/rds/af_rds.c
@@ -357,7 +357,8 @@ static int rds_cong_monitor(struct rds_sock *rs, sockptr_t optval, int optlen)
return ret;
}
-static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
+static int rds_set_transport(struct net *net, struct rds_sock *rs,
+ sockptr_t optval, int optlen)
{
int t_type;
@@ -373,6 +374,10 @@ static int rds_set_transport(struct rds_sock *rs, sockptr_t optval, int optlen)
if (t_type < 0 || t_type >= RDS_TRANS_COUNT)
return -EINVAL;
+ /* RDS/IB is restricted to the initial network namespace */
+ if (t_type != RDS_TRANS_TCP && !net_eq(net, &init_net))
+ return -EPROTOTYPE;
+
rs->rs_transport = rds_trans_get(t_type);
return rs->rs_transport ? 0 : -ENOPROTOOPT;
@@ -433,6 +438,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
sockptr_t optval, unsigned int optlen)
{
struct rds_sock *rs = rds_sk_to_rs(sock->sk);
+ struct net *net = sock_net(sock->sk);
int ret;
if (level != SOL_RDS) {
@@ -461,7 +467,7 @@ static int rds_setsockopt(struct socket *sock, int level, int optname,
break;
case SO_RDS_TRANSPORT:
lock_sock(sock->sk);
- ret = rds_set_transport(rs, optval, optlen);
+ ret = rds_set_transport(net, rs, optval, optlen);
release_sock(sock->sk);
break;
case SO_TIMESTAMP_OLD:
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 996f007cd516b..ce5be43c5fbac 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -494,6 +494,10 @@ static int rds_ib_laddr_check(struct net *net, const struct in6_addr *addr,
{
struct rds_ib_device *rds_ibdev = NULL;
+ /* RDS/IB is restricted to the initial network namespace */
+ if (!net_eq(net, &init_net))
+ return -EPROTOTYPE;
+
if (ipv6_addr_v4mapped(addr)) {
rds_ibdev = rds_ib_get_device(addr->s6_addr32[3]);
if (rds_ibdev) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 165/957] bpf: Fix OOB in pcpu_init_value
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 164/957] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 166/957] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
` (797 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaiyan Mei, Lang Xu,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lang Xu <xulang@uniontech.com>
[ Upstream commit 576afddfee8d1108ee299bf10f581593540d1a36 ]
An out-of-bounds read occurs when copying element from a
BPF_MAP_TYPE_CGROUP_STORAGE map to another pcpu map with the
same value_size that is not rounded up to 8 bytes.
The issue happens when:
1. A CGROUP_STORAGE map is created with value_size not aligned to
8 bytes (e.g., 4 bytes)
2. A pcpu map is created with the same value_size (e.g., 4 bytes)
3. Update element in 2 with data in 1
pcpu_init_value assumes that all sources are rounded up to 8 bytes,
and invokes copy_map_value_long to make a data copy, However, the
assumption doesn't stand since there are some cases where the source
may not be rounded up to 8 bytes, e.g., CGROUP_STORAGE, skb->data.
the verifier verifies exactly the size that the source claims, not
the size rounded up to 8 bytes by kernel, an OOB happens when the
source has only 4 bytes while the copy size(4) is rounded up to 8.
Fixes: d3bec0138bfb ("bpf: Zero-fill re-used per-cpu map element")
Reported-by: Kaiyan Mei <kaiyanm@hust.edu.cn>
Closes: https://lore.kernel.org/all/14e6c70c.6c121.19c0399d948.Coremail.kaiyanm@hust.edu.cn/
Link: https://lore.kernel.org/r/420FEEDDC768A4BE+20260402074236.2187154-1-xulang@uniontech.com
Signed-off-by: Lang Xu <xulang@uniontech.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/hashtab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index e7721f0776c72..469bc48b25127 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -981,7 +981,7 @@ static void pcpu_init_value(struct bpf_htab *htab, void __percpu *pptr,
for_each_possible_cpu(cpu) {
if (cpu == current_cpu)
- copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value);
+ copy_map_value(&htab->map, per_cpu_ptr(pptr, cpu), value);
else /* Since elem is preallocated, we cannot touch special fields */
zero_map_value(&htab->map, per_cpu_ptr(pptr, cpu));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 166/957] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 165/957] bpf: Fix OOB in pcpu_init_value Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 167/957] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG Greg Kroah-Hartman
` (796 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Taegu Ha, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taegu Ha <hataegu0826@gmail.com>
[ Upstream commit 2bb6379416fd19f44c3423a00bfd8626259f6067 ]
/dev/ppp open is currently authorized against file->f_cred->user_ns,
while unattached administrative ioctls operate on current->nsproxy->net_ns.
As a result, a local unprivileged user can create a new user namespace
with CLONE_NEWUSER, gain CAP_NET_ADMIN only in that new user namespace,
and still issue PPPIOCNEWUNIT, PPPIOCATTACH, or PPPIOCATTCHAN against
an inherited network namespace.
Require CAP_NET_ADMIN in the user namespace that owns the target network
namespace before handling unattached PPP administrative ioctls.
This preserves normal pppd operation in the network namespace it is
actually privileged in, while rejecting the userns-only inherited-netns
case.
Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Signed-off-by: Taegu Ha <hataegu0826@gmail.com>
Link: https://patch.msgid.link/20260409071117.4354-1-hataegu0826@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f9f0f16c41d10..7ad6c241c3295 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1057,6 +1057,9 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
struct ppp_net *pn;
int __user *p = (int __user *)arg;
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
switch (cmd) {
case PPPIOCNEWUNIT:
/* Create a new ppp unit */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 167/957] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 166/957] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 168/957] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ Greg Kroah-Hartman
` (795 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Konrad Dybcio,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit de08f9585692813bd41ee654fca0487664c4de30 ]
The 'val' variable gets overwritten multiple times, discarding previous
values. Looking at the git log shows these should be combined with |=
instead.
Fixes: 9265a4f0f0b4 ("net: ipa: define even more IPA register fields")
Link: https://sashiko.dev/#/patchset/20260403-milos-ipa-v1-0-01e9e4e03d3e%40fairphone.com?part=4
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-ipa-fixes-v1-1-a817c30678ac@fairphone.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipa/ipa_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ipa/ipa_main.c b/drivers/net/ipa/ipa_main.c
index 25500c5a6928e..30fe12e3582b2 100644
--- a/drivers/net/ipa/ipa_main.c
+++ b/drivers/net/ipa/ipa_main.c
@@ -361,7 +361,7 @@ static void ipa_qtime_config(struct ipa *ipa)
{
const struct reg *reg;
u32 offset;
- u32 val;
+ u32 val = 0;
/* Timer clock divider must be disabled when we change the rate */
reg = ipa_reg(ipa, TIMERS_XO_CLK_DIV_CFG);
@@ -374,8 +374,8 @@ static void ipa_qtime_config(struct ipa *ipa)
val |= reg_bit(reg, DPL_TIMESTAMP_SEL);
}
/* Configure tag and NAT Qtime timestamp resolution as well */
- val = reg_encode(reg, TAG_TIMESTAMP_LSB, TAG_TIMESTAMP_SHIFT);
- val = reg_encode(reg, NAT_TIMESTAMP_LSB, NAT_TIMESTAMP_SHIFT);
+ val |= reg_encode(reg, TAG_TIMESTAMP_LSB, TAG_TIMESTAMP_SHIFT);
+ val |= reg_encode(reg, NAT_TIMESTAMP_LSB, NAT_TIMESTAMP_SHIFT);
iowrite32(val, ipa->reg_virt + reg_offset(reg));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 168/957] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 167/957] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 169/957] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 Greg Kroah-Hartman
` (794 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Konrad Dybcio,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 1335b903cf2e8aeaca87fd665683384c731ec941 ]
Initially 'reg' and 'val' are assigned from HW_PARAM_2.
But since IPA v5.0+ takes EV_PER_EE from HW_PARAM_4 (instead of
NUM_EV_PER_EE from HW_PARAM_2), we not only need to re-assign 'reg' but
also read the register value of that register into 'val' so that
reg_decode() works on the correct value.
Fixes: f651334e1ef5 ("net: ipa: add HW_PARAM_4 GSI register")
Link: https://sashiko.dev/#/patchset/20260403-milos-ipa-v1-0-01e9e4e03d3e%40fairphone.com?part=2
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-ipa-fixes-v1-2-a817c30678ac@fairphone.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipa/gsi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ipa/gsi.c b/drivers/net/ipa/gsi.c
index 4c3227e77898c..624649484d627 100644
--- a/drivers/net/ipa/gsi.c
+++ b/drivers/net/ipa/gsi.c
@@ -2044,6 +2044,7 @@ static int gsi_ring_setup(struct gsi *gsi)
count = reg_decode(reg, NUM_EV_PER_EE, val);
} else {
reg = gsi_reg(gsi, HW_PARAM_4);
+ val = ioread32(gsi->virt + reg_offset(reg));
count = reg_decode(reg, EV_PER_EE, val);
}
if (!count) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 169/957] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 168/957] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 170/957] net: phy: fix a return path in get_phy_c45_ids() Greg Kroah-Hartman
` (793 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josua Mayer, Conor Dooley,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 600f01dc4bd0c736b3ffea9f7976136d8bf1b136 ]
Currently, the binding requires 'spi-cpha' for SJA1105 and 'spi-cpol'
for SJA1110.
However, the SJA1110 supports both SPI modes 0 and 2. Mode 2
(cpha=0, cpol=1) is used by the NXP LX2160 Bluebox 3.
On the SolidRun i.MX8DXL HummingBoard Telematics, mode 0 is stable,
while forcing mode 2 introduces CRC errors especially during bursts.
Drop the requirement on spi-cpol for SJA1110.
Fixes: af2eab1a8243 ("dt-bindings: net: nxp,sja1105: document spi-cpol/cpha")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260409-imx8dxl-sr-som-v2-1-83ff20629ba0@solid-run.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml b/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml
index e9dd914b0734c..941f9a25bbea0 100644
--- a/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml
+++ b/Documentation/devicetree/bindings/net/dsa/nxp,sja1105.yaml
@@ -140,8 +140,6 @@ allOf:
else:
properties:
spi-cpha: false
- required:
- - spi-cpol
unevaluatedProperties: false
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 170/957] net: phy: fix a return path in get_phy_c45_ids()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 169/957] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 171/957] net/mlx5e: Fix features not applied during netdev registration Greg Kroah-Hartman
` (792 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Perry, Andrew Lunn,
Russell King (Oracle), Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Perry <charles.perry@microchip.com>
[ Upstream commit 6f533abe7bbad2eef1e42c639b6bb9dad2b02362 ]
The return value of phy_c45_probe_present() is stored in "ret", not
"phy_reg", fix this. "phy_reg" always has a positive value if we reach
this return path (since it would have returned earlier otherwise), which
means that the original goal of the patch of not considering -ENODEV
fatal wasn't achieved.
Fixes: 17b447539408 ("net: phy: c45 scanning: Don't consider -ENODEV fatal")
Signed-off-by: Charles Perry <charles.perry@microchip.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20260409133654.3203336-1-charles.perry@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/phy_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 2353d6eced68d..dea8b94286d15 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -963,8 +963,8 @@ static int get_phy_c45_ids(struct mii_bus *bus, int addr,
/* returning -ENODEV doesn't stop bus
* scanning
*/
- return (phy_reg == -EIO ||
- phy_reg == -ENODEV) ? -ENODEV : -EIO;
+ return (ret == -EIO ||
+ ret == -ENODEV) ? -ENODEV : -EIO;
if (!ret)
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 171/957] net/mlx5e: Fix features not applied during netdev registration
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 170/957] net: phy: fix a return path in get_phy_c45_ids() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 172/957] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() Greg Kroah-Hartman
` (791 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Dragos Tatulea,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 9994ad4df82d64e57135c0f0906897685f5a9e87 ]
mlx5e_fix_features() returns early when the netdevice is not present.
This is correct during profile transitions where priv is cleared, but it
also incorrectly blocks feature fixups during register_netdev(), when
the device is also not yet present.
It is not trivial to distinguish between both cases as we cannot use
priv to carry state, and in both cases reg_state == NETREG_REGISTERED.
Force a netdev features update after register_netdev() completes, where
the device is present and fix_features() can actually work.
This is not a pretty solution, as it results in an additional features
update call (register_netdevice() already calls
__netdev_update_features() internally), but it is the simplest,
cleanest, and most robust way I found to fix this issue after multiple
attempts.
This fixes an issue on systems where CQE compression is enabled by
default, RXHASH remains enabled after registration despite the two
features being mutually exclusive.
Fixes: ab4b01bfdaa6 ("net/mlx5e: Verify dev is present for fix features ndo")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260409202852.158059-2-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index cb993ad2d9ad9..a696fb88dbef9 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -6740,6 +6740,14 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
goto err_resume;
}
+ /* mlx5e_fix_features() returns early when the device is not present
+ * to avoid dereferencing cleared priv during profile changes.
+ * This also causes it to be a no-op during register_netdev(), where
+ * the device is not yet present.
+ * Trigger an additional features update that will actually work.
+ */
+ mlx5e_update_features(netdev);
+
mlx5e_dcbnl_init_app(priv);
mlx5_core_uplink_netdev_set(mdev, netdev);
mlx5e_params_print_info(mdev, &priv->channels.params);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 172/957] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 171/957] net/mlx5e: Fix features not applied during netdev registration Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 173/957] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
` (790 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Jianbo Liu,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit edccdd1eb94712da97a6ce71123ec27890add754 ]
The do-while poll loop uses jiffies for its timeout:
expires = jiffies + msecs_to_jiffies(10);
jiffies is sampled at an arbitrary point within the current tick, so the
first partial tick contributes anywhere from a full tick down to nearly
zero real time. For small msecs_to_jiffies() results this is
significant, the effective poll window can be much shorter than the
requested 10ms, and in the worst case the loop exits after a single
iteration (e.g., when HZ=100), well before the device has delivered the
CQE.
Replace the loop with read_poll_timeout_atomic(), which counts elapsed
time via udelay() accounting rather than jiffies, guaranteeing the full
poll window regardless of HZ.
Additionally, read_poll_timeout_atomic() executes the poll operation one
more time after the timeout has expired, giving the CQE a final chance
to be detected. The old do-while loop could exit without a final poll if
the timeout expired during the udelay() between iterations.
Fixes: 76e463f6508b ("net/mlx5e: Overcome slow response for first IPsec ASO WQE")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260409202852.158059-3-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/en_accel/ipsec_offload.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
index e0611fa827971..9e9e18f5dbc9b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
@@ -1,6 +1,8 @@
// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
/* Copyright (c) 2017, Mellanox Technologies inc. All rights reserved. */
+#include <linux/iopoll.h>
+
#include "mlx5_core.h"
#include "en.h"
#include "ipsec.h"
@@ -592,7 +594,6 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
struct mlx5_wqe_aso_ctrl_seg *ctrl;
struct mlx5e_hw_objs *res;
struct mlx5_aso_wqe *wqe;
- unsigned long expires;
u8 ds_cnt;
int ret;
@@ -614,13 +615,8 @@ int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
mlx5e_ipsec_aso_copy(ctrl, data);
mlx5_aso_post_wqe(aso->aso, false, &wqe->ctrl);
- expires = jiffies + msecs_to_jiffies(10);
- do {
- ret = mlx5_aso_poll_cq(aso->aso, false);
- if (ret)
- /* We are in atomic context */
- udelay(10);
- } while (ret && time_is_after_jiffies(expires));
+ read_poll_timeout_atomic(mlx5_aso_poll_cq, ret, !ret, 10,
+ 10 * USEC_PER_MSEC, false, aso->aso, false);
if (!ret)
memcpy(sa_entry->ctx, aso->ctx, MLX5_ST_SZ_BYTES(ipsec_aso));
spin_unlock_bh(&aso->lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 173/957] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 172/957] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 174/957] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
` (789 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+619b9ef527f510a57cfc,
Sun Jian, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sun Jian <sun.jian.kdev@gmail.com>
[ Upstream commit 12bec2bd4b76d81c5d3996bd14ec1b7f4d983747 ]
bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.
For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.
Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.
Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.
Fixes: fa5cb548ced6 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Link: https://lore.kernel.org/r/20260408034623.180320-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 65d7f8d51823e..963fee5d01e24 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1057,19 +1057,23 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
switch (skb->protocol) {
case htons(ETH_P_IP):
- sk->sk_family = AF_INET;
- if (sizeof(struct iphdr) <= skb_headlen(skb)) {
- sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
- sk->sk_daddr = ip_hdr(skb)->daddr;
+ if (skb_headlen(skb) < sizeof(struct iphdr)) {
+ ret = -EINVAL;
+ goto out;
}
+ sk->sk_family = AF_INET;
+ sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
+ sk->sk_daddr = ip_hdr(skb)->daddr;
break;
#if IS_ENABLED(CONFIG_IPV6)
case htons(ETH_P_IPV6):
- sk->sk_family = AF_INET6;
- if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
- sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
- sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
+ if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {
+ ret = -EINVAL;
+ goto out;
}
+ sk->sk_family = AF_INET6;
+ sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
+ sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
break;
#endif
default:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 174/957] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 173/957] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 175/957] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
` (788 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Paul Menzel,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 15bf35a660eb82a49f8397fc3d3acada8dae13db ]
The code was printing skb->len and sdu_len in the places where it should
be sdu_len and chan->imtu respectively to match the if conditions.
Link: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06
Fixes: e1d9a6688986 ("Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 29e23f20dc438..7664723a34d0a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6733,7 +6733,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (sdu_len > chan->imtu) {
BT_ERR("Too big LE L2CAP SDU length: len %u > %u",
- skb->len, sdu_len);
+ sdu_len, chan->imtu);
l2cap_send_disconn_req(chan, ECONNRESET);
err = -EMSGSIZE;
goto failed;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 175/957] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 174/957] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 176/957] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
` (787 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Rissanen,
Luiz Augusto von Dentz, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Rissanen <jonathan.rissanen@axis.com>
[ Upstream commit 68d39ea5e0adc9ecaea1ce8abd842ec972eb8718 ]
When hci_register_dev() fails in hci_uart_register_dev()
HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu)
and setting hu->hdev to NULL. This means incoming UART data will reach
the protocol-specific recv handler in hci_uart_tty_receive() after
resources are freed.
Clear HCI_UART_PROTO_INIT with a write lock before calling
hu->proto->close() and setting hu->hdev to NULL. The write lock ensures
all active readers have completed and no new reader can enter the
protocol recv path before resources are freed.
This allows the protocol-specific recv functions to remove the
"HCI_UART_REGISTERED" guard without risking a null pointer dereference
if hci_register_dev() fails.
Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
Signed-off-by: Jonathan Rissanen <jonathan.rissanen@axis.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ldisc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 2b28515de92c4..5455990ab211e 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -692,6 +692,9 @@ static int hci_uart_register_dev(struct hci_uart *hu)
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+ percpu_down_write(&hu->proto_lock);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 176/957] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 175/957] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
@ 2026-05-20 16:10 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 177/957] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
` (786 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 5c7209a341ff2ac338b2b0375c34a307b37c9ac2 ]
When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.
Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.
Fix by holding the lock.
Fixes: 70c464256310 ("Bluetooth: Refactor connection request handling")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6f77ab2629d65..b6b52b81b7b9c 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3309,8 +3309,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
memcpy(conn->dev_class, ev->dev_class, 3);
- hci_dev_unlock(hdev);
-
if (ev->link_type == ACL_LINK ||
(!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
struct hci_cp_accept_conn_req cp;
@@ -3344,7 +3342,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
hci_connect_cfm(conn, 0);
}
- return;
unlock:
hci_dev_unlock(hdev);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 177/957] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-05-20 16:10 ` [PATCH 6.18 176/957] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 178/957] Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec Greg Kroah-Hartman
` (785 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Luiz Augusto von Dentz,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit 42776497cdbc9a665b384a6dcb85f0d4bd927eab ]
l2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding
l2cap_chan_lock(). Every other l2cap_chan_del() caller in the file
acquires the lock first. A remote BLE device can send a crafted
L2CAP ECRED reconfiguration response to corrupt the channel list
while another thread is iterating it.
Add l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),
and l2cap_chan_unlock() and l2cap_chan_put() after, matching the
pattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7664723a34d0a..bcb13ce531099 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5473,7 +5473,13 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
if (chan->ident != cmd->ident)
continue;
+ l2cap_chan_hold(chan);
+ l2cap_chan_lock(chan);
+
l2cap_chan_del(chan, ECONNRESET);
+
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
}
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 178/957] Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 177/957] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 179/957] net: phy: qcom: at803x: Use the correct bit to disable extended next page Greg Kroah-Hartman
` (784 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj,
Luiz Augusto von Dentz, Luiz Augusto von Dentz, Marcel Holtmann,
David Wei, linux-bluetooth, linux-kernel, Stefan Metzmacher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit 4e10a9ebbf081c16517cdd9366ac618bf38d7d0c ]
copy_struct_from_sockptr() fill 'buffer' in
sco_sock_setsockopt() with zeros, so there's no
real problem.
But it actually looks strange to do this,
without checking all of codecs->codecs[0]
really comes from userspace:
sco_pi(sk)->codec = codecs->codecs[0];
As only optlen < sizeof(struct bt_codecs) is checked
and codecs->num_codecs is not checked against != 1,
but only <= 1, and the space for the additional struct bt_codec
is not checked.
Note I don't understand bluetooth and I didn't do any runtime
tests with this! I just found it when debugging a problem
in copy_struct_from_sockptr().
I just added this to check the size is as expected:
BUILD_BUG_ON(struct_size(codecs, codecs, 0) != 1);
BUILD_BUG_ON(struct_size(codecs, codecs, 1) != 8);
And made sure it still compiles using this:
make CF=-D__CHECK_ENDIAN__ W=1ce C=1 net/bluetooth/sco.o
Fixes: 3e643e4efa1e ("Bluetooth: Improve setsockopt() handling of malformed user input")
Cc: Michal Luczaj <mhal@rbox.co>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: David Wei <dw@davidwei.uk>
Cc: linux-bluetooth@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/sco.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 1a38577135d44..9404fdb10ea63 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -1045,7 +1045,8 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
codecs = (void *)buffer;
- if (codecs->num_codecs > 1) {
+ if (codecs->num_codecs != 1 ||
+ optlen < struct_size(codecs, codecs, codecs->num_codecs)) {
hci_dev_put(hdev);
err = -EINVAL;
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 179/957] net: phy: qcom: at803x: Use the correct bit to disable extended next page
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 178/957] Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 180/957] udp: Force compute_score to always inline Greg Kroah-Hartman
` (783 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
[ Upstream commit e7a62edd34b1b4bc5f979988efc2f81c075733fd ]
As noted in the blamed commit, the AR8035 and other PHYs from this
family advertise the Extended Next Page support by default, which may be
understood by some partners as this PHY being multi-gig capable.
The fix is to disable XNP advertising, which is done by setting bit 12
of the Auto-Negotiation Advertisement Register (MII_ADVERTISE).
The blamed commit incorrectly uses MDIO_AN_CTRL1_XNP, which is bit 13 as per
802.3 : 45.2.7.1 AN control register (Register 7.0)
BIT 12 in MII_ADVERTISE is wrapped by ADVERTISE_RESV, used by some
drivers such as the aquantia one. 802.3 Clause 28 defines bit 12 as
Extended Next Page ability, at least in recent versions of the standard.
Let's add a define for it and use it in the at803x driver.
Fixes: 3c51fa5d2afe ("net: phy: ar803x: disable extended next page bit")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260410171021.1277138-1-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/qcom/at803x.c | 2 +-
include/uapi/linux/mii.h | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/qcom/at803x.c b/drivers/net/phy/qcom/at803x.c
index 338acd11a9b65..023c1fe0cd14b 100644
--- a/drivers/net/phy/qcom/at803x.c
+++ b/drivers/net/phy/qcom/at803x.c
@@ -524,7 +524,7 @@ static int at803x_config_init(struct phy_device *phydev)
* behaviour but we still need to accommodate it. XNP is only needed
* for 10Gbps support, so disable XNP.
*/
- return phy_modify(phydev, MII_ADVERTISE, MDIO_AN_CTRL1_XNP, 0);
+ return phy_modify(phydev, MII_ADVERTISE, ADVERTISE_XNP, 0);
}
static void at803x_link_change_notify(struct phy_device *phydev)
diff --git a/include/uapi/linux/mii.h b/include/uapi/linux/mii.h
index 39f7c44baf535..61d6edad4b94a 100644
--- a/include/uapi/linux/mii.h
+++ b/include/uapi/linux/mii.h
@@ -82,7 +82,8 @@
#define ADVERTISE_100BASE4 0x0200 /* Try for 100mbps 4k packets */
#define ADVERTISE_PAUSE_CAP 0x0400 /* Try for pause */
#define ADVERTISE_PAUSE_ASYM 0x0800 /* Try for asymetric pause */
-#define ADVERTISE_RESV 0x1000 /* Unused... */
+#define ADVERTISE_XNP 0x1000 /* Extended Next Page */
+#define ADVERTISE_RESV ADVERTISE_XNP /* Used to be reserved */
#define ADVERTISE_RFAULT 0x2000 /* Say we can detect faults */
#define ADVERTISE_LPACK 0x4000 /* Ack link partners response */
#define ADVERTISE_NPAGE 0x8000 /* Next page bit */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 180/957] udp: Force compute_score to always inline
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 179/957] net: phy: qcom: at803x: Use the correct bit to disable extended next page Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 181/957] tcp: Dont set treq->req_usec_ts in cookie_tcp_reqsk_init() Greg Kroah-Hartman
` (782 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Willem de Bruijn,
Gabriel Krisman Bertazi, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi <krisman@suse.de>
[ Upstream commit b80a95ccf1604a882bb153c45ccb4056e44c8edb ]
Back in 2024 I reported a 7-12% regression on an iperf3 UDP loopback
thoughput test that we traced to the extra overhead of calling
compute_score on two places, introduced by commit f0ea27e7bfe1 ("udp:
re-score reuseport groups when connected sockets are present"). At the
time, I pointed out the overhead was caused by the multiple calls,
associated with cpu-specific mitigations, and merged commit
50aee97d1511 ("udp: Avoid call to compute_score on multiple sites") to
jump back explicitly, to force the rescore call in a single place.
Recently though, we got another regression report against a newer distro
version, which a team colleague traced back to the same root-cause.
Turns out that once we updated to gcc-13, the compiler got smart enough
to unroll the loop, undoing my previous mitigation. Let's bite the
bullet and __always_inline compute_score on both ipv4 and ipv6 to
prevent gcc from de-optimizing it again in the future. These functions
are only called in two places each, udpX_lib_lookup1 and
udpX_lib_lookup2, so the extra size shouldn't be a problem and it is hot
enough to be very visible in profilings. In fact, with gcc13, forcing
the inline will prevent gcc from unrolling the fix from commit
50aee97d1511, so we don't end up increasing udpX_lib_lookup2 at all.
I haven't recollected the results myself, as I don't have access to the
machine at the moment. But the same colleague reported 4.67%
inprovement with this patch in the loopback benchmark, solving the
regression report within noise margins.
Eric Dumazet reported no size change to vmlinux when built with clang.
I report the same also with gcc-13:
scripts/bloat-o-meter vmlinux vmlinux-inline
add/remove: 0/2 grow/shrink: 4/0 up/down: 616/-416 (200)
Function old new delta
udp6_lib_lookup2 762 949 +187
__udp6_lib_lookup 810 975 +165
udp4_lib_lookup2 757 906 +149
__udp4_lib_lookup 871 986 +115
__pfx_compute_score 32 - -32
compute_score 384 - -384
Total: Before=35011784, After=35011984, chg +0.00%
Fixes: 50aee97d1511 ("udp: Avoid call to compute_score on multiple sites")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Link: https://patch.msgid.link/20260410155936.654915-1-krisman@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp.c | 12 ++++++------
net/ipv6/udp.c | 13 +++++++------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index de0deded74f0a..a55642a42e82f 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -365,10 +365,10 @@ int udp_v4_get_port(struct sock *sk, unsigned short snum)
return udp_lib_get_port(sk, snum, hash2_nulladdr);
}
-static int compute_score(struct sock *sk, const struct net *net,
- __be32 saddr, __be16 sport,
- __be32 daddr, unsigned short hnum,
- int dif, int sdif)
+static __always_inline int
+compute_score(struct sock *sk, const struct net *net,
+ __be32 saddr, __be16 sport, __be32 daddr,
+ unsigned short hnum, int dif, int sdif)
{
int score;
struct inet_sock *inet;
@@ -508,8 +508,8 @@ static struct sock *udp4_lib_lookup2(const struct net *net,
continue;
/* compute_score is too long of a function to be
- * inlined, and calling it again here yields
- * measurable overhead for some
+ * inlined twice here, and calling it uninlined
+ * here yields measurable overhead for some
* workloads. Work around it by jumping
* backwards to rescore 'result'.
*/
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 813a2ba75824d..d47b4f5ac8705 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -127,10 +127,11 @@ void udp_v6_rehash(struct sock *sk)
udp_lib_rehash(sk, new_hash, new_hash4);
}
-static int compute_score(struct sock *sk, const struct net *net,
- const struct in6_addr *saddr, __be16 sport,
- const struct in6_addr *daddr, unsigned short hnum,
- int dif, int sdif)
+static __always_inline int
+compute_score(struct sock *sk, const struct net *net,
+ const struct in6_addr *saddr, __be16 sport,
+ const struct in6_addr *daddr, unsigned short hnum,
+ int dif, int sdif)
{
int bound_dev_if, score;
struct inet_sock *inet;
@@ -260,8 +261,8 @@ static struct sock *udp6_lib_lookup2(const struct net *net,
continue;
/* compute_score is too long of a function to be
- * inlined, and calling it again here yields
- * measurable overhead for some
+ * inlined twice here, and calling it uninlined
+ * here yields measurable overhead for some
* workloads. Work around it by jumping
* backwards to rescore 'result'.
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 181/957] tcp: Dont set treq->req_usec_ts in cookie_tcp_reqsk_init().
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 180/957] udp: Force compute_score to always inline Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 182/957] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
` (781 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit c058bbf05b1197c33df7204842665bd8bc70b3a8 ]
Commit de5626b95e13 ("tcp: Factorise cookie-independent fields
initialisation in cookie_v[46]_check().") miscategorised
tcp_rsk(req)->req_usec_ts init to cookie_tcp_reqsk_init(),
which is used by both BPF/non-BPF SYN cookie reqsk.
Rather, it should have been moved to cookie_tcp_reqsk_alloc() by
commit 8e7bab6b9652 ("tcp: Factorise cookie-dependent fields
initialisation in cookie_v[46]_check()") so that only non-BPF SYN
cookie sets tcp_rsk(req)->req_usec_ts to false.
Let's move the initialisation to cookie_tcp_reqsk_alloc() to
respect bpf_tcp_req_attrs.usec_ts_ok.
Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260410235328.1773449-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/syncookies.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index fc3affd9c8014..b5f0a65c67864 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -286,7 +286,6 @@ static int cookie_tcp_reqsk_init(struct sock *sk, struct sk_buff *skb,
treq->rcv_isn = ntohl(th->seq) - 1;
treq->snt_isn = ntohl(th->ack_seq) - 1;
treq->syn_tos = TCP_SKB_CB(skb)->ip_dsfield;
- treq->req_usec_ts = false;
#if IS_ENABLED(CONFIG_MPTCP)
treq->is_mptcp = sk_is_mptcp(sk);
@@ -349,6 +348,7 @@ struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
ireq->wscale_ok = tcp_opt->wscale_ok;
ireq->ecn_ok = !!(tcp_opt->rcv_tsecr & TS_OPT_ECN);
+ treq->req_usec_ts = false;
treq->ts_off = tsoff;
return req;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 182/957] sctp: fix missing encap_port propagation for GSO fragments
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 181/957] tcp: Dont set treq->req_usec_ts in cookie_tcp_reqsk_init() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 183/957] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
` (780 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit bf6f95ae3b8b2638c0e1d6d802d50983ce5d0f45 ]
encap_port in SCTP_INPUT_CB(skb) is used by sctp_vtag_verify() for
SCTP-over-UDP processing. In the GSO case, it is only set on the head
skb, while fragment skbs leave it 0.
This results in fragment skbs seeing encap_port == 0, breaking
SCTP-over-UDP connections.
Fix it by propagating encap_port from the head skb cb when initializing
fragment skbs in sctp_inq_pop().
Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/ea65ed61b3598d8b4940f0170b9aa1762307e6c3.1776017631.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/inqueue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index f5a7d5a387555..a024c08432471 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -201,6 +201,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
cb->chunk = head_cb->chunk;
cb->af = head_cb->af;
+ cb->encap_port = head_cb->encap_port;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 183/957] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 182/957] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 184/957] net: airoha: Add missing PPE configurations in airoha_ppe_hw_init() Greg Kroah-Hartman
` (779 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+80e046b8da2820b6ba73,
Daniel Borkmann, Jiayuan Chen, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 1921f91298d1388a0bb9db8f83800c998b649cb3 ]
syzkaller reported a kernel panic in bond_rr_gen_slave_id() reached via
xdp_master_redirect(). Full decoded trace:
https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba73
bond_rr_gen_slave_id() dereferences bond->rr_tx_counter, a per-CPU
counter that bonding only allocates in bond_open() when the mode is
round-robin. If the bond device was never brought up, rr_tx_counter
stays NULL.
The XDP redirect path can still reach that code on a bond that was
never opened: bpf_master_redirect_enabled_key is a global static key,
so as soon as any bond device has native XDP attached, the
XDP_TX -> xdp_master_redirect() interception is enabled for every
slave system-wide. The path xdp_master_redirect() ->
bond_xdp_get_xmit_slave() -> bond_xdp_xmit_roundrobin_slave_get() ->
bond_rr_gen_slave_id() then runs against a bond that has no
rr_tx_counter and crashes.
Fix this in the generic xdp_master_redirect() by refusing to call into
the master's ->ndo_xdp_get_xmit_slave() when the master device is not
up. IFF_UP is only set after ->ndo_open() has successfully returned,
so this reliably excludes masters whose XDP state has not been fully
initialized. Drop the frame with XDP_ABORTED so the exception is
visible via trace_xdp_exception() rather than silently falling through.
This is not specific to bonding: any current or future master that
defers XDP state allocation to ->ndo_open() is protected.
Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
Reported-by: syzbot+80e046b8da2820b6ba73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698f84c6.a70a0220.2c38d7.00cc.GAE@google.com/T/
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260411005524.201200-2-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 3d4bf4d2a1a4b..7fc01474c3781 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4385,6 +4385,8 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
struct net_device *master, *slave;
master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
+ if (unlikely(!(master->flags & IFF_UP)))
+ return XDP_ABORTED;
slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
if (slave && slave != xdp->rxq->dev) {
/* The target device is different from the receiving device, so
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 184/957] net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 183/957] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 185/957] selftests/futex: Fix incorrect result reporting of futex_requeue test item Greg Kroah-Hartman
` (778 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit b9d8b856689d2b968495d79fe653d87fcb8ad98c ]
Add the following PPE configuration in airoha_ppe_hw_init routine:
- 6RD hw offloading is currently not supported by Netfilter flowtable.
Disable explicitly PPE 6RD offloading in order to prevent PPE to learn
6RD flows and eventually interrupt the traffic.
- Add missing PPE bind rate configuration for L3 and L2 traffic.
PPE bind rate configuration specifies the pps threshold to move a PPE
entry state from UNBIND to BIND. Without this configuration this value
is random.
- Set ageing thresholds to the values used in the vendor SDK in order to
improve connection stability under load and avoid packet loss caused by
fast aging.
Fixes: 00a7678310fe3 ("net: airoha: Introduce flowtable offload support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260412-airoha_ppe_hw_init-missing-bits-v1-1-06ac670819e3@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_ppe.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 4ed244557065d..81a7056e3510a 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -83,13 +83,13 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
airoha_fe_rmw(eth, REG_PPE_BND_AGE0(i),
PPE_BIND_AGE0_DELTA_NON_L4 |
PPE_BIND_AGE0_DELTA_UDP,
- FIELD_PREP(PPE_BIND_AGE0_DELTA_NON_L4, 1) |
- FIELD_PREP(PPE_BIND_AGE0_DELTA_UDP, 12));
+ FIELD_PREP(PPE_BIND_AGE0_DELTA_NON_L4, 60) |
+ FIELD_PREP(PPE_BIND_AGE0_DELTA_UDP, 60));
airoha_fe_rmw(eth, REG_PPE_BND_AGE1(i),
PPE_BIND_AGE1_DELTA_TCP_FIN |
PPE_BIND_AGE1_DELTA_TCP,
FIELD_PREP(PPE_BIND_AGE1_DELTA_TCP_FIN, 1) |
- FIELD_PREP(PPE_BIND_AGE1_DELTA_TCP, 7));
+ FIELD_PREP(PPE_BIND_AGE1_DELTA_TCP, 60));
airoha_fe_rmw(eth, REG_PPE_TB_HASH_CFG(i),
PPE_SRAM_TABLE_EN_MASK |
@@ -111,7 +111,15 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
FIELD_PREP(PPE_TB_CFG_SEARCH_MISS_MASK, 3) |
FIELD_PREP(PPE_TB_ENTRY_SIZE_MASK, 0));
+ airoha_fe_rmw(eth, REG_PPE_BIND_RATE(i),
+ PPE_BIND_RATE_L2B_BIND_MASK |
+ PPE_BIND_RATE_BIND_MASK,
+ FIELD_PREP(PPE_BIND_RATE_L2B_BIND_MASK, 0x1e) |
+ FIELD_PREP(PPE_BIND_RATE_BIND_MASK, 0x1e));
+
airoha_fe_wr(eth, REG_PPE_HASH_SEED(i), PPE_HASH_SEED);
+ airoha_fe_clear(eth, REG_PPE_PPE_FLOW_CFG(i),
+ PPE_FLOW_CFG_IP6_6RD_MASK);
for (p = 0; p < ARRAY_SIZE(eth->ports); p++)
airoha_fe_rmw(eth, REG_PPE_MTU(i, p),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 185/957] selftests/futex: Fix incorrect result reporting of futex_requeue test item
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 184/957] net: airoha: Add missing PPE configurations in airoha_ppe_hw_init() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 186/957] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
` (777 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuwen Chen, Thomas Gleixner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuwen Chen <ywen.chen@foxmail.com>
[ Upstream commit d317e2ef9dcf673c9f37cda784284af7c6812757 ]
When using the TEST_HARNESS_MAIN macro definition to declare the main
function, it is required to use the EXPECT*() and ASSERT*() macros in
conjunction and not ksft_test_result_*(). Otherwise, even if a test item
fails, the test will still return a success result because
ksft_test_result_*() does not affect the test harness state.
Convert the code to use EXPECT/ASSERT() variants, which ensures that the
overall test result is fail if one of the EXPECT()s fails.
[ tglx: Massaged change log to explain _why_ ksft_test_result*() is the wrong
choice ]
Fixes: f341a20f6d7e ("selftests/futex: Refactor futex_requeue with kselftest_harness.h")
Signed-off-by: Yuwen Chen <ywen.chen@foxmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/tencent_51851B741CC4B5EC9C22AFF70BA82BB60805@qq.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../futex/functional/futex_requeue.c | 49 +++----------------
1 file changed, 8 insertions(+), 41 deletions(-)
diff --git a/tools/testing/selftests/futex/functional/futex_requeue.c b/tools/testing/selftests/futex/functional/futex_requeue.c
index 69e2555b60399..d6be3fbd436a4 100644
--- a/tools/testing/selftests/futex/functional/futex_requeue.c
+++ b/tools/testing/selftests/futex/functional/futex_requeue.c
@@ -34,34 +34,18 @@ TEST(requeue_single)
volatile futex_t _f1 = 0;
volatile futex_t f2 = 0;
pthread_t waiter[10];
- int res;
f1 = &_f1;
/*
* Requeue a waiter from f1 to f2, and wake f2.
*/
- if (pthread_create(&waiter[0], NULL, waiterfn, NULL))
- ksft_exit_fail_msg("pthread_create failed\n");
+ ASSERT_EQ(0, pthread_create(&waiter[0], NULL, waiterfn, NULL));
usleep(WAKE_WAIT_US);
- ksft_print_dbg_msg("Requeuing 1 futex from f1 to f2\n");
- res = futex_cmp_requeue(f1, 0, &f2, 0, 1, 0);
- if (res != 1)
- ksft_test_result_fail("futex_requeue simple returned: %d %s\n",
- res ? errno : res,
- res ? strerror(errno) : "");
-
- ksft_print_dbg_msg("Waking 1 futex at f2\n");
- res = futex_wake(&f2, 1, 0);
- if (res != 1) {
- ksft_test_result_fail("futex_requeue simple returned: %d %s\n",
- res ? errno : res,
- res ? strerror(errno) : "");
- } else {
- ksft_test_result_pass("futex_requeue simple succeeds\n");
- }
+ EXPECT_EQ(1, futex_cmp_requeue(f1, 0, &f2, 0, 1, 0));
+ EXPECT_EQ(1, futex_wake(&f2, 1, 0));
}
TEST(requeue_multiple)
@@ -69,7 +53,7 @@ TEST(requeue_multiple)
volatile futex_t _f1 = 0;
volatile futex_t f2 = 0;
pthread_t waiter[10];
- int res, i;
+ int i;
f1 = &_f1;
@@ -77,30 +61,13 @@ TEST(requeue_multiple)
* Create 10 waiters at f1. At futex_requeue, wake 3 and requeue 7.
* At futex_wake, wake INT_MAX (should be exactly 7).
*/
- for (i = 0; i < 10; i++) {
- if (pthread_create(&waiter[i], NULL, waiterfn, NULL))
- ksft_exit_fail_msg("pthread_create failed\n");
- }
+ for (i = 0; i < 10; i++)
+ ASSERT_EQ(0, pthread_create(&waiter[i], NULL, waiterfn, NULL));
usleep(WAKE_WAIT_US);
- ksft_print_dbg_msg("Waking 3 futexes at f1 and requeuing 7 futexes from f1 to f2\n");
- res = futex_cmp_requeue(f1, 0, &f2, 3, 7, 0);
- if (res != 10) {
- ksft_test_result_fail("futex_requeue many returned: %d %s\n",
- res ? errno : res,
- res ? strerror(errno) : "");
- }
-
- ksft_print_dbg_msg("Waking INT_MAX futexes at f2\n");
- res = futex_wake(&f2, INT_MAX, 0);
- if (res != 7) {
- ksft_test_result_fail("futex_requeue many returned: %d %s\n",
- res ? errno : res,
- res ? strerror(errno) : "");
- } else {
- ksft_test_result_pass("futex_requeue many succeeds\n");
- }
+ EXPECT_EQ(10, futex_cmp_requeue(f1, 0, &f2, 3, 7, 0));
+ EXPECT_EQ(7, futex_wake(&f2, INT_MAX, 0));
}
TEST_HARNESS_MAIN
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 186/957] drm/komeda: fix integer overflow in AFBC framebuffer size check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 185/957] selftests/futex: Fix incorrect result reporting of futex_requeue test item Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 187/957] drm/virtio: Allow importing prime buffers when 3D is enabled Greg Kroah-Hartman
` (776 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Konyukhov, Liviu Dudau,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
[ Upstream commit 779ec12c85c9e4547519e3903a371a3b26a289de ]
The AFBC framebuffer size validation calculates the minimum required
buffer size by adding the AFBC payload size to the framebuffer offset.
This addition is performed without checking for integer overflow.
If the addition oveflows, the size check may incorrectly succed and
allow userspace to provide an undersized drm_gem_object, potentially
leading to out-of-bounds memory access.
Add usage of check_add_overflow() to safely compute the minimum
required size and reject the framebuffer if an overflow is detected.
This makes the AFBC size validation more robust against malformed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://lore.kernel.org/r/20260203134907.1587067-1-Alexander.Konyukhov@kaspersky.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
index 901f938aefe08..e4b7e2a89d044 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
@@ -4,6 +4,8 @@
* Author: James.Qian.Wang <james.qian.wang@arm.com>
*
*/
+#include <linux/overflow.h>
+
#include <drm/drm_device.h>
#include <drm/drm_fb_dma_helper.h>
#include <drm/drm_gem.h>
@@ -92,7 +94,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
kfb->afbc_size = kfb->offset_payload + n_blocks *
ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
AFBC_SUPERBLK_ALIGNMENT);
- min_size = kfb->afbc_size + fb->offsets[0];
+ if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
+ goto check_failed;
+ }
if (min_size > obj->size) {
DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
obj->size, min_size);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 187/957] drm/virtio: Allow importing prime buffers when 3D is enabled
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 186/957] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 188/957] ASoC: soc-compress: use function to clear symmetric params Greg Kroah-Hartman
` (775 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Osipenko,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@invisiblethingslab.com>
[ Upstream commit df4dc947c46bb9f80038f52c6e38cb2d40c10e50 ]
This functionality was added for using a KMS-only virtgpu with a physical
(or SR-IOV) headless GPU in passthrough, but it should not be restricted
to KMS-only mode. It can be used with cross-domain to pass guest memfds
to the host compositor with zero copies (using udmabuf on both sides).
Drop the check for the absence of virgl_3d to allow for more use cases.
Fixes: ca77f27a2665 ("drm/virtio: Import prime buffers from other devices as guest blobs")
Signed-off-by: Val Packett <val@invisiblethingslab.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: https://patch.msgid.link/20251210154755.1119861-2-val@invisiblethingslab.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/virtio/virtgpu_prime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/virtio/virtgpu_prime.c b/drivers/gpu/drm/virtio/virtgpu_prime.c
index ce49282198cbf..2fedd5d3bd62c 100644
--- a/drivers/gpu/drm/virtio/virtgpu_prime.c
+++ b/drivers/gpu/drm/virtio/virtgpu_prime.c
@@ -312,7 +312,7 @@ struct drm_gem_object *virtgpu_gem_prime_import(struct drm_device *dev,
}
}
- if (!vgdev->has_resource_blob || vgdev->has_virgl_3d)
+ if (!vgdev->has_resource_blob)
return drm_gem_prime_import(dev, buf);
bo = kzalloc(sizeof(*bo), GFP_KERNEL);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 188/957] ASoC: soc-compress: use function to clear symmetric params
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 187/957] drm/virtio: Allow importing prime buffers when 3D is enabled Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 189/957] PCI/TPH: Allow TPH enable for RCiEPs Greg Kroah-Hartman
` (774 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Kuninori Morimoto,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 07c774dd64ba0c605dbf844132122e3edbdbea93 ]
Current soc-compress.c clears symmetric_rate, but it clears rate only,
not clear other symmetric_channels/sample_bits.
static int soc_compr_clean(...)
{
...
if (!snd_soc_dai_active(cpu_dai))
=> cpu_dai->symmetric_rate = 0;
if (!snd_soc_dai_active(codec_dai))
=> codec_dai->symmetric_rate = 0;
...
};
This feature was added when v3.7 kernel [1], and there was only
symmetric_rate, no symmetric_channels/sample_bits in that timing.
symmetric_channels/sample_bits were added in v3.14 [2],
but I guess it didn't notice that soc-compress.c is updating symmetric_xxx.
We are clearing symmetry_xxx by soc_pcm_set_dai_params(), but is soc-pcm.c
local function. Makes it global function and clear symmetry_xxx by it.
[1] commit 1245b7005de02 ("ASoC: add compress stream support")
[2] commit 3635bf09a89cf ("ASoC: soc-pcm: add symmetry for channels and
sample bits")
Fixes: 3635bf09a89c ("ASoC: soc-pcm: add symmetry for channels and sample bits")
Cc: Nicolin Chen <b42378@freescale.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87ms15e3kv.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/soc.h | 3 +++
sound/soc/soc-compress.c | 4 ++--
sound/soc/soc-pcm.c | 4 ++--
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/include/sound/soc.h b/include/sound/soc.h
index a9c058b06ab42..33968935d00a9 100644
--- a/include/sound/soc.h
+++ b/include/sound/soc.h
@@ -1414,6 +1414,9 @@ struct snd_soc_dai *snd_soc_find_dai(
struct snd_soc_dai *snd_soc_find_dai_with_mutex(
const struct snd_soc_dai_link_component *dlc);
+void soc_pcm_set_dai_params(struct snd_soc_dai *dai,
+ struct snd_pcm_hw_params *params);
+
#include <sound/soc-dai.h>
static inline
diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
index 7b81dffc6a935..b8402802ae784 100644
--- a/sound/soc/soc-compress.c
+++ b/sound/soc/soc-compress.c
@@ -69,10 +69,10 @@ static int soc_compr_clean(struct snd_compr_stream *cstream, int rollback)
snd_soc_dai_digital_mute(codec_dai, 1, stream);
if (!snd_soc_dai_active(cpu_dai))
- cpu_dai->symmetric_rate = 0;
+ soc_pcm_set_dai_params(cpu_dai, NULL);
if (!snd_soc_dai_active(codec_dai))
- codec_dai->symmetric_rate = 0;
+ soc_pcm_set_dai_params(codec_dai, NULL);
snd_soc_link_compr_shutdown(cstream, rollback);
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 2c21fd528afd0..99299364c9ba3 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -423,8 +423,8 @@ void dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir, int event)
snd_soc_dapm_stream_event(fe, dir, event);
}
-static void soc_pcm_set_dai_params(struct snd_soc_dai *dai,
- struct snd_pcm_hw_params *params)
+void soc_pcm_set_dai_params(struct snd_soc_dai *dai,
+ struct snd_pcm_hw_params *params)
{
if (params) {
dai->symmetric_rate = params_rate(params);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 189/957] PCI/TPH: Allow TPH enable for RCiEPs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 188/957] ASoC: soc-compress: use function to clear symmetric params Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 190/957] PCI: endpoint: pci-epf-test: Dont free doorbell IRQ unless requested Greg Kroah-Hartman
` (773 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, George Abraham P, Bjorn Helgaas,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Abraham P <george.abraham.p@intel.com>
[ Upstream commit d3e996a596967a62c8a13a279221513461f6ab97 ]
Previously, pcie_enable_tph() only enabled TLP Processing Hints (TPH) if
both the Endpoint and its Root Port advertised TPH support.
Root Complex Integrated Endpoints (RCiEPs) are directly integrated into a
Root Complex and do not have an associated Root Port, so pcie_enable_tph()
never enabled TPH for RCiEPs.
PCIe r7.0 doesn't seem to include a way to learn whether a Root Complex
supports TPH, but sec 2.2.7.1.1 says Functions that lack TPH support should
ignore TPH, and maybe the same is true for Root Complexes:
A Function that does not support the TPH Completer or Routing capability
and receives a transaction with the TH bit [which indicates the presence
of TPH in the TLP header] Set is required to ignore the TH bit and handle
the Request in the same way as Requests of the same transaction type
without the TH bit Set.
Allow drivers to enable TPH for any RCiEP with a TPH Requester Capability.
Fixes: f69767a1ada3 ("PCI: Add TLP Processing Hints (TPH) support")
Signed-off-by: George Abraham P <george.abraham.p@intel.com>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260109052923.1170070-1-george.abraham.p@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/tph.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index cc64f93709a4f..c61456d24f61b 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -397,10 +397,13 @@ int pcie_enable_tph(struct pci_dev *pdev, int mode)
else
pdev->tph_req_type = PCI_TPH_REQ_TPH_ONLY;
- rp_req_type = get_rp_completer_type(pdev);
+ /* Check if the device is behind a Root Port */
+ if (pci_pcie_type(pdev) != PCI_EXP_TYPE_RC_END) {
+ rp_req_type = get_rp_completer_type(pdev);
- /* Final req_type is the smallest value of two */
- pdev->tph_req_type = min(pdev->tph_req_type, rp_req_type);
+ /* Final req_type is the smallest value of two */
+ pdev->tph_req_type = min(pdev->tph_req_type, rp_req_type);
+ }
if (pdev->tph_req_type == PCI_TPH_REQ_DISABLE)
return -EINVAL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 190/957] PCI: endpoint: pci-epf-test: Dont free doorbell IRQ unless requested
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 189/957] PCI/TPH: Allow TPH enable for RCiEPs Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 191/957] PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc Greg Kroah-Hartman
` (772 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Frank Li, Niklas Cassel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit e81fa70179aac6ac3a6636565d5d35968dca3900 ]
pci_epf_test_doorbell_cleanup() unconditionally calls free_irq() for the
doorbell virq, which can trigger "Trying to free already-free IRQ"
warnings when the IRQ was never requested or when request_threaded_irq()
failed.
Move free_irq() out of pci_epf_test_doorbell_cleanup() and invoke it
only after a successful request, so that free_irq() is not called for
an unrequested IRQ.
Fixes: eff0c286aa91 ("PCI: endpoint: pci-epf-test: Add doorbell test support")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Link: https://patch.msgid.link/20260217063856.3759713-3-den@valinux.co.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/functions/pci-epf-test.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
index b05e8db575c35..9bc6d283eae25 100644
--- a/drivers/pci/endpoint/functions/pci-epf-test.c
+++ b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -704,7 +704,6 @@ static void pci_epf_test_doorbell_cleanup(struct pci_epf_test *epf_test)
struct pci_epf_test_reg *reg = epf_test->reg[epf_test->test_reg_bar];
struct pci_epf *epf = epf_test->epf;
- free_irq(epf->db_msg[0].virq, epf_test);
reg->doorbell_bar = cpu_to_le32(NO_BAR);
pci_epf_free_doorbell(epf);
@@ -748,7 +747,7 @@ static void pci_epf_test_enable_doorbell(struct pci_epf_test *epf_test,
&epf_test->db_bar.phys_addr, &offset);
if (ret)
- goto err_doorbell_cleanup;
+ goto err_free_irq;
reg->doorbell_offset = cpu_to_le32(offset);
@@ -758,12 +757,14 @@ static void pci_epf_test_enable_doorbell(struct pci_epf_test *epf_test,
ret = pci_epc_set_bar(epc, epf->func_no, epf->vfunc_no, &epf_test->db_bar);
if (ret)
- goto err_doorbell_cleanup;
+ goto err_free_irq;
status |= STATUS_DOORBELL_ENABLE_SUCCESS;
reg->status = cpu_to_le32(status);
return;
+err_free_irq:
+ free_irq(epf->db_msg[0].virq, epf_test);
err_doorbell_cleanup:
pci_epf_test_doorbell_cleanup(epf_test);
set_status_err:
@@ -783,6 +784,7 @@ static void pci_epf_test_disable_doorbell(struct pci_epf_test *epf_test,
if (bar < BAR_0)
goto set_status_err;
+ free_irq(epf->db_msg[0].virq, epf_test);
pci_epf_test_doorbell_cleanup(epf_test);
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 191/957] PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 190/957] PCI: endpoint: pci-epf-test: Dont free doorbell IRQ unless requested Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 192/957] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
` (771 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Frank Li, Niklas Cassel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit 1cba96c0a795124c3229293ed7b5b5765e66f259 ]
pci_epf_alloc_doorbell() stores the allocated doorbell message array in
epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation
fails, the array is freed but the EPF state may still point to freed
memory.
Clear epf->db_msg and epf->num_db on the MSI allocation failure path so
that later cleanup cannot double-free the array and callers can retry
allocation.
Also return -EBUSY when doorbells have already been allocated to prevent
leaking or overwriting an existing allocation.
Fixes: 1c3b002c6bf6 ("PCI: endpoint: Add RC-to-EP doorbell support using platform MSI controller")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Link: https://patch.msgid.link/20260217063856.3759713-4-den@valinux.co.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/pci-ep-msi.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/pci/endpoint/pci-ep-msi.c b/drivers/pci/endpoint/pci-ep-msi.c
index 1b58357b905fa..ad8a81d6ad773 100644
--- a/drivers/pci/endpoint/pci-ep-msi.c
+++ b/drivers/pci/endpoint/pci-ep-msi.c
@@ -50,6 +50,9 @@ int pci_epf_alloc_doorbell(struct pci_epf *epf, u16 num_db)
return -EINVAL;
}
+ if (epf->db_msg)
+ return -EBUSY;
+
domain = of_msi_map_get_device_domain(epc->dev.parent, 0,
DOMAIN_BUS_PLATFORM_MSI);
if (!domain) {
@@ -79,6 +82,8 @@ int pci_epf_alloc_doorbell(struct pci_epf *epf, u16 num_db)
if (ret) {
dev_err(dev, "Failed to allocate MSI\n");
kfree(msg);
+ epf->db_msg = NULL;
+ epf->num_db = 0;
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 192/957] drm/sun4i: backend: fix error pointer dereference
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 191/957] PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 193/957] PCI: imx6: Fix device node reference leak in imx_pcie_probe() Greg Kroah-Hartman
` (770 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Chen-Yu Tsai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 06277983eca4a31d3c2114fa33d99a6e82484b11 ]
The function drm_atomic_get_plane_state() can return an error pointer
and is not checked for it. Add error pointer check.
Detected by Smatch:
drivers/gpu/drm/sun4i/sun4i_backend.c:496 sun4i_backend_atomic_check() error:
'plane_state' dereferencing possible ERR_PTR()
Fixes: 96180dde23b79 ("drm/sun4i: backend: Add a custom atomic_check for the frontend")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Chen-Yu Tsai <wens@kernel.org>
Link: https://patch.msgid.link/20260217014801.60760-1-ethantidmore06@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun4i_backend.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c
index 2dded3b828df0..0484cc27c97ae 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -490,6 +490,9 @@ static int sun4i_backend_atomic_check(struct sunxi_engine *engine,
drm_for_each_plane_mask(plane, drm, crtc_state->plane_mask) {
struct drm_plane_state *plane_state =
drm_atomic_get_plane_state(state, plane);
+ if (IS_ERR(plane_state))
+ return PTR_ERR(plane_state);
+
struct sun4i_layer_state *layer_state =
state_to_sun4i_layer_state(plane_state);
struct drm_framebuffer *fb = plane_state->fb;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 193/957] PCI: imx6: Fix device node reference leak in imx_pcie_probe()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 192/957] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 194/957] ASoC: SDCA: Update counting of SU/GE DAPM routes Greg Kroah-Hartman
` (769 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Manivannan Sadhasivam,
Frank Li, Richard Zhu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 3b55079d6387805ede687e234d84669aeb0f7e98 ]
In imx_pcie_probe(), of_parse_phandle() returns the device node pointer
with increased refcount. The pointer reference must be dropped by the
caller when it's no longer needed. However, imx_pcie_probe() doesn't drop
the reference, causing reference leak.
Fix this by using the __free(device_node) cleanup handler to drop the
reference when the function goes out of scope.
Fixes: 1df82ec46600 ("PCI: imx: Add workaround for e10728, IMX7d PCIe PLL failure")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Acked-by: Richard Zhu <hongxing.zhu@nxp.com>
Link: https://patch.msgid.link/20260124-pci_imx6-v2-1-acb8d5187683@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pci-imx6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
index 3984c16dbec39..9083658a4287f 100644
--- a/drivers/pci/controller/dwc/pci-imx6.c
+++ b/drivers/pci/controller/dwc/pci-imx6.c
@@ -1619,7 +1619,6 @@ static int imx_pcie_probe(struct platform_device *pdev)
struct device *dev = &pdev->dev;
struct dw_pcie *pci;
struct imx_pcie *imx_pcie;
- struct device_node *np;
struct device_node *node = dev->of_node;
int ret, domain;
u16 val;
@@ -1646,7 +1645,8 @@ static int imx_pcie_probe(struct platform_device *pdev)
pci->pp.ops = &imx_pcie_host_dw_pme_ops;
/* Find the PHY if one is defined, only imx7d uses it */
- np = of_parse_phandle(node, "fsl,imx7d-pcie-phy", 0);
+ struct device_node *np __free(device_node) =
+ of_parse_phandle(node, "fsl,imx7d-pcie-phy", 0);
if (np) {
struct resource res;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 194/957] ASoC: SDCA: Update counting of SU/GE DAPM routes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 193/957] PCI: imx6: Fix device node reference leak in imx_pcie_probe() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 195/957] crypto: inside-secure/eip93 - fix register definition Greg Kroah-Hartman
` (768 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart, Charles Keepax,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.cirrus.com>
[ Upstream commit 1fb720d33eecdb9a90ee340b3000ba378d49f5ca ]
Device Layer Selector Unit's are controlled by a Group Entity control
rather than by the host directly. For the purposes of the ASoC class
driver the number of input routes to the SU is controlled by the number
of options within the Group Entity Selected Mode Control. ie. One valid
DAPM route for each valid route defined in the Group Entity.
Currently the code assumes that a Device Layer SU will have a number of
routes equal to the number of potential sources for the SU. ie. it
counts the routes using the SU, but then creates the routes using the
GE. However, this isn't actually true, it is perfectly allowed for the
GE to only define options for some of the potential sources of the SU.o
In such a case the number of routes return will not match those created,
leading to either an overflow of the routes array or undefined routes to
be past to the ASoC core, both of which generally lead to the sound card
failing to probe.
Update the handling for the counting of routes to count the connected
routes on the GE itself and then ignore the source routes on the SU.
This makes it match the logic generating the routes and ensuring that
both remain in sync.
Fixes: 2c8b3a8e6aa8 ("ASoC: SDCA: Create DAPM widgets and routes from DisCo")
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260225140118.402695-3-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sdca/sdca_asoc.c | 41 +++++++++++++++++++++++++++++++-------
1 file changed, 34 insertions(+), 7 deletions(-)
diff --git a/sound/soc/sdca/sdca_asoc.c b/sound/soc/sdca/sdca_asoc.c
index 197a592ec2f16..523ea9a2c5f42 100644
--- a/sound/soc/sdca/sdca_asoc.c
+++ b/sound/soc/sdca/sdca_asoc.c
@@ -51,6 +51,25 @@ static bool readonly_control(struct sdca_control *control)
return control->has_fixed || control->mode == SDCA_ACCESS_MODE_RO;
}
+static int ge_count_routes(struct sdca_entity *entity)
+{
+ int count = 0;
+ int i, j;
+
+ for (i = 0; i < entity->ge.num_modes; i++) {
+ struct sdca_ge_mode *mode = &entity->ge.modes[i];
+
+ for (j = 0; j < mode->num_controls; j++) {
+ struct sdca_ge_control *affected = &mode->controls[j];
+
+ if (affected->sel != SDCA_CTL_SU_SELECTOR || affected->val)
+ count++;
+ }
+ }
+
+ return count;
+}
+
/**
* sdca_asoc_count_component - count the various component parts
* @dev: Pointer to the device against which allocations will be done.
@@ -74,6 +93,7 @@ int sdca_asoc_count_component(struct device *dev, struct sdca_function_data *fun
int *num_widgets, int *num_routes, int *num_controls,
int *num_dais)
{
+ struct sdca_control *control;
int i, j;
*num_widgets = function->num_entities - 1;
@@ -83,6 +103,7 @@ int sdca_asoc_count_component(struct device *dev, struct sdca_function_data *fun
for (i = 0; i < function->num_entities - 1; i++) {
struct sdca_entity *entity = &function->entities[i];
+ bool skip_primary_routes = false;
/* Add supply/DAI widget connections */
switch (entity->type) {
@@ -96,6 +117,17 @@ int sdca_asoc_count_component(struct device *dev, struct sdca_function_data *fun
case SDCA_ENTITY_TYPE_PDE:
*num_routes += entity->pde.num_managed;
break;
+ case SDCA_ENTITY_TYPE_GE:
+ *num_routes += ge_count_routes(entity);
+ skip_primary_routes = true;
+ break;
+ case SDCA_ENTITY_TYPE_SU:
+ control = sdca_selector_find_control(dev, entity, SDCA_CTL_SU_SELECTOR);
+ if (!control)
+ return -EINVAL;
+
+ skip_primary_routes = (control->layers == SDCA_ACCESS_LAYER_DEVICE);
+ break;
default:
break;
}
@@ -104,7 +136,8 @@ int sdca_asoc_count_component(struct device *dev, struct sdca_function_data *fun
(*num_routes)++;
/* Add primary entity connections from DisCo */
- *num_routes += entity->num_sources;
+ if (!skip_primary_routes)
+ *num_routes += entity->num_sources;
for (j = 0; j < entity->num_controls; j++) {
if (exported_control(entity, &entity->controls[j]))
@@ -451,7 +484,6 @@ static int entity_parse_su_device(struct device *dev,
struct snd_soc_dapm_route **route)
{
struct sdca_control_range *range;
- int num_routes = 0;
int i, j;
if (!entity->group) {
@@ -487,11 +519,6 @@ static int entity_parse_su_device(struct device *dev,
return -EINVAL;
}
- if (++num_routes > entity->num_sources) {
- dev_err(dev, "%s: too many input routes\n", entity->label);
- return -EINVAL;
- }
-
term = sdca_range_search(range, SDCA_SELECTED_MODE_INDEX,
mode->val, SDCA_SELECTED_MODE_TERM_TYPE);
if (!term) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 195/957] crypto: inside-secure/eip93 - fix register definition
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 194/957] ASoC: SDCA: Update counting of SU/GE DAPM routes Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 196/957] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
` (767 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksander Jan Bajkowski, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksander Jan Bajkowski <olek2@wp.pl>
[ Upstream commit b7abbc8c7acaeb60c114b038f1fa91bbedb3d16a ]
Checked the register definitions with the documentation[1]. Turns out
that the PKTE_INBUF_CNT register has a bad offset. It's used in Direct
Host Mode (DHM). The driver uses Autonomous Ring Mode (ARM), so it
causes no harm.
1. ADSP-SC58x/ADSP-2158x SHARC+ Processor Hardware Reference
Fixes: 9739f5f93b78 ("crypto: eip93 - Add Inside Secure SafeXcel EIP-93 crypto engine support")
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/inside-secure/eip93/eip93-regs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/inside-secure/eip93/eip93-regs.h b/drivers/crypto/inside-secure/eip93/eip93-regs.h
index 0490b8d151311..116b3fbb6ad79 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-regs.h
+++ b/drivers/crypto/inside-secure/eip93/eip93-regs.h
@@ -109,7 +109,7 @@
#define EIP93_REG_PE_BUF_THRESH 0x10c
#define EIP93_PE_OUTBUF_THRESH GENMASK(23, 16)
#define EIP93_PE_INBUF_THRESH GENMASK(7, 0)
-#define EIP93_REG_PE_INBUF_COUNT 0x100
+#define EIP93_REG_PE_INBUF_COUNT 0x110
#define EIP93_REG_PE_OUTBUF_COUNT 0x114
#define EIP93_REG_PE_BUF_RW_PNTR 0x118 /* BUF_PNTR */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 196/957] ASoC: sti: Return errors from regmap_field_alloc()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 195/957] crypto: inside-secure/eip93 - fix register definition Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 197/957] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
` (766 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sander Vanheule, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sander Vanheule <sander@svanheule.net>
[ Upstream commit 272aabef50bc3fe58edd26de000f4cdd41bdbe60 ]
When regmap_field_alloc() fails, it can return an error. Specifically,
it will return PTR_ERR(-ENOMEM) when the allocation returns a NULL
pointer. The code then uses these allocations with a simple NULL check:
if (player->clk_sel) {
// May dereference invalid pointer (-ENOMEM)
err = regmap_field_write(player->clk_sel, ...);
}
Ensure initialization fails by forwarding the errors from
regmap_field_alloc(), thus avoiding the use of the invalid pointers.
Fixes: 76c2145ded6b ("ASoC: sti: Add CPU DAI driver for playback")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Link: https://patch.msgid.link/20260220152634.480766-2-sander@svanheule.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sti/uniperif_player.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/soc/sti/uniperif_player.c b/sound/soc/sti/uniperif_player.c
index 6d1ce030963c6..f1b7e76f97b58 100644
--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -1029,7 +1029,12 @@ static int uni_player_parse_dt_audio_glue(struct platform_device *pdev,
}
player->clk_sel = regmap_field_alloc(regmap, regfield[0]);
+ if (IS_ERR(player->clk_sel))
+ return PTR_ERR(player->clk_sel);
+
player->valid_sel = regmap_field_alloc(regmap, regfield[1]);
+ if (IS_ERR(player->valid_sel))
+ return PTR_ERR(player->valid_sel);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 197/957] ASoC: sti: use managed regmap_field allocations
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 196/957] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 198/957] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
` (765 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sander Vanheule, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sander Vanheule <sander@svanheule.net>
[ Upstream commit 1696fad8b259a2d46e51cd6e17e4bcdbe02279fa ]
The regmap_field objects allocated at player init are never freed and
may leak resources if the driver is removed.
Switch to devm_regmap_field_alloc() to automatically limit the lifetime
of the allocations the lifetime of the device.
Fixes: 76c2145ded6b ("ASoC: sti: Add CPU DAI driver for playback")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Link: https://patch.msgid.link/20260220152634.480766-3-sander@svanheule.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sti/uniperif_player.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sti/uniperif_player.c b/sound/soc/sti/uniperif_player.c
index f1b7e76f97b58..45d35b887e4eb 100644
--- a/sound/soc/sti/uniperif_player.c
+++ b/sound/soc/sti/uniperif_player.c
@@ -1028,11 +1028,11 @@ static int uni_player_parse_dt_audio_glue(struct platform_device *pdev,
return PTR_ERR(regmap);
}
- player->clk_sel = regmap_field_alloc(regmap, regfield[0]);
+ player->clk_sel = devm_regmap_field_alloc(&pdev->dev, regmap, regfield[0]);
if (IS_ERR(player->clk_sel))
return PTR_ERR(player->clk_sel);
- player->valid_sel = regmap_field_alloc(regmap, regfield[1]);
+ player->valid_sel = devm_regmap_field_alloc(&pdev->dev, regmap, regfield[1]);
if (IS_ERR(player->valid_sel))
return PTR_ERR(player->valid_sel);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 198/957] dm cache: fix null-deref with concurrent writes in passthrough mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 197/957] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 199/957] dm cache: fix write path cache coherency " Greg Kroah-Hartman
` (764 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 7d1f98d668ee34c1d15bdc0420fdd062f24a27c0 ]
In passthrough mode, when dm-cache starts to invalidate a cache
entry and bio prison cell lock fails due to concurrent write to
the same cached block, mg->cell remains NULL. The error path in
invalidate_complete() attempts to unlock and free the cell
unconditionally, causing a NULL pointer dereference:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 134 Comm: fio Not tainted 6.19.0-rc7 #3 PREEMPT
RIP: 0010:dm_cell_unlock_v2+0x3f/0x210
<snip>
Call Trace:
invalidate_complete+0xef/0x430
map_bio+0x130f/0x1a10
cache_map+0x320/0x6b0
__map_bio+0x458/0x510
dm_submit_bio+0x40e/0x16d0
__submit_bio+0x419/0x870
<snip>
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first cached block concurrently
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k
Fix by checking if mg->cell is valid before attempting to unlock it.
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 7bad7cc87d370..1296965cf94cf 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1462,8 +1462,10 @@ static void invalidate_complete(struct dm_cache_migration *mg, bool success)
struct cache *cache = mg->cache;
bio_list_init(&bios);
- if (dm_cell_unlock_v2(cache->prison, mg->cell, &bios))
- free_prison_cell(cache, mg->cell);
+ if (mg->cell) {
+ if (dm_cell_unlock_v2(cache->prison, mg->cell, &bios))
+ free_prison_cell(cache, mg->cell);
+ }
if (!success && mg->overwrite_bio)
bio_io_error(mg->overwrite_bio);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 199/957] dm cache: fix write path cache coherency in passthrough mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 198/957] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 200/957] dm cache: fix write hang " Greg Kroah-Hartman
` (763 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 0c5eef0aad508231d8e43ff8392692925e131b68 ]
In passthrough mode, dm-cache defers write bio submission until cache
invalidation completes to maintain existing coherency, requiring the
target map function to return DM_MAPIO_SUBMITTED. The current map_bio()
returns DM_MAPIO_REMAPPED, violating the required ordering constraint.
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into the cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first data block, and check io ordering using ftrace
echo 1 > /sys/kernel/debug/tracing/events/block/block_bio_queue/enable
echo 1 > /sys/kernel/debug/tracing/events/block/block_bio_complete/enable
echo 1 > /sys/kernel/debug/tracing/events/block/block_rq_complete/enable
fio --filename=/dev/mapper/cache --name=test --rw=write --bs=64k \
--direct=1 --size 64k
5. ftrace logs show that write operations to the cache origin (252:2)
and metadata operations (252:0) are unsynchronized: the origin write
occurs before metadata commit.
<snip>
fio-146 [000] ..... 420.139562: block_bio_queue: 252,3 WS 0 + 128 [fio]
fio-146 [000] ..... 420.149395: block_bio_queue: 252,2 WS 0 + 128 [fio]
fio-146 [000] ..... 420.149763: block_bio_queue: 8,32 WS 262144 + 128 [fio]
fio-146 [000] dNh1. 420.151446: block_rq_complete: 8,32 WS () 262144 + 128 be,0,4 [0]
fio-146 [000] dNh1. 420.152731: block_bio_complete: 252,2 WS 0 + 128 [0]
fio-146 [000] dNh1. 420.154229: block_bio_complete: 252,3 WS 0 + 128 [0]
kworker/0:0-9 [000] ..... 420.160530: block_bio_queue: 252,0 W 408 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.161641: block_bio_queue: 8,32 W 408 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.162533: block_bio_queue: 252,0 W 416 + 8 [kworker/0:0]
kworker/0:0-9 [000] ..... 420.162821: block_bio_queue: 8,32 W 416 + 8 [kworker/0:0]
<snip>
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 1296965cf94cf..69fa2f6479318 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1703,6 +1703,7 @@ static int map_bio(struct cache *cache, struct bio *bio, dm_oblock_t block,
bio_drop_shared_lock(cache, bio);
atomic_inc(&cache->stats.demotion);
invalidate_start(cache, cblock, block, bio);
+ return DM_MAPIO_SUBMITTED;
} else
remap_to_origin_clear_discard(cache, bio, block);
} else {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 200/957] dm cache: fix write hang in passthrough mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 199/957] dm cache: fix write path cache coherency " Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 201/957] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
` (762 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 4ca8b8bd952df7c3ccdc68af9bd3419d0839a04b ]
The invalidate_remove() function has incomplete logic for handling write
hit bios after cache invalidation. It sets up the remapping for the
overwrite_bio but then drops it immediately without submission, causing
write operations to hang.
Fix by adding a new invalidate_committed() continuation that submits
the remapped writes to the cache origin after metadata commit completes,
while using the overwrite_endio hook to ensure proper completion
sequencing. This maintains existing coherency. Also improve error
handling in invalidate_complete() to preserve the original error status
instead of using bio_io_error() unconditionally.
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 69fa2f6479318..b191ea1361b40 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1467,8 +1467,14 @@ static void invalidate_complete(struct dm_cache_migration *mg, bool success)
free_prison_cell(cache, mg->cell);
}
- if (!success && mg->overwrite_bio)
- bio_io_error(mg->overwrite_bio);
+ if (mg->overwrite_bio) {
+ // Set generic error if the bio hasn't been issued yet,
+ // e.g., invalidation or metadata commit failed before bio
+ // submission. Otherwise preserve the bio's own error status.
+ if (!success && !mg->overwrite_bio->bi_status)
+ mg->overwrite_bio->bi_status = BLK_STS_IOERR;
+ bio_endio(mg->overwrite_bio);
+ }
free_migration(mg);
defer_bios(cache, &bios);
@@ -1508,6 +1514,22 @@ static int invalidate_cblock(struct cache *cache, dm_cblock_t cblock)
return r;
}
+static void invalidate_committed(struct work_struct *ws)
+{
+ struct dm_cache_migration *mg = ws_to_mg(ws);
+ struct cache *cache = mg->cache;
+ struct bio *bio = mg->overwrite_bio;
+ struct per_bio_data *pb = get_per_bio_data(bio);
+
+ if (mg->k.input)
+ invalidate_complete(mg, false);
+
+ init_continuation(&mg->k, invalidate_completed);
+ remap_to_origin_clear_discard(cache, bio, mg->invalidate_oblock);
+ dm_hook_bio(&pb->hook_info, bio, overwrite_endio, mg);
+ dm_submit_bio_remap(bio, NULL);
+}
+
static void invalidate_remove(struct work_struct *ws)
{
int r;
@@ -1520,10 +1542,8 @@ static void invalidate_remove(struct work_struct *ws)
return;
}
- init_continuation(&mg->k, invalidate_completed);
+ init_continuation(&mg->k, invalidate_committed);
continue_after_commit(&cache->committer, &mg->k);
- remap_to_origin_clear_discard(cache, mg->overwrite_bio, mg->invalidate_oblock);
- mg->overwrite_bio = NULL;
schedule_commit(&cache->committer);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 201/957] dm cache policy smq: fix missing locks in invalidating cache blocks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 200/957] dm cache: fix write hang " Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 202/957] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
` (761 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 2d1f7b65f5deedd2e6b09fdc6ea27f8375f24b45 ]
In passthrough mode, the policy invalidate_mapping operation is called
simultaneously from multiple workers, thus it should be protected by a
lock. Otherwise, we might end up with data races on the allocated blocks
counter, or even use-after-free issues with internal data structures
when doing concurrent writes.
Note that the existing FIXME in smq_invalidate_mapping() doesn't affect
passthrough mode since migration tasks don't exist there, but would need
attention if supporting fast device shrinking via suspend/resume without
target reloading.
Reproduce steps:
1. Create a cache device consisting of 1024 cache entries
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Populate the cache, and record the number of cached blocks
fio --name=populate --filename=/dev/mapper/cache --rw=randwrite --bs=4k \
--size=64m --direct=1
nr_cached=$(dmsetup status cache | awk '{split($7, a, "/"); print a[1]}')
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the passthrough cache. By setting multiple jobs with I/O
size equal to the cache block size, cache blocks are invalidated
concurrently from different workers.
fio --filename=/dev/mapper/cache --name=test --rw=randwrite --bs=64k \
--direct=1 --numjobs=2 --randrepeat=0 --size=64m
5. Check if demoted matches cached block count. These numbers should
match but may differ due to the data race.
nr_demoted=$(dmsetup status cache | awk '{print $12}')
echo "$nr_cached, $nr_demoted"
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-policy-smq.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/md/dm-cache-policy-smq.c b/drivers/md/dm-cache-policy-smq.c
index 7e1e8cc0e33a3..76a35cce85028 100644
--- a/drivers/md/dm-cache-policy-smq.c
+++ b/drivers/md/dm-cache-policy-smq.c
@@ -1589,14 +1589,18 @@ static int smq_invalidate_mapping(struct dm_cache_policy *p, dm_cblock_t cblock)
{
struct smq_policy *mq = to_smq_policy(p);
struct entry *e = get_entry(&mq->cache_alloc, from_cblock(cblock));
+ unsigned long flags;
if (!e->allocated)
return -ENODATA;
+ spin_lock_irqsave(&mq->lock, flags);
// FIXME: what if this block has pending background work?
del_queue(mq, e);
h_remove(&mq->table, e);
free_entry(&mq->cache_alloc, e);
+ spin_unlock_irqrestore(&mq->lock, flags);
+
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 202/957] dm cache: fix concurrent write failure in passthrough mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 201/957] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 203/957] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
` (760 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit e4f66341779d0cf4c83c74793753a84094286d9e ]
When bio prison cell lock acquisition fails due to concurrent writes to
the same block in passthrough mode, dm-cache incorrectly returns an I/O
error instead of properly handling the concurrency. This can occur in
both process and workqueue contexts when invalidate_lock() is called for
exclusive access to a data block. Fix this by deferring the write bios
to ensure proper block device behavior.
Reproduce steps:
1. Create a cache device
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. Promote the first data block into cache
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
3. Reload the cache into passthrough mode
dmsetup suspend cache
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
dmsetup resume cache
4. Write to the first cached block concurrently. Sometimes one of the
processes will receive I/O errors.
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --numjobs=2 --size 64k
<snip>
fio-3.41
fio: io_u error on file /dev/mapper/cache: Input/output error: write offset=4096, buflen=4096
fio: pid=106, err=5/file:io_u.c:2008, func=io_u error, error=Input/output error
test: (groupid=0, jobs=1): err= 0: pid=105
test: (groupid=0, jobs=1): err= 5 (file:io_u.c:2008, func=io_u error, error=Input/output error): pid=106
<snip>
Fixes: b29d4986d0da ("dm cache: significant rework to leverage dm-bio-prison-v2")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index b191ea1361b40..e8709950dc49d 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1561,6 +1561,15 @@ static int invalidate_lock(struct dm_cache_migration *mg)
READ_WRITE_LOCK_LEVEL, prealloc, &mg->cell);
if (r < 0) {
free_prison_cell(cache, prealloc);
+
+ /* Defer the bio for retrying the cell lock */
+ if (mg->overwrite_bio) {
+ struct bio *bio = mg->overwrite_bio;
+
+ mg->overwrite_bio = NULL;
+ defer_bio(cache, bio);
+ }
+
invalidate_complete(mg, false);
return r;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 203/957] dm cache: fix dirty mapping checking in passthrough mode switching
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 202/957] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 204/957] dm-mpath: dont stop probing paths at presuspend Greg Kroah-Hartman
` (759 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 322586745bd1a0e5f3559fd1635fdeb4dbd1d6b8 ]
As mentioned in commit 9b1cc9f251af ("dm cache: share cache-metadata
object across inactive and active DM tables"), dm-cache assumed table
reload occurs after suspension, while LVM's table preload breaks this
assumption. The dirty mapping check for passthrough mode was designed
around this assumption and is performed during table creation, causing
the check to fail with preload while metadata updates are ongoing. This
risks loading dirty mappings into passthrough mode, resulting in data
loss.
Reproduce steps:
1. Create a writeback cache with zero migration_threshold to produce
dirty mappings
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writeback smq \
2 migration_threshold 0"
2. Preload a table in passthrough mode
dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 passthrough smq 0"
3. Write to the first cache block to make it dirty
fio --filename=/dev/mapper/cache --name=populate --rw=write --bs=4k \
--direct=1 --size=64k
4. Resume the inactive table. Now it's possible to load the dirty block
into passthrough mode.
dmsetup resume cache
Fix by moving the checks to the preresume phase to support table
preloading. Also remove the unused function dm_cache_metadata_all_clean.
Fixes: 2ee57d587357 ("dm cache: add passthrough mode")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-metadata.c | 11 -----------
drivers/md/dm-cache-metadata.h | 5 -----
drivers/md/dm-cache-target.c | 25 ++++++++-----------------
3 files changed, 8 insertions(+), 33 deletions(-)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index a9a1ab284076a..cf491c8508a42 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1714,17 +1714,6 @@ int dm_cache_write_hints(struct dm_cache_metadata *cmd, struct dm_cache_policy *
return r;
}
-int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result)
-{
- int r;
-
- READ_LOCK(cmd);
- r = blocks_are_unmapped_or_clean(cmd, 0, cmd->cache_blocks, result);
- READ_UNLOCK(cmd);
-
- return r;
-}
-
void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd)
{
WRITE_LOCK_VOID(cmd);
diff --git a/drivers/md/dm-cache-metadata.h b/drivers/md/dm-cache-metadata.h
index 5f77890207fed..2f107e7c67d0a 100644
--- a/drivers/md/dm-cache-metadata.h
+++ b/drivers/md/dm-cache-metadata.h
@@ -135,11 +135,6 @@ int dm_cache_get_metadata_dev_size(struct dm_cache_metadata *cmd,
*/
int dm_cache_write_hints(struct dm_cache_metadata *cmd, struct dm_cache_policy *p);
-/*
- * Query method. Are all the blocks in the cache clean?
- */
-int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result);
-
int dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd, bool *result);
int dm_cache_metadata_set_needs_check(struct dm_cache_metadata *cmd);
void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd);
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index e8709950dc49d..9c64fe56ecb6c 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2506,23 +2506,8 @@ static int cache_create(struct cache_args *ca, struct cache **result)
goto bad;
}
- if (passthrough_mode(cache)) {
- bool all_clean;
-
- r = dm_cache_metadata_all_clean(cache->cmd, &all_clean);
- if (r) {
- *error = "dm_cache_metadata_all_clean() failed";
- goto bad;
- }
-
- if (!all_clean) {
- *error = "Cannot enter passthrough mode unless all blocks are clean";
- r = -EINVAL;
- goto bad;
- }
-
+ if (passthrough_mode(cache))
policy_allow_migrations(cache->policy, false);
- }
spin_lock_init(&cache->lock);
bio_list_init(&cache->deferred_bios);
@@ -2849,6 +2834,12 @@ static int load_mapping(void *context, dm_oblock_t oblock, dm_cblock_t cblock,
struct cache *cache = context;
if (dirty) {
+ if (passthrough_mode(cache)) {
+ DMERR("%s: cannot enter passthrough mode unless all blocks are clean",
+ cache_device_name(cache));
+ return -EBUSY;
+ }
+
set_bit(from_cblock(cblock), cache->dirty_bitset);
atomic_inc(&cache->nr_dirty);
} else
@@ -3082,7 +3073,7 @@ static int cache_preresume(struct dm_target *ti)
load_filtered_mapping, cache);
if (r) {
DMERR("%s: could not load cache mappings", cache_device_name(cache));
- if (r != -EFBIG)
+ if (r != -EFBIG && r != -EBUSY)
metadata_operation_failed(cache, "dm_cache_load_mappings", r);
return r;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 204/957] dm-mpath: dont stop probing paths at presuspend
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 203/957] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 205/957] platform/chrome: chromeos_tbmc: Drop wakeup source on remove Greg Kroah-Hartman
` (758 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Marzinski, Martin Wilck,
Hanna Czenczek, Mikulas Patocka, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Marzinski <bmarzins@redhat.com>
[ Upstream commit 51d81e14fe6788dc6463064c7517480f2acd2724 ]
Commit 5c977f102315 ("dm-mpath: Don't grab work_mutex while probing
paths"), added code to make multipath quit probing paths early, if it
was trying to suspend. This isn't necessary. It was just an optimization
to try to keep path probing from delaying a suspend. However it causes
problems with the intended user of this code, qemu. The path probing
code was added because failed ioctls to multipath devices don't cause
paths to fail in cases where a regular IO failure would.
If an ioctl to a path failed because the path was down, and the
multipath device had passed presuspend, the M_MPATH_PROBE_PATHS ioctl
would exit early, without probing the path. The caller would then retry
the original ioctl, hoping to use a different path. But if there was
only one path in the pathgroup, it would pick the same non-working path
again, even if there were working paths in other pathgroups.
ioctls to a suspended dm device will return -EAGAIN, notifying the
caller that the device is suspended, but ioctls to a device that is just
preparing to suspend won't (and in general, shouldn't). This means that
the caller (qemu in this case) would get into a tight loop where it
would issue an ioctl that failed, skip probing the paths because the
device had already passed presuspend, and start over issuing the ioctl
again. This would continue until the multipath device finally fully
suspended, or the caller gave up and failed the ioctl.
multipath's path probing code could return -EAGAIN in this case, and the
caller could delay a bit before retrying, but the whole purpose of
skipping the probe after presuspend was to speed things up, and that
would just slow them down. Instead, remove the is_suspending flag, and
check dm_suspended() instead to decide whether to exit the probing code
early. This means that when the probing code exits early, future ioctls
will also be delayed, because the device is fully suspended.
Fixes: 5c977f102315 ("dm-mpath: Don't grab work_mutex while probing paths")
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Reviewed-by: Martin Wilck <mwilck@suse.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-mpath.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 00df5be165759..3a25ec2993dc2 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -102,7 +102,6 @@ struct multipath {
struct bio_list queued_bios;
struct timer_list nopath_timer; /* Timeout for queue_if_no_path */
- bool is_suspending;
};
/*
@@ -1748,9 +1747,6 @@ static void multipath_presuspend(struct dm_target *ti)
{
struct multipath *m = ti->private;
- spin_lock_irq(&m->lock);
- m->is_suspending = true;
- spin_unlock_irq(&m->lock);
/* FIXME: bio-based shouldn't need to always disable queue_if_no_path */
if (m->queue_mode == DM_TYPE_BIO_BASED || !dm_noflush_suspending(m->ti))
queue_if_no_path(m, false, true, __func__);
@@ -1773,7 +1769,6 @@ static void multipath_resume(struct dm_target *ti)
struct multipath *m = ti->private;
spin_lock_irq(&m->lock);
- m->is_suspending = false;
if (test_bit(MPATHF_SAVED_QUEUE_IF_NO_PATH, &m->flags)) {
set_bit(MPATHF_QUEUE_IF_NO_PATH, &m->flags);
clear_bit(MPATHF_SAVED_QUEUE_IF_NO_PATH, &m->flags);
@@ -2100,7 +2095,7 @@ static int probe_active_paths(struct multipath *m)
if (m->current_pg == m->last_probed_pg)
goto skip_probe;
}
- if (!m->current_pg || m->is_suspending ||
+ if (!m->current_pg || dm_suspended(m->ti) ||
test_bit(MPATHF_QUEUE_IO, &m->flags))
goto skip_probe;
set_bit(MPATHF_DELAY_PG_SWITCH, &m->flags);
@@ -2109,7 +2104,7 @@ static int probe_active_paths(struct multipath *m)
list_for_each_entry(pgpath, &pg->pgpaths, list) {
if (pg != READ_ONCE(m->current_pg) ||
- READ_ONCE(m->is_suspending))
+ dm_suspended(m->ti))
goto out;
if (!pgpath->is_active)
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 205/957] platform/chrome: chromeos_tbmc: Drop wakeup source on remove
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 204/957] dm-mpath: dont stop probing paths at presuspend Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 206/957] PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() Greg Kroah-Hartman
` (757 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Tzung-Bi Shih,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 5d441a4bc93642ed6f41da87327a39946b4e1455 ]
The wakeup source added by device_init_wakeup() in chromeos_tbmc_add()
needs to be dropped during driver removal, so add a .remove() callback
to the driver for this purpose.
Fixes: 0144c00ed86b ("platform/chrome: chromeos_tbmc: Report wake events")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/6151957.MhkbZ0Pkbq@rafael.j.wysocki
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/chrome/chromeos_tbmc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/platform/chrome/chromeos_tbmc.c b/drivers/platform/chrome/chromeos_tbmc.c
index d1cf8f3463ce3..e248567c0a182 100644
--- a/drivers/platform/chrome/chromeos_tbmc.c
+++ b/drivers/platform/chrome/chromeos_tbmc.c
@@ -95,6 +95,11 @@ static int chromeos_tbmc_add(struct acpi_device *adev)
return 0;
}
+static void chromeos_tbmc_remove(struct acpi_device *adev)
+{
+ device_init_wakeup(&adev->dev, false);
+}
+
static const struct acpi_device_id chromeos_tbmc_acpi_device_ids[] = {
{ ACPI_DRV_NAME, 0 },
{ }
@@ -110,6 +115,7 @@ static struct acpi_driver chromeos_tbmc_driver = {
.ids = chromeos_tbmc_acpi_device_ids,
.ops = {
.add = chromeos_tbmc_add,
+ .remove = chromeos_tbmc_remove,
.notify = chromeos_tbmc_notify,
},
.drv.pm = &chromeos_tbmc_pm_ops,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 206/957] PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 205/957] platform/chrome: chromeos_tbmc: Drop wakeup source on remove Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 207/957] PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() Greg Kroah-Hartman
` (756 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aksh Garg, Manivannan Sadhasivam,
Niklas Cassel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aksh Garg <a-garg7@ti.com>
[ Upstream commit 271d0b1f058ae9815e75233d04b23e3558c3e4f4 ]
In dw_pcie_ep_set_msix(), while updating the MSI-X Table Size value for
individual functions, Message Control register is read from the passed
function number register space using dw_pcie_ep_readw_dbi(), but always
written back to the Function 0's register space using dw_pcie_writew_dbi().
This causes incorrect MSI-X configuration for the rest of the functions,
other than Function 0.
Fix this by using dw_pcie_ep_writew_dbi() to write to the correct
function's register space, matching the read operation.
Fixes: 70fa02ca1446 ("PCI: dwc: Add dw_pcie_ep_{read,write}_dbi[2] helpers")
Signed-off-by: Aksh Garg <a-garg7@ti.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Link: https://patch.msgid.link/20260224083817.916782-2-a-garg7@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware-ep.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware-ep.c b/drivers/pci/controller/dwc/pcie-designware-ep.c
index e2e18beb2951d..7350a703c4d19 100644
--- a/drivers/pci/controller/dwc/pcie-designware-ep.c
+++ b/drivers/pci/controller/dwc/pcie-designware-ep.c
@@ -538,7 +538,7 @@ static int dw_pcie_ep_set_msix(struct pci_epc *epc, u8 func_no, u8 vfunc_no,
val = dw_pcie_ep_readw_dbi(ep, func_no, reg);
val &= ~PCI_MSIX_FLAGS_QSIZE;
val |= nr_irqs - 1; /* encoded as N-1 */
- dw_pcie_writew_dbi(pci, reg, val);
+ dw_pcie_ep_writew_dbi(ep, func_no, reg, val);
reg = ep_func->msix_cap + PCI_MSIX_TABLE;
val = offset | bir;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 207/957] PCI: dwc: Invoke post_init in dw_pcie_resume_noirq()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 206/957] PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 208/957] PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() Greg Kroah-Hartman
` (755 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Zhu, Manivannan Sadhasivam,
Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Zhu <hongxing.zhu@nxp.com>
[ Upstream commit c577ce2881f9c76892de5ffc1a122e3ef427ecee ]
In some SoCs like i.MX95, CLKREQ# is pulled low by the controller driver
before link up. After link up, if the 'supports-clkreq' property is
specified in DT, the driver will release CLKREQ# so that it can go high and
the endpoint can pull it low whenever required i.e., during exit from L1
Substates.
Hence, at the end of dw_pcie_resume_noirq(), invoke the '.post_init()'
callback if exists to perform the above mentioned action.
Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
[mani: reworded description]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20251015030428.2980427-9-hongxing.zhu@nxp.com
Stable-dep-of: edb5ca3262e2 ("PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware-host.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c
index 894bf23529df5..3fbece96faaad 100644
--- a/drivers/pci/controller/dwc/pcie-designware-host.c
+++ b/drivers/pci/controller/dwc/pcie-designware-host.c
@@ -1236,6 +1236,9 @@ int dw_pcie_resume_noirq(struct dw_pcie *pci)
if (ret)
return ret;
+ if (pci->pp.ops->post_init)
+ pci->pp.ops->post_init(&pci->pp);
+
return ret;
}
EXPORT_SYMBOL_GPL(dw_pcie_resume_noirq);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 208/957] PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 207/957] PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 209/957] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
` (754 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Senchuan Zhang,
Manivannan Sadhasivam, Manivannan Sadhasivam, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit edb5ca3262e2255cf938a5948709d3472d4871ad ]
If the dw_pcie_resume_noirq() API fails, it just returns the errno without
doing cleanup in the error path, leading to resource leak.
So perform cleanup in the error path.
Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality")
Reported-by: Senchuan Zhang <zhangsenchuan@eswincomputing.com>
Closes: https://lore.kernel.org/linux-pci/78296255.3869.19c8eb694d6.Coremail.zhangsenchuan@eswincomputing.com
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://patch.msgid.link/20260226133951.296743-1-mani@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware-host.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c
index 3fbece96faaad..48e4a887bb1bb 100644
--- a/drivers/pci/controller/dwc/pcie-designware-host.c
+++ b/drivers/pci/controller/dwc/pcie-designware-host.c
@@ -1230,15 +1230,24 @@ int dw_pcie_resume_noirq(struct dw_pcie *pci)
ret = dw_pcie_start_link(pci);
if (ret)
- return ret;
+ goto err_deinit;
ret = dw_pcie_wait_for_link(pci);
- if (ret)
- return ret;
+ if (ret == -ETIMEDOUT)
+ goto err_stop_link;
if (pci->pp.ops->post_init)
pci->pp.ops->post_init(&pci->pp);
+ return 0;
+
+err_stop_link:
+ dw_pcie_stop_link(pci);
+
+err_deinit:
+ if (pci->pp.ops->deinit)
+ pci->pp.ops->deinit(&pci->pp);
+
return ret;
}
EXPORT_SYMBOL_GPL(dw_pcie_resume_noirq);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 209/957] dm cache metadata: fix memory leak on metadata abort retry
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 208/957] PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 210/957] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
` (753 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming-Hung Tsai, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 044ca491d4086dc5bf233e9fcb71db52df32f633 ]
When failing to acquire the root_lock in dm_cache_metadata_abort because
the block_manager is read-only, the temporary block_manager created
outside the root_lock is not properly released, causing a memory leak.
Reproduce steps:
This can be reproduced by reloading a new table while the metadata
is read-only. While the second call to dm_cache_metadata_abort is
caused by lack of support for table preload in dm-cache, mentioned
in commit 9b1cc9f251af ("dm cache: share cache-metadata object across
inactive and active DM tables"), it exposes the memory leak in
dm_cache_metadata_abort when the function is called multiple times.
Specifically, dm-cache fails to sync the new cache object's mode during
preresume, creating the reproducer condition.
This issue could also occur through concurrent metadata_operation_failed
calls due to races in cache mode updates, but the table preload scenario
below provides a reliable reproducer.
1. Create a cache device with some faulty trailing metadata blocks
dmsetup create cmeta <<EOF
0 200 linear /dev/sdc 0
200 7992 error
EOF
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 262144 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 131072 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 1 writethrough smq 0"
2. Suspend and resume the cache to start a new metadata transaction and
trigger metadata io errors on the next metadata commit.
dmsetup suspend cache
dmsetup resume cache
3. Write to the cache device to update metadata
fio --filename=/dev/mapper/cache --name test --rw=randwrite --bs=4k \
--randrepeat=0 --direct=1 --size 64k
4. Preload the same table
dmsetup reload cache --table "$(dmsetup table cache)"
5. Resume the new table. This triggers the memory leak.
dmsetup suspend cache
dmsetup resume cache
kmemleak logs:
<snip>
unreferenced object 0xffff8880080c2010 (size 16):
comm "dmsetup", pid 132, jiffies 4294982580
hex dump (first 16 bytes):
00 38 b9 07 80 88 ff ff 6a 6b 6b 6b 6b 6b 6b a5 ...
backtrace (crc 3118f31c):
kmemleak_alloc+0x28/0x40
__kmalloc_cache_noprof+0x3d9/0x510
dm_block_manager_create+0x51/0x140
dm_cache_metadata_abort+0x85/0x320
metadata_operation_failed+0x103/0x1e0
cache_preresume+0xacd/0xe70
dm_table_resume_targets+0xd3/0x320
__dm_resume+0x1b/0xf0
dm_resume+0x127/0x170
<snip>
Fixes: 352b837a5541 ("dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort")
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-metadata.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index cf491c8508a42..db77ba58f64ac 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1023,6 +1023,12 @@ static bool cmd_write_lock(struct dm_cache_metadata *cmd)
return; \
} while (0)
+#define WRITE_LOCK_OR_GOTO(cmd, label) \
+ do { \
+ if (!cmd_write_lock((cmd))) \
+ goto label; \
+ } while (0)
+
#define WRITE_UNLOCK(cmd) \
up_write(&(cmd)->root_lock)
@@ -1780,11 +1786,8 @@ int dm_cache_metadata_abort(struct dm_cache_metadata *cmd)
new_bm = dm_block_manager_create(cmd->bdev, DM_CACHE_METADATA_BLOCK_SIZE << SECTOR_SHIFT,
CACHE_MAX_CONCURRENT_LOCKS);
- WRITE_LOCK(cmd);
- if (cmd->fail_io) {
- WRITE_UNLOCK(cmd);
- goto out;
- }
+ /* cmd_write_lock() already checks fail_io with cmd->root_lock held */
+ WRITE_LOCK_OR_GOTO(cmd, out);
__destroy_persistent_data_objects(cmd, false);
old_bm = cmd->bm;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 210/957] dm log: fix out-of-bounds write due to region_count overflow
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 209/957] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 211/957] iopoll: fix function parameter names in read_poll_timeout_atomic() Greg Kroah-Hartman
` (752 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Mikulas Patocka, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit c20e36b7631d83e7535877f08af8b0af72c44b1a ]
The local variable region_count in create_log_context() is declared as
unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit).
When a device-mapper target has a sufficiently large ti->len with a small
region_size, the division result can exceed UINT_MAX. The truncated
value is then used to calculate bitset_size, causing clean_bits,
sync_bits, and recovering_bits to be allocated far smaller than needed
for the actual number of regions.
Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use
region indices derived from the full untruncated region space, causing
out-of-bounds writes to kernel heap memory allocated by vmalloc.
This can be reproduced by creating a mirror target whose region_count
overflows 32 bits:
dmsetup create bigzero --table '0 8589934594 zero'
dmsetup create mymirror --table '0 8589934594 mirror \
core 2 2 nosync 2 /dev/mapper/bigzero 0 \
/dev/mapper/bigzero 0'
The status output confirms the truncation (sync_count=1 instead of
4294967297, because 0x100000001 was truncated to 1):
$ dmsetup status mymirror
0 8589934594 mirror 2 254:1 254:1 1/4294967297 ...
This leads to a kernel crash in core_in_sync:
BUG: scheduling while atomic: (udev-worker)/9150/0x00000000
RIP: 0010:core_in_sync+0x14/0x30 [dm_log]
CR2: 0000000000000008
Fixing recursive fault but reboot is needed!
Fix by widening the local region_count to sector_t and adding an
explicit overflow check before the value is assigned to lc->region_count.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-log.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c
index bced5a783ee33..4a1369b8f44a0 100644
--- a/drivers/md/dm-log.c
+++ b/drivers/md/dm-log.c
@@ -373,7 +373,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti,
struct log_c *lc;
uint32_t region_size;
- unsigned int region_count;
+ sector_t region_count;
size_t bitset_size, buf_size;
int r;
char dummy;
@@ -401,6 +401,10 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti,
}
region_count = dm_sector_div_up(ti->len, region_size);
+ if (region_count > UINT_MAX) {
+ DMWARN("region count exceeds limit of %u", UINT_MAX);
+ return -EINVAL;
+ }
lc = kmalloc(sizeof(*lc), GFP_KERNEL);
if (!lc) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 211/957] iopoll: fix function parameter names in read_poll_timeout_atomic()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 210/957] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 212/957] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() Greg Kroah-Hartman
` (751 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Jani Nikula,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 878004e2852bc22ce0687c5597d6fe3909fb59f3 ]
Correct the function parameter names to avoid kernel-doc warnings
and to emphasize this function is atomic (non-sleeping).
Warning: include/linux/iopoll.h:169 function parameter 'sleep_us' not
described in 'read_poll_timeout_atomic'
Warning: ../include/linux/iopoll.h:169 function parameter
'sleep_before_read' not described in 'read_poll_timeout_atomic'
Fixes: 9df8043a546d ("iopoll: Generalize read_poll_timeout() into poll_timeout_us()")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patch.msgid.link/20260306221033.2357305-1-rdunlap@infradead.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/iopoll.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/iopoll.h b/include/linux/iopoll.h
index bdd2e0652bc30..53edd69acb9bd 100644
--- a/include/linux/iopoll.h
+++ b/include/linux/iopoll.h
@@ -159,7 +159,7 @@
*
* This macro does not rely on timekeeping. Hence it is safe to call even when
* timekeeping is suspended, at the expense of an underestimation of wall clock
- * time, which is rather minimal with a non-zero delay_us.
+ * time, which is rather minimal with a non-zero @delay_us.
*
* When available, you'll probably want to use one of the specialized
* macros defined below rather than this macro directly.
@@ -167,9 +167,9 @@
* Returns: 0 on success and -ETIMEDOUT upon a timeout. In either
* case, the last read value at @args is stored in @val.
*/
-#define read_poll_timeout_atomic(op, val, cond, sleep_us, timeout_us, \
- sleep_before_read, args...) \
- poll_timeout_us_atomic((val) = op(args), cond, sleep_us, timeout_us, sleep_before_read)
+#define read_poll_timeout_atomic(op, val, cond, delay_us, timeout_us, \
+ delay_before_read, args...) \
+ poll_timeout_us_atomic((val) = op(args), cond, delay_us, timeout_us, delay_before_read)
/**
* readx_poll_timeout - Periodically poll an address until a condition is met or a timeout occurs
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 212/957] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 211/957] iopoll: fix function parameter names in read_poll_timeout_atomic() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 213/957] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs Greg Kroah-Hartman
` (750 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jayesh Choudhary, Harikrishna Shenoy,
Luca Ceresoli, Tomi Valkeinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit 43d6508ddbf9fb974fbc359a033154f78c9d4c8b ]
In case if we get errors in cdns_mhdp_link_up() or cdns_mhdp_reg_read()
in atomic_enable, we will go to cdns_mhdp_modeset_retry_fn() and will hit
NULL pointer while trying to access the mutex. We need the connector to
be set before that. Unlike in legacy cases with flag
!DRM_BRIDGE_ATTACH_NO_CONNECTOR, we do not have connector initialised
in bridge_attach(), so add the mhdp->connector_ptr in device structure
to handle both cases with DRM_BRIDGE_ATTACH_NO_CONNECTOR and
!DRM_BRIDGE_ATTACH_NO_CONNECTOR, set it in atomic_enable() earlier to
avoid possible NULL pointer dereference in recovery paths like
modeset_retry_fn() with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set.
Fixes: c932ced6b585 ("drm/tidss: Update encoder/bridge chain connect model")
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Signed-off-by: Harikrishna Shenoy <h-shenoy@ti.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patch.msgid.link/20251209120332.3559893-2-h-shenoy@ti.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/bridge/cadence/cdns-mhdp8546-core.c | 29 ++++++++++---------
.../drm/bridge/cadence/cdns-mhdp8546-core.h | 1 +
.../drm/bridge/cadence/cdns-mhdp8546-hdcp.c | 18 +++++++++---
3 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 38726ae1bf150..ef2d0ea606f78 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -740,7 +740,7 @@ static void cdns_mhdp_fw_cb(const struct firmware *fw, void *context)
bridge_attached = mhdp->bridge_attached;
spin_unlock(&mhdp->start_lock);
if (bridge_attached) {
- if (mhdp->connector.dev)
+ if (mhdp->connector_ptr)
drm_kms_helper_hotplug_event(mhdp->bridge.dev);
else
drm_bridge_hpd_notify(&mhdp->bridge, cdns_mhdp_detect(mhdp));
@@ -1636,6 +1636,7 @@ static int cdns_mhdp_connector_init(struct cdns_mhdp_device *mhdp)
return ret;
}
+ mhdp->connector_ptr = conn;
drm_connector_helper_add(conn, &cdns_mhdp_conn_helper_funcs);
ret = drm_display_info_set_bus_formats(&conn->display_info,
@@ -1915,17 +1916,25 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
struct cdns_mhdp_device *mhdp = bridge_to_mhdp(bridge);
struct cdns_mhdp_bridge_state *mhdp_state;
struct drm_crtc_state *crtc_state;
- struct drm_connector *connector;
struct drm_connector_state *conn_state;
struct drm_bridge_state *new_state;
const struct drm_display_mode *mode;
u32 resp;
- int ret;
+ int ret = 0;
dev_dbg(mhdp->dev, "bridge enable\n");
mutex_lock(&mhdp->link_mutex);
+ mhdp->connector_ptr = drm_atomic_get_new_connector_for_encoder(state,
+ bridge->encoder);
+ if (WARN_ON(!mhdp->connector_ptr))
+ goto out;
+
+ conn_state = drm_atomic_get_new_connector_state(state, mhdp->connector_ptr);
+ if (WARN_ON(!conn_state))
+ goto out;
+
if (mhdp->plugged && !mhdp->link_up) {
ret = cdns_mhdp_link_up(mhdp);
if (ret < 0)
@@ -1945,15 +1954,6 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
cdns_mhdp_reg_write(mhdp, CDNS_DPTX_CAR,
resp | CDNS_VIF_CLK_EN | CDNS_VIF_CLK_RSTN);
- connector = drm_atomic_get_new_connector_for_encoder(state,
- bridge->encoder);
- if (WARN_ON(!connector))
- goto out;
-
- conn_state = drm_atomic_get_new_connector_state(state, connector);
- if (WARN_ON(!conn_state))
- goto out;
-
if (mhdp->hdcp_supported &&
mhdp->hw_state == MHDP_HW_READY &&
conn_state->content_protection ==
@@ -2030,6 +2030,7 @@ static void cdns_mhdp_atomic_disable(struct drm_bridge *bridge,
if (mhdp->info && mhdp->info->ops && mhdp->info->ops->disable)
mhdp->info->ops->disable(mhdp);
+ mhdp->connector_ptr = NULL;
mutex_unlock(&mhdp->link_mutex);
}
@@ -2296,7 +2297,7 @@ static void cdns_mhdp_modeset_retry_fn(struct work_struct *work)
mhdp = container_of(work, typeof(*mhdp), modeset_retry_work);
- conn = &mhdp->connector;
+ conn = mhdp->connector_ptr;
/* Grab the locks before changing connector property */
mutex_lock(&conn->dev->mode_config.mutex);
@@ -2373,7 +2374,7 @@ static void cdns_mhdp_hpd_work(struct work_struct *work)
int ret;
ret = cdns_mhdp_update_link_status(mhdp);
- if (mhdp->connector.dev) {
+ if (mhdp->connector_ptr) {
if (ret < 0)
schedule_work(&mhdp->modeset_retry_work);
else
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h
index bad2fc0c73066..a76775c768956 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.h
@@ -376,6 +376,7 @@ struct cdns_mhdp_device {
struct mutex link_mutex;
struct drm_connector connector;
+ struct drm_connector *connector_ptr;
struct drm_bridge bridge;
struct cdns_mhdp_link link;
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c
index 42248f179b69d..21a7d2fb266e4 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-hdcp.c
@@ -394,7 +394,7 @@ static int _cdns_mhdp_hdcp_disable(struct cdns_mhdp_device *mhdp)
int ret;
dev_dbg(mhdp->dev, "[%s:%d] HDCP is being disabled...\n",
- mhdp->connector.name, mhdp->connector.base.id);
+ mhdp->connector_ptr->name, mhdp->connector_ptr->base.id);
ret = cdns_mhdp_hdcp_set_config(mhdp, 0, false);
@@ -436,6 +436,10 @@ static int cdns_mhdp_hdcp_check_link(struct cdns_mhdp_device *mhdp)
int ret = 0;
mutex_lock(&mhdp->hdcp.mutex);
+
+ if (!mhdp->connector_ptr)
+ goto out;
+
if (mhdp->hdcp.value == DRM_MODE_CONTENT_PROTECTION_UNDESIRED)
goto out;
@@ -445,7 +449,7 @@ static int cdns_mhdp_hdcp_check_link(struct cdns_mhdp_device *mhdp)
dev_err(mhdp->dev,
"[%s:%d] HDCP link failed, retrying authentication\n",
- mhdp->connector.name, mhdp->connector.base.id);
+ mhdp->connector_ptr->name, mhdp->connector_ptr->base.id);
ret = _cdns_mhdp_hdcp_disable(mhdp);
if (ret) {
@@ -487,13 +491,19 @@ static void cdns_mhdp_hdcp_prop_work(struct work_struct *work)
struct cdns_mhdp_device *mhdp = container_of(hdcp,
struct cdns_mhdp_device,
hdcp);
- struct drm_device *dev = mhdp->connector.dev;
+ struct drm_device *dev = NULL;
struct drm_connector_state *state;
+ if (mhdp->connector_ptr)
+ dev = mhdp->connector_ptr->dev;
+
+ if (!dev)
+ return;
+
drm_modeset_lock(&dev->mode_config.connection_mutex, NULL);
mutex_lock(&mhdp->hdcp.mutex);
if (mhdp->hdcp.value != DRM_MODE_CONTENT_PROTECTION_UNDESIRED) {
- state = mhdp->connector.state;
+ state = mhdp->connector_ptr->state;
state->content_protection = mhdp->hdcp.value;
}
mutex_unlock(&mhdp->hdcp.mutex);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 213/957] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 212/957] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 214/957] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check Greg Kroah-Hartman
` (749 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Jayesh Choudhary,
Harikrishna Shenoy, Luca Ceresoli, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit 6dbff34016052b099558b76632e4983e2df13fed ]
Add cdns_mhdp_bridge_mode_valid() to check if specific mode is valid for
this bridge or not. In the legacy usecase with
!DRM_BRIDGE_ATTACH_NO_CONNECTOR we were using the hook from
drm_connector_helper_funcs but with DRM_BRIDGE_ATTACH_NO_CONNECTOR
we need to have mode_valid() in drm_bridge_funcs.
Without this patch, when using DRM_BRIDGE_ATTACH_NO_CONNECTOR
flag, the cdns_mhdp_bandwidth_ok() function would not be called
during mode validation, potentially allowing modes that exceed
the bridge's bandwidth capabilities to be incorrectly marked as
valid.
Fixes: c932ced6b585 ("drm/tidss: Update encoder/bridge chain connect model")
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Signed-off-by: Harikrishna Shenoy <h-shenoy@ti.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://patch.msgid.link/20251209120332.3559893-3-h-shenoy@ti.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/bridge/cadence/cdns-mhdp8546-core.c | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index ef2d0ea606f78..2fb8acd363b14 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2162,6 +2162,25 @@ static const struct drm_edid *cdns_mhdp_bridge_edid_read(struct drm_bridge *brid
return cdns_mhdp_edid_read(mhdp, connector);
}
+static enum drm_mode_status
+cdns_mhdp_bridge_mode_valid(struct drm_bridge *bridge,
+ const struct drm_display_info *info,
+ const struct drm_display_mode *mode)
+{
+ struct cdns_mhdp_device *mhdp = bridge_to_mhdp(bridge);
+
+ mutex_lock(&mhdp->link_mutex);
+
+ if (!cdns_mhdp_bandwidth_ok(mhdp, mode, mhdp->link.num_lanes,
+ mhdp->link.rate)) {
+ mutex_unlock(&mhdp->link_mutex);
+ return MODE_CLOCK_HIGH;
+ }
+
+ mutex_unlock(&mhdp->link_mutex);
+ return MODE_OK;
+}
+
static const struct drm_bridge_funcs cdns_mhdp_bridge_funcs = {
.atomic_enable = cdns_mhdp_atomic_enable,
.atomic_disable = cdns_mhdp_atomic_disable,
@@ -2176,6 +2195,7 @@ static const struct drm_bridge_funcs cdns_mhdp_bridge_funcs = {
.edid_read = cdns_mhdp_bridge_edid_read,
.hpd_enable = cdns_mhdp_bridge_hpd_enable,
.hpd_disable = cdns_mhdp_bridge_hpd_disable,
+ .mode_valid = cdns_mhdp_bridge_mode_valid,
};
static bool cdns_mhdp_detect_hpd(struct cdns_mhdp_device *mhdp, bool *hpd_pulse)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 214/957] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 213/957] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 215/957] spi: nxp-fspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
` (748 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harikrishna Shenoy, Luca Ceresoli,
Tomi Valkeinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harikrishna Shenoy <h-shenoy@ti.com>
[ Upstream commit 4a8edd658489ec2a3d7e20482fa9e8d366153d8d ]
Now that we have DRM_BRIDGE_ATTACH_NO_CONNECTOR framework, handle the
HDCP state change in bridge atomic check as well to enable correct
functioning for HDCP in both DRM_BRIDGE_ATTACH_NO_CONNECTOR and
!DRM_BRIDGE_ATTACH_NO_CONNECTOR case.
Without this patch, when using DRM_BRIDGE_ATTACH_NO_CONNECTOR flag, HDCP
state changes would not be properly handled during atomic commits,
potentially leading to HDCP authentication failures or incorrect
protection status for content requiring HDCP encryption.
Fixes: 6a3608eae6d33 ("drm: bridge: cdns-mhdp8546: Enable HDCP")
Signed-off-by: Harikrishna Shenoy <h-shenoy@ti.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patch.msgid.link/20251209120332.3559893-4-h-shenoy@ti.com
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/bridge/cadence/cdns-mhdp8546-core.c | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 2fb8acd363b14..7ee19b7cc92fc 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2123,6 +2123,10 @@ static int cdns_mhdp_atomic_check(struct drm_bridge *bridge,
{
struct cdns_mhdp_device *mhdp = bridge_to_mhdp(bridge);
const struct drm_display_mode *mode = &crtc_state->adjusted_mode;
+ struct drm_connector_state *old_state, *new_state;
+ struct drm_atomic_state *state = crtc_state->state;
+ struct drm_connector *conn = mhdp->connector_ptr;
+ u64 old_cp, new_cp;
mutex_lock(&mhdp->link_mutex);
@@ -2142,6 +2146,25 @@ static int cdns_mhdp_atomic_check(struct drm_bridge *bridge,
if (mhdp->info)
bridge_state->input_bus_cfg.flags = *mhdp->info->input_bus_flags;
+ if (conn && mhdp->hdcp_supported) {
+ old_state = drm_atomic_get_old_connector_state(state, conn);
+ new_state = drm_atomic_get_new_connector_state(state, conn);
+ old_cp = old_state->content_protection;
+ new_cp = new_state->content_protection;
+
+ if (old_state->hdcp_content_type != new_state->hdcp_content_type &&
+ new_cp != DRM_MODE_CONTENT_PROTECTION_UNDESIRED) {
+ new_state->content_protection = DRM_MODE_CONTENT_PROTECTION_DESIRED;
+ crtc_state = drm_atomic_get_new_crtc_state(state, new_state->crtc);
+ crtc_state->mode_changed = true;
+ }
+
+ if (!new_state->crtc) {
+ if (old_cp == DRM_MODE_CONTENT_PROTECTION_ENABLED)
+ new_state->content_protection = DRM_MODE_CONTENT_PROTECTION_DESIRED;
+ }
+ }
+
mutex_unlock(&mhdp->link_mutex);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 215/957] spi: nxp-fspi: Use reinit_completion() for repeated operations
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 214/957] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 216/957] spi: fsl-qspi: " Greg Kroah-Hartman
` (747 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Haibo Chen, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 68c8c93fdb0de7e528dc3dfb1d17eb0f652259b8 ]
The driver currently calls init_completion() during every spi_mem_op.
Tchnically it may work, but it's not the recommended pattern.
According to the kernel documentation: Calling init_completion() on
the same completion object twice is most likely a bug as it
re-initializes the queue to an empty queue and enqueued tasks
could get "lost" - use reinit_completion() in that case, but be
aware of other races.
So moves the initial initialization to probe function and uses
reinit_completion() for subsequent operations.
Fixes: a5356aef6a90 ("spi: spi-mem: Add driver for NXP FlexSPI controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20260304-spi-nxp-v2-2-cd7d7726a27e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-nxp-fspi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c
index 50a7e4916a600..95ccb1f7dfafa 100644
--- a/drivers/spi/spi-nxp-fspi.c
+++ b/drivers/spi/spi-nxp-fspi.c
@@ -996,7 +996,7 @@ static int nxp_fspi_do_op(struct nxp_fspi *f, const struct spi_mem_op *op)
reg = reg | FSPI_IPRXFCR_CLR;
fspi_writel(f, reg, base + FSPI_IPRXFCR);
- init_completion(&f->c);
+ reinit_completion(&f->c);
fspi_writel(f, op->addr.val, base + FSPI_IPCR0);
/*
@@ -1365,6 +1365,7 @@ static int nxp_fspi_probe(struct platform_device *pdev)
if (ret < 0)
return dev_err_probe(dev, ret, "Failed to disable clock");
+ init_completion(&f->c);
ret = devm_request_irq(dev, irq,
nxp_fspi_irq_handler, 0, pdev->name, f);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 216/957] spi: fsl-qspi: Use reinit_completion() for repeated operations
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 215/957] spi: nxp-fspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 217/957] media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe Greg Kroah-Hartman
` (746 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Haibo Chen, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 981b080a79724738882b0af1c5bb7ade30d94f24 ]
The driver currently calls init_completion() during every spi_mem_op.
Tchnically it may work, but it's not the recommended pattern.
According to the kernel documentation: Calling init_completion() on
the same completion object twice is most likely a bug as it
re-initializes the queue to an empty queue and enqueued tasks could
get "lost" - use reinit_completion() in that case, but be aware of
other races.
So moves the initial initialization to probe function and uses
reinit_completion() for subsequent operations.
Fixes: 84d043185dbe ("spi: Add a driver for the Freescale/NXP QuadSPI controller")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://patch.msgid.link/20260304-spi-nxp-v2-3-cd7d7726a27e@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-qspi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-fsl-qspi.c b/drivers/spi/spi-fsl-qspi.c
index c887abb028d77..3904d64ed4334 100644
--- a/drivers/spi/spi-fsl-qspi.c
+++ b/drivers/spi/spi-fsl-qspi.c
@@ -607,7 +607,7 @@ static int fsl_qspi_do_op(struct fsl_qspi *q, const struct spi_mem_op *op)
void __iomem *base = q->iobase;
int err = 0;
- init_completion(&q->c);
+ reinit_completion(&q->c);
/*
* Always start the sequence at the same index since we update
@@ -928,6 +928,7 @@ static int fsl_qspi_probe(struct platform_device *pdev)
if (ret < 0)
return ret;
+ init_completion(&q->c);
ret = devm_request_irq(dev, ret,
fsl_qspi_irq_handler, 0, pdev->name, q);
if (ret) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 217/957] media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 216/957] spi: fsl-qspi: " Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 218/957] drm/amd/pm: Fix xgmi max speed reporting Greg Kroah-Hartman
` (745 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Sakari Ailus,
Mauro Carvalho Chehab, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 535b7f106991c7d8f0e5b8e1769bfb8b1ce9d3d6 ]
It's necessary to finalize the camera sensor subdevice initialization on
driver probe and clean V4L2 subdevice data up on error paths and driver
removal.
The change fixes a previously reported by v4l2-compliance issue of
the failed VIDIOC_(UN)SUBSCRIBE_EVENT/DQEVENT test:
fail: v4l2-test-controls.cpp(1104): subscribe event for control 'User Controls' failed
Fixes: 472377febf84 ("media: Add a driver for the og01a1b camera sensor")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/og01a1b.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/media/i2c/og01a1b.c b/drivers/media/i2c/og01a1b.c
index c7184de6251ae..7b892b26203c0 100644
--- a/drivers/media/i2c/og01a1b.c
+++ b/drivers/media/i2c/og01a1b.c
@@ -1042,6 +1042,7 @@ static void og01a1b_remove(struct i2c_client *client)
struct og01a1b *og01a1b = to_og01a1b(sd);
v4l2_async_unregister_subdev(sd);
+ v4l2_subdev_cleanup(&og01a1b->sd);
media_entity_cleanup(&sd->entity);
v4l2_ctrl_handler_free(sd->ctrl_handler);
pm_runtime_disable(og01a1b->dev);
@@ -1153,11 +1154,18 @@ static int og01a1b_probe(struct i2c_client *client)
goto probe_error_v4l2_ctrl_handler_free;
}
+ ret = v4l2_subdev_init_finalize(&og01a1b->sd);
+ if (ret < 0) {
+ dev_err_probe(og01a1b->dev, ret,
+ "failed to finalize subdevice init\n");
+ goto probe_error_media_entity_cleanup;
+ }
+
ret = v4l2_async_register_subdev_sensor(&og01a1b->sd);
if (ret < 0) {
dev_err(og01a1b->dev, "failed to register V4L2 subdev: %d",
ret);
- goto probe_error_media_entity_cleanup;
+ goto probe_error_v4l2_subdev_cleanup;
}
/* Enable runtime PM and turn off the device */
@@ -1167,6 +1175,9 @@ static int og01a1b_probe(struct i2c_client *client)
return 0;
+probe_error_v4l2_subdev_cleanup:
+ v4l2_subdev_cleanup(&og01a1b->sd);
+
probe_error_media_entity_cleanup:
media_entity_cleanup(&og01a1b->sd.entity);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 218/957] drm/amd/pm: Fix xgmi max speed reporting
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 217/957] media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 219/957] selftests/sched_ext: Add missing error check for exit__load() Greg Kroah-Hartman
` (744 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Asad Kamal, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lijo Lazar <lijo.lazar@amd.com>
[ Upstream commit da16822ce5c32b5aca848eaea521936d4410d48c ]
Fix XGMI max bitrate/width reporting on SMUv13.0.12 SOCs. The data
format got changed when moved to static table from dynamic metrics
table.
Fixes: 1bec2f270766 ("drm/amd/pm: Fetch SMUv13.0.12 xgmi max speed/width")
Signed-off-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Asad Kamal <asad.kamal@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_12_ppt.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_12_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_12_ppt.c
index cb3fea9e8cf31..72d56cfd9d287 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_12_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_12_ppt.c
@@ -248,8 +248,9 @@ static void smu_v13_0_12_init_xgmi_data(struct smu_context *smu,
int ret;
if (smu_table->tables[SMU_TABLE_SMU_METRICS].version >= 0x13) {
- max_width = (uint8_t)static_metrics->MaxXgmiWidth;
- max_speed = (uint16_t)static_metrics->MaxXgmiBitrate;
+ max_width = (uint8_t)SMUQ10_ROUND(static_metrics->MaxXgmiWidth);
+ max_speed =
+ (uint16_t)SMUQ10_ROUND(static_metrics->MaxXgmiBitrate);
ret = 0;
} else {
MetricsTable_t *metrics = (MetricsTable_t *)smu_table->metrics_table;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 219/957] selftests/sched_ext: Add missing error check for exit__load()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 218/957] drm/amd/pm: Fix xgmi max speed reporting Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 220/957] drm/v3d: Handle error from drm_sched_entity_init() Greg Kroah-Hartman
` (743 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Carlier, Tejun Heo,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit 1d02346fec8d13b05e54296ddc6ae29b7e1067df ]
exit__load(skel) was called without checking its return value.
Every other test in the suite wraps the load call with
SCX_FAIL_IF(). Add the missing check to be consistent with the
rest of the test suite.
Fixes: a5db7817af78 ("sched_ext: Add selftests")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/sched_ext/exit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/sched_ext/exit.c b/tools/testing/selftests/sched_ext/exit.c
index ee25824b1cbe6..b987611789d16 100644
--- a/tools/testing/selftests/sched_ext/exit.c
+++ b/tools/testing/selftests/sched_ext/exit.c
@@ -33,7 +33,7 @@ static enum scx_test_status run(void *ctx)
skel = exit__open();
SCX_ENUM_INIT(skel);
skel->rodata->exit_point = tc;
- exit__load(skel);
+ SCX_FAIL_IF(exit__load(skel), "Failed to load skel");
link = bpf_map__attach_struct_ops(skel->maps.exit_ops);
if (!link) {
SCX_ERR("Failed to attach scheduler");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 220/957] drm/v3d: Handle error from drm_sched_entity_init()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 219/957] selftests/sched_ext: Add missing error check for exit__load() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 221/957] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
` (742 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Iago Toral Quiroga, Maíra Canal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maíra Canal <mcanal@igalia.com>
[ Upstream commit 8cf1bec37b27846ad3169744c9f1a89a06dcb3fa ]
drm_sched_entity_init() can fail but its return value is currently being
ignored in v3d_open(). Check the return value and properly unwind
on failure by destroying any already-initialized scheduler entities.
Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-1-49864fe00692@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/v3d/v3d_drv.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/v3d/v3d_drv.c b/drivers/gpu/drm/v3d/v3d_drv.c
index f4da7a94e4016..7bbb2256ce7dc 100644
--- a/drivers/gpu/drm/v3d/v3d_drv.c
+++ b/drivers/gpu/drm/v3d/v3d_drv.c
@@ -130,7 +130,7 @@ v3d_open(struct drm_device *dev, struct drm_file *file)
struct v3d_dev *v3d = to_v3d_dev(dev);
struct v3d_file_priv *v3d_priv;
struct drm_gpu_scheduler *sched;
- int i;
+ int i, ret;
v3d_priv = kzalloc(sizeof(*v3d_priv), GFP_KERNEL);
if (!v3d_priv)
@@ -140,9 +140,11 @@ v3d_open(struct drm_device *dev, struct drm_file *file)
for (i = 0; i < V3D_MAX_QUEUES; i++) {
sched = &v3d->queue[i].sched;
- drm_sched_entity_init(&v3d_priv->sched_entity[i],
- DRM_SCHED_PRIORITY_NORMAL, &sched,
- 1, NULL);
+ ret = drm_sched_entity_init(&v3d_priv->sched_entity[i],
+ DRM_SCHED_PRIORITY_NORMAL, &sched,
+ 1, NULL);
+ if (ret)
+ goto err_sched;
memset(&v3d_priv->stats[i], 0, sizeof(v3d_priv->stats[i]));
seqcount_init(&v3d_priv->stats[i].lock);
@@ -152,6 +154,12 @@ v3d_open(struct drm_device *dev, struct drm_file *file)
file->driver_priv = v3d_priv;
return 0;
+
+err_sched:
+ for (i--; i >= 0; i--)
+ drm_sched_entity_destroy(&v3d_priv->sched_entity[i]);
+ kfree(v3d_priv);
+ return ret;
}
static void
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 221/957] drm/sun4i: Fix resource leaks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 220/957] drm/v3d: Handle error from drm_sched_entity_init() Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 222/957] crypto: inside-secure/eip93 - register hash before authenc algorithms Greg Kroah-Hartman
` (741 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Jernej Skrabec,
Chen-Yu Tsai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 127367ad2e0f4870de60c6d719ae82ecf68d674c ]
Three clocks are not being released in devm_regmap_init_mmio() error
path.
Add proper goto and set ret to the error code.
Fixes: 8270249fbeaf0 ("drm/sun4i: backend: Create regmap after access is possible")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://patch.msgid.link/20260226163836.10335-1-ethantidmore06@gmail.com
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun4i_backend.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/sun4i/sun4i_backend.c b/drivers/gpu/drm/sun4i/sun4i_backend.c
index 0484cc27c97ae..1518126e9fe32 100644
--- a/drivers/gpu/drm/sun4i/sun4i_backend.c
+++ b/drivers/gpu/drm/sun4i/sun4i_backend.c
@@ -880,7 +880,8 @@ static int sun4i_backend_bind(struct device *dev, struct device *master,
&sun4i_backend_regmap_config);
if (IS_ERR(backend->engine.regs)) {
dev_err(dev, "Couldn't create the backend regmap\n");
- return PTR_ERR(backend->engine.regs);
+ ret = PTR_ERR(backend->engine.regs);
+ goto err_disable_ram_clk;
}
list_add_tail(&backend->engine.list, &drv->engine_list);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 222/957] crypto: inside-secure/eip93 - register hash before authenc algorithms
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 221/957] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 223/957] iommu/riscv: Add IOTINVAL after updating DDT/PDT entries Greg Kroah-Hartman
` (740 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksander Jan Bajkowski, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksander Jan Bajkowski <olek2@wp.pl>
[ Upstream commit 5377032914b29b4643adece0ff1dfc67e36700f4 ]
Register hash before hmac and authenc algorithms. This will ensure
selftests pass at startup. Previously, selftests failed on the
crypto_alloc_ahash() function since the associated algorithm was
not yet registered.
Fixes following error:
...
[ 18.375811] alg: self-tests for authenc(hmac(sha1),cbc(aes)) using authenc(hmac(sha1-eip93),cbc(aes-eip93)) failed (rc=-2)
[ 18.382140] alg: self-tests for authenc(hmac(sha224),rfc3686(ctr(aes))) using authenc(hmac(sha224-eip93),rfc3686(ctr(aes-eip93))) failed (rc=-2)
[ 18.395029] alg: aead: authenc(hmac(sha256-eip93),cbc(des-eip93)) setkey failed on test vector 0; expected_error=0, actual_error=-2, flags=0x1
[ 18.409734] alg: aead: authenc(hmac(md5-eip93),cbc(des3_ede-eip93)) setkey failed on test vector 0; expected_error=0, actual_error=-2, flags=0x1
...
Fixes: 9739f5f93b78 ("crypto: eip93 - Add Inside Secure SafeXcel EIP-93 crypto engine support")
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/inside-secure/eip93/eip93-main.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/inside-secure/eip93/eip93-main.c b/drivers/crypto/inside-secure/eip93/eip93-main.c
index b7fd9795062d4..76858bb4fcc22 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-main.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-main.c
@@ -36,6 +36,14 @@ static struct eip93_alg_template *eip93_algs[] = {
&eip93_alg_cbc_aes,
&eip93_alg_ctr_aes,
&eip93_alg_rfc3686_aes,
+ &eip93_alg_md5,
+ &eip93_alg_sha1,
+ &eip93_alg_sha224,
+ &eip93_alg_sha256,
+ &eip93_alg_hmac_md5,
+ &eip93_alg_hmac_sha1,
+ &eip93_alg_hmac_sha224,
+ &eip93_alg_hmac_sha256,
&eip93_alg_authenc_hmac_md5_cbc_des,
&eip93_alg_authenc_hmac_sha1_cbc_des,
&eip93_alg_authenc_hmac_sha224_cbc_des,
@@ -52,14 +60,6 @@ static struct eip93_alg_template *eip93_algs[] = {
&eip93_alg_authenc_hmac_sha1_rfc3686_aes,
&eip93_alg_authenc_hmac_sha224_rfc3686_aes,
&eip93_alg_authenc_hmac_sha256_rfc3686_aes,
- &eip93_alg_md5,
- &eip93_alg_sha1,
- &eip93_alg_sha224,
- &eip93_alg_sha256,
- &eip93_alg_hmac_md5,
- &eip93_alg_hmac_sha1,
- &eip93_alg_hmac_sha224,
- &eip93_alg_hmac_sha256,
};
inline void eip93_irq_disable(struct eip93_device *eip93, u32 mask)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 223/957] iommu/riscv: Add IOTINVAL after updating DDT/PDT entries
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 222/957] crypto: inside-secure/eip93 - register hash before authenc algorithms Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 224/957] iommu/riscv: Add missing GENERIC_MSI_IRQ Greg Kroah-Hartman
` (739 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fangyu Yu, Andrew Jones,
Joerg Roedel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fangyu Yu <fangyu.yu@linux.alibaba.com>
[ Upstream commit f5c262b544975e067ea265fc7403aefbbea8563e ]
Add riscv_iommu_iodir_iotinval() to perform required TLB and context cache
invalidations after updating DDT or PDT entries, as mandated by the RISC-V
IOMMU specification (Section 6.3.1 and 6.3.2).
Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/riscv/iommu.c | 70 +++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index ebb22979075df..c183818015813 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -996,7 +996,67 @@ static void riscv_iommu_iotlb_inval(struct riscv_iommu_domain *domain,
}
#define RISCV_IOMMU_FSC_BARE 0
+/*
+ * This function sends IOTINVAL commands as required by the RISC-V
+ * IOMMU specification (Section 6.3.1 and 6.3.2 in 1.0 spec version)
+ * after modifying DDT or PDT entries
+ */
+static void riscv_iommu_iodir_iotinval(struct riscv_iommu_device *iommu,
+ bool inval_pdt, unsigned long iohgatp,
+ struct riscv_iommu_dc *dc,
+ struct riscv_iommu_pc *pc)
+{
+ struct riscv_iommu_command cmd;
+
+ riscv_iommu_cmd_inval_vma(&cmd);
+ if (FIELD_GET(RISCV_IOMMU_DC_IOHGATP_MODE, iohgatp) ==
+ RISCV_IOMMU_DC_IOHGATP_MODE_BARE) {
+ if (inval_pdt) {
+ /*
+ * IOTINVAL.VMA with GV=AV=0, and PSCV=1, and
+ * PSCID=PC.PSCID
+ */
+ riscv_iommu_cmd_inval_set_pscid(&cmd,
+ FIELD_GET(RISCV_IOMMU_PC_TA_PSCID, pc->ta));
+ } else {
+ if (!FIELD_GET(RISCV_IOMMU_DC_TC_PDTV, dc->tc) &&
+ FIELD_GET(RISCV_IOMMU_DC_FSC_MODE, dc->fsc) !=
+ RISCV_IOMMU_DC_FSC_MODE_BARE) {
+ /*
+ * DC.tc.PDTV == 0 && DC.fsc.MODE != Bare
+ * IOTINVAL.VMA with GV=AV=0, and PSCV=1, and
+ * PSCID=DC.ta.PSCID
+ */
+ riscv_iommu_cmd_inval_set_pscid(&cmd,
+ FIELD_GET(RISCV_IOMMU_DC_TA_PSCID, dc->ta));
+ }
+ /* else: IOTINVAL.VMA with GV=AV=PSCV=0 */
+ }
+ } else {
+ riscv_iommu_cmd_inval_set_gscid(&cmd,
+ FIELD_GET(RISCV_IOMMU_DC_IOHGATP_GSCID, iohgatp));
+
+ if (inval_pdt) {
+ /*
+ * IOTINVAL.VMA with GV=1, AV=0, and PSCV=1, and
+ * GSCID=DC.iohgatp.GSCID, PSCID=PC.PSCID
+ */
+ riscv_iommu_cmd_inval_set_pscid(&cmd,
+ FIELD_GET(RISCV_IOMMU_PC_TA_PSCID, pc->ta));
+ }
+ /*
+ * else: IOTINVAL.VMA with GV=1,AV=PSCV=0,and
+ * GSCID=DC.iohgatp.GSCID
+ *
+ * IOTINVAL.GVMA with GV=1,AV=0,and
+ * GSCID=DC.iohgatp.GSCID
+ * TODO: For now, the Second-Stage feature have not yet been merged,
+ * also issue IOTINVAL.GVMA once second-stage support is merged.
+ */
+ }
+ riscv_iommu_cmd_send(iommu, &cmd);
+}
/*
* Update IODIR for the device.
*
@@ -1031,6 +1091,11 @@ static void riscv_iommu_iodir_update(struct riscv_iommu_device *iommu,
riscv_iommu_cmd_iodir_inval_ddt(&cmd);
riscv_iommu_cmd_iodir_set_did(&cmd, fwspec->ids[i]);
riscv_iommu_cmd_send(iommu, &cmd);
+ /*
+ * For now, the SVA and PASID features have not yet been merged, the
+ * default configuration is inval_pdt=false and pc=NULL.
+ */
+ riscv_iommu_iodir_iotinval(iommu, false, dc->iohgatp, dc, NULL);
sync_required = true;
}
@@ -1056,6 +1121,11 @@ static void riscv_iommu_iodir_update(struct riscv_iommu_device *iommu,
riscv_iommu_cmd_iodir_inval_ddt(&cmd);
riscv_iommu_cmd_iodir_set_did(&cmd, fwspec->ids[i]);
riscv_iommu_cmd_send(iommu, &cmd);
+ /*
+ * For now, the SVA and PASID features have not yet been merged, the
+ * default configuration is inval_pdt=false and pc=NULL.
+ */
+ riscv_iommu_iodir_iotinval(iommu, false, dc->iohgatp, dc, NULL);
}
riscv_iommu_cmd_sync(iommu, RISCV_IOMMU_IOTINVAL_TIMEOUT);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 224/957] iommu/riscv: Add missing GENERIC_MSI_IRQ
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 223/957] iommu/riscv: Add IOTINVAL after updating DDT/PDT entries Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 225/957] iommu/riscv: Stop polling when CQCSR reports an error Greg Kroah-Hartman
` (738 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Chen, Tomasz Jeznach,
Jason Gunthorpe, Joerg Roedel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit c70d20b25ca30d68b377b9363a2adca6eb2538e3 ]
The commit below added MSI related calls to the driver that depends on
GENERIC_MSI_IRQ. It is possible to build RISC-V without this selected.
This is also necessary to make the driver COMPILE_TEST.
Fixes: d5f88acdd6ff ("iommu/riscv: Add support for platform msi")
Tested-by: Vincent Chen <vincent.chen@sifive.com>
Tested-by: Tomasz Jeznach <tjeznach@rivosinc.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/riscv/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iommu/riscv/Kconfig b/drivers/iommu/riscv/Kconfig
index c071816f59a67..fb8e217edc3d3 100644
--- a/drivers/iommu/riscv/Kconfig
+++ b/drivers/iommu/riscv/Kconfig
@@ -4,6 +4,7 @@
config RISCV_IOMMU
bool "RISC-V IOMMU Support"
depends on RISCV && 64BIT
+ depends on GENERIC_MSI_IRQ
default y
select IOMMU_API
help
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 225/957] iommu/riscv: Stop polling when CQCSR reports an error
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 224/957] iommu/riscv: Add missing GENERIC_MSI_IRQ Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 226/957] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
` (737 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fangyu Yu, Joerg Roedel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fangyu Yu <fangyu.yu@linux.alibaba.com>
[ Upstream commit b2e5684558edf3e9bbe18d0e0043854994eab1be ]
The cmdq wait loop busy-polls the consumer index until it advances
or the software timeout expires. If the IOMMU has already signaled
a command queue failure in CQCSR, continuing to poll for progress is
pointless.
Make riscv_iommu_queue_wait() also terminate the poll when any of these
CQCSR error bits are observed.
This helps the caller return earlier in failure cases and avoids
spinning until the full timeout interval when the hardware has already
reported an error. On single-core systems in particular, the current
busy-wait can delay servicing the command-timeout interrupt until the
software timeout expires (90s by default).
Fixes: 856c0cfe5c5f ("iommu/riscv: Command and fault queue support")
Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/riscv/iommu.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index c183818015813..1e8007a153c32 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -368,6 +368,8 @@ static int riscv_iommu_queue_wait(struct riscv_iommu_queue *queue,
unsigned int timeout_us)
{
unsigned int cons = atomic_read(&queue->head);
+ unsigned int flags = RISCV_IOMMU_CQCSR_CQMF | RISCV_IOMMU_CQCSR_CMD_TO |
+ RISCV_IOMMU_CQCSR_CMD_ILL;
/* Already processed by the consumer */
if ((int)(cons - index) > 0)
@@ -375,6 +377,7 @@ static int riscv_iommu_queue_wait(struct riscv_iommu_queue *queue,
/* Monitor consumer index */
return readx_poll_timeout(riscv_iommu_queue_cons, queue, cons,
+ (riscv_iommu_readl(queue->iommu, queue->qcr) & flags) ||
(int)(cons - index) > 0, 0, timeout_us);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 226/957] drm/amdgpu: Add default case in DVI mode validation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 225/957] iommu/riscv: Stop polling when CQCSR reports an error Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 227/957] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
` (736 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Timur Kristóf,
Alex Deucher, Christian König, Srinivasan Shanmugam,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit e6020a55b8e364d15eac27f9c788e13114eec6b7 ]
amdgpu_connector_dvi_mode_valid() assigns max_digital_pixel_clock_khz
based on connector_object_id using a switch statement that lacks a
default case.
In practice this code path should never be hit because the existing
cases already cover all digital connector types that this function is
used for. This is also legacy display code which is not used for new
hardware.
Add a default case returning MODE_BAD to make the switch exhaustive and
silence the static analyzer smatch error. The new branch is effectively
defensive and should never be reached during normal operation.
Fixes: 585b2f685c56 ("drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)")
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Timur Kristóf <timur.kristof@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 47e9bfba06424..46b04e2203eba 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -1244,6 +1244,8 @@ static enum drm_mode_status amdgpu_connector_dvi_mode_valid(struct drm_connector
case CONNECTOR_OBJECT_ID_HDMI_TYPE_B:
max_digital_pixel_clock_khz = max_dvi_single_link_pixel_clock * 2;
break;
+ default:
+ return MODE_BAD;
}
/* When the display EDID claims that it's an HDMI display,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 227/957] dm init: ensure device probing has finished in dm-mod.waitfor=
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 226/957] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 228/957] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
` (735 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillaume Gonnet, Mikulas Patocka,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Gonnet <ggonnet.linux@gmail.com>
[ Upstream commit 99a2312f69805f4ba92d98a757625e0300a747ab ]
The early_lookup_bdev() function returns successfully when the disk
device is present but not necessarily its partitions. In this situation,
dm_early_create() fails as the partition block device does not exist
yet.
In my case, this phenomenon occurs quite often because the device is
an SD card with slow reading times, on which kernel takes time to
enumerate available partitions.
Fortunately, the underlying device is back to "probing" state while
enumerating partitions. Waiting for all probing to end is enough to fix
this issue.
That's also the reason why this problem never occurs with rootwait=
parameter: the while loop inside wait_for_root() explicitly waits for
probing to be done and then the function calls async_synchronize_full().
These lines were omitted in 035641b, even though the commit says it's
based on the rootwait logic...
Anyway, calling wait_for_device_probe() after our while loop does the
job (it both waits for probing and calls async_synchronize_full).
Fixes: 035641b01e72 ("dm init: add dm-mod.waitfor to wait for asynchronously probed block devices")
Signed-off-by: Guillaume Gonnet <ggonnet.linux@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-init.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
index b37bbe7625003..423269cbdd2bb 100644
--- a/drivers/md/dm-init.c
+++ b/drivers/md/dm-init.c
@@ -303,8 +303,10 @@ static int __init dm_init_init(void)
}
}
- if (waitfor[0])
+ if (waitfor[0]) {
+ wait_for_device_probe();
DMINFO("all devices available");
+ }
list_for_each_entry(dev, &devices, list) {
if (dm_early_create(&dev->dmi, dev->table,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 228/957] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 227/957] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 229/957] crypto: tegra - Disable softirqs before finalizing request Greg Kroah-Hartman
` (734 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Jason Yan,
Helge Deller, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit caf6144053b4e1c815aa56afb54745a176f999df ]
Clang is not happy about set but unused variable:
drivers/video/fbdev/matrox/g450_pll.c:412:18: error: variable 'mnp' set but not used
412 | unsigned int mnp;
| ^
1 error generated.
Since the commit 7b987887f97b ("video: fbdev: matroxfb: remove dead code
and set but not used variable") the 'mnp' became unused, but eliminating
that code might have side-effects. The question here is what should we do
with 'mnp'? The easiest way out is just mark it with __maybe_unused which
will shut the compiler up and won't change any possible IO flow. So does
this change.
A dive into the history of the driver:
The problem was revealed when the #if 0 guarded code along with unused
pixel_vco variable was removed. That code was introduced in the original
commit 213d22146d1f ("[PATCH] (1/3) matroxfb for 2.5.3"). And then guarded
in the commit 705e41f82988 ("matroxfb DVI updates: Handle DVI output on
G450/G550. Powerdown unused portions of G450/G550 DAC. Split G450/G550 DAC
from older DAC1064 handling. Modify PLL setting when both CRTCs use same
pixel clocks.").
NOTE: The two commits mentioned above pre-date Git era and available in
history.git repository for archaeological purposes.
Even without that guard the modern compilers may see that the pixel_vco
wasn't ever used and seems a leftover after some debug or review made
25 years ago.
The g450_mnp2vco() doesn't have any IO and as Jason said doesn't seem
to have any side effects either than some unneeded CPU processing during
runtime. I agree that's unlikely that timeout (or heating up the CPU) has
any effect on the HW (GPU/display) functionality.
Fixes: 7b987887f97b ("video: fbdev: matroxfb: remove dead code and set but not used variable")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/matrox/g450_pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/matrox/g450_pll.c b/drivers/video/fbdev/matrox/g450_pll.c
index e2c1478aa47f9..6a08f78cd1acb 100644
--- a/drivers/video/fbdev/matrox/g450_pll.c
+++ b/drivers/video/fbdev/matrox/g450_pll.c
@@ -409,7 +409,7 @@ static int __g450_setclk(struct matrox_fb_info *minfo, unsigned int fout,
case M_VIDEO_PLL:
{
u_int8_t tmp;
- unsigned int mnp;
+ unsigned int mnp __maybe_unused;
unsigned long flags;
matroxfb_DAC_lock_irqsave(flags);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 229/957] crypto: tegra - Disable softirqs before finalizing request
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 228/957] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 230/957] crypto: atmel - Use unregister_{aeads,ahashes,skciphers} Greg Kroah-Hartman
` (733 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangwu Zhang, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 2aeec9af775fb53aa086419b953302c6f4ad4984 ]
Softirqs must be disabled when calling the finalization fucntion on
a request.
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/tegra/tegra-se-aes.c | 9 +++++++++
drivers/crypto/tegra/tegra-se-hash.c | 3 +++
2 files changed, 12 insertions(+)
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 9210cceb4b7b2..30c78afe3dea6 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -4,6 +4,7 @@
* Crypto driver to handle block cipher algorithms using NVIDIA Security Engine.
*/
+#include <linux/bottom_half.h>
#include <linux/clk.h>
#include <linux/dma-mapping.h>
#include <linux/module.h>
@@ -333,7 +334,9 @@ static int tegra_aes_do_one_req(struct crypto_engine *engine, void *areq)
tegra_key_invalidate_reserved(ctx->se, key2_id, ctx->alg);
out_finalize:
+ local_bh_disable();
crypto_finalize_skcipher_request(se->engine, req, ret);
+ local_bh_enable();
return 0;
}
@@ -1262,7 +1265,9 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg);
out_finalize:
+ local_bh_disable();
crypto_finalize_aead_request(ctx->se->engine, req, ret);
+ local_bh_enable();
return 0;
}
@@ -1348,7 +1353,9 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg);
out_finalize:
+ local_bh_disable();
crypto_finalize_aead_request(ctx->se->engine, req, ret);
+ local_bh_enable();
return 0;
}
@@ -1746,7 +1753,9 @@ static int tegra_cmac_do_one_req(struct crypto_engine *engine, void *areq)
if (tegra_key_is_reserved(rctx->key_id))
tegra_key_invalidate_reserved(ctx->se, rctx->key_id, ctx->alg);
+ local_bh_disable();
crypto_finalize_hash_request(se->engine, req, ret);
+ local_bh_enable();
return 0;
}
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
index 06bb5bf0fa335..23d549801612e 100644
--- a/drivers/crypto/tegra/tegra-se-hash.c
+++ b/drivers/crypto/tegra/tegra-se-hash.c
@@ -4,6 +4,7 @@
* Crypto driver to handle HASH algorithms using NVIDIA Security Engine.
*/
+#include <linux/bottom_half.h>
#include <linux/clk.h>
#include <linux/dma-mapping.h>
#include <linux/module.h>
@@ -546,7 +547,9 @@ static int tegra_sha_do_one_req(struct crypto_engine *engine, void *areq)
}
out:
+ local_bh_disable();
crypto_finalize_hash_request(se->engine, req, ret);
+ local_bh_enable();
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 230/957] crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 229/957] crypto: tegra - Disable softirqs before finalizing request Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 231/957] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs Greg Kroah-Hartman
` (732 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 2ffc1ef4e826f0c3274f9ff5eb42bc70a5571afd ]
Replace multiple for loops with calls to crypto_unregister_aeads(),
crypto_unregister_ahashes(), and crypto_unregister_skciphers().
Remove the definition of atmel_tdes_unregister_algs() because it is
equivalent to calling crypto_unregister_skciphers() directly, and the
function parameter 'struct atmel_tdes_dev *' is unused anyway.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 57a13941c0bb ("crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/atmel-aes.c | 17 ++++++-----------
drivers/crypto/atmel-sha.c | 27 ++++++++++-----------------
drivers/crypto/atmel-tdes.c | 25 ++++++-------------------
3 files changed, 22 insertions(+), 47 deletions(-)
diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 5a6d64be81858..9b0cb97055dc5 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2201,12 +2201,10 @@ static irqreturn_t atmel_aes_irq(int irq, void *dev_id)
static void atmel_aes_unregister_algs(struct atmel_aes_dev *dd)
{
- int i;
-
#if IS_ENABLED(CONFIG_CRYPTO_DEV_ATMEL_AUTHENC)
if (dd->caps.has_authenc)
- for (i = 0; i < ARRAY_SIZE(aes_authenc_algs); i++)
- crypto_unregister_aead(&aes_authenc_algs[i]);
+ crypto_unregister_aeads(aes_authenc_algs,
+ ARRAY_SIZE(aes_authenc_algs));
#endif
if (dd->caps.has_xts)
@@ -2215,8 +2213,7 @@ static void atmel_aes_unregister_algs(struct atmel_aes_dev *dd)
if (dd->caps.has_gcm)
crypto_unregister_aead(&aes_gcm_alg);
- for (i = 0; i < ARRAY_SIZE(aes_algs); i++)
- crypto_unregister_skcipher(&aes_algs[i]);
+ crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
}
static void atmel_aes_crypto_alg_init(struct crypto_alg *alg)
@@ -2229,7 +2226,7 @@ static void atmel_aes_crypto_alg_init(struct crypto_alg *alg)
static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
{
- int err, i, j;
+ int err, i;
for (i = 0; i < ARRAY_SIZE(aes_algs); i++) {
atmel_aes_crypto_alg_init(&aes_algs[i].base);
@@ -2272,8 +2269,7 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
#if IS_ENABLED(CONFIG_CRYPTO_DEV_ATMEL_AUTHENC)
/* i = ARRAY_SIZE(aes_authenc_algs); */
err_aes_authenc_alg:
- for (j = 0; j < i; j++)
- crypto_unregister_aead(&aes_authenc_algs[j]);
+ crypto_unregister_aeads(aes_authenc_algs, i);
crypto_unregister_skcipher(&aes_xts_alg);
#endif
err_aes_xts_alg:
@@ -2281,8 +2277,7 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
err_aes_gcm_alg:
i = ARRAY_SIZE(aes_algs);
err_aes_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_skcipher(&aes_algs[j]);
+ crypto_unregister_skciphers(aes_algs, i);
return err;
}
diff --git a/drivers/crypto/atmel-sha.c b/drivers/crypto/atmel-sha.c
index 3d7573c7bd1ca..b02a71061708c 100644
--- a/drivers/crypto/atmel-sha.c
+++ b/drivers/crypto/atmel-sha.c
@@ -2418,27 +2418,23 @@ EXPORT_SYMBOL_GPL(atmel_sha_authenc_abort);
static void atmel_sha_unregister_algs(struct atmel_sha_dev *dd)
{
- int i;
-
if (dd->caps.has_hmac)
- for (i = 0; i < ARRAY_SIZE(sha_hmac_algs); i++)
- crypto_unregister_ahash(&sha_hmac_algs[i]);
+ crypto_unregister_ahashes(sha_hmac_algs,
+ ARRAY_SIZE(sha_hmac_algs));
- for (i = 0; i < ARRAY_SIZE(sha_1_256_algs); i++)
- crypto_unregister_ahash(&sha_1_256_algs[i]);
+ crypto_unregister_ahashes(sha_1_256_algs, ARRAY_SIZE(sha_1_256_algs));
if (dd->caps.has_sha224)
crypto_unregister_ahash(&sha_224_alg);
- if (dd->caps.has_sha_384_512) {
- for (i = 0; i < ARRAY_SIZE(sha_384_512_algs); i++)
- crypto_unregister_ahash(&sha_384_512_algs[i]);
- }
+ if (dd->caps.has_sha_384_512)
+ crypto_unregister_ahashes(sha_384_512_algs,
+ ARRAY_SIZE(sha_384_512_algs));
}
static int atmel_sha_register_algs(struct atmel_sha_dev *dd)
{
- int err, i, j;
+ int err, i;
for (i = 0; i < ARRAY_SIZE(sha_1_256_algs); i++) {
atmel_sha_alg_init(&sha_1_256_algs[i]);
@@ -2480,18 +2476,15 @@ static int atmel_sha_register_algs(struct atmel_sha_dev *dd)
/*i = ARRAY_SIZE(sha_hmac_algs);*/
err_sha_hmac_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_ahash(&sha_hmac_algs[j]);
+ crypto_unregister_ahashes(sha_hmac_algs, i);
i = ARRAY_SIZE(sha_384_512_algs);
err_sha_384_512_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_ahash(&sha_384_512_algs[j]);
+ crypto_unregister_ahashes(sha_384_512_algs, i);
crypto_unregister_ahash(&sha_224_alg);
err_sha_224_algs:
i = ARRAY_SIZE(sha_1_256_algs);
err_sha_1_256_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_ahash(&sha_1_256_algs[j]);
+ crypto_unregister_ahashes(sha_1_256_algs, i);
return err;
}
diff --git a/drivers/crypto/atmel-tdes.c b/drivers/crypto/atmel-tdes.c
index d3bd8b72c2c95..643e507f9c020 100644
--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -897,38 +897,25 @@ static irqreturn_t atmel_tdes_irq(int irq, void *dev_id)
return IRQ_NONE;
}
-static void atmel_tdes_unregister_algs(struct atmel_tdes_dev *dd)
-{
- int i;
-
- for (i = 0; i < ARRAY_SIZE(tdes_algs); i++)
- crypto_unregister_skcipher(&tdes_algs[i]);
-}
-
static int atmel_tdes_register_algs(struct atmel_tdes_dev *dd)
{
- int err, i, j;
+ int err, i;
for (i = 0; i < ARRAY_SIZE(tdes_algs); i++) {
atmel_tdes_skcipher_alg_init(&tdes_algs[i]);
err = crypto_register_skcipher(&tdes_algs[i]);
- if (err)
- goto err_tdes_algs;
+ if (err) {
+ crypto_unregister_skciphers(tdes_algs, i);
+ return err;
+ }
}
return 0;
-
-err_tdes_algs:
- for (j = 0; j < i; j++)
- crypto_unregister_skcipher(&tdes_algs[j]);
-
- return err;
}
static void atmel_tdes_get_cap(struct atmel_tdes_dev *dd)
{
-
dd->caps.has_dma = 0;
/* keep only major version number */
@@ -1061,7 +1048,7 @@ static void atmel_tdes_remove(struct platform_device *pdev)
list_del(&tdes_dd->list);
spin_unlock(&atmel_tdes.lock);
- atmel_tdes_unregister_algs(tdes_dd);
+ crypto_unregister_skciphers(tdes_algs, ARRAY_SIZE(tdes_algs));
tasklet_kill(&tdes_dd->done_task);
tasklet_kill(&tdes_dd->queue_task);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 231/957] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 230/957] crypto: atmel - Use unregister_{aeads,ahashes,skciphers} Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 232/957] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
` (731 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 57a13941c0bb06ae24e3b34672d7b6f2172b253f ]
Ensure the device supports XTS and GCM with 'has_xts' and 'has_gcm'
before unregistering algorithms when XTS or authenc registration fails,
which would trigger a WARN in crypto_unregister_alg().
Currently, with the capabilities defined in atmel_aes_get_cap(), this
bug cannot happen because all devices that support XTS and authenc also
support GCM, but the error handling should still be correct regardless
of hardware capabilities.
Fixes: d52db5188a87 ("crypto: atmel-aes - add support to the XTS mode")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/atmel-aes.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
index 9b0cb97055dc5..b393689400b4c 100644
--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2270,10 +2270,12 @@ static int atmel_aes_register_algs(struct atmel_aes_dev *dd)
/* i = ARRAY_SIZE(aes_authenc_algs); */
err_aes_authenc_alg:
crypto_unregister_aeads(aes_authenc_algs, i);
- crypto_unregister_skcipher(&aes_xts_alg);
+ if (dd->caps.has_xts)
+ crypto_unregister_skcipher(&aes_xts_alg);
#endif
err_aes_xts_alg:
- crypto_unregister_aead(&aes_gcm_alg);
+ if (dd->caps.has_gcm)
+ crypto_unregister_aead(&aes_gcm_alg);
err_aes_gcm_alg:
i = ARRAY_SIZE(aes_algs);
err_aes_algs:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 232/957] padata: Remove cpu online check from cpu add and removal
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 231/957] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 233/957] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
` (730 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuyi Zhou, Daniel Jordan,
Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuyi Zhou <zhouchuyi@bytedance.com>
[ Upstream commit 73117ea6470dca787f70f33c001f9faf437a1c0b ]
During the CPU offline process, the dying CPU is cleared from the
cpu_online_mask in takedown_cpu(). After this step, various CPUHP_*_DEAD
callbacks are executed to perform cleanup jobs for the dead CPU, so this
cpu online check in padata_cpu_dead() is unnecessary.
Similarly, when executing padata_cpu_online() during the
CPUHP_AP_ONLINE_DYN phase, the CPU has already been set in the
cpu_online_mask, the action even occurs earlier than the
CPUHP_AP_ONLINE_IDLE stage.
Remove this unnecessary cpu online check in __padata_add_cpu() and
__padata_remove_cpu().
Signed-off-by: Chuyi Zhou <zhouchuyi@bytedance.com>
Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: c8c4a2972f83 ("padata: Put CPU offline callback in ONLINE section to allow failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 26 ++++++++------------------
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index f4def028c48c0..f53263d7c9d42 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -736,32 +736,22 @@ EXPORT_SYMBOL(padata_set_cpumask);
static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
{
- int err = 0;
-
- if (cpumask_test_cpu(cpu, cpu_online_mask)) {
- err = padata_replace(pinst);
+ int err = padata_replace(pinst);
- if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
- padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_start(pinst);
- }
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_start(pinst);
return err;
}
static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
{
- int err = 0;
-
- if (!cpumask_test_cpu(cpu, cpu_online_mask)) {
- if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
- !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_stop(pinst);
-
- err = padata_replace(pinst);
- }
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_stop(pinst);
- return err;
+ return padata_replace(pinst);
}
static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 233/957] padata: Put CPU offline callback in ONLINE section to allow failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 232/957] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 234/957] PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation Greg Kroah-Hartman
` (729 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+123e1b70473ce213f3af,
Daniel Jordan, Herbert Xu, Sasha Levin, Thomas Gleixner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Jordan <daniel.m.jordan@oracle.com>
[ Upstream commit c8c4a2972f83c8b68ff03b43cecdb898939ff851 ]
syzbot reported the following warning:
DEAD callback error for CPU1
WARNING: kernel/cpu.c:1463 at _cpu_down+0x759/0x1020 kernel/cpu.c:1463, CPU#0: syz.0.1960/14614
at commit 4ae12d8bd9a8 ("Merge tag 'kbuild-fixes-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kbuild/linux")
which tglx traced to padata_cpu_dead() given it's the only
sub-CPUHP_TEARDOWN_CPU callback that returns an error.
Failure isn't allowed in hotplug states before CPUHP_TEARDOWN_CPU
so move the CPU offline callback to the ONLINE section where failure is
possible.
Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline")
Reported-by: syzbot+123e1b70473ce213f3af@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69af0a05.050a0220.310d8.002f.GAE@google.com/
Debugged-by: Thomas Gleixner <tglx@kernel.org>
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/cpuhotplug.h | 1 -
include/linux/padata.h | 8 +--
kernel/padata.c | 120 +++++++++++++++++++------------------
3 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index 62cd7b35a29c9..22ba327ec2278 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -92,7 +92,6 @@ enum cpuhp_state {
CPUHP_NET_DEV_DEAD,
CPUHP_IOMMU_IOVA_DEAD,
CPUHP_AP_ARM_CACHE_B15_RAC_DEAD,
- CPUHP_PADATA_DEAD,
CPUHP_AP_DTPM_CPU_DEAD,
CPUHP_RANDOM_PREPARE,
CPUHP_WORKQUEUE_PREP,
diff --git a/include/linux/padata.h b/include/linux/padata.h
index 765f2778e264a..b6232bea6edf5 100644
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -149,23 +149,23 @@ struct padata_mt_job {
/**
* struct padata_instance - The overall control structure.
*
- * @cpu_online_node: Linkage for CPU online callback.
- * @cpu_dead_node: Linkage for CPU offline callback.
+ * @cpuhp_node: Linkage for CPU hotplug callbacks.
* @parallel_wq: The workqueue used for parallel work.
* @serial_wq: The workqueue used for serial work.
* @pslist: List of padata_shell objects attached to this instance.
* @cpumask: User supplied cpumasks for parallel and serial works.
+ * @validate_cpumask: Internal cpumask used to validate @cpumask during hotplug.
* @kobj: padata instance kernel object.
* @lock: padata instance lock.
* @flags: padata flags.
*/
struct padata_instance {
- struct hlist_node cpu_online_node;
- struct hlist_node cpu_dead_node;
+ struct hlist_node cpuhp_node;
struct workqueue_struct *parallel_wq;
struct workqueue_struct *serial_wq;
struct list_head pslist;
struct padata_cpumask cpumask;
+ cpumask_var_t validate_cpumask;
struct kobject kobj;
struct mutex lock;
u8 flags;
diff --git a/kernel/padata.c b/kernel/padata.c
index f53263d7c9d42..938c926711876 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -539,7 +539,8 @@ static void padata_init_reorder_list(struct parallel_data *pd)
}
/* Allocate and initialize the internal cpumask dependend resources. */
-static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
+static struct parallel_data *padata_alloc_pd(struct padata_shell *ps,
+ int offlining_cpu)
{
struct padata_instance *pinst = ps->pinst;
struct parallel_data *pd;
@@ -565,6 +566,10 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
cpumask_and(pd->cpumask.pcpu, pinst->cpumask.pcpu, cpu_online_mask);
cpumask_and(pd->cpumask.cbcpu, pinst->cpumask.cbcpu, cpu_online_mask);
+ if (offlining_cpu >= 0) {
+ __cpumask_clear_cpu(offlining_cpu, pd->cpumask.pcpu);
+ __cpumask_clear_cpu(offlining_cpu, pd->cpumask.cbcpu);
+ }
padata_init_reorder_list(pd);
padata_init_squeues(pd);
@@ -611,11 +616,11 @@ static void __padata_stop(struct padata_instance *pinst)
}
/* Replace the internal control structure with a new one. */
-static int padata_replace_one(struct padata_shell *ps)
+static int padata_replace_one(struct padata_shell *ps, int offlining_cpu)
{
struct parallel_data *pd_new;
- pd_new = padata_alloc_pd(ps);
+ pd_new = padata_alloc_pd(ps, offlining_cpu);
if (!pd_new)
return -ENOMEM;
@@ -625,7 +630,7 @@ static int padata_replace_one(struct padata_shell *ps)
return 0;
}
-static int padata_replace(struct padata_instance *pinst)
+static int padata_replace(struct padata_instance *pinst, int offlining_cpu)
{
struct padata_shell *ps;
int err = 0;
@@ -633,7 +638,7 @@ static int padata_replace(struct padata_instance *pinst)
pinst->flags |= PADATA_RESET;
list_for_each_entry(ps, &pinst->pslist, list) {
- err = padata_replace_one(ps);
+ err = padata_replace_one(ps, offlining_cpu);
if (err)
break;
}
@@ -650,9 +655,21 @@ static int padata_replace(struct padata_instance *pinst)
/* If cpumask contains no active cpu, we mark the instance as invalid. */
static bool padata_validate_cpumask(struct padata_instance *pinst,
- const struct cpumask *cpumask)
+ const struct cpumask *cpumask,
+ int offlining_cpu)
{
- if (!cpumask_intersects(cpumask, cpu_online_mask)) {
+ cpumask_copy(pinst->validate_cpumask, cpu_online_mask);
+
+ /*
+ * @offlining_cpu is still in cpu_online_mask, so remove it here for
+ * validation. Using a sub-CPUHP_TEARDOWN_CPU hotplug state where
+ * @offlining_cpu wouldn't be in the online mask doesn't work because
+ * padata_cpu_offline() can fail but such a state doesn't allow failure.
+ */
+ if (offlining_cpu >= 0)
+ __cpumask_clear_cpu(offlining_cpu, pinst->validate_cpumask);
+
+ if (!cpumask_intersects(cpumask, pinst->validate_cpumask)) {
pinst->flags |= PADATA_INVALID;
return false;
}
@@ -668,13 +685,13 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
int valid;
int err;
- valid = padata_validate_cpumask(pinst, pcpumask);
+ valid = padata_validate_cpumask(pinst, pcpumask, -1);
if (!valid) {
__padata_stop(pinst);
goto out_replace;
}
- valid = padata_validate_cpumask(pinst, cbcpumask);
+ valid = padata_validate_cpumask(pinst, cbcpumask, -1);
if (!valid)
__padata_stop(pinst);
@@ -682,7 +699,7 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
cpumask_copy(pinst->cpumask.pcpu, pcpumask);
cpumask_copy(pinst->cpumask.cbcpu, cbcpumask);
- err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst);
+ err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst, -1);
if (valid)
__padata_start(pinst);
@@ -734,26 +751,6 @@ EXPORT_SYMBOL(padata_set_cpumask);
#ifdef CONFIG_HOTPLUG_CPU
-static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
-{
- int err = padata_replace(pinst);
-
- if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
- padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_start(pinst);
-
- return err;
-}
-
-static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
-{
- if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
- !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
- __padata_stop(pinst);
-
- return padata_replace(pinst);
-}
-
static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
{
return cpumask_test_cpu(cpu, pinst->cpumask.pcpu) ||
@@ -765,27 +762,39 @@ static int padata_cpu_online(unsigned int cpu, struct hlist_node *node)
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpuhp_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
mutex_lock(&pinst->lock);
- ret = __padata_add_cpu(pinst, cpu);
+
+ ret = padata_replace(pinst, -1);
+
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu, -1) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu, -1))
+ __padata_start(pinst);
+
mutex_unlock(&pinst->lock);
return ret;
}
-static int padata_cpu_dead(unsigned int cpu, struct hlist_node *node)
+static int padata_cpu_offline(unsigned int cpu, struct hlist_node *node)
{
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpuhp_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
mutex_lock(&pinst->lock);
- ret = __padata_remove_cpu(pinst, cpu);
+
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu, cpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu, cpu))
+ __padata_stop(pinst);
+
+ ret = padata_replace(pinst, cpu);
+
mutex_unlock(&pinst->lock);
return ret;
}
@@ -796,15 +805,14 @@ static enum cpuhp_state hp_online;
static void __padata_free(struct padata_instance *pinst)
{
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD,
- &pinst->cpu_dead_node);
- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node);
+ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpuhp_node);
#endif
WARN_ON(!list_empty(&pinst->pslist));
free_cpumask_var(pinst->cpumask.pcpu);
free_cpumask_var(pinst->cpumask.cbcpu);
+ free_cpumask_var(pinst->validate_cpumask);
destroy_workqueue(pinst->serial_wq);
destroy_workqueue(pinst->parallel_wq);
kfree(pinst);
@@ -965,10 +973,10 @@ struct padata_instance *padata_alloc(const char *name)
if (!alloc_cpumask_var(&pinst->cpumask.pcpu, GFP_KERNEL))
goto err_free_serial_wq;
- if (!alloc_cpumask_var(&pinst->cpumask.cbcpu, GFP_KERNEL)) {
- free_cpumask_var(pinst->cpumask.pcpu);
- goto err_free_serial_wq;
- }
+ if (!alloc_cpumask_var(&pinst->cpumask.cbcpu, GFP_KERNEL))
+ goto err_free_p_mask;
+ if (!alloc_cpumask_var(&pinst->validate_cpumask, GFP_KERNEL))
+ goto err_free_cb_mask;
INIT_LIST_HEAD(&pinst->pslist);
@@ -976,7 +984,7 @@ struct padata_instance *padata_alloc(const char *name)
cpumask_copy(pinst->cpumask.cbcpu, cpu_possible_mask);
if (padata_setup_cpumasks(pinst))
- goto err_free_masks;
+ goto err_free_v_mask;
__padata_start(pinst);
@@ -985,18 +993,19 @@ struct padata_instance *padata_alloc(const char *name)
#ifdef CONFIG_HOTPLUG_CPU
cpuhp_state_add_instance_nocalls_cpuslocked(hp_online,
- &pinst->cpu_online_node);
- cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD,
- &pinst->cpu_dead_node);
+ &pinst->cpuhp_node);
#endif
cpus_read_unlock();
return pinst;
-err_free_masks:
- free_cpumask_var(pinst->cpumask.pcpu);
+err_free_v_mask:
+ free_cpumask_var(pinst->validate_cpumask);
+err_free_cb_mask:
free_cpumask_var(pinst->cpumask.cbcpu);
+err_free_p_mask:
+ free_cpumask_var(pinst->cpumask.pcpu);
err_free_serial_wq:
destroy_workqueue(pinst->serial_wq);
err_put_cpus:
@@ -1039,7 +1048,7 @@ struct padata_shell *padata_alloc_shell(struct padata_instance *pinst)
ps->pinst = pinst;
cpus_read_lock();
- pd = padata_alloc_pd(ps);
+ pd = padata_alloc_pd(ps, -1);
cpus_read_unlock();
if (!pd)
@@ -1088,32 +1097,25 @@ void __init padata_init(void)
int ret;
ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN, "padata:online",
- padata_cpu_online, NULL);
+ padata_cpu_online, padata_cpu_offline);
if (ret < 0)
goto err;
hp_online = ret;
-
- ret = cpuhp_setup_state_multi(CPUHP_PADATA_DEAD, "padata:dead",
- NULL, padata_cpu_dead);
- if (ret < 0)
- goto remove_online_state;
#endif
possible_cpus = num_possible_cpus();
padata_works = kmalloc_array(possible_cpus, sizeof(struct padata_work),
GFP_KERNEL);
if (!padata_works)
- goto remove_dead_state;
+ goto remove_online_state;
for (i = 0; i < possible_cpus; ++i)
list_add(&padata_works[i].pw_list, &padata_free_works);
return;
-remove_dead_state:
-#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_remove_multi_state(CPUHP_PADATA_DEAD);
remove_online_state:
+#ifdef CONFIG_HOTPLUG_CPU
cpuhp_remove_multi_state(hp_online);
err:
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 234/957] PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 233/957] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 235/957] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
` (728 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koichiro Den, Manivannan Sadhasivam,
Bjorn Helgaas, Niklas Cassel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
[ Upstream commit 13f55a7ca773c731a1e645934c1ae48577f48785 ]
R-Car S4 Series (R8A779F[4-7]*) EP controller uses a 4K minimum iATU region
size (CX_ATU_MIN_REGION_SIZE = 4K) as per R19UH0161EJ0130 Rev.1.30. Also,
the controller itself can only be configured in the range 4 KB to 64 KB, so
the current 1 MB alignment requirement is incorrect.
Hence, change the alignment to the min size 4K as per the documentation.
This also fixes needless unusability of BAR4 on this platform when the
target address is fixed, such as for doorbell targets.
Fixes: e311b3834dfa ("PCI: rcar-gen4: Add endpoint mode support")
Signed-off-by: Koichiro Den <den@valinux.co.jp>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Link: https://patch.msgid.link/20260305151050.1834007-1-den@valinux.co.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-rcar-gen4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-rcar-gen4.c b/drivers/pci/controller/dwc/pcie-rcar-gen4.c
index 80778917d2ddd..7e171526b1ded 100644
--- a/drivers/pci/controller/dwc/pcie-rcar-gen4.c
+++ b/drivers/pci/controller/dwc/pcie-rcar-gen4.c
@@ -425,7 +425,7 @@ static const struct pci_epc_features rcar_gen4_pcie_epc_features = {
.bar[BAR_3] = { .type = BAR_RESERVED, },
.bar[BAR_4] = { .type = BAR_FIXED, .fixed_size = 256 },
.bar[BAR_5] = { .type = BAR_RESERVED, },
- .align = SZ_1M,
+ .align = SZ_4K,
};
static const struct pci_epc_features*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 235/957] drm/amdgpu/gfx10: look at the right prop for gfx queue priority
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 234/957] PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 236/957] drm/amdgpu/gfx11: " Greg Kroah-Hartman
` (727 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 355d96cdec5c61fd83f7eb54f1a28e38809645d6 ]
Look at hqd_queue_priority rather than hqd_pipe_priority.
In practice, it didn't matter as both were always set for
kernel queues, but that will change in the future.
Fixes: b07d1d73b09e ("drm/amd/amdgpu: Enable high priority gfx queue")
Reviewed-by:Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
index 003bcece715eb..234753a10361f 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
@@ -6751,7 +6751,7 @@ static void gfx_v10_0_gfx_mqd_set_priority(struct amdgpu_device *adev,
/* set up default queue priority level
* 0x0 = low priority, 0x1 = high priority
*/
- if (prop->hqd_pipe_priority == AMDGPU_GFX_PIPE_PRIO_HIGH)
+ if (prop->hqd_queue_priority == AMDGPU_GFX_QUEUE_PRIORITY_MAXIMUM)
priority = 1;
tmp = RREG32_SOC15(GC, 0, mmCP_GFX_HQD_QUEUE_PRIORITY);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 236/957] drm/amdgpu/gfx11: look at the right prop for gfx queue priority
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 235/957] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
@ 2026-05-20 16:11 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 237/957] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
` (726 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit f9a4e81bcbd04e6f967d851f9fe69d8bb3cc08b3 ]
Look at hqd_queue_priority rather than hqd_pipe_priority.
In practice, it didn't matter as both were always set for
kernel queues, but that will change in the future.
Fixes: 2e216b1e6ba2 ("drm/amdgpu/gfx11: handle priority setup for gfx pipe1")
Reviewed-by:Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
index feb56b6b31c9c..cf23b5da6dbbb 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
@@ -4080,7 +4080,7 @@ static void gfx_v11_0_gfx_mqd_set_priority(struct amdgpu_device *adev,
/* set up default queue priority level
* 0x0 = low priority, 0x1 = high priority
*/
- if (prop->hqd_pipe_priority == AMDGPU_GFX_PIPE_PRIO_HIGH)
+ if (prop->hqd_queue_priority == AMDGPU_GFX_QUEUE_PRIORITY_MAXIMUM)
priority = 1;
tmp = regCP_GFX_HQD_QUEUE_PRIORITY_DEFAULT;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 237/957] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-05-20 16:11 ` [PATCH 6.18 236/957] drm/amdgpu/gfx11: " Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 238/957] drm/imagination: Switch reset_reason fields from enum to u32 Greg Kroah-Hartman
` (725 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit 9f61daf2c2debe9f5cf4e1a4471e56a89a6fe45a ]
The hisi_spi_flush_fifo()'s inner while loop that lacks any timeout
mechanism. Maybe the hardware never becomes empty, the loop will spin
forever, causing the CPU to hang.
Fix this by adding a inner_limit based on loops_per_jiffy. The inner loop
now exits after approximately one jiffy if the FIFO remains non-empty, logs
a ratelimited warning, and breaks out of the outer loop. Additionally, add
a cpu_relax() inside the busy loop to improve power efficiency.
Fixes: c770d8631e18 ("spi: Add HiSilicon SPI Controller Driver for Kunpeng SoCs")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/d834ce28172886bfaeb9c8ca00cfd9bf1c65d5a1.1773889292.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-hisi-kunpeng.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c
index 80a1a15de0bc3..a38dcae6271ff 100644
--- a/drivers/spi/spi-hisi-kunpeng.c
+++ b/drivers/spi/spi-hisi-kunpeng.c
@@ -196,8 +196,18 @@ static void hisi_spi_flush_fifo(struct hisi_spi *hs)
unsigned long limit = loops_per_jiffy << 1;
do {
- while (hisi_spi_rx_not_empty(hs))
+ unsigned long inner_limit = loops_per_jiffy;
+
+ while (hisi_spi_rx_not_empty(hs) && --inner_limit) {
readl(hs->regs + HISI_SPI_DOUT);
+ cpu_relax();
+ }
+
+ if (!inner_limit) {
+ dev_warn_ratelimited(hs->dev, "RX FIFO flush timeout\n");
+ break;
+ }
+
} while (hisi_spi_busy(hs) && limit--);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 238/957] drm/imagination: Switch reset_reason fields from enum to u32
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 237/957] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 239/957] iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() Greg Kroah-Hartman
` (724 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandru Dadu, Matt Coster,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Dadu <alexandru.dadu@imgtec.com>
[ Upstream commit d2f83a6cd598bf413f1acf34153bd1d71023fbab ]
Update the reset_reason fwif structure fields from enum to u32 to remove
any ambiguity from the interface (enum is not a fixed size thus is unfit
for the purpose of the data type).
Fixes: a26f067feac1f ("drm/imagination: Add FWIF headers")
Signed-off-by: Alexandru Dadu <alexandru.dadu@imgtec.com>
Reviewed-by: Matt Coster <matt.coster@imgtec.com>
Link: https://patch.msgid.link/20260323-b4-firmware-context-reset-notification-handling-v3-2-1a66049a9a65@imgtec.com
Signed-off-by: Matt Coster <matt.coster@imgtec.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/imagination/pvr_rogue_fwif.h | 8 ++++++--
drivers/gpu/drm/imagination/pvr_rogue_fwif_shared.h | 6 +++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/imagination/pvr_rogue_fwif.h b/drivers/gpu/drm/imagination/pvr_rogue_fwif.h
index 172886be4c820..5d590c4c25663 100644
--- a/drivers/gpu/drm/imagination/pvr_rogue_fwif.h
+++ b/drivers/gpu/drm/imagination/pvr_rogue_fwif.h
@@ -1347,8 +1347,12 @@ struct rogue_fwif_fwccb_cmd_freelists_reconstruction_data {
struct rogue_fwif_fwccb_cmd_context_reset_data {
/* Context affected by the reset */
u32 server_common_context_id;
- /* Reason for reset */
- enum rogue_context_reset_reason reset_reason;
+ /*
+ * Reason for reset
+ * The valid values for reset_reason are the ones from
+ * enum rogue_context_reset_reason
+ */
+ u32 reset_reason;
/* Data Master affected by the reset */
u32 dm;
/* Job ref running at the time of reset */
diff --git a/drivers/gpu/drm/imagination/pvr_rogue_fwif_shared.h b/drivers/gpu/drm/imagination/pvr_rogue_fwif_shared.h
index 6c09c15bf9bd8..f95acd5a1f8e8 100644
--- a/drivers/gpu/drm/imagination/pvr_rogue_fwif_shared.h
+++ b/drivers/gpu/drm/imagination/pvr_rogue_fwif_shared.h
@@ -249,7 +249,11 @@ enum rogue_context_reset_reason {
};
struct rogue_context_reset_reason_data {
- enum rogue_context_reset_reason reset_reason;
+ /*
+ * The valid values for reset_reason are the ones from
+ * enum rogue_context_reset_reason
+ */
+ u32 reset_reason;
u32 reset_ext_job_ref;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 239/957] iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 238/957] drm/imagination: Switch reset_reason fields from enum to u32 Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 240/957] iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement Greg Kroah-Hartman
` (723 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Auger, Shameer Kolothum,
Nicolin Chen, Will Deacon, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
[ Upstream commit 803e41f36d227022ab9bbe780c82283fd4713b2e ]
vintf->hyp_own is finalized in tegra241_vintf_hw_init(). On the other hand,
tegra241_vcmdq_alloc_smmu_cmdq() is called via an init_structures callback,
which is earlier than tegra241_vintf_hw_init().
This results in the supports_cmd op always being set to the guest function,
although this doesn't break any functionality nor have some noticeable perf
impact since non-invalidation commands are not issued in the perf sensitive
context.
Fix this by moving supports_cmd to tegra241_vcmdq_hw_init().
After this change,
- For a guest kernel, this will be a status quo
- For a host kernel, non-invalidation commands will be issued to VCMDQ(s)
Fixes: a9d40285bdef ("iommu/tegra241-cmdqv: Limit CMDs for VCMDQs of a guest owned VINTF")
Reported-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Shameer Kolothum <skolothumtho@nvidia.com>
Closes: https://lore.kernel.org/qemu-devel/CH3PR12MB754836BEE54E39B30C7210C0AB44A@CH3PR12MB7548.namprd12.prod.outlook.com/
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c
index 04cc7a9036e43..17591d8eb64b8 100644
--- a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c
+++ b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c
@@ -481,6 +481,10 @@ static int tegra241_vcmdq_hw_init(struct tegra241_vcmdq *vcmdq)
/* Reset VCMDQ */
tegra241_vcmdq_hw_deinit(vcmdq);
+ /* vintf->hyp_own is a HW state finalized in tegra241_vintf_hw_init() */
+ if (!vcmdq->vintf->hyp_own)
+ vcmdq->cmdq.supports_cmd = tegra241_guest_vcmdq_supports_cmd;
+
/* Configure and enable VCMDQ */
writeq_relaxed(vcmdq->cmdq.q.q_base, REG_VCMDQ_PAGE1(vcmdq, BASE));
@@ -641,9 +645,6 @@ static int tegra241_vcmdq_alloc_smmu_cmdq(struct tegra241_vcmdq *vcmdq)
q->q_base = q->base_dma & VCMDQ_ADDR;
q->q_base |= FIELD_PREP(VCMDQ_LOG2SIZE, q->llq.max_n_shift);
- if (!vcmdq->vintf->hyp_own)
- cmdq->supports_cmd = tegra241_guest_vcmdq_supports_cmd;
-
return arm_smmu_cmdq_init(smmu, cmdq);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 240/957] iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 239/957] iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 241/957] drm/msm: add missing MODULE_DEVICE_ID definitions Greg Kroah-Hartman
` (722 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Eric Auger,
Jason Gunthorpe, Will Deacon, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
[ Upstream commit 9dcef98dbee35b8ae784df04c041efffdd42a69c ]
>From hardware implementation perspective, a guest tegra241-cmdqv hardware
is different than the host hardware:
- Host HW is backed by a VINTF (HYP_OWN=1)
- Guest HW is backed by a VINTF (HYP_OWN=0)
The kernel driver has an implementation requirement of the HYP_OWN bit in
the VM. So, VMM must follow that to allow the same copy of Linux to work.
Add this requirement to the uAPI, which is currently missing.
Fixes: 4dc0d12474f9 ("iommu/tegra241-cmdqv: Add user-space use support")
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/iommufd.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/uapi/linux/iommufd.h b/include/uapi/linux/iommufd.h
index c218c89e0e2eb..bdd20666d1eb1 100644
--- a/include/uapi/linux/iommufd.h
+++ b/include/uapi/linux/iommufd.h
@@ -1003,6 +1003,11 @@ struct iommu_fault_alloc {
enum iommu_viommu_type {
IOMMU_VIOMMU_TYPE_DEFAULT = 0,
IOMMU_VIOMMU_TYPE_ARM_SMMUV3 = 1,
+ /*
+ * TEGRA241_CMDQV requirements (otherwise, VCMDQs will not work)
+ * - Kernel will allocate a VINTF (HYP_OWN=0) to back this VIOMMU. So,
+ * VMM must wire the HYP_OWN bit to 0 in guest VINTF_CONFIG register
+ */
IOMMU_VIOMMU_TYPE_TEGRA241_CMDQV = 2,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 241/957] drm/msm: add missing MODULE_DEVICE_ID definitions
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 240/957] iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 242/957] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
` (721 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Loïc Minier, Dmitry Baryshkov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit b21e85400ce763f2c6ad913e03fea5cadc323c13 ]
The drm/msm module bundles several drivers, each of them having a
separate OF match table, however only MDSS (subsystem), KMS devices and
GPU have corresponding MODULE_DEVICE_ID tables.
Add MODULE_DEVICE_ID to the display-related driver and to all other
drivers in this module, simplifying userspace job.
Fixes: 060530f1ea67 ("drm/msm: use componentised device support")
Reported-by: Loïc Minier <loic.minier@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/707960/
Link: https://lore.kernel.org/r/20260228-msm-device-id-v2-1-24b085919444@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_display.c | 1 +
drivers/gpu/drm/msm/dsi/dsi.c | 1 +
drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 1 +
drivers/gpu/drm/msm/hdmi/hdmi.c | 1 +
drivers/gpu/drm/msm/hdmi/hdmi_phy.c | 1 +
5 files changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
index f247aad553975..c79e624c11758 100644
--- a/drivers/gpu/drm/msm/dp/dp_display.c
+++ b/drivers/gpu/drm/msm/dp/dp_display.c
@@ -201,6 +201,7 @@ static const struct of_device_id msm_dp_dt_match[] = {
{ .compatible = "qcom,x1e80100-dp", .data = &msm_dp_desc_x1e80100 },
{}
};
+MODULE_DEVICE_TABLE(of, msm_dp_dt_match);
static struct msm_dp_display_private *dev_get_dp_display_private(struct device *dev)
{
diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c
index d8bb40ef820e2..3c9f01ed62713 100644
--- a/drivers/gpu/drm/msm/dsi/dsi.c
+++ b/drivers/gpu/drm/msm/dsi/dsi.c
@@ -198,6 +198,7 @@ static const struct of_device_id dt_match[] = {
{ .compatible = "qcom,dsi-ctrl-6g-qcm2290" },
{}
};
+MODULE_DEVICE_TABLE(of, dt_match);
static const struct dev_pm_ops dsi_pm_ops = {
SET_RUNTIME_PM_OPS(msm_dsi_runtime_suspend, msm_dsi_runtime_resume, NULL)
diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
index 4ea681130dbaf..5d627df687700 100644
--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
@@ -580,6 +580,7 @@ static const struct of_device_id dsi_phy_dt_match[] = {
#endif
{}
};
+MODULE_DEVICE_TABLE(of, dsi_phy_dt_match);
/*
* Currently, we only support one SoC for each PHY type. When we have multiple
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
index 5afac09c0d334..d5ef5089c9e9c 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
@@ -441,6 +441,7 @@ static const struct of_device_id msm_hdmi_dt_match[] = {
{ .compatible = "qcom,hdmi-tx-8660", .data = &hdmi_tx_8960_config },
{}
};
+MODULE_DEVICE_TABLE(of, msm_hdmi_dt_match);
static struct platform_driver msm_hdmi_driver = {
.probe = msm_hdmi_dev_probe,
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_phy.c b/drivers/gpu/drm/msm/hdmi/hdmi_phy.c
index 667573f1db7c6..f726555bb6810 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi_phy.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_phy.c
@@ -204,6 +204,7 @@ static const struct of_device_id msm_hdmi_phy_dt_match[] = {
.data = &msm_hdmi_phy_8998_cfg },
{}
};
+MODULE_DEVICE_TABLE(of, msm_hdmi_phy_dt_match);
static struct platform_driver msm_hdmi_phy_platform_driver = {
.probe = msm_hdmi_phy_probe,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 242/957] drm/msm/dpu: fix mismatch between power and frequency
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 241/957] drm/msm: add missing MODULE_DEVICE_ID definitions Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 243/957] drm/msm/dsi: add the missing parameter description Greg Kroah-Hartman
` (720 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuanjie Yang, Konrad Dybcio,
Dmitry Baryshkov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
[ Upstream commit bc1dccc518cc5ab5140fba06c27e7188e0ed342b ]
During DPU runtime suspend, calling dev_pm_opp_set_rate(dev, 0) drops
the MMCX rail to MIN_SVS while the core clock frequency remains at its
original (highest) rate. When runtime resume re-enables the clock, this
may result in a mismatch between the rail voltage and the clock rate.
For example, in the DPU bind path, the sequence could be:
cpu0: dev_sync_state -> rpmhpd_sync_state
cpu1: dpu_kms_hw_init
timeline 0 ------------------------------------------------> t
After rpmhpd_sync_state, the voltage performance is no longer guaranteed
to stay at the highest level. During dpu_kms_hw_init, calling
dev_pm_opp_set_rate(dev, 0) drops the voltage, causing the MMCX rail to
fall to MIN_SVS while the core clock is still at its maximum frequency.
When the power is re-enabled, only the clock is enabled, leading to a
situation where the MMCX rail is at MIN_SVS but the core clock is at its
highest rate. In this state, the rail cannot sustain the clock rate,
which may cause instability or system crash.
Remove the call to dev_pm_opp_set_rate(dev, 0) from dpu_runtime_suspend
to ensure the correct vote is restored when DPU resumes.
Fixes: b0530eb11913 ("drm/msm/dpu: Use OPP API to set clk/perf state")
Signed-off-by: Yuanjie Yang <yuanjie.yang@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/710077/
Link: https://lore.kernel.org/r/20260309063720.13572-1-yuanjie.yang@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
index 4e5a8ecd31f75..bc1a016471411 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
@@ -1461,8 +1461,6 @@ static int __maybe_unused dpu_runtime_suspend(struct device *dev)
struct msm_drm_private *priv = platform_get_drvdata(pdev);
struct dpu_kms *dpu_kms = to_dpu_kms(priv->kms);
- /* Drop the performance state vote */
- dev_pm_opp_set_rate(dev, 0);
clk_bulk_disable_unprepare(dpu_kms->num_clocks, dpu_kms->clocks);
for (i = 0; i < dpu_kms->num_paths; i++)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 243/957] drm/msm/dsi: add the missing parameter description
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 242/957] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 244/957] drm/msm/dpu: dont try using 2 LMs if only one DSC is available Greg Kroah-Hartman
` (719 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Pengyu Luo,
Dmitry Baryshkov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit 958adefc4c0fddee3b12269da5dd7cb49bac953f ]
Add a description for is_bonded_dsi in dsi_adjust_pclk_for_compression
to match the existing kernel-doc comment.
Fixes: e4eb11b34d6c ("drm/msm/dsi: fix pclk rate calculation for bonded dsi")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603080314.XeqyRZ7A-lkp@intel.com/
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/710112/
Link: https://lore.kernel.org/r/20260309100254.877801-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index db6da99375a18..6cb634590e7a7 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -569,6 +569,7 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host)
* dsi_adjust_pclk_for_compression() - Adjust the pclk rate for compression case
* @mode: The selected mode for the DSI output
* @dsc: DRM DSC configuration for this DSI output
+ * @is_bonded_dsi: True if two DSI controllers are bonded
*
* Adjust the pclk rate by calculating a new hdisplay proportional to
* the compression ratio such that:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 244/957] drm/msm/dpu: dont try using 2 LMs if only one DSC is available
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 243/957] drm/msm/dsi: add the missing parameter description Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 245/957] drm/msm/dsi: fix bits_per_pclk Greg Kroah-Hartman
` (718 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Dmitry Baryshkov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit b9699dd862760e642807a2bc226e4d127e35dcb7 ]
Current topology code will try using 2 LMs with just one DSC, which
breaks cases like SC7280 / Fairphone5. Forbid using 2 LMs split in such
a case.
Fixes: 1ce69c265a53 ("drm/msm/dpu: move resource allocation to CRTC")
Reported-by: Luca Weiss <luca.weiss@fairphone.com>
Closes: https://lore.kernel.org/r/DH1IKLU0YZYU.2SW4WYO7H3H4R@fairphone.com/
Tested-by: Luca Weiss <luca.weiss@fairphone.com> # qcm6490-fairphone-fp5
Patchwork: https://patchwork.freedesktop.org/patch/712386/
Link: https://lore.kernel.org/r/20260317-fix-3d-dsc-v1-1-88b54f62f659@oss.qualcomm.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
index 2f8156051d9b0..6f5d90b7ba7d4 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
@@ -1354,7 +1354,8 @@ static struct msm_display_topology dpu_crtc_get_topology(
topology.num_lm = 2;
else if (topology.num_dsc == 2)
topology.num_lm = 2;
- else if (dpu_kms->catalog->caps->has_3d_merge)
+ else if (dpu_kms->catalog->caps->has_3d_merge &&
+ topology.num_dsc == 0)
topology.num_lm = (mode->hdisplay > MAX_HDISPLAY_SPLIT) ? 2 : 1;
else
topology.num_lm = 1;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 245/957] drm/msm/dsi: fix bits_per_pclk
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 244/957] drm/msm/dpu: dont try using 2 LMs if only one DSC is available Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 246/957] drm/msm/dsi: fix hdisplay calculation for CMD mode panel Greg Kroah-Hartman
` (717 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit 2d51cfb77daa30b10bc68c403f8ace35783d2922 ]
mipi_dsi_pixel_format_to_bpp return dst bpp not src bpp, dst bpp may
not be the uncompressed data size. use src bpc * 3 to get src bpp,
this aligns with pclk rate calculation.
Fixes: ac47870fd795 ("drm/msm/dsi: fix hdisplay calculation when programming dsi registers")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/709916/
Link: https://lore.kernel.org/r/20260307111250.105772-1-mitltlatltl@gmail.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 6cb634590e7a7..3efcc3f6c381c 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -1048,7 +1048,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
*/
h_total -= hdisplay;
if (wide_bus_enabled)
- bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format);
+ bits_per_pclk = dsc->bits_per_component * 3;
else
bits_per_pclk = 24;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 246/957] drm/msm/dsi: fix hdisplay calculation for CMD mode panel
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 245/957] drm/msm/dsi: fix bits_per_pclk Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 247/957] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
` (716 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengyu Luo, Dmitry Baryshkov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengyu Luo <mitltlatltl@gmail.com>
[ Upstream commit 82159db4371f5cef56444ebd0b8f96e2a6d709ff ]
Commit ac47870fd795 ("drm/msm/dsi: fix hdisplay calculation when
programming dsi registers") incorrecly broke hdisplay calculation for
CMD mode by specifying incorrect number of bytes per transfer, fix it.
Fixes: ac47870fd795 ("drm/msm/dsi: fix hdisplay calculation when programming dsi registers")
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/709917/
Link: https://lore.kernel.org/r/20260307111250.105772-2-mitltlatltl@gmail.com
[DB: fixed commit message]
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 3efcc3f6c381c..1c0841a1c1013 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -1034,8 +1034,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
/*
* DPU sends 3 bytes per pclk cycle to DSI. If widebus is
* enabled, MDP always sends out 48-bit compressed data per
- * pclk and on average, DSI consumes an amount of compressed
- * data equivalent to the uncompressed pixel depth per pclk.
+ * pclk and on average, for video mode, DSI consumes only an
+ * amount of compressed data equivalent to the uncompressed
+ * pixel depth per pclk.
*
* Calculate the number of pclks needed to transmit one line of
* the compressed data.
@@ -1047,10 +1048,14 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi)
* unused anyway.
*/
h_total -= hdisplay;
- if (wide_bus_enabled)
- bits_per_pclk = dsc->bits_per_component * 3;
- else
+ if (wide_bus_enabled) {
+ if (msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)
+ bits_per_pclk = dsc->bits_per_component * 3;
+ else
+ bits_per_pclk = 48;
+ } else {
bits_per_pclk = 24;
+ }
hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 247/957] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 246/957] drm/msm/dsi: fix hdisplay calculation for CMD mode panel Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 248/957] ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode Greg Kroah-Hartman
` (715 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Alexander Koskovich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <akoskovich@pm.me>
[ Upstream commit 913a709dea0eff9c7b2e9470f8c8594b9a0114ab ]
The MSM8998 DSI controller is v2.0.0 as stated in commit 7b8c9e203039
("drm/msm/dsi: Add support for MSM8998 DSI controller"). The value was
always correct just the name was wrong.
Rename and reorder to maintain version sorting.
Fixes: 7b8c9e203039 ("drm/msm/dsi: Add support for MSM8998 DSI controller")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Patchwork: https://patchwork.freedesktop.org/patch/713717/
Link: https://lore.kernel.org/r/20260324-dsi-rgb101010-support-v5-3-ff6afc904115@pm.me
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dsi/dsi_cfg.c | 4 ++--
drivers/gpu/drm/msm/dsi/dsi_cfg.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
index fed8e9b67011c..cdcf0cab7aaa2 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c
@@ -306,10 +306,10 @@ static const struct msm_dsi_cfg_handler dsi_cfg_handlers[] = {
&msm8996_dsi_cfg, &msm_dsi_6g_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V1_4_2,
&msm8976_dsi_cfg, &msm_dsi_6g_host_ops},
+ {MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_0_0,
+ &msm8998_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_1_0,
&sdm660_dsi_cfg, &msm_dsi_6g_v2_host_ops},
- {MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_2_0,
- &msm8998_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_2_1,
&sdm845_dsi_cfg, &msm_dsi_6g_v2_host_ops},
{MSM_DSI_VER_MAJOR_6G, MSM_DSI_6G_VER_MINOR_V2_3_0,
diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.h b/drivers/gpu/drm/msm/dsi/dsi_cfg.h
index 38f303f2ed04c..4d760ffd8b4a8 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.h
+++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.h
@@ -19,8 +19,8 @@
#define MSM_DSI_6G_VER_MINOR_V1_3_1 0x10030001
#define MSM_DSI_6G_VER_MINOR_V1_4_1 0x10040001
#define MSM_DSI_6G_VER_MINOR_V1_4_2 0x10040002
+#define MSM_DSI_6G_VER_MINOR_V2_0_0 0x20000000
#define MSM_DSI_6G_VER_MINOR_V2_1_0 0x20010000
-#define MSM_DSI_6G_VER_MINOR_V2_2_0 0x20000000
#define MSM_DSI_6G_VER_MINOR_V2_2_1 0x20020001
#define MSM_DSI_6G_VER_MINOR_V2_3_0 0x20030000
#define MSM_DSI_6G_VER_MINOR_V2_3_1 0x20030001
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 248/957] ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 247/957] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 249/957] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first Greg Kroah-Hartman
` (714 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Charkov, Nicolas Frattaroli,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Charkov <alchark@flipper.net>
[ Upstream commit 8a6391ec669366cbe7bde92b468c561e8b309fd6 ]
Currently the slot width in non-TDM mode is always kept at the POR value
of 32 bits, regardless of the sample width, which doesn't work well for
some codecs such as NAU8822.
Set the slot width according to the sample width in non-TDM mode, which
is what other CPU DAI drivers do.
Tested on the following RK3576 configurations:
- SAI2 + NAU8822 (codec as the clock master), custom board
- SAI1 + ES8388 (codec as the clock master), RK3576 EVB1
- SAI2 + RT5616 (SAI as the clock master), FriendlyElec NanoPi M5
NAU8822 didn't work prior to this patch but works after the patch. Other
two configurations work both before and after the patch.
Fixes: cc78d1eaabad ("ASoC: rockchip: add Serial Audio Interface (SAI) driver")
Signed-off-by: Alexey Charkov <alchark@flipper.net>
Tested-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
Link: https://patch.msgid.link/20260318-sai-slot-width-v1-1-1f68186f71e3@flipper.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/rockchip/rockchip_sai.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/soc/rockchip/rockchip_sai.c b/sound/soc/rockchip/rockchip_sai.c
index 6695349ee561e..b38c2cb81f807 100644
--- a/sound/soc/rockchip/rockchip_sai.c
+++ b/sound/soc/rockchip/rockchip_sai.c
@@ -628,6 +628,10 @@ static int rockchip_sai_hw_params(struct snd_pcm_substream *substream,
regmap_update_bits(sai->regmap, reg, SAI_XCR_VDW_MASK | SAI_XCR_CSR_MASK, val);
+ if (!sai->is_tdm)
+ regmap_update_bits(sai->regmap, reg, SAI_XCR_SBW_MASK,
+ SAI_XCR_SBW(params_physical_width(params)));
+
regmap_read(sai->regmap, reg, &val);
slot_width = SAI_XCR_SBW_V(val);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 249/957] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 248/957] ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 250/957] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
` (713 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Douglas Anderson,
Neil Armstrong, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit c222177d7c7e1b2e0433d9e47ec2da7015345d50 ]
The DSI link must be powered up to let panel driver to talk to the panel
during prepare() callback execution. Set the prepare_prev_first flag to
guarantee this.
Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260323-panel-fix-v1-1-9f12b09161e8@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
index 36abfa2e65e96..dd1eaba23ad3c 100644
--- a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
+++ b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
@@ -201,6 +201,7 @@ static int sharp_nt_panel_add(struct sharp_nt_panel *sharp_nt)
drm_panel_init(&sharp_nt->base, &sharp_nt->dsi->dev,
&sharp_nt_panel_funcs, DRM_MODE_CONNECTOR_DSI);
+ sharp_nt->base.prepare_prev_first = true;
ret = drm_panel_of_backlight(&sharp_nt->base);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 250/957] drm/panel: simple: Correct G190EAN01 prepare timing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 249/957] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 251/957] PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support Greg Kroah-Hartman
` (712 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Ian Ray,
Neil Armstrong, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit f1080f82570b797598c1ba7e9c800ae9e94aafc6 ]
The prepare timing specified by the G190EAN01 datasheet should be
between 30 and 50 ms. Considering it might take some time for the
LVDS encoder to enable the signal, we should only wait the min.
required time in the panel driver and not the max. allowed time.
Fixes: 2f7b832fc992 ("drm/panel: simple: Add support for AUO G190EAN01 panel")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260217142528.68613-1-ian.ray@gehealthcare.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-simple.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index 271f933991937..ef1c4b9299ee4 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -1295,7 +1295,7 @@ static const struct panel_desc auo_g190ean01 = {
.height = 301,
},
.delay = {
- .prepare = 50,
+ .prepare = 30,
.enable = 200,
.disable = 110,
.unprepare = 1000,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 251/957] PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 250/957] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 252/957] PCI: Use res_to_dev_res() in reassign_resources_sorted() Greg Kroah-Hartman
` (711 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna Chaitanya Chundru,
Manivannan Sadhasivam, Konrad Dybcio, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
[ Upstream commit 33a76fc3c3e61386524479b99f35423bd3d9a895 ]
Qcom PCIe Root Ports advertise hotplug capability in hardware, but do not
support hotplug command completion. As a result, the hotplug commands
issued by the pciehp driver never gets completion notification, leading to
repeated timeout warnings and multi-second delays during boot and
suspend/resume.
Commit a54db86ddc153 ("PCI: qcom: Do not advertise hotplug capability for
IPs v2.7.0 and v1.9.0") mistakenly assumed that the Root Ports doesn't
support Hotplug due to timeouts and disabled the Hotplug functionality
altogether. But the Root Ports does support reporting Hotplug events like
DL_Up/Down events.
So to fix the command completion timeout issues, just set the No Command
Completed Support (NCCS) bit and enable Hotplug in Slot Capability field
back.
Fixes: a54db86ddc153 ("PCI: qcom: Do not advertise hotplug capability for IPs v2.7.0 and v1.9.0")
Signed-off-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
[mani: renamed function, commit log and added comment]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Tested-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> # Hamoa CRD, tunneled link
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260314-hotplug-v1-1-96ac87d93867@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-qcom.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
index 789cc0e3c10da..43555ad9e5dcf 100644
--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
@@ -341,15 +341,20 @@ static void qcom_pcie_clear_aspm_l0s(struct dw_pcie *pci)
dw_pcie_dbi_ro_wr_dis(pci);
}
-static void qcom_pcie_clear_hpc(struct dw_pcie *pci)
+static void qcom_pcie_set_slot_nccs(struct dw_pcie *pci)
{
u16 offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP);
u32 val;
dw_pcie_dbi_ro_wr_en(pci);
+ /*
+ * Qcom PCIe Root Ports do not support generating command completion
+ * notifications for the Hot-Plug commands. So set the NCCS field to
+ * avoid waiting for the completions.
+ */
val = readl(pci->dbi_base + offset + PCI_EXP_SLTCAP);
- val &= ~PCI_EXP_SLTCAP_HPC;
+ val |= PCI_EXP_SLTCAP_NCCS;
writel(val, pci->dbi_base + offset + PCI_EXP_SLTCAP);
dw_pcie_dbi_ro_wr_dis(pci);
@@ -549,7 +554,7 @@ static int qcom_pcie_post_init_2_1_0(struct qcom_pcie *pcie)
writel(CFG_BRIDGE_SB_INIT,
pci->dbi_base + AXI_MSTR_RESP_COMP_CTRL1);
- qcom_pcie_clear_hpc(pcie->pci);
+ qcom_pcie_set_slot_nccs(pcie->pci);
return 0;
}
@@ -629,7 +634,7 @@ static int qcom_pcie_post_init_1_0_0(struct qcom_pcie *pcie)
writel(val, pcie->parf + PARF_AXI_MSTR_WR_ADDR_HALT);
}
- qcom_pcie_clear_hpc(pcie->pci);
+ qcom_pcie_set_slot_nccs(pcie->pci);
return 0;
}
@@ -722,7 +727,7 @@ static int qcom_pcie_post_init_2_3_2(struct qcom_pcie *pcie)
val |= EN;
writel(val, pcie->parf + PARF_AXI_MSTR_WR_ADDR_HALT_V2);
- qcom_pcie_clear_hpc(pcie->pci);
+ qcom_pcie_set_slot_nccs(pcie->pci);
return 0;
}
@@ -1028,7 +1033,7 @@ static int qcom_pcie_post_init_2_7_0(struct qcom_pcie *pcie)
writel(WR_NO_SNOOP_OVERRIDE_EN | RD_NO_SNOOP_OVERRIDE_EN,
pcie->parf + PARF_NO_SNOOP_OVERRIDE);
- qcom_pcie_clear_hpc(pcie->pci);
+ qcom_pcie_set_slot_nccs(pcie->pci);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 252/957] PCI: Use res_to_dev_res() in reassign_resources_sorted()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 251/957] PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 253/957] PCI: Fix premature removal from realloc_head list during resource assignment Greg Kroah-Hartman
` (710 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Bjorn Helgaas,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 4bee4fc0f4ee1086e498f9d197352237a0232598 ]
reassign_resources_sorted() contains a search loop for a particular
resource in the head list. res_to_dev_res() already implements the same
search so use it instead.
Drop unused found_match and dev_res variables.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20251219174036.16738-9-ilpo.jarvinen@linux.intel.com
Stable-dep-of: 1ee4716a5a28 ("PCI: Fix premature removal from realloc_head list during resource assignment")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/setup-bus.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index c2d640164f697..3ea6f3e726a8c 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -417,7 +417,6 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
struct list_head *head)
{
struct pci_dev_resource *add_res, *tmp;
- struct pci_dev_resource *dev_res;
struct pci_dev *dev;
struct resource *res;
const char *res_name;
@@ -425,8 +424,6 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
int idx;
list_for_each_entry_safe(add_res, tmp, realloc_head, list) {
- bool found_match = false;
-
res = add_res->res;
dev = add_res->dev;
idx = pci_resource_num(dev, res);
@@ -440,13 +437,7 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
goto out;
/* Skip this resource if not found in head list */
- list_for_each_entry(dev_res, head, list) {
- if (dev_res->res == res) {
- found_match = true;
- break;
- }
- }
- if (!found_match) /* Just skip */
+ if (!res_to_dev_res(head, res))
continue;
res_name = pci_resource_name(dev, idx);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 253/957] PCI: Fix premature removal from realloc_head list during resource assignment
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 252/957] PCI: Use res_to_dev_res() in reassign_resources_sorted() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 254/957] crypto: hisilicon/sec2 - prevent req used-after-free for sec Greg Kroah-Hartman
` (709 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Nisbet, Ilpo Järvinen,
Bjorn Helgaas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 1ee4716a5a28eaef81ae1f280d983258bee49623 ]
reassign_resources_sorted() checks for two things:
a) Resource assignment failures for mandatory resources by checking if the
resource remains unassigned, which are known to always repeat, and does
not attempt to assign them again.
b) That resource is not among the ones being processed/assigned at this
stage, leading to skip processing such resources in
reassign_resources_sorted() as well (resource assignment progresses
one PCI hierarchy level at a time).
The problem here is that a) is checked before b), but b) also implies the
resource is not being assigned yet, making also a) true. As a) only skips
resource assignment but still removes the resource from realloc_head, the
later stages that would need to process the information in realloc_head
cannot obtain the optional size information anymore. This leads to
considering only non-optional part for bridge windows deeper in the PCI
hierarchy.
This problem has been observed during rescan (add_size is not considered
while attempting assignment for 0000:e2:00.0 indicating the corresponding
entry was removed from realloc_head while processing resource assignments
for 0000:e1):
pci_bus 0000:e1: scanning bus
...
pci 0000:e3:01.0: bridge window [mem 0x800000000-0x1000ffffff 64bit pref] to [bus e4] add_size 60c000000 add_align 800000000
pci 0000:e3:01.0: bridge window [mem 0x00100000-0x000fffff] to [bus e4] add_size 200000 add_align 200000
pci 0000:e3:02.0: disabling bridge window [mem 0x00000000-0x000fffff 64bit pref] to [bus e5] (unused)
pci 0000:e2:00.0: bridge window [mem 0x800000000-0x1000ffffff 64bit pref] to [bus e3-e5] add_size 60c000000 add_align 800000000
pci 0000:e2:00.0: bridge window [mem 0x00100000-0x001fffff] to [bus e3-e5] add_size 200000 add_align 200000
pcieport 0000:e1:02.0: bridge window [io size 0x2000]: can't assign; no space
pcieport 0000:e1:02.0: bridge window [io size 0x2000]: failed to assign
pcieport 0000:e1:02.0: bridge window [io 0x1000-0x2fff]: resource restored
pcieport 0000:e1:02.0: bridge window [io 0x1000-0x2fff]: resource restored
pcieport 0000:e1:02.0: bridge window [io size 0x2000]: can't assign; no space
pcieport 0000:e1:02.0: bridge window [io size 0x2000]: failed to assign
pci 0000:e2:00.0: bridge window [mem 0x28f000000000-0x28f800ffffff 64bit pref]: assigned
Fixes: 96336ec70264 ("PCI: Perform reset_resource() and build fail list in sync")
Reported-by: Peter Nisbet <peter.nisbet@intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Peter Nisbet <peter.nisbet@intel.com>
Link: https://patch.msgid.link/20260313084551.1934-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/setup-bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 3ea6f3e726a8c..29ad8d8718974 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -428,6 +428,10 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
dev = add_res->dev;
idx = pci_resource_num(dev, res);
+ /* Skip this resource if not found in head list */
+ if (!res_to_dev_res(head, res))
+ continue;
+
/*
* Skip resource that failed the earlier assignment and is
* not optional as it would just fail again.
@@ -436,10 +440,6 @@ static void reassign_resources_sorted(struct list_head *realloc_head,
!pci_resource_is_optional(dev, idx))
goto out;
- /* Skip this resource if not found in head list */
- if (!res_to_dev_res(head, res))
- continue;
-
res_name = pci_resource_name(dev, idx);
add_size = add_res->add_size;
align = add_res->min_align;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 254/957] crypto: hisilicon/sec2 - prevent req used-after-free for sec
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 253/957] PCI: Fix premature removal from realloc_head list during resource assignment Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 255/957] PCI: Fix alignment calculation for resource size larger than align Greg Kroah-Hartman
` (708 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenkai Lin, Chenghai Huang,
Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenkai Lin <linwenkai6@hisilicon.com>
[ Upstream commit 67b53a660e6bf0da2fa8d8872e897a14d8059eaf ]
During packet transmission, if the system is under heavy load,
the hardware might complete processing the packet and free the
request memory (req) before the transmission function finishes.
If the software subsequently accesses this req, a use-after-free
error will occur. The qp_ctx memory exists throughout the packet
sending process, so replace the req with the qp_ctx.
Fixes: f0ae287c5045 ("crypto: hisilicon/sec2 - implement full backlog mode for sec")
Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/sec2/sec_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
index c462b58d30343..2d0b248c59ebd 100644
--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
+++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
@@ -230,7 +230,7 @@ static int qp_send_message(struct sec_req *req)
spin_unlock_bh(&qp_ctx->req_lock);
- atomic64_inc(&req->ctx->sec->debug.dfx.send_cnt);
+ atomic64_inc(&qp_ctx->ctx->sec->debug.dfx.send_cnt);
return -EINPROGRESS;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 255/957] PCI: Fix alignment calculation for resource size larger than align
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 254/957] crypto: hisilicon/sec2 - prevent req used-after-free for sec Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 256/957] iommu/riscv: Skip IRQ count check when using MSI interrupts Greg Kroah-Hartman
` (707 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Ilpo Järvinen,
Bjorn Helgaas, Xifer, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit 8cb081667377709f4924ab6b3a88a0d7a761fe91 ]
The commit bc75c8e50711 ("PCI: Rewrite bridge window head alignment
function") did not use if (r_size <= align) check from pbus_size_mem() for
the new head alignment bookkeeping structure (aligns2[]). In some
configurations, this can result in producing a gap into the bridge window
which the resource larger than its alignment cannot fill.
The old alignment calculation algorithm was removed by the subsequent
commit 3958bf16e2fe ("PCI: Stop over-estimating bridge window size") which
renamed the aligns2[] array leaving only aligns[] array.
Add the if (r_size <= align) check back to avoid this problem.
Fixes: bc75c8e50711 ("PCI: Rewrite bridge window head alignment function")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Closes: https://lore.kernel.org/all/b05a6f14-979d-42c9-924c-d8408cb12ae7@roeck-us.net/
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Xifer <xiferdev@gmail.com>
Link: https://patch.msgid.link/20260324165633.4583-11-ilpo.jarvinen@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/setup-bus.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 29ad8d8718974..522e25d725bad 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -1342,7 +1342,14 @@ static void pbus_size_mem(struct pci_bus *bus, unsigned long type,
}
size += max(r_size, align);
- aligns[order] += align;
+ /*
+ * If resource's size is larger than its alignment,
+ * some configurations result in an unwanted gap in
+ * the head space that the larger resource cannot
+ * fill.
+ */
+ if (r_size <= align)
+ aligns[order] += align;
if (order > max_order)
max_order = order;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 256/957] iommu/riscv: Skip IRQ count check when using MSI interrupts
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 255/957] PCI: Fix alignment calculation for resource size larger than align Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 257/957] iommu/riscv: Fix signedness bug Greg Kroah-Hartman
` (706 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yaxing Guo, Andrew Jones,
Joerg Roedel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yaxing Guo <guoyaxing@bosc.ac.cn>
[ Upstream commit 7217cee35aadbb07e12673bcf1dcf729e1b2f6c9 ]
In RISC-V IOMMU platform devices that use MSI interrupts (indicated by the
presence of 'msi-parent' in the device tree), there are no wired interrupt
lines, so calling platform_get_irq_count() returns 0 or -ENXIO, causing the
driver to fail during probe.
However, MSI interrupts are allocated dynamically via the MSI subsystem and
do not appear in the device tree 'interrupts' property. Therefore, the
driver should not require a non-zero IRQ count when 'msi-parent' is present.
This patch fixes the bug where probe fails when using MSI interrupts
(which do not have an 'interrupts' property in the device tree)..
Fixes: <d5f88acdd6ff> ("iommu/riscv: Add support for platform msi")
Signed-off-by: Yaxing Guo <guoyaxing@bosc.ac.cn>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Stable-dep-of: 553a127cb665 ("iommu/riscv: Fix signedness bug")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/riscv/iommu-platform.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/iommu/riscv/iommu-platform.c b/drivers/iommu/riscv/iommu-platform.c
index 83a28c83f9914..8f15b06e84997 100644
--- a/drivers/iommu/riscv/iommu-platform.c
+++ b/drivers/iommu/riscv/iommu-platform.c
@@ -68,12 +68,7 @@ static int riscv_iommu_platform_probe(struct platform_device *pdev)
iommu->caps = riscv_iommu_readq(iommu, RISCV_IOMMU_REG_CAPABILITIES);
iommu->fctl = riscv_iommu_readl(iommu, RISCV_IOMMU_REG_FCTL);
- iommu->irqs_count = platform_irq_count(pdev);
- if (iommu->irqs_count <= 0)
- return dev_err_probe(dev, -ENODEV,
- "no IRQ resources provided\n");
- if (iommu->irqs_count > RISCV_IOMMU_INTR_COUNT)
- iommu->irqs_count = RISCV_IOMMU_INTR_COUNT;
+ iommu->irqs_count = RISCV_IOMMU_INTR_COUNT;
igs = FIELD_GET(RISCV_IOMMU_CAPABILITIES_IGS, iommu->caps);
switch (igs) {
@@ -120,6 +115,13 @@ static int riscv_iommu_platform_probe(struct platform_device *pdev)
fallthrough;
case RISCV_IOMMU_CAPABILITIES_IGS_WSI:
+ iommu->irqs_count = platform_irq_count(pdev);
+ if (iommu->irqs_count <= 0)
+ return dev_err_probe(dev, -ENODEV,
+ "no IRQ resources provided\n");
+ if (iommu->irqs_count > RISCV_IOMMU_INTR_COUNT)
+ iommu->irqs_count = RISCV_IOMMU_INTR_COUNT;
+
for (vec = 0; vec < iommu->irqs_count; vec++)
iommu->irqs[vec] = platform_get_irq(pdev, vec);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 257/957] iommu/riscv: Fix signedness bug
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 256/957] iommu/riscv: Skip IRQ count check when using MSI interrupts Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 258/957] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
` (705 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Andrew Jones,
Joerg Roedel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 553a127cb66523089bc10eb54640205495f4bb5b ]
The function platform_irq_count() returns negative error codes and
iommu->irqs_count is an unsigned integer, so the check
(iommu->irqs_count <= 0) is always impossible.
Make the return value of platform_irq_count() be assigned to ret, check
for error, and then assign iommu->irqs_count to ret.
Detected by Smatch:
drivers/iommu/riscv/iommu-platform.c:119 riscv_iommu_platform_probe() warn:
'iommu->irqs_count' unsigned <= 0
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Fixes: 5c0ebbd3c6c6 ("iommu/riscv: Add RISC-V IOMMU platform device driver")
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/riscv/iommu-platform.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/riscv/iommu-platform.c b/drivers/iommu/riscv/iommu-platform.c
index 8f15b06e84997..399ba8fe1b3e5 100644
--- a/drivers/iommu/riscv/iommu-platform.c
+++ b/drivers/iommu/riscv/iommu-platform.c
@@ -115,10 +115,13 @@ static int riscv_iommu_platform_probe(struct platform_device *pdev)
fallthrough;
case RISCV_IOMMU_CAPABILITIES_IGS_WSI:
- iommu->irqs_count = platform_irq_count(pdev);
- if (iommu->irqs_count <= 0)
+ ret = platform_irq_count(pdev);
+ if (ret <= 0)
return dev_err_probe(dev, -ENODEV,
"no IRQ resources provided\n");
+
+ iommu->irqs_count = ret;
+
if (iommu->irqs_count > RISCV_IOMMU_INTR_COUNT)
iommu->irqs_count = RISCV_IOMMU_INTR_COUNT;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 258/957] ALSA: core: Validate compress device numbers without dynamic minors
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 257/957] iommu/riscv: Fix signedness bug Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 259/957] ASoC: amd: acp: update dmic_num logic for acp pdm dmic Greg Kroah-Hartman
` (704 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 796e119e9b14763be905ad0d023c71a14bc2e931 ]
Without CONFIG_SND_DYNAMIC_MINORS, ALSA reserves only two fixed minors
for compress devices on each card: comprD0 and comprD1.
snd_find_free_minor() currently computes the compress minor as
type + dev without validating dev first, so device numbers greater than
1 spill into the HWDEP minor range instead of failing registration.
ASoC passes rtd->id to snd_compress_new(), so this can happen on real
non-dynamic-minor builds.
Add a dedicated fixed-minor check for SNDRV_DEVICE_TYPE_COMPRESS in
snd_find_free_minor() and reject out-of-range device numbers with
-EINVAL before constructing the minor.
Also remove the stale TODO in compress_offload.c that still claims
multiple compress nodes are missing.
Fixes: 3eafc959b32f ("ALSA: core: add support for compressed devices")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260325-alsa-compress-static-minors-v1-1-0628573bee1c@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/compress_offload.c | 7 -------
sound/core/sound.c | 7 +++++++
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index da514fef45bca..2181442e3a1da 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -41,13 +41,6 @@
#define COMPR_CODEC_CAPS_OVERFLOW
#endif
-/* TODO:
- * - add substream support for multiple devices in case of
- * SND_DYNAMIC_MINORS is not used
- * - Multiple node representation
- * driver should be able to register multiple nodes
- */
-
struct snd_compr_file {
unsigned long caps;
struct snd_compr_stream stream;
diff --git a/sound/core/sound.c b/sound/core/sound.c
index 6531a67f13b3e..7980b60f4ba0b 100644
--- a/sound/core/sound.c
+++ b/sound/core/sound.c
@@ -216,9 +216,16 @@ static int snd_find_free_minor(int type, struct snd_card *card, int dev)
case SNDRV_DEVICE_TYPE_RAWMIDI:
case SNDRV_DEVICE_TYPE_PCM_PLAYBACK:
case SNDRV_DEVICE_TYPE_PCM_CAPTURE:
+ if (snd_BUG_ON(!card))
+ return -EINVAL;
+ minor = SNDRV_MINOR(card->number, type + dev);
+ break;
case SNDRV_DEVICE_TYPE_COMPRESS:
if (snd_BUG_ON(!card))
return -EINVAL;
+ if (dev < 0 ||
+ dev >= SNDRV_MINOR_HWDEP - SNDRV_MINOR_COMPRESS)
+ return -EINVAL;
minor = SNDRV_MINOR(card->number, type + dev);
break;
default:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 259/957] ASoC: amd: acp: update dmic_num logic for acp pdm dmic
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 258/957] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 260/957] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
` (703 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vijendar Mukunda, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
[ Upstream commit 5902e1f3c501375797dcd7ca21b58e2c9abbe317 ]
Currently there is no mechanism to read dmic_num in mach_params
structure. In this scenario mach_params->dmic_num check always
returns 0 which fails to add component string for dmic.
Update the condition check with acp pdm dmic quirk check and
pass the dmic_num as 1.
Fixes: 2981d9b0789c ("ASoC: amd: acp: add soundwire machine driver for legacy stack")
Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20260330072431.3512358-2-Vijendar.Mukunda@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp/acp-sdw-legacy-mach.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/amd/acp/acp-sdw-legacy-mach.c b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
index 2b2910b1856d5..798c73d7e26de 100644
--- a/sound/soc/amd/acp/acp-sdw-legacy-mach.c
+++ b/sound/soc/amd/acp/acp-sdw-legacy-mach.c
@@ -520,11 +520,11 @@ static int mc_probe(struct platform_device *pdev)
" cfg-amp:%d", amp_num);
if (!card->components)
return -ENOMEM;
- if (mach->mach_params.dmic_num) {
+ if (soc_sdw_quirk & ASOC_SDW_ACP_DMIC) {
card->components = devm_kasprintf(card->dev, GFP_KERNEL,
"%s mic:dmic cfg-mics:%d",
card->components,
- mach->mach_params.dmic_num);
+ 1);
if (!card->components)
return -ENOMEM;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 260/957] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 259/957] ASoC: amd: acp: update dmic_num logic for acp pdm dmic Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 261/957] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
` (702 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 894f0d34d66cb47fe718fe2ae5c18729d22c5218 ]
When MCLK DPM is disabled for any reason, populate the MCLK
table with the highest MCLK DPM level, so that the ASIC can
use the highest possible memory clock to get good performance
even when MCLK DPM is disabled.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 0cb7eaaba3844..71b1dad34926e 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1322,6 +1322,14 @@ static int ci_populate_all_memory_levels(struct pp_hwmgr *hwmgr)
return result;
}
+ if (data->mclk_dpm_key_disabled && dpm_table->mclk_table.count) {
+ /* Populate the table with the highest MCLK level when MCLK DPM is disabled */
+ for (i = 0; i < dpm_table->mclk_table.count - 1; i++) {
+ levels[i] = levels[dpm_table->mclk_table.count - 1];
+ levels[i].DisplayWatermark = PPSMC_DISPLAY_WATERMARK_HIGH;
+ }
+ }
+
smu_data->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
dev_id = adev->pdev->device;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 261/957] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 260/957] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 262/957] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
` (701 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 9851f29cb06c09f7dad3867d8b0feec3fc71b6c8 ]
There are two known cases where MCLK DPM can causes issues:
Radeon R9 M380 found in iMac computers from 2015.
The SMU in this GPU just hangs as soon as we send it the
PPSMC_MSG_MCLKDPM_Enable command, even when MCLK switching is
disabled, and even when we only populate one MCLK DPM level.
Apply workaround to all devices with the same subsystem ID.
Radeon R7 260X due to old memory controller microcode.
We only flash the MC ucode when it isn't set up by the VBIOS,
therefore there is no way to make sure that it has the correct
ucode version.
I verified that this patch fixes the SMU hang on the R9 M380
which would previously fail to boot. This also fixes the UVD
initialization error on that GPU which happened because the
SMU couldn't ungate the UVD after it hung.
Fixes: 86457c3b21cb ("drm/amd/powerplay: Add support for CI asics to hwmgr")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
index 2b5ac21fee399..1d6e30269d567 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/hwmgr.c
@@ -104,6 +104,21 @@ int hwmgr_early_init(struct pp_hwmgr *hwmgr)
PP_GFXOFF_MASK);
hwmgr->pp_table_version = PP_TABLE_V0;
hwmgr->od_enabled = false;
+ switch (hwmgr->chip_id) {
+ case CHIP_BONAIRE:
+ /* R9 M380 in iMac 2015: SMU hangs when enabling MCLK DPM
+ * R7 260X cards with old MC ucode: MCLK DPM is unstable
+ */
+ if (adev->pdev->subsystem_vendor == 0x106B ||
+ adev->pdev->device == 0x6658) {
+ dev_info(adev->dev, "disabling MCLK DPM on quirky ASIC");
+ adev->pm.pp_feature &= ~PP_MCLK_DPM_MASK;
+ hwmgr->feature_mask &= ~PP_MCLK_DPM_MASK;
+ }
+ break;
+ default:
+ break;
+ }
smu7_init_function_pointers(hwmgr);
break;
case AMDGPU_FAMILY_CZ:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 262/957] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 261/957] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 263/957] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
` (700 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 0138610c14130425be53423b35336561829965e0 ]
The DCE (display controller engine) requires a minimum voltage
in order to function correctly, depending on which clock level
it currently uses.
Add a new table that contains display clock frequency levels
and the corresponding required voltages. The clock frequency
levels are taken from DC (and the old radeon driver's voltage
dependency table for CI in cases where its values were lower).
The voltage levels are taken from the following function:
phm_initializa_dynamic_state_adjustment_rule_settings().
Furthermore, in case of CI, call smu7_patch_vddc() on the new
table to account for leakage voltage (like in radeon).
Use the display clock value from amd_pp_display_configuration
to look up the voltage level needed by the DCE. Send the
voltage to the SMU via the PPSMC_MSG_VddC_Request command.
The previous implementation of this feature was non-functional
because it relied on a "dal_power_level" field which was never
assigned; and it was not at all implemented for CI ASICs.
I verified this on a Radeon R9 M380 which previously booted to
a black screen with DC enabled (default since Linux 6.19), but
now works correctly.
Fixes: 599a7e9fe1b6 ("drm/amd/powerplay: implement smu7 hwmgr to manager asics with smu ip version 7.")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 88 ++++++++++++++++++-
drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h | 1 +
2 files changed, 86 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 9b28c07282699..07d946c38ec04 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -2802,6 +2802,10 @@ static int smu7_patch_dependency_tables_with_leakage(struct pp_hwmgr *hwmgr)
if (tmp)
return -EINVAL;
+ tmp = smu7_patch_vddc(hwmgr, hwmgr->dyn_state.vddc_dependency_on_display_clock);
+ if (tmp)
+ return -EINVAL;
+
tmp = smu7_patch_vce_vddc(hwmgr, hwmgr->dyn_state.vce_clock_voltage_dependency_table);
if (tmp)
return -EINVAL;
@@ -2885,6 +2889,8 @@ static int smu7_hwmgr_backend_fini(struct pp_hwmgr *hwmgr)
{
kfree(hwmgr->dyn_state.vddc_dep_on_dal_pwrl);
hwmgr->dyn_state.vddc_dep_on_dal_pwrl = NULL;
+ kfree(hwmgr->dyn_state.vddc_dependency_on_display_clock);
+ hwmgr->dyn_state.vddc_dependency_on_display_clock = NULL;
kfree(hwmgr->backend);
hwmgr->backend = NULL;
@@ -2955,6 +2961,51 @@ static int smu7_update_edc_leakage_table(struct pp_hwmgr *hwmgr)
return ret;
}
+static int smu7_init_voltage_dependency_on_display_clock_table(struct pp_hwmgr *hwmgr)
+{
+ struct phm_clock_voltage_dependency_table *table;
+
+ if (!amdgpu_device_ip_get_ip_block(hwmgr->adev, AMD_IP_BLOCK_TYPE_DCE))
+ return 0;
+
+ table = kzalloc(struct_size(table, entries, 4), GFP_KERNEL);
+ if (!table)
+ return -ENOMEM;
+
+ if (hwmgr->chip_id >= CHIP_POLARIS10) {
+ table->entries[0].clk = 38918;
+ table->entries[1].clk = 45900;
+ table->entries[2].clk = 66700;
+ table->entries[3].clk = 113200;
+
+ table->entries[0].v = 700;
+ table->entries[1].v = 740;
+ table->entries[2].v = 800;
+ table->entries[3].v = 900;
+ } else {
+ if (hwmgr->chip_family == AMDGPU_FAMILY_CZ) {
+ table->entries[0].clk = 35200;
+ table->entries[1].clk = 35200;
+ table->entries[2].clk = 46700;
+ table->entries[3].clk = 64300;
+ } else {
+ table->entries[0].clk = 0;
+ table->entries[1].clk = 35200;
+ table->entries[2].clk = 54000;
+ table->entries[3].clk = 62500;
+ }
+
+ table->entries[0].v = 0;
+ table->entries[1].v = 720;
+ table->entries[2].v = 810;
+ table->entries[3].v = 900;
+ }
+
+ table->count = 4;
+ hwmgr->dyn_state.vddc_dependency_on_display_clock = table;
+ return 0;
+}
+
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
struct amdgpu_device *adev = hwmgr->adev;
@@ -2983,6 +3034,10 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
smu7_get_elb_voltages(hwmgr);
}
+ result = smu7_init_voltage_dependency_on_display_clock_table(hwmgr);
+ if (result)
+ goto fail;
+
if (hwmgr->pp_table_version == PP_TABLE_V1) {
smu7_complete_dependency_tables(hwmgr);
smu7_set_private_data_based_on_pptable_v1(hwmgr);
@@ -3079,13 +3134,40 @@ static int smu7_force_dpm_highest(struct pp_hwmgr *hwmgr)
return 0;
}
+static uint32_t smu7_lookup_vddc_from_dispclk(struct pp_hwmgr *hwmgr)
+{
+ const struct amd_pp_display_configuration *cfg = hwmgr->display_config;
+ const struct phm_clock_voltage_dependency_table *vddc_dep_on_dispclk =
+ hwmgr->dyn_state.vddc_dependency_on_display_clock;
+ uint32_t i;
+
+ if (!vddc_dep_on_dispclk || !vddc_dep_on_dispclk->count ||
+ !cfg || !cfg->num_display || !cfg->display_clk)
+ return 0;
+
+ /* Start from 1 because ClocksStateUltraLow should not be used according to DC. */
+ for (i = 1; i < vddc_dep_on_dispclk->count; ++i)
+ if (vddc_dep_on_dispclk->entries[i].clk >= cfg->display_clk)
+ return vddc_dep_on_dispclk->entries[i].v;
+
+ return vddc_dep_on_dispclk->entries[vddc_dep_on_dispclk->count - 1].v;
+}
+
+static void smu7_apply_minimum_dce_voltage_request(struct pp_hwmgr *hwmgr)
+{
+ uint32_t req_vddc = smu7_lookup_vddc_from_dispclk(hwmgr);
+
+ smum_send_msg_to_smc_with_parameter(hwmgr,
+ PPSMC_MSG_VddC_Request,
+ req_vddc * VOLTAGE_SCALE,
+ NULL);
+}
+
static int smu7_upload_dpm_level_enable_mask(struct pp_hwmgr *hwmgr)
{
struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
- if (hwmgr->pp_table_version == PP_TABLE_V1)
- phm_apply_dal_min_voltage_request(hwmgr);
-/* TO DO for v0 iceland and Ci*/
+ smu7_apply_minimum_dce_voltage_request(hwmgr);
if (!data->sclk_dpm_key_disabled) {
if (data->dpm_level_enable_mask.sclk_dpm_enable_mask)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
index c661185753b42..2f49c95342a14 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/inc/hwmgr.h
@@ -631,6 +631,7 @@ struct phm_dynamic_state_info {
struct phm_clock_voltage_dependency_table *vddci_dependency_on_mclk;
struct phm_clock_voltage_dependency_table *vddc_dependency_on_mclk;
struct phm_clock_voltage_dependency_table *mvdd_dependency_on_mclk;
+ struct phm_clock_voltage_dependency_table *vddc_dependency_on_display_clock;
struct phm_clock_voltage_dependency_table *vddc_dep_on_dal_pwrl;
struct phm_clock_array *valid_sclk_values;
struct phm_clock_array *valid_mclk_values;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 263/957] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 262/957] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 264/957] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
` (699 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit d784759c07924280f3c313f205fc48eb62d7cb71 ]
There is no AMD GPU with the ID 0x66B0, this looks like a typo.
It should be 0x67B0 which is actually part of the PCI ID list,
and should use the Hawaii XT powertune defaults according to
the old radeon driver.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 71b1dad34926e..1d99b4f9bc03e 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -245,7 +245,7 @@ static void ci_initialize_power_tune_defaults(struct pp_hwmgr *hwmgr)
smu_data->power_tune_defaults = &defaults_hawaii_pro;
break;
case 0x67B8:
- case 0x66B0:
+ case 0x67B0:
smu_data->power_tune_defaults = &defaults_hawaii_xt;
break;
case 0x6640:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 264/957] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 263/957] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 265/957] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
` (698 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 5facfd4c4c67e8500116ffec0d9da35d92b9c787 ]
Follow what radeon did and what amdgpu does for other GPUs with SMU7.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 1d99b4f9bc03e..1494143132eb5 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -1217,7 +1217,7 @@ static int ci_populate_single_memory_level(
}
memory_level->EnabledForThrottle = 1;
- memory_level->EnabledForActivity = 1;
+ memory_level->EnabledForActivity = 0;
memory_level->UpH = data->current_profile_setting.mclk_up_hyst;
memory_level->DownH = data->current_profile_setting.mclk_down_hyst;
memory_level->VoltageDownH = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 265/957] drm/amd/pm/ci: Fill DW8 fields from SMC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 264/957] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 266/957] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
` (697 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit baf28ec5795c077406d6f52b8ad39e614153bce6 ]
In ci_populate_dw8() we currently just read a value from the SMU
and then throw it away. Instead of throwing away the value,
we should use it to fill other fields in DW8 (like radeon).
Otherwise the value of the other fiels is just cleared when
we copy this data to the SMU later.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
index 1494143132eb5..aea3ad523cc03 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
@@ -543,12 +543,11 @@ static int ci_populate_dw8(struct pp_hwmgr *hwmgr, uint32_t fuse_table_offset)
{
struct ci_smumgr *smu_data = (struct ci_smumgr *)(hwmgr->smu_backend);
const struct ci_pt_defaults *defaults = smu_data->power_tune_defaults;
- uint32_t temp;
if (ci_read_smc_sram_dword(hwmgr,
fuse_table_offset +
offsetof(SMU7_Discrete_PmFuses, TdcWaterfallCtl),
- (uint32_t *)&temp, SMC_RAM_END))
+ (uint32_t *)&smu_data->power_tune_table.TdcWaterfallCtl, SMC_RAM_END))
PP_ASSERT_WITH_CODE(false,
"Attempt to read PmFuses.DW6 (SviLoadLineEn) from SMC Failed!",
return -EINVAL);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 266/957] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 265/957] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 267/957] drm/amdgpu/uvd4.2: Dont initialize UVD 4.2 when DPM is disabled Greg Kroah-Hartman
` (696 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 4724bc5b8d78c34b993594f9406135408ccb312a ]
On a specific Radeon R9 390X board, the GPU can "randomly" hang
while gaming. Initially I thought this was a RADV bug and tried
to work around this in Mesa:
commit 8ea08747b86b ("radv: Mitigate GPU hang on Hawaii in Dota 2 and RotTR")
However, I got some feedback from other users who are reporting
that the above mitigation causes a significant performance
regression for them, and they didn't experience the hang on their
GPU in the first place.
After some further investigation, it turns out that the problem
is that the highest SCLK DPM level on this board isn't stable.
Lowering SCLK to 1040 MHz (from 1070 MHz) works around the issue,
and has a negligible impact on performance compared to the Mesa
patch. (Note that increasing the voltage can also work around it,
but we felt that lowering the SCLK is the safer option.)
To solve the above issue, add an "sclk_cap" field to smu7_hwmgr
and set this field for the affected board. The capped SCLK value
correctly appears on the sysfs interface and shows up in GUI
tools such as LACT.
Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 30 ++++++++++++++++---
.../drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h | 1 +
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
index 07d946c38ec04..6529a91a613b6 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
@@ -787,7 +787,7 @@ static int smu7_setup_dpm_tables_v0(struct pp_hwmgr *hwmgr)
hwmgr->dyn_state.vddc_dependency_on_mclk;
struct phm_cac_leakage_table *std_voltage_table =
hwmgr->dyn_state.cac_leakage_table;
- uint32_t i;
+ uint32_t i, clk;
PP_ASSERT_WITH_CODE(allowed_vdd_sclk_table != NULL,
"SCLK dependency table is missing. This table is mandatory", return -EINVAL);
@@ -804,10 +804,12 @@ static int smu7_setup_dpm_tables_v0(struct pp_hwmgr *hwmgr)
data->dpm_table.sclk_table.count = 0;
for (i = 0; i < allowed_vdd_sclk_table->count; i++) {
+ clk = min(allowed_vdd_sclk_table->entries[i].clk, data->sclk_cap);
+
if (i == 0 || data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count-1].value !=
- allowed_vdd_sclk_table->entries[i].clk) {
+ clk) {
data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count].value =
- allowed_vdd_sclk_table->entries[i].clk;
+ clk;
data->dpm_table.sclk_table.dpm_levels[data->dpm_table.sclk_table.count].enabled = (i == 0) ? 1 : 0;
data->dpm_table.sclk_table.count++;
}
@@ -3006,6 +3008,25 @@ static int smu7_init_voltage_dependency_on_display_clock_table(struct pp_hwmgr *
return 0;
}
+static void smu7_set_sclk_cap(struct pp_hwmgr *hwmgr)
+{
+ struct amdgpu_device *adev = hwmgr->adev;
+ struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend);
+
+ data->sclk_cap = 0xffffffff;
+
+ if (hwmgr->od_enabled)
+ return;
+
+ /* R9 390X board: last sclk dpm level is unstable, use lower sclk */
+ if (adev->pdev->device == 0x67B0 &&
+ adev->pdev->subsystem_vendor == 0x1043)
+ data->sclk_cap = 104000; /* 1040 MHz */
+
+ if (data->sclk_cap != 0xffffffff)
+ dev_info(adev->dev, "sclk cap: %u kHz on quirky ASIC\n", data->sclk_cap * 10);
+}
+
static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
{
struct amdgpu_device *adev = hwmgr->adev;
@@ -3017,6 +3038,7 @@ static int smu7_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
return -ENOMEM;
hwmgr->backend = data;
+ smu7_set_sclk_cap(hwmgr);
smu7_patch_voltage_workaround(hwmgr);
smu7_init_dpm_defaults(hwmgr);
@@ -3903,7 +3925,7 @@ static int smu7_get_pp_table_entry_callback_func_v0(struct pp_hwmgr *hwmgr,
/* Performance levels are arranged from low to high. */
performance_level->memory_clock = memory_clock;
- performance_level->engine_clock = engine_clock;
+ performance_level->engine_clock = min(engine_clock, data->sclk_cap);
pcie_gen_from_bios = visland_clk_info->ucPCIEGen;
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
index d9e8b386bd4d3..66adabeab6a3a 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.h
@@ -234,6 +234,7 @@ struct smu7_hwmgr {
uint32_t pcie_gen_cap;
uint32_t pcie_lane_cap;
uint32_t pcie_spc_cap;
+ uint32_t sclk_cap;
struct smu7_leakage_voltage vddc_leakage;
struct smu7_leakage_voltage vddci_leakage;
struct smu7_leakage_voltage vddcgfx_leakage;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 267/957] drm/amdgpu/uvd4.2: Dont initialize UVD 4.2 when DPM is disabled
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 266/957] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 268/957] PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors Greg Kroah-Hartman
` (695 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 8b3e8fa6d7bdab292447a43f70532db437d5d4f5 ]
UVD 4.2 doesn't work at all when DPM is disabled because
the SMU is responsible for ungating it. So, Linux fails
to boot with CIK GPUs when using the amdgpu.dpm=0 parameter.
Fix this by returning -ENOENT from uvd_v4_2_early_init()
when amdgpu_dpm isn't enabled.
Note: amdgpu.dpm=0 is often suggested as a workaround
for issues and is useful for debugging.
Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
index 4b96fd5837720..d7302938e6662 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c
@@ -93,6 +93,11 @@ static void uvd_v4_2_ring_set_wptr(struct amdgpu_ring *ring)
static int uvd_v4_2_early_init(struct amdgpu_ip_block *ip_block)
{
struct amdgpu_device *adev = ip_block->adev;
+
+ /* UVD doesn't work without DPM, it needs DPM to ungate it. */
+ if (!amdgpu_dpm)
+ return -ENOENT;
+
adev->uvd.num_uvd_inst = 1;
uvd_v4_2_set_ring_funcs(adev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 268/957] PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 267/957] drm/amdgpu/uvd4.2: Dont initialize UVD 4.2 when DPM is disabled Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 269/957] hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback Greg Kroah-Hartman
` (694 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Goudar Manjunath Ramanagouda,
Kuppuswamy Sathyanarayanan, Bjorn Helgaas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
[ Upstream commit 97970e7c694356e3386a10e3b936d61eafd06bce ]
aer_print_error() skips printing if ratelimit_print[i] is not set. In the
native AER path, ratelimit_print is initialized by add_error_device()
during source device discovery, and is set to 1 for fatal errors to bypass
rate limiting since fatal errors should always be logged.
The DPC/EDR path uses the DPC-capable port as the error source and reads
its AER uncorrectable error status registers directly in
dpc_get_aer_uncorrect_severity(). Since it does not go through
add_error_device(), ratelimit_print[0] is left uninitialized and zero. As
a result, aer_print_error() silently drops all AER error messages for
DPC/EDR triggered events.
Set ratelimit_print[0] to 1 to bypass rate limiting and always print AER
logs for uncorrectable errors detected by the DPC port.
Fixes: a57f2bfb4a58 ("PCI/AER: Ratelimit correctable and non-fatal error logging")
Co-developed-by: Goudar Manjunath Ramanagouda <manjunath.ramanagouda.goudar@intel.com>
Signed-off-by: Goudar Manjunath Ramanagouda <manjunath.ramanagouda.goudar@intel.com>
Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260318170449.2733581-1-sathyanarayanan.kuppuswamy@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pcie/dpc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
index fc18349614d7c..7605ddd9f0ba8 100644
--- a/drivers/pci/pcie/dpc.c
+++ b/drivers/pci/pcie/dpc.c
@@ -256,6 +256,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev,
info->dev[0] = dev;
info->error_dev_num = 1;
+ info->ratelimit_print[0] = 1;
return 1;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 269/957] hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 268/957] PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 270/957] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
` (693 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Billy Tsai, Guenter Roeck,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Billy Tsai <billy_tsai@aspeedtech.com>
[ Upstream commit 46fef8583daa1bf78fda7eaa523c64d4440322ac ]
Drops the remove callback as it only asserts reset and the probe already
registers a devres action (devm_add_action_or_reset()) to call
aspeed_pwm_tach_reset_assert().
Fixes: 7e1449cd15d1 ("hwmon: (aspeed-g6-pwm-tacho): Support for ASPEED g6 PWM/Fan tach")
Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
Link: https://lore.kernel.org/r/20260309-pwm_fixes-v2-1-ca9768e70470@aspeedtech.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/aspeed-g6-pwm-tach.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/hwmon/aspeed-g6-pwm-tach.c b/drivers/hwmon/aspeed-g6-pwm-tach.c
index 4174b129d1fce..d1f7f43974824 100644
--- a/drivers/hwmon/aspeed-g6-pwm-tach.c
+++ b/drivers/hwmon/aspeed-g6-pwm-tach.c
@@ -517,13 +517,6 @@ static int aspeed_pwm_tach_probe(struct platform_device *pdev)
return 0;
}
-static void aspeed_pwm_tach_remove(struct platform_device *pdev)
-{
- struct aspeed_pwm_tach_data *priv = platform_get_drvdata(pdev);
-
- reset_control_assert(priv->reset);
-}
-
static const struct of_device_id aspeed_pwm_tach_match[] = {
{
.compatible = "aspeed,ast2600-pwm-tach",
@@ -534,7 +527,6 @@ MODULE_DEVICE_TABLE(of, aspeed_pwm_tach_match);
static struct platform_driver aspeed_pwm_tach_driver = {
.probe = aspeed_pwm_tach_probe,
- .remove = aspeed_pwm_tach_remove,
.driver = {
.name = "aspeed-g6-pwm-tach",
.of_match_table = aspeed_pwm_tach_match,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 270/957] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace })
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 269/957] hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 271/957] ASoC: SOF: Intel: hda: Place check before dereference Greg Kroah-Hartman
` (692 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lei Huang, Takashi Iwai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lei Huang <huanglei@kylinos.cn>
[ Upstream commit d1888bf848ade6a9e71c7ba516fd215aa1bd8d65 ]
Fix checkpatch code style errors:
ERROR: else should follow close brace '}'
#2300: FILE: sound/hda/codecs/realtek/alc269.c:2300:
+ }
+ else
Fixes: 31278997add6 ("ALSA: hda/realtek - Add headset quirk for Dell DT")
Signed-off-by: Lei Huang <huanglei@kylinos.cn>
Link: https://patch.msgid.link/20260331075405.78148-1-huanglei814@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index 844c4650230cd..a2ecbe1412632 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -2237,9 +2237,9 @@ static void alc_fixup_headset_mode_alc255_no_hp_mic(struct hda_codec *codec,
struct alc_spec *spec = codec->spec;
spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
alc255_set_default_jack_type(codec);
- }
- else
+ } else {
alc_fixup_headset_mode(codec, fix, action);
+ }
}
static void alc288_update_headset_jack_cb(struct hda_codec *codec,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 271/957] ASoC: SOF: Intel: hda: Place check before dereference
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 270/957] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 272/957] drm/msm/vma: Avoid lock in VM_BIND fence signaling path Greg Kroah-Hartman
` (691 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit 6cbc8360f51a3df2ea16a786b262b9fe44d4c68c ]
The struct hext_stream is dereferenced before it is checked for NULL.
Although it can never be NULL due to a check prior to
hda_dsp_iccmax_stream_hw_params() being called, this change clears any
confusion regarding hext_stream possibly being NULL.
Check hext_stream for NULL and then assign its members.
Detected by Smatch:
sound/soc/sof/intel/hda-stream.c:488 hda_dsp_iccmax_stream_hw_params() warn:
variable dereferenced before check 'hext_stream' (see line 486)
Fixes: aca961f196e5d ("ASoC: SOF: Intel: hda: Add helper function to program ICCMAX stream")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Link: https://patch.msgid.link/20260324173830.17563-1-ethantidmore06@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/intel/hda-stream.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/sof/intel/hda-stream.c b/sound/soc/sof/intel/hda-stream.c
index 9c3b3a9aaf83c..56faafb3dd0e5 100644
--- a/sound/soc/sof/intel/hda-stream.c
+++ b/sound/soc/sof/intel/hda-stream.c
@@ -445,16 +445,20 @@ int hda_dsp_iccmax_stream_hw_params(struct snd_sof_dev *sdev, struct hdac_ext_st
struct snd_dma_buffer *dmab,
struct snd_pcm_hw_params *params)
{
- struct hdac_stream *hstream = &hext_stream->hstream;
- int sd_offset = SOF_STREAM_SD_OFFSET(hstream);
+ struct hdac_stream *hstream;
+ int sd_offset;
int ret;
- u32 mask = 0x1 << hstream->index;
+ u32 mask;
if (!hext_stream) {
dev_err(sdev->dev, "error: no stream available\n");
return -ENODEV;
}
+ hstream = &hext_stream->hstream;
+ sd_offset = SOF_STREAM_SD_OFFSET(hstream);
+ mask = 0x1 << hstream->index;
+
if (!dmab) {
dev_err(sdev->dev, "error: no dma buffer allocated!\n");
return -ENODEV;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 272/957] drm/msm/vma: Avoid lock in VM_BIND fence signaling path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 271/957] ASoC: SOF: Intel: hda: Place check before dereference Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 273/957] drm/msm: Reject fb creation from _NO_SHARE objs Greg Kroah-Hartman
` (690 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Rob Clark,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit 8a7023b035355ef5bfa096bd323256fa8abbbc6a ]
Use msm_gem_unpin_active(), similar to what is used in the GEM_SUBMIT
path. This avoids needing to hold the obj lock, and the end result is
the same. (As with GEM_SUBMIT, we know the fence isn't signaled yet.)
Reported-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/712230/
Message-ID: <20260316184442.673558-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem.c | 3 +++
drivers/gpu/drm/msm/msm_gem_vma.c | 9 ++++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index 9f7fbe577abb1..8636a7f031d24 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -533,8 +533,11 @@ void msm_gem_unpin_locked(struct drm_gem_object *obj)
*/
void msm_gem_unpin_active(struct drm_gem_object *obj)
{
+ struct msm_drm_private *priv = obj->dev->dev_private;
struct msm_gem_object *msm_obj = to_msm_bo(obj);
+ GEM_WARN_ON(!mutex_is_locked(&priv->lru.lock));
+
msm_obj->pin_count--;
GEM_WARN_ON(msm_obj->pin_count < 0);
update_lru_active(obj);
diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
index 89a95977f41ef..44bcc2b291e47 100644
--- a/drivers/gpu/drm/msm/msm_gem_vma.c
+++ b/drivers/gpu/drm/msm/msm_gem_vma.c
@@ -680,6 +680,7 @@ static struct dma_fence *
msm_vma_job_run(struct drm_sched_job *_job)
{
struct msm_vm_bind_job *job = to_msm_vm_bind_job(_job);
+ struct msm_drm_private *priv = job->vm->drm->dev_private;
struct msm_gem_vm *vm = to_msm_vm(job->vm);
struct drm_gem_object *obj;
int ret = vm->unusable ? -EINVAL : 0;
@@ -722,12 +723,14 @@ msm_vma_job_run(struct drm_sched_job *_job)
if (ret)
msm_gem_vm_unusable(job->vm);
+ mutex_lock(&priv->lru.lock);
+
job_foreach_bo (obj, job) {
- msm_gem_lock(obj);
- msm_gem_unpin_locked(obj);
- msm_gem_unlock(obj);
+ msm_gem_unpin_active(obj);
}
+ mutex_unlock(&priv->lru.lock);
+
/* VM_BIND ops are synchronous, so no fence to wait on: */
return NULL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 273/957] drm/msm: Reject fb creation from _NO_SHARE objs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 272/957] drm/msm/vma: Avoid lock in VM_BIND fence signaling path Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 274/957] drm/msm: Fix VM_BIND UNMAP locking Greg Kroah-Hartman
` (689 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rob Clark, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit cf50ccdb765b3a6f1cd8e75642b0439fea0263a5 ]
It would be an error to map these into kms->vm. So reject this as early
as possible, when creating an fb.
Fixes: b58e12a66e47 ("drm/msm: Add _NO_SHARE flag")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714264/
Message-ID: <20260325185926.1265661-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_fb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_fb.c b/drivers/gpu/drm/msm/msm_fb.c
index 1eff615ff9bff..ce1725990a48d 100644
--- a/drivers/gpu/drm/msm/msm_fb.c
+++ b/drivers/gpu/drm/msm/msm_fb.c
@@ -219,7 +219,12 @@ static struct drm_framebuffer *msm_framebuffer_init(struct drm_device *dev,
+ mode_cmd->offsets[i];
if (bos[i]->size < min_size) {
- ret = -EINVAL;
+ ret = UERR(EINVAL, dev, "plane %d too small", i);
+ goto fail;
+ }
+
+ if (to_msm_bo(bos[i])->flags & MSM_BO_NO_SHARE) {
+ ret = UERR(EINVAL, dev, "Cannot map _NO_SHARE to kms vm");
goto fail;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 274/957] drm/msm: Fix VM_BIND UNMAP locking
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 273/957] drm/msm: Reject fb creation from _NO_SHARE objs Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 275/957] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
` (688 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victoria Brekenfeld, Rob Clark,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit 85042c2cd970a6b0e686329387096fe19989ae62 ]
Wrong argument meant that the objs involved in UNMAP ops were not always
getting locked.
Since _NO_SHARE objs share a common resv with the VM (which is always
locked) this would only show up with non-_NO_SHARE BOs.
Reported-by: Victoria Brekenfeld <victoria@system76.com>
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/94
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/713898/
Message-ID: <20260324220519.1221471-2-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem_vma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
index 44bcc2b291e47..9016ef978be5e 100644
--- a/drivers/gpu/drm/msm/msm_gem_vma.c
+++ b/drivers/gpu/drm/msm/msm_gem_vma.c
@@ -1232,7 +1232,7 @@ vm_bind_job_lock_objects(struct msm_vm_bind_job *job, struct drm_exec *exec)
case MSM_VM_BIND_OP_UNMAP:
ret = drm_gpuvm_sm_unmap_exec_lock(job->vm, exec,
op->iova,
- op->obj_offset);
+ op->range);
break;
case MSM_VM_BIND_OP_MAP:
case MSM_VM_BIND_OP_MAP_NULL: {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 275/957] drm/msm/a6xx: Fix HLSQ register dumping
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 274/957] drm/msm: Fix VM_BIND UNMAP locking Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 276/957] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
` (687 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Connor Abbott, Rob Clark,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit c289a6db9ba6cb974f0317da142e4f665d589566 ]
Fix the bitfield offset of HLSQ_READ_SEL state-type bitfield. Otherwise
we are always reading TP state when we wanted SP or HLSQ state.
Reported-by: Connor Abbott <cwabbott0@gmail.com>
Suggested-by: Connor Abbott <cwabbott0@gmail.com>
Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714236/
Message-ID: <20260325184043.1259312-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
index 9cec333e23e15..def021ba19299 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -1013,7 +1013,7 @@ static void a6xx_get_crashdumper_hlsq_registers(struct msm_gpu *gpu,
u64 out = dumper->iova + A6XX_CD_DATA_OFFSET;
int i, regcount = 0;
- in += CRASHDUMP_WRITE(in, REG_A6XX_HLSQ_DBG_READ_SEL, regs->val1);
+ in += CRASHDUMP_WRITE(in, REG_A6XX_HLSQ_DBG_READ_SEL, (regs->val1 & 0xff) << 8);
for (i = 0; i < regs->count; i += 2) {
u32 count = RANGE(regs->registers, i);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 276/957] drm/msm/shrinker: Fix can_block() logic
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 275/957] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 277/957] drm/msm/a6xx: Fix dumping A650+ debugbus blocks Greg Kroah-Hartman
` (686 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Boris Brezillon, Rob Clark,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robin.clark@oss.qualcomm.com>
[ Upstream commit df0f439e3926817cf577ca6272aad68468ff7624 ]
The intention here was to allow blocking if DIRECT_RECLAIM or if called
from kswapd and KSWAPD_RECLAIM is set.
Reported by Claude code review: https://lore.gitlab.freedesktop.org/drm-ai-reviews/review-patch9-20260309151119.290217-10-boris.brezillon@collabora.com/ on a panthor patch which had copied similar logic.
Reported-by: Boris Brezillon <boris.brezillon@collabora.com>
Fixes: 7860d720a84c ("drm/msm: Fix build break with recent mm tree")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Patchwork: https://patchwork.freedesktop.org/patch/714238/
Message-ID: <20260325184106.1259528-1-robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem_shrinker.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_shrinker.c b/drivers/gpu/drm/msm/msm_gem_shrinker.c
index 1039e3c0a47bf..31fa51a44f86e 100644
--- a/drivers/gpu/drm/msm/msm_gem_shrinker.c
+++ b/drivers/gpu/drm/msm/msm_gem_shrinker.c
@@ -26,9 +26,8 @@ static bool can_swap(void)
static bool can_block(struct shrink_control *sc)
{
- if (!(sc->gfp_mask & __GFP_DIRECT_RECLAIM))
- return false;
- return current_is_kswapd() || (sc->gfp_mask & __GFP_RECLAIM);
+ return (sc->gfp_mask & __GFP_DIRECT_RECLAIM) ||
+ (current_is_kswapd() && (sc->gfp_mask & __GFP_KSWAPD_RECLAIM));
}
static unsigned long
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 277/957] drm/msm/a6xx: Fix dumping A650+ debugbus blocks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 276/957] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 278/957] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
` (685 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Connor Abbott, Rob Clark,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Connor Abbott <cwabbott0@gmail.com>
[ Upstream commit cc83f71c9be0715fe93b963ffa9767d5d84354ed ]
These should be appended after the existing debugbus blocks, instead of
replacing them.
Fixes: 1e05bba5e2b8 ("drm/msm/a6xx: Update a6xx gpu coredump")
Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/714270/
Message-ID: <20260325-drm-msm-a650-debugbus-v1-1-dfbf358890a7@gmail.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
index def021ba19299..918d2e504adec 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -361,7 +361,7 @@ static void a6xx_get_debugbus_blocks(struct msm_gpu *gpu,
sizeof(*a6xx_state->debugbus));
if (a6xx_state->debugbus) {
- int i;
+ int i, j;
for (i = 0; i < ARRAY_SIZE(a6xx_debugbus_blocks); i++)
a6xx_get_debugbus_block(gpu,
@@ -369,8 +369,6 @@ static void a6xx_get_debugbus_blocks(struct msm_gpu *gpu,
&a6xx_debugbus_blocks[i],
&a6xx_state->debugbus[i]);
- a6xx_state->nr_debugbus = ARRAY_SIZE(a6xx_debugbus_blocks);
-
/*
* GBIF has same debugbus as of other GPU blocks, fall back to
* default path if GPU uses GBIF, also GBIF uses exactly same
@@ -381,17 +379,19 @@ static void a6xx_get_debugbus_blocks(struct msm_gpu *gpu,
&a6xx_gbif_debugbus_block,
&a6xx_state->debugbus[i]);
- a6xx_state->nr_debugbus += 1;
+ i++;
}
if (adreno_is_a650_family(to_adreno_gpu(gpu))) {
- for (i = 0; i < ARRAY_SIZE(a650_debugbus_blocks); i++)
+ for (j = 0; j < ARRAY_SIZE(a650_debugbus_blocks); i++, j++)
a6xx_get_debugbus_block(gpu,
a6xx_state,
- &a650_debugbus_blocks[i],
+ &a650_debugbus_blocks[j],
&a6xx_state->debugbus[i]);
}
+
+ a6xx_state->nr_debugbus = i;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 278/957] drm/msm/a6xx: Use barriers while updating HFI Q headers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 277/957] drm/msm/a6xx: Fix dumping A650+ debugbus blocks Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 279/957] ALSA: hda/cmedia: Remove duplicate pin configuration parsing Greg Kroah-Hartman
` (684 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Rob Clark,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
[ Upstream commit dc78b35d5ec09d1b0b8a937e6e640d2c5a030915 ]
To avoid harmful compiler optimizations and IO reordering in the HW, use
barriers and READ/WRITE_ONCE helpers as necessary while accessing the HFI
queue index variables.
Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/714653/
Message-ID: <20260327-a8xx-gpu-batch2-v2-1-2b53c38d2101@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
index 550de6ad68eff..ef1365afd767b 100644
--- a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c
@@ -33,7 +33,7 @@ static int a6xx_hfi_queue_read(struct a6xx_gmu *gmu,
struct a6xx_hfi_queue_header *header = queue->header;
u32 i, hdr, index = header->read_index;
- if (header->read_index == header->write_index) {
+ if (header->read_index == READ_ONCE(header->write_index)) {
header->rx_request = 1;
return 0;
}
@@ -61,7 +61,10 @@ static int a6xx_hfi_queue_read(struct a6xx_gmu *gmu,
if (!gmu->legacy)
index = ALIGN(index, 4) % header->size;
- header->read_index = index;
+ /* Ensure all memory operations are complete before updating the read index */
+ dma_mb();
+
+ WRITE_ONCE(header->read_index, index);
return HFI_HEADER_SIZE(hdr);
}
@@ -73,7 +76,7 @@ static int a6xx_hfi_queue_write(struct a6xx_gmu *gmu,
spin_lock(&queue->lock);
- space = CIRC_SPACE(header->write_index, header->read_index,
+ space = CIRC_SPACE(header->write_index, READ_ONCE(header->read_index),
header->size);
if (space < dwords) {
header->dropped++;
@@ -94,7 +97,10 @@ static int a6xx_hfi_queue_write(struct a6xx_gmu *gmu,
queue->data[index] = 0xfafafafa;
}
- header->write_index = index;
+ /* Ensure all memory operations are complete before updating the write index */
+ dma_mb();
+
+ WRITE_ONCE(header->write_index, index);
spin_unlock(&queue->lock);
gmu_write(gmu, REG_A6XX_GMU_HOST2GMU_INTR_SET, 0x01);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 279/957] ALSA: hda/cmedia: Remove duplicate pin configuration parsing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 278/957] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 280/957] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
` (683 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit 579e7b820de5dd5124585413bb5e9c278d255436 ]
The cmedia_probe() function calls snd_hda_parse_pin_defcfg() and
snd_hda_gen_parse_auto_config() twice unnecessarily. Remove The
duplicate code.
Fixes: 0f1e8306dcbe ("ALSA: hda/cmedia: Rewrite to new probe method")
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20260401082625.157868-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/cmedia.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/sound/hda/codecs/cmedia.c b/sound/hda/codecs/cmedia.c
index 15e5a1118a6e8..a156bea7ca446 100644
--- a/sound/hda/codecs/cmedia.c
+++ b/sound/hda/codecs/cmedia.c
@@ -39,13 +39,6 @@ static int cmedia_probe(struct hda_codec *codec, const struct hda_device_id *id)
spec->out_vol_mask = (1ULL << 0x10);
}
- err = snd_hda_parse_pin_defcfg(codec, cfg, NULL, 0);
- if (err < 0)
- goto error;
- err = snd_hda_gen_parse_auto_config(codec, cfg);
- if (err < 0)
- goto error;
-
err = snd_hda_parse_pin_defcfg(codec, cfg, NULL, 0);
if (err < 0)
goto error;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 280/957] pmdomain: ti: omap_prm: Fix a reference leak on device node
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 279/957] ALSA: hda/cmedia: Remove duplicate pin configuration parsing Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 281/957] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
` (682 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Ulf Hansson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <gu_0233@qq.com>
[ Upstream commit 44c28e1c52764fef6dd1c1ada3a248728812e67f ]
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In omap_prm_domain_attach_dev, it does not release the reference.
Fixes: 58cbff023bfa ("soc: ti: omap-prm: Add basic power domain support")
Signed-off-by: Felix Gu <gu_0233@qq.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pmdomain/ti/omap_prm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pmdomain/ti/omap_prm.c b/drivers/pmdomain/ti/omap_prm.c
index 5142f064bf5cd..64a187f79a1a7 100644
--- a/drivers/pmdomain/ti/omap_prm.c
+++ b/drivers/pmdomain/ti/omap_prm.c
@@ -655,6 +655,7 @@ static int omap_prm_domain_attach_dev(struct generic_pm_domain *domain,
if (pd_args.args_count != 0)
dev_warn(dev, "%s: unusupported #power-domain-cells: %i\n",
prmd->pd.name, pd_args.args_count);
+ of_node_put(pd_args.np);
genpd_data = dev_gpd_data(dev);
genpd_data->data = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 281/957] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 280/957] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 282/957] PM: domains: De-constify fields in struct dev_pm_domain_attach_data Greg Kroah-Hartman
` (681 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Peng Fan, Ulf Hansson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit c8e9b6a55702be6c6d034e973d519c52c3848415 ]
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In imx_sc_pd_get_console_rsrc(), it does not release the reference.
Fixes: 893cfb99734f ("firmware: imx: scu-pd: do not power off console domain")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pmdomain/imx/scu-pd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pmdomain/imx/scu-pd.c b/drivers/pmdomain/imx/scu-pd.c
index 01d465d88f60d..3ec33667a308c 100644
--- a/drivers/pmdomain/imx/scu-pd.c
+++ b/drivers/pmdomain/imx/scu-pd.c
@@ -326,6 +326,7 @@ static void imx_sc_pd_get_console_rsrc(void)
return;
imx_con_rsrc = specs.args[0];
+ of_node_put(specs.np);
}
static int imx_sc_get_pd_power(struct device *dev, u32 rsrc)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 282/957] PM: domains: De-constify fields in struct dev_pm_domain_attach_data
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 281/957] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 283/957] drm/msm/dpu: drop INTF_0 on MSM8953 Greg Kroah-Hartman
` (680 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Ulf Hansson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 1877d3f258cbb57d64e275754fb9b18b089ce72d ]
It doesn't really make sense to keep u32 fields to be marked as const.
Having the const fields prevents their modification in the driver. Instead
the whole struct can be defined as const, if it is constant.
Fixes: 161e16a5e50a ("PM: domains: Add helper functions to attach/detach multiple PM domains")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/pm_domain.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/pm_domain.h b/include/linux/pm_domain.h
index f67a2cb7d7814..5ed1753a7cb47 100644
--- a/include/linux/pm_domain.h
+++ b/include/linux/pm_domain.h
@@ -49,8 +49,8 @@
struct dev_pm_domain_attach_data {
const char * const *pd_names;
- const u32 num_pd_names;
- const u32 pd_flags;
+ u32 num_pd_names;
+ u32 pd_flags;
};
struct dev_pm_domain_list {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 283/957] drm/msm/dpu: drop INTF_0 on MSM8953
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 282/957] PM: domains: De-constify fields in struct dev_pm_domain_attach_data Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 284/957] ASoC: fsl_micfil: Add access property for "VAD Detected" Greg Kroah-Hartman
` (679 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 7090420420d5a7d7c88b21d16962f2a230be3ef3 ]
There is no INTF_0 on MSM8953. Currently catalog lists dummy INTF_NONE
entry for it. Drop it from the catalog.
Fixes: 7a6109ce1c2c ("drm/msm/dpu: Add support for MSM8953")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/713990/
Link: https://lore.kernel.org/r/20260325-drop-8953-intf-v1-1-d80e214a1a75@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h
index b44d02b48418f..2162ff917b0f8 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h
+++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h
@@ -121,13 +121,6 @@ static const struct dpu_dspp_cfg msm8953_dspp[] = {
static const struct dpu_intf_cfg msm8953_intf[] = {
{
- .name = "intf_0", .id = INTF_0,
- .base = 0x6a000, .len = 0x268,
- .type = INTF_NONE,
- .prog_fetch_lines_worst_case = 14,
- .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 24),
- .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 25),
- }, {
.name = "intf_1", .id = INTF_1,
.base = 0x6a800, .len = 0x268,
.type = INTF_DSI,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 284/957] ASoC: fsl_micfil: Add access property for "VAD Detected"
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 283/957] drm/msm/dpu: drop INTF_0 on MSM8953 Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 285/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() Greg Kroah-Hartman
` (678 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit c7661bfc7422443df394c01e069ae4e5c3a7f04c ]
Add access property SNDRV_CTL_ELEM_ACCESS_READ for control "VAD
Detected", which doesn't support put operation, otherwise there will be
issue with mixer-test.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-2-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index cac26ba0aa4b0..ddc56f77f1455 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -424,7 +424,13 @@ static const struct snd_kcontrol_new fsl_micfil_snd_controls[] = {
SOC_SINGLE("HWVAD ZCD Adjustment", REG_MICFIL_VAD0_ZCD, 8, 15, 0),
SOC_SINGLE("HWVAD ZCD And Behavior Switch",
REG_MICFIL_VAD0_ZCD, 4, 1, 0),
- SOC_SINGLE_BOOL_EXT("VAD Detected", 0, hwvad_detected, NULL),
+ {
+ .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
+ .access = SNDRV_CTL_ELEM_ACCESS_READ | SNDRV_CTL_ELEM_ACCESS_VOLATILE,
+ .name = "VAD Detected",
+ .info = snd_soc_info_bool_ext,
+ .get = hwvad_detected,
+ },
};
static int fsl_micfil_use_verid(struct device *dev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 285/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 284/957] ASoC: fsl_micfil: Add access property for "VAD Detected" Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 286/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() Greg Kroah-Hartman
` (677 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 59b9061824f2179fe133e2636203548eaba3e528 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation hwvad_put_enable() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the vad_enabled
variable.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-3-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index ddc56f77f1455..668e6dbe5a712 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -306,10 +306,15 @@ static int hwvad_put_enable(struct snd_kcontrol *kcontrol,
unsigned int *item = ucontrol->value.enumerated.item;
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(comp);
int val = snd_soc_enum_item_to_val(e, item[0]);
+ bool change = false;
+ if (val < 0 || val > 1)
+ return -EINVAL;
+
+ change = (micfil->vad_enabled != val);
micfil->vad_enabled = val;
- return 0;
+ return change;
}
static int hwvad_get_enable(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 286/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 285/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 287/957] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() Greg Kroah-Hartman
` (676 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 7e226209906906421f0d952d7304e48fdb0adabc ]
ALSA controls should return 1 if the value in the control changed but the
control put operation hwvad_put_init_mode() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the vad_init_mode
variable.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-4-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 668e6dbe5a712..36eefb7f0eb2f 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -336,13 +336,18 @@ static int hwvad_put_init_mode(struct snd_kcontrol *kcontrol,
unsigned int *item = ucontrol->value.enumerated.item;
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(comp);
int val = snd_soc_enum_item_to_val(e, item[0]);
+ bool change = false;
+
+ if (val < MICFIL_HWVAD_ENVELOPE_MODE || val > MICFIL_HWVAD_ENERGY_MODE)
+ return -EINVAL;
/* 0 - Envelope-based Mode
* 1 - Energy-based Mode
*/
+ change = (micfil->vad_init_mode != val);
micfil->vad_init_mode = val;
- return 0;
+ return change;
}
static int hwvad_get_init_mode(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 287/957] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 286/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 288/957] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
` (675 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 7d2bd35100de370dc326b250e8f6b66bee06a2f3 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation micfil_put_dc_remover_state() only returns 0 or a
negative error code, causing ALSA to not generate any change events.
return the value of snd_soc_component_update_bits() directly, as it has
the capability of return check status of changed or not.
Also enable pm runtime before calling the function
snd_soc_component_update_bits() to make the regmap cache data align with
the value in hardware.
Fixes: 29dbfeecab85 ("ASoC: fsl_micfil: Add Hardware Voice Activity Detector support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-6-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 36eefb7f0eb2f..980c6e1d9b1ce 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -272,6 +272,10 @@ static int micfil_put_dc_remover_state(struct snd_kcontrol *kcontrol,
if (val < 0 || val > 3)
return -EINVAL;
+ ret = pm_runtime_resume_and_get(comp->dev);
+ if (ret)
+ return ret;
+
micfil->dc_remover = val;
/* Calculate total value for all channels */
@@ -281,10 +285,10 @@ static int micfil_put_dc_remover_state(struct snd_kcontrol *kcontrol,
/* Update DC Remover mode for all channels */
ret = snd_soc_component_update_bits(comp, REG_MICFIL_DC_CTRL,
MICFIL_DC_CTRL_CONFIG, reg_val);
- if (ret < 0)
- return ret;
- return 0;
+ pm_runtime_put_autosuspend(comp->dev);
+
+ return ret;
}
static int micfil_get_dc_remover_state(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 288/957] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 287/957] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 289/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
` (674 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit e5785093b1b45af7ee57d18619b2854a8aed073a ]
ALSA controls should return 1 if the value in the control changed but the
control put operation micfil_quality_set() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the quality variable.
Also enable pm runtime before calling the function micfil_set_quality()
to make the regmap cache data align with the value in hardware.
Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-7-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_micfil.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
index 980c6e1d9b1ce..09deb880bd37d 100644
--- a/sound/soc/fsl/fsl_micfil.c
+++ b/sound/soc/fsl/fsl_micfil.c
@@ -210,10 +210,34 @@ static int micfil_quality_set(struct snd_kcontrol *kcontrol,
{
struct snd_soc_component *cmpnt = snd_soc_kcontrol_component(kcontrol);
struct fsl_micfil *micfil = snd_soc_component_get_drvdata(cmpnt);
+ int val = ucontrol->value.integer.value[0];
+ bool change = false;
+ int old_val;
+ int ret;
+
+ if (val < QUALITY_HIGH || val > QUALITY_VLOW2)
+ return -EINVAL;
+
+ if (micfil->quality != val) {
+ ret = pm_runtime_resume_and_get(cmpnt->dev);
+ if (ret)
+ return ret;
+
+ old_val = micfil->quality;
+ micfil->quality = val;
+ ret = micfil_set_quality(micfil);
- micfil->quality = ucontrol->value.integer.value[0];
+ pm_runtime_put_autosuspend(cmpnt->dev);
- return micfil_set_quality(micfil);
+ if (ret) {
+ micfil->quality = old_val;
+ return ret;
+ }
+
+ change = true;
+ }
+
+ return change;
}
static const char * const micfil_hwvad_enable[] = {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 289/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 288/957] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 290/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
` (673 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 1b61c8103c9317a9c37fe544c2d83cee1c281149 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_xcvr_arc_mode_put() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the arc_mode
variable.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-8-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index a268fb81a2f86..008e45009c83f 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -115,10 +115,17 @@ static int fsl_xcvr_arc_mode_put(struct snd_kcontrol *kcontrol,
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
unsigned int *item = ucontrol->value.enumerated.item;
+ int val = snd_soc_enum_item_to_val(e, item[0]);
+ int ret;
- xcvr->arc_mode = snd_soc_enum_item_to_val(e, item[0]);
+ if (val < 0 || val > 1)
+ return -EINVAL;
- return 0;
+ ret = (xcvr->arc_mode != val);
+
+ xcvr->arc_mode = val;
+
+ return ret;
}
static int fsl_xcvr_arc_mode_get(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 290/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 289/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 291/957] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
` (672 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 64a496ba976324615b845d60739dfcdae3d57434 ]
ALSA controls should return 1 if the value in the control changed but the
control put operation fsl_xcvr_mode_put() only returns 0 or a negative
error code, causing ALSA to not generate any change events.
Add a suitable check in the function before updating the mode variable.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-9-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 008e45009c83f..d7a823384c08a 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -225,10 +225,17 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol,
struct fsl_xcvr *xcvr = snd_soc_dai_get_drvdata(dai);
struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
unsigned int *item = ucontrol->value.enumerated.item;
+ int val = snd_soc_enum_item_to_val(e, item[0]);
struct snd_soc_card *card = dai->component->card;
struct snd_soc_pcm_runtime *rtd;
+ int ret;
+
+ if (val < FSL_XCVR_MODE_SPDIF || val > FSL_XCVR_MODE_EARC)
+ return -EINVAL;
- xcvr->mode = snd_soc_enum_item_to_val(e, item[0]);
+ ret = (xcvr->mode != val);
+
+ xcvr->mode = val;
fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name,
(xcvr->mode == FSL_XCVR_MODE_ARC));
@@ -238,7 +245,7 @@ static int fsl_xcvr_mode_put(struct snd_kcontrol *kcontrol,
rtd = snd_soc_get_pcm_runtime(card, card->dai_link);
rtd->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream_count =
(xcvr->mode == FSL_XCVR_MODE_SPDIF ? 1 : 0);
- return 0;
+ return ret;
}
static int fsl_xcvr_mode_get(struct snd_kcontrol *kcontrol,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 291/957] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 290/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 292/957] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
` (671 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 00541b86fb578d4949cfdd6aff1f82d43fcf07af ]
Add check of input value's range in fsl_easrc_iec958_put_bits(),
otherwise the wrong value may be written from user space.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-10-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 8e52e43a8ba85..8647df027c3fd 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -54,6 +54,9 @@ static int fsl_easrc_iec958_put_bits(struct snd_kcontrol *kcontrol,
unsigned int regval = ucontrol->value.integer.value[0];
int ret;
+ if (regval < EASRC_WIDTH_16_BIT || regval > EASRC_WIDTH_24_BIT)
+ return -EINVAL;
+
ret = (easrc_priv->bps_iec958[mc->regbase] != regval);
easrc_priv->bps_iec958[mc->regbase] = regval;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 292/957] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 291/957] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 293/957] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
` (670 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit aa21fe4a81458cf469c2615b08cbde5997dde25a ]
The value type of controls "Context 0 IEC958 Bits Per Sample" should be
integer, not enumerated, the issue is found by the mixer-test.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-11-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 8647df027c3fd..725c7b65fe6b8 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -73,7 +73,7 @@ static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
- ucontrol->value.enumerated.item[0] = easrc_priv->bps_iec958[mc->regbase];
+ ucontrol->value.integer.value[0] = easrc_priv->bps_iec958[mc->regbase];
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 293/957] ASoC: fsl_easrc: Change the type for iec958 channel status controls
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 292/957] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 294/957] iommu/amd: Fix clone_alias() to use the original devices devid Greg Kroah-Hartman
` (669 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 47f28a5bd154a95d5aa563dde02a801bd32ddb81 ]
Use the type SNDRV_CTL_ELEM_TYPE_IEC958 for iec958 channel status
controls, the original type will cause mixer-test to iterate all 32bit
values, which costs a lot of time. And using IEC958 type can reduce the
control numbers.
Also enable pm runtime before updating registers to make the regmap cache
data align with the value in hardware.
Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20260401094226.2900532-12-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_easrc.c | 118 +++++++++++++++++++++++++++-----------
1 file changed, 84 insertions(+), 34 deletions(-)
diff --git a/sound/soc/fsl/fsl_easrc.c b/sound/soc/fsl/fsl_easrc.c
index 725c7b65fe6b8..59cdf18731a0a 100644
--- a/sound/soc/fsl/fsl_easrc.c
+++ b/sound/soc/fsl/fsl_easrc.c
@@ -78,17 +78,47 @@ static int fsl_easrc_iec958_get_bits(struct snd_kcontrol *kcontrol,
return 0;
}
+static int fsl_easrc_iec958_info(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_info *uinfo)
+{
+ uinfo->type = SNDRV_CTL_ELEM_TYPE_IEC958;
+ uinfo->count = 1;
+ return 0;
+}
+
static int fsl_easrc_get_reg(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct snd_soc_component *component = snd_kcontrol_chip(kcontrol);
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
- unsigned int regval;
+ struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
+ unsigned int *regval = (unsigned int *)ucontrol->value.iec958.status;
+ int ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS0(mc->regbase), ®val[0]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS1(mc->regbase), ®val[1]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS2(mc->regbase), ®val[2]);
+ if (ret)
+ return ret;
- regval = snd_soc_component_read(component, mc->regbase);
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS3(mc->regbase), ®val[3]);
+ if (ret)
+ return ret;
+
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS4(mc->regbase), ®val[4]);
+ if (ret)
+ return ret;
- ucontrol->value.integer.value[0] = regval;
+ ret = regmap_read(easrc->regmap, REG_EASRC_CS5(mc->regbase), ®val[5]);
+ if (ret)
+ return ret;
return 0;
}
@@ -100,22 +130,62 @@ static int fsl_easrc_set_reg(struct snd_kcontrol *kcontrol,
struct soc_mreg_control *mc =
(struct soc_mreg_control *)kcontrol->private_value;
struct fsl_asrc *easrc = snd_soc_component_get_drvdata(component);
- unsigned int regval = ucontrol->value.integer.value[0];
- bool changed;
+ unsigned int *regval = (unsigned int *)ucontrol->value.iec958.status;
+ bool changed, changed_all = false;
int ret;
- ret = regmap_update_bits_check(easrc->regmap, mc->regbase,
- GENMASK(31, 0), regval, &changed);
- if (ret != 0)
+ ret = pm_runtime_resume_and_get(component->dev);
+ if (ret)
return ret;
- return changed;
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS0(mc->regbase),
+ GENMASK(31, 0), regval[0], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS1(mc->regbase),
+ GENMASK(31, 0), regval[1], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS2(mc->regbase),
+ GENMASK(31, 0), regval[2], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS3(mc->regbase),
+ GENMASK(31, 0), regval[3], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS4(mc->regbase),
+ GENMASK(31, 0), regval[4], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+
+ ret = regmap_update_bits_check(easrc->regmap, REG_EASRC_CS5(mc->regbase),
+ GENMASK(31, 0), regval[5], &changed);
+ if (ret != 0)
+ goto err;
+ changed_all |= changed;
+err:
+ pm_runtime_put_autosuspend(component->dev);
+
+ if (ret != 0)
+ return ret;
+ else
+ return changed_all;
}
#define SOC_SINGLE_REG_RW(xname, xreg) \
{ .iface = SNDRV_CTL_ELEM_IFACE_PCM, .name = (xname), \
.access = SNDRV_CTL_ELEM_ACCESS_READWRITE, \
- .info = snd_soc_info_xr_sx, .get = fsl_easrc_get_reg, \
+ .info = fsl_easrc_iec958_info, .get = fsl_easrc_get_reg, \
.put = fsl_easrc_set_reg, \
.private_value = (unsigned long)&(struct soc_mreg_control) \
{ .regbase = xreg, .regcount = 1, .nbits = 32, \
@@ -146,30 +216,10 @@ static const struct snd_kcontrol_new fsl_easrc_snd_controls[] = {
SOC_SINGLE_VAL_RW("Context 2 IEC958 Bits Per Sample", 2),
SOC_SINGLE_VAL_RW("Context 3 IEC958 Bits Per Sample", 3),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS0", REG_EASRC_CS0(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS0", REG_EASRC_CS0(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS0", REG_EASRC_CS0(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS0", REG_EASRC_CS0(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS1", REG_EASRC_CS1(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS1", REG_EASRC_CS1(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS1", REG_EASRC_CS1(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS1", REG_EASRC_CS1(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS2", REG_EASRC_CS2(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS2", REG_EASRC_CS2(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS2", REG_EASRC_CS2(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS2", REG_EASRC_CS2(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS3", REG_EASRC_CS3(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS3", REG_EASRC_CS3(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS3", REG_EASRC_CS3(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS3", REG_EASRC_CS3(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS4", REG_EASRC_CS4(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS4", REG_EASRC_CS4(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS4", REG_EASRC_CS4(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS4", REG_EASRC_CS4(3)),
- SOC_SINGLE_REG_RW("Context 0 IEC958 CS5", REG_EASRC_CS5(0)),
- SOC_SINGLE_REG_RW("Context 1 IEC958 CS5", REG_EASRC_CS5(1)),
- SOC_SINGLE_REG_RW("Context 2 IEC958 CS5", REG_EASRC_CS5(2)),
- SOC_SINGLE_REG_RW("Context 3 IEC958 CS5", REG_EASRC_CS5(3)),
+ SOC_SINGLE_REG_RW("Context 0 IEC958 CS", 0),
+ SOC_SINGLE_REG_RW("Context 1 IEC958 CS", 1),
+ SOC_SINGLE_REG_RW("Context 2 IEC958 CS", 2),
+ SOC_SINGLE_REG_RW("Context 3 IEC958 CS", 3),
};
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 294/957] iommu/amd: Fix clone_alias() to use the original devices devid
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 293/957] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 295/957] iommu/riscv: Remove overflows on the invalidation path Greg Kroah-Hartman
` (668 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vasant Hegde, Joerg Roedel,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasant Hegde <vasant.hegde@amd.com>
[ Upstream commit faad224fe0f0857a04ff2eb3c90f0de57f47d0f3 ]
Currently clone_alias() assumes first argument (pdev) is always the
original device pointer. This function is called by
pci_for_each_dma_alias() which based on topology decides to send
original or alias device details in first argument.
This meant that the source devid used to look up and copy the DTE
may be incorrect, leading to wrong or stale DTE entries being
propagated to alias device.
Fix this by passing the original pdev as the opaque data argument to
both the direct clone_alias() call and pci_for_each_dma_alias(). Inside
clone_alias(), retrieve the original device from data and compute devid
from it.
Fixes: 3332364e4ebc ("iommu/amd: Support multiple PCI DMA aliases in device table")
Signed-off-by: Vasant Hegde <vasant.hegde@amd.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/iommu.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 4beef73139611..5afd1621d715e 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -381,11 +381,12 @@ struct iommu_dev_data *search_dev_data(struct amd_iommu *iommu, u16 devid)
return NULL;
}
-static int clone_alias(struct pci_dev *pdev, u16 alias, void *data)
+static int clone_alias(struct pci_dev *pdev_origin, u16 alias, void *data)
{
struct dev_table_entry new;
struct amd_iommu *iommu;
struct iommu_dev_data *dev_data, *alias_data;
+ struct pci_dev *pdev = data;
u16 devid = pci_dev_id(pdev);
int ret = 0;
@@ -432,9 +433,9 @@ static void clone_aliases(struct amd_iommu *iommu, struct device *dev)
* part of the PCI DMA aliases if it's bus differs
* from the original device.
*/
- clone_alias(pdev, iommu->pci_seg->alias_table[pci_dev_id(pdev)], NULL);
+ clone_alias(pdev, iommu->pci_seg->alias_table[pci_dev_id(pdev)], pdev);
- pci_for_each_dma_alias(pdev, clone_alias, NULL);
+ pci_for_each_dma_alias(pdev, clone_alias, pdev);
}
static void setup_aliases(struct amd_iommu *iommu, struct device *dev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 295/957] iommu/riscv: Remove overflows on the invalidation path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 294/957] iommu/amd: Fix clone_alias() to use the original devices devid Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 296/957] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
` (667 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Joerg Roedel,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit 40a13b49957937427bc23e78eb50679df4396a47 ]
Since RISC-V supports a sign extended page table it should support
a gather->end of ULONG_MAX, but if this happens it will infinite loop
because of the overflow.
Also avoid overflow computing the length by moving the +1 to the other
side of the <
Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/riscv/iommu.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index 1e8007a153c32..de286563bd44e 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -931,8 +931,6 @@ static void riscv_iommu_iotlb_inval(struct riscv_iommu_domain *domain,
struct riscv_iommu_bond *bond;
struct riscv_iommu_device *iommu, *prev;
struct riscv_iommu_command cmd;
- unsigned long len = end - start + 1;
- unsigned long iova;
/*
* For each IOMMU linked with this protection domain (via bonds->dev),
@@ -975,11 +973,14 @@ static void riscv_iommu_iotlb_inval(struct riscv_iommu_domain *domain,
riscv_iommu_cmd_inval_vma(&cmd);
riscv_iommu_cmd_inval_set_pscid(&cmd, domain->pscid);
- if (len && len < RISCV_IOMMU_IOTLB_INVAL_LIMIT) {
- for (iova = start; iova < end; iova += PAGE_SIZE) {
+ if (end - start < RISCV_IOMMU_IOTLB_INVAL_LIMIT - 1) {
+ unsigned long iova = start;
+
+ do {
riscv_iommu_cmd_inval_set_addr(&cmd, iova);
riscv_iommu_cmd_send(iommu, &cmd);
- }
+ } while (!check_add_overflow(iova, PAGE_SIZE, &iova) &&
+ iova < end);
} else {
riscv_iommu_cmd_send(iommu, &cmd);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 296/957] ASoC: qcom: qdsp6: topology: check widget type before accessing data
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 295/957] iommu/riscv: Remove overflows on the invalidation path Greg Kroah-Hartman
@ 2026-05-20 16:12 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 297/957] PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value Greg Kroah-Hartman
` (666 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
[ Upstream commit d5bfdd28e0cdd45043ae6e0ac168a451d59283dc ]
Check widget type before accessing the private data, as this could a
virtual widget which is no associated with a dsp graph, container and
module. Accessing witout check could lead to incorrect memory access.
Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support")
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260402081118.348071-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/qcom/qdsp6/topology.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sound/soc/qcom/qdsp6/topology.c b/sound/soc/qcom/qdsp6/topology.c
index f61285e7dcf20..f8d3bb83e3b0d 100644
--- a/sound/soc/qcom/qdsp6/topology.c
+++ b/sound/soc/qcom/qdsp6/topology.c
@@ -952,9 +952,6 @@ static int audioreach_widget_unload(struct snd_soc_component *scomp,
struct audioreach_container *cont;
struct audioreach_module *mod;
- mod = dobj->private;
- cont = mod->container;
-
if (w->id == snd_soc_dapm_mixer) {
/* virtual widget */
struct snd_ar_control *scontrol = dobj->private;
@@ -963,6 +960,11 @@ static int audioreach_widget_unload(struct snd_soc_component *scomp,
kfree(scontrol);
return 0;
}
+ mod = dobj->private;
+ if (!mod)
+ return 0;
+
+ cont = mod->container;
mutex_lock(&apm->lock);
idr_remove(&apm->modules_idr, mod->instance_id);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 297/957] PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-05-20 16:12 ` [PATCH 6.18 296/957] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 298/957] crypto: qat - disable 4xxx AE cluster when lead engine is fused off Greg Kroah-Hartman
` (665 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Zhang, Manivannan Sadhasivam,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit 445588a3b18bb0702d746cb61f7a443639027651 ]
kstrtou32_from_user() returns int, but the return value was stored in
a u32 variable 'val', risking sign loss. Use a dedicated int variable
to correctly handle the return code.
Fixes: 4fbfa17f9a07 ("PCI: dwc: Add debugfs based Silicon Debug support for DWC")
Signed-off-by: Hans Zhang <18255117159@163.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://patch.msgid.link/20260401023048.4182452-1-18255117159@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../controller/dwc/pcie-designware-debugfs.c | 21 +++++++++++--------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware-debugfs.c b/drivers/pci/controller/dwc/pcie-designware-debugfs.c
index df98fee69892b..afcc08efe2531 100644
--- a/drivers/pci/controller/dwc/pcie-designware-debugfs.c
+++ b/drivers/pci/controller/dwc/pcie-designware-debugfs.c
@@ -208,10 +208,11 @@ static ssize_t lane_detect_write(struct file *file, const char __user *buf,
struct dw_pcie *pci = file->private_data;
struct dwc_pcie_rasdes_info *rinfo = pci->debugfs->rasdes_info;
u32 lane, val;
+ int ret;
- val = kstrtou32_from_user(buf, count, 0, &lane);
- if (val)
- return val;
+ ret = kstrtou32_from_user(buf, count, 0, &lane);
+ if (ret)
+ return ret;
val = dw_pcie_readl_dbi(pci, rinfo->ras_cap_offset + SD_STATUS_L1LANE_REG);
val &= ~(LANE_SELECT);
@@ -347,10 +348,11 @@ static ssize_t counter_enable_write(struct file *file, const char __user *buf,
struct dw_pcie *pci = pdata->pci;
struct dwc_pcie_rasdes_info *rinfo = pci->debugfs->rasdes_info;
u32 val, enable;
+ int ret;
- val = kstrtou32_from_user(buf, count, 0, &enable);
- if (val)
- return val;
+ ret = kstrtou32_from_user(buf, count, 0, &enable);
+ if (ret)
+ return ret;
mutex_lock(&rinfo->reg_event_lock);
set_event_number(pdata, pci, rinfo);
@@ -408,10 +410,11 @@ static ssize_t counter_lane_write(struct file *file, const char __user *buf,
struct dw_pcie *pci = pdata->pci;
struct dwc_pcie_rasdes_info *rinfo = pci->debugfs->rasdes_info;
u32 val, lane;
+ int ret;
- val = kstrtou32_from_user(buf, count, 0, &lane);
- if (val)
- return val;
+ ret = kstrtou32_from_user(buf, count, 0, &lane);
+ if (ret)
+ return ret;
mutex_lock(&rinfo->reg_event_lock);
set_event_number(pdata, pci, rinfo);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 298/957] crypto: qat - disable 4xxx AE cluster when lead engine is fused off
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 297/957] PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 299/957] crypto: qat - disable 420xx " Greg Kroah-Hartman
` (664 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
[ Upstream commit b260d53561dd69b29505222ec44cf386ac2c2ca6 ]
The get_ae_mask() function only disables individual engines based on
the fuse register, but engines are organized in clusters of 4. If the
lead engine of a cluster is fused off, the entire cluster must be
disabled.
Replace the single bitmask inversion with explicit test_bit() checks
on the lead engine of each group, disabling the full ADF_AE_GROUP
when the lead bit is set.
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Fixes: 8c8268166e834 ("crypto: qat - add qat_4xxx driver")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c
index 740f68a36ac51..900f19b90b2dc 100644
--- a/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c
+++ b/drivers/crypto/intel/qat/qat_4xxx/adf_4xxx_hw_data.c
@@ -100,9 +100,19 @@ static struct adf_hw_device_class adf_4xxx_class = {
static u32 get_ae_mask(struct adf_hw_device_data *self)
{
- u32 me_disable = self->fuses[ADF_FUSECTL4];
+ unsigned long fuses = self->fuses[ADF_FUSECTL4];
+ u32 mask = ADF_4XXX_ACCELENGINES_MASK;
- return ~me_disable & ADF_4XXX_ACCELENGINES_MASK;
+ if (test_bit(0, &fuses))
+ mask &= ~ADF_AE_GROUP_0;
+
+ if (test_bit(4, &fuses))
+ mask &= ~ADF_AE_GROUP_1;
+
+ if (test_bit(8, &fuses))
+ mask &= ~ADF_AE_GROUP_2;
+
+ return mask;
}
static u32 get_accel_cap(struct adf_accel_dev *accel_dev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 299/957] crypto: qat - disable 420xx AE cluster when lead engine is fused off
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 298/957] crypto: qat - disable 4xxx AE cluster when lead engine is fused off Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 300/957] crypto: qat - fix compression instance leak Greg Kroah-Hartman
` (663 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahsan Atta, Giovanni Cabiddu,
Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahsan Atta <ahsan.atta@intel.com>
[ Upstream commit f216e0f2d1787e662bb6662c9c522185aa3b855a ]
The get_ae_mask() function only disables individual engines based on
the fuse register, but engines are organized in clusters of 4. If the
lead engine of a cluster is fused off, the entire cluster must be
disabled.
Replace the single bitmask inversion with explicit test_bit() checks
on the lead engine of each group, disabling the full ADF_AE_GROUP
when the lead bit is set.
Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Fixes: fcf60f4bcf54 ("crypto: qat - add support for 420xx devices")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../intel/qat/qat_420xx/adf_420xx_hw_data.c | 20 +++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
index 53fa91d577ed0..cb52aaa323a7e 100644
--- a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
+++ b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
@@ -96,9 +96,25 @@ static struct adf_hw_device_class adf_420xx_class = {
static u32 get_ae_mask(struct adf_hw_device_data *self)
{
- u32 me_disable = self->fuses[ADF_FUSECTL4];
+ unsigned long fuses = self->fuses[ADF_FUSECTL4];
+ u32 mask = ADF_420XX_ACCELENGINES_MASK;
- return ~me_disable & ADF_420XX_ACCELENGINES_MASK;
+ if (test_bit(0, &fuses))
+ mask &= ~ADF_AE_GROUP_0;
+
+ if (test_bit(4, &fuses))
+ mask &= ~ADF_AE_GROUP_1;
+
+ if (test_bit(8, &fuses))
+ mask &= ~ADF_AE_GROUP_2;
+
+ if (test_bit(12, &fuses))
+ mask &= ~ADF_AE_GROUP_3;
+
+ if (test_bit(16, &fuses))
+ mask &= ~ADF_AE_GROUP_4;
+
+ return mask;
}
static u32 uof_get_num_objs(struct adf_accel_dev *accel_dev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 300/957] crypto: qat - fix compression instance leak
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 299/957] crypto: qat - disable 420xx " Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 301/957] crypto: qat - fix type mismatch in RAS sysfs show functions Greg Kroah-Hartman
` (662 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu, Laurent M Coquerel,
Ahsan Atta, Wojciech Drewek, Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit 795c24c677c7a1c12f5768daf22a874a2890662f ]
qat_comp_alg_init_tfm() acquires a compression instance via
qat_compression_get_instance_node() before calling qat_comp_build_ctx()
to initialize the compression context. If qat_comp_build_ctx() fails, the
function returns an error without releasing the compression instance,
causing a resource leak.
When qat_comp_build_ctx() fails, release the compression instance with
qat_compression_put_instance() and clear the context to avoid leaving a
stale reference to the released instance.
The issue was introduced when build_deflate_ctx() (which always returned
void) was replaced by qat_comp_build_ctx() (which can return an error)
without adding error handling for the failure path.
Fixes: cd0e7160f80f ("crypto: qat - refactor compression template logic")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/intel/qat/qat_common/qat_comp_algs.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/qat_comp_algs.c b/drivers/crypto/intel/qat/qat_common/qat_comp_algs.c
index 8b123472b71cc..4273a0ecb6c80 100644
--- a/drivers/crypto/intel/qat/qat_common/qat_comp_algs.c
+++ b/drivers/crypto/intel/qat/qat_common/qat_comp_algs.c
@@ -133,7 +133,7 @@ static int qat_comp_alg_init_tfm(struct crypto_acomp *acomp_tfm)
struct crypto_tfm *tfm = crypto_acomp_tfm(acomp_tfm);
struct qat_compression_ctx *ctx = crypto_tfm_ctx(tfm);
struct qat_compression_instance *inst;
- int node;
+ int node, ret;
if (tfm->node == NUMA_NO_NODE)
node = numa_node_id();
@@ -146,7 +146,13 @@ static int qat_comp_alg_init_tfm(struct crypto_acomp *acomp_tfm)
return -EINVAL;
ctx->inst = inst;
- return qat_comp_build_ctx(inst->accel_dev, ctx->comp_ctx, QAT_DEFLATE);
+ ret = qat_comp_build_ctx(inst->accel_dev, ctx->comp_ctx, QAT_DEFLATE);
+ if (ret) {
+ qat_compression_put_instance(inst);
+ memset(ctx, 0, sizeof(*ctx));
+ }
+
+ return ret;
}
static void qat_comp_alg_exit_tfm(struct crypto_acomp *acomp_tfm)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 301/957] crypto: qat - fix type mismatch in RAS sysfs show functions
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 300/957] crypto: qat - fix compression instance leak Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 302/957] crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table() Greg Kroah-Hartman
` (661 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu, Ahsan Atta,
Andy Shevchenko, Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit ec23d75c4b77ae42af0777ea59599b1d4f611371 ]
ADF_RAS_ERR_CTR_READ() expands to atomic_read(), which returns int.
The local variable 'counter' was declared as 'unsigned long', causing
a type mismatch on the assignment. The format specifier '%ld' was
consequently wrong in two ways: wrong length modifier and wrong
signedness.
Use int to match the return type of atomic_read() and update the
format specifier to '%d' accordingly.
Fixes: 532d7f6bc458 ("crypto: qat - add error counters")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../intel/qat/qat_common/adf_sysfs_ras_counters.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/adf_sysfs_ras_counters.c b/drivers/crypto/intel/qat/qat_common/adf_sysfs_ras_counters.c
index e97c67c87b3cf..6abb57bfd3285 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_sysfs_ras_counters.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_sysfs_ras_counters.c
@@ -13,14 +13,14 @@ static ssize_t errors_correctable_show(struct device *dev,
char *buf)
{
struct adf_accel_dev *accel_dev;
- unsigned long counter;
+ int counter;
accel_dev = adf_devmgr_pci_to_accel_dev(to_pci_dev(dev));
if (!accel_dev)
return -EINVAL;
counter = ADF_RAS_ERR_CTR_READ(accel_dev->ras_errors, ADF_RAS_CORR);
- return scnprintf(buf, PAGE_SIZE, "%ld\n", counter);
+ return scnprintf(buf, PAGE_SIZE, "%d\n", counter);
}
static ssize_t errors_nonfatal_show(struct device *dev,
@@ -28,14 +28,14 @@ static ssize_t errors_nonfatal_show(struct device *dev,
char *buf)
{
struct adf_accel_dev *accel_dev;
- unsigned long counter;
+ int counter;
accel_dev = adf_devmgr_pci_to_accel_dev(to_pci_dev(dev));
if (!accel_dev)
return -EINVAL;
counter = ADF_RAS_ERR_CTR_READ(accel_dev->ras_errors, ADF_RAS_UNCORR);
- return scnprintf(buf, PAGE_SIZE, "%ld\n", counter);
+ return scnprintf(buf, PAGE_SIZE, "%d\n", counter);
}
static ssize_t errors_fatal_show(struct device *dev,
@@ -43,14 +43,14 @@ static ssize_t errors_fatal_show(struct device *dev,
char *buf)
{
struct adf_accel_dev *accel_dev;
- unsigned long counter;
+ int counter;
accel_dev = adf_devmgr_pci_to_accel_dev(to_pci_dev(dev));
if (!accel_dev)
return -EINVAL;
counter = ADF_RAS_ERR_CTR_READ(accel_dev->ras_errors, ADF_RAS_FATAL);
- return scnprintf(buf, PAGE_SIZE, "%ld\n", counter);
+ return scnprintf(buf, PAGE_SIZE, "%d\n", counter);
}
static ssize_t reset_error_counters_store(struct device *dev,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 302/957] crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 301/957] crypto: qat - fix type mismatch in RAS sysfs show functions Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 303/957] crypto: qat - use swab32 macro Greg Kroah-Hartman
` (660 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu,
Vinicius Costa Gomes, Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit 590fa5d69c27cfaecd2e8287aec78f902417c877 ]
The cpu counter used to compute the IAA device index is reset to zero
at the start of each NUMA node iteration. This causes CPUs on every
node to map starting from IAA index 0 instead of continuing from the
previous node's last index. On multi-node systems, this results in all
nodes mapping their CPUs to the same initial set of IAA devices,
leaving higher-indexed devices unused.
Move the cpu counter initialization before the for_each_node_with_cpus()
loop so that the IAA index computation accumulates correctly across all
nodes.
Fixes: 714ca27e9bf4 ("crypto: iaa - Optimize rebalance_wq_table()")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/intel/iaa/iaa_crypto_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/intel/iaa/iaa_crypto_main.c b/drivers/crypto/intel/iaa/iaa_crypto_main.c
index da9b2bc515194..78218f3a3cd06 100644
--- a/drivers/crypto/intel/iaa/iaa_crypto_main.c
+++ b/drivers/crypto/intel/iaa/iaa_crypto_main.c
@@ -911,8 +911,8 @@ static void rebalance_wq_table(void)
return;
}
+ cpu = 0;
for_each_node_with_cpus(node) {
- cpu = 0;
node_cpus = cpumask_of_node(node);
for_each_cpu(node_cpu, node_cpus) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 303/957] crypto: qat - use swab32 macro
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 302/957] crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 304/957] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Greg Kroah-Hartman
` (659 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Giovanni Cabiddu,
Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit 35ecb77ae0749a2f1b04872c9978d9d7ddbbeb79 ]
Replace __builtin_bswap32() with swab32 in icp_qat_hw_20_comp.h to fix
the following build errors on architectures without native byte-swap
support:
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.o: in function `adf_gen4_build_decomp_block':
drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:141:(.text+0xeec): undefined reference to `__bswapsi2'
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:141:(.text+0xef8): undefined reference to `__bswapsi2'
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.o: in function `adf_gen4_build_comp_block':
drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:57:(.text+0xf64): undefined reference to `__bswapsi2'
alpha-linux-ld: drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h:57:(.text+0xf7c): undefined reference to `__bswapsi2'
Fixes: 5b14b2b307e4 ("crypto: qat - enable deflate for QAT GEN4")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603290259.Ig9kDOmI-lkp@intel.com/
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h b/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h
index 7ea8962272f2f..d28732225c9e0 100644
--- a/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h
+++ b/drivers/crypto/intel/qat/qat_common/icp_qat_hw_20_comp.h
@@ -3,6 +3,8 @@
#ifndef _ICP_QAT_HW_20_COMP_H_
#define _ICP_QAT_HW_20_COMP_H_
+#include <linux/swab.h>
+
#include "icp_qat_hw_20_comp_defs.h"
#include "icp_qat_fw.h"
@@ -54,7 +56,7 @@ ICP_QAT_FW_COMP_20_BUILD_CONFIG_LOWER(struct icp_qat_hw_comp_20_config_csr_lower
QAT_FIELD_SET(val32, csr.abd, ICP_QAT_HW_COMP_20_CONFIG_CSR_ABD_BITPOS,
ICP_QAT_HW_COMP_20_CONFIG_CSR_ABD_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
struct icp_qat_hw_comp_20_config_csr_upper {
@@ -106,7 +108,7 @@ ICP_QAT_FW_COMP_20_BUILD_CONFIG_UPPER(struct icp_qat_hw_comp_20_config_csr_upper
ICP_QAT_HW_COMP_20_CONFIG_CSR_NICE_PARAM_BITPOS,
ICP_QAT_HW_COMP_20_CONFIG_CSR_NICE_PARAM_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
struct icp_qat_hw_decomp_20_config_csr_lower {
@@ -138,7 +140,7 @@ ICP_QAT_FW_DECOMP_20_BUILD_CONFIG_LOWER(struct icp_qat_hw_decomp_20_config_csr_l
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_LZ4_BLOCK_CHECKSUM_PRESENT_BITPOS,
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_LZ4_BLOCK_CHECKSUM_PRESENT_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
struct icp_qat_hw_decomp_20_config_csr_upper {
@@ -158,7 +160,7 @@ ICP_QAT_FW_DECOMP_20_BUILD_CONFIG_UPPER(struct icp_qat_hw_decomp_20_config_csr_u
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_MINI_CAM_CONTROL_BITPOS,
ICP_QAT_HW_DECOMP_20_CONFIG_CSR_MINI_CAM_CONTROL_MASK);
- return __builtin_bswap32(val32);
+ return swab32(val32);
}
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 304/957] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 303/957] crypto: qat - use swab32 macro Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 305/957] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
` (658 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Rastyogin, Kuninori Morimoto,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Rastyogin <gerben@altlinux.org>
[ Upstream commit f9e437cddf6cf9e603bdaefe148c1f4792aaf39c ]
component_dais[RSND_MAX_COMPONENT] is initially zero-initialized
and later populated in rsnd_dai_of_node(). However, the existing boundary check:
if (i >= RSND_MAX_COMPONENT)
does not guarantee that the last valid element remains zero. As a result,
the loop can rely on component_dais[RSND_MAX_COMPONENT] being zero,
which may lead to an out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 547b02f74e4a ("ASoC: rsnd: enable multi Component support for Audio Graph Card/Card2")
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/20260327103311.459239-1-gerben@altlinux.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/renesas/rcar/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/renesas/rcar/core.c b/sound/soc/renesas/rcar/core.c
index 69fb19964a71d..2dc078358612d 100644
--- a/sound/soc/renesas/rcar/core.c
+++ b/sound/soc/renesas/rcar/core.c
@@ -1974,7 +1974,7 @@ static int rsnd_probe(struct platform_device *pdev)
* asoc register
*/
ci = 0;
- for (i = 0; priv->component_dais[i] > 0; i++) {
+ for (i = 0; i < RSND_MAX_COMPONENT && priv->component_dais[i] > 0; i++) {
int nr = priv->component_dais[i];
ret = devm_snd_soc_register_component(dev, &rsnd_soc_component,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 305/957] PCI: Enable AtomicOps only if Root Port supports them
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 304/957] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 306/957] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
` (657 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Schmidt, Gerd Bayer,
Bjorn Helgaas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gerd Bayer <gbayer@linux.ibm.com>
[ Upstream commit 1ae8c4ce157037e266184064a182af9ef9af278b ]
When inspecting the config space of a Connect-X physical function in an
s390 system after it was initialized by the mlx5_core device driver, we
found the function to be enabled to request AtomicOps despite the Root Port
lacking support for completing them:
00:00.1 Ethernet controller: Mellanox Technologies MT2894 Family [ConnectX-6 Lx]
Subsystem: Mellanox Technologies Device 0002
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-
AtomicOpsCtl: ReqEn+
On s390 and many virtualized guests, the Endpoint is visible but the Root
Port is not. In this case, pci_enable_atomic_ops_to_root() previously
enabled AtomicOps in the Endpoint even though it can't tell whether the
Root Port supports them as a completer.
Change pci_enable_atomic_ops_to_root() to fail if there's no Root Port or
the Root Port doesn't support AtomicOps.
Fixes: 430a23689dea ("PCI: Add pci_enable_atomic_ops_to_root()")
Reported-by: Alexander Schmidt <alexs@linux.ibm.com>
Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
[bhelgaas: commit log, check RP first to simplify flow]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20260330-fix_pciatops-v7-2-f601818417e8@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci.c | 41 ++++++++++++++++++++---------------------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index a62ed5560c68f..0b6a23405f167 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -3818,8 +3818,7 @@ int pci_rebar_set_size(struct pci_dev *pdev, int bar, int size)
*/
int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask)
{
- struct pci_bus *bus = dev->bus;
- struct pci_dev *bridge;
+ struct pci_dev *root, *bridge;
u32 cap, ctl2;
/*
@@ -3849,35 +3848,35 @@ int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask)
return -EINVAL;
}
- while (bus->parent) {
- bridge = bus->self;
+ root = pcie_find_root_port(dev);
+ if (!root)
+ return -EINVAL;
- pcie_capability_read_dword(bridge, PCI_EXP_DEVCAP2, &cap);
+ pcie_capability_read_dword(root, PCI_EXP_DEVCAP2, &cap);
+ if ((cap & cap_mask) != cap_mask)
+ return -EINVAL;
+ bridge = pci_upstream_bridge(dev);
+ while (bridge != root) {
switch (pci_pcie_type(bridge)) {
- /* Ensure switch ports support AtomicOp routing */
case PCI_EXP_TYPE_UPSTREAM:
- case PCI_EXP_TYPE_DOWNSTREAM:
- if (!(cap & PCI_EXP_DEVCAP2_ATOMIC_ROUTE))
- return -EINVAL;
- break;
-
- /* Ensure root port supports all the sizes we care about */
- case PCI_EXP_TYPE_ROOT_PORT:
- if ((cap & cap_mask) != cap_mask)
- return -EINVAL;
- break;
- }
-
- /* Ensure upstream ports don't block AtomicOps on egress */
- if (pci_pcie_type(bridge) == PCI_EXP_TYPE_UPSTREAM) {
+ /* Upstream ports must not block AtomicOps on egress */
pcie_capability_read_dword(bridge, PCI_EXP_DEVCTL2,
&ctl2);
if (ctl2 & PCI_EXP_DEVCTL2_ATOMIC_EGRESS_BLOCK)
return -EINVAL;
+ fallthrough;
+
+ /* All switch ports need to route AtomicOps */
+ case PCI_EXP_TYPE_DOWNSTREAM:
+ pcie_capability_read_dword(bridge, PCI_EXP_DEVCAP2,
+ &cap);
+ if (!(cap & PCI_EXP_DEVCAP2_ATOMIC_ROUTE))
+ return -EINVAL;
+ break;
}
- bus = bus->parent;
+ bridge = pci_upstream_bridge(bridge);
}
pcie_capability_set_word(dev, PCI_EXP_DEVCTL2,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 306/957] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 305/957] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 307/957] gpu: nova-core: register: use field type for Into implementation Greg Kroah-Hartman
` (656 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, Manivannan Sadhasivam,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 5573c44cb3fd01a9f62d569ae9ac870ef5f0e0ba ]
In mtk_pcie_setup_irq(), the IRQ domains are allocated before the
controller's IRQ is fetched. If the latter fails, the function
directly returns an error, without cleaning up the allocated domains.
Hence, reverse the order so that the IRQ domains are allocated after the
controller's IRQ is found.
This was flagged by Sashiko during a review of "[PATCH v6 0/7] PCI:
mediatek-gen3: add power control support".
Fixes: 814cceebba9b ("PCI: mediatek-gen3: Add INTx support")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://sashiko.dev/#/patchset/20260324052002.4072430-1-wenst%40chromium.org
Link: https://patch.msgid.link/20260324093542.18523-1-wenst@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-mediatek-gen3.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/controller/pcie-mediatek-gen3.c b/drivers/pci/controller/pcie-mediatek-gen3.c
index 75ddb8bee168f..e45c43ccc84c2 100644
--- a/drivers/pci/controller/pcie-mediatek-gen3.c
+++ b/drivers/pci/controller/pcie-mediatek-gen3.c
@@ -851,14 +851,14 @@ static int mtk_pcie_setup_irq(struct mtk_gen3_pcie *pcie)
struct platform_device *pdev = to_platform_device(dev);
int err;
- err = mtk_pcie_init_irq_domains(pcie);
- if (err)
- return err;
-
pcie->irq = platform_get_irq(pdev, 0);
if (pcie->irq < 0)
return pcie->irq;
+ err = mtk_pcie_init_irq_domains(pcie);
+ if (err)
+ return err;
+
irq_set_chained_handler_and_data(pcie->irq, mtk_pcie_irq_handler, pcie);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 307/957] gpu: nova-core: register: use field type for Into implementation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 306/957] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 308/957] gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro Greg Kroah-Hartman
` (655 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edwin Peer, Joel Fernandes,
Alexandre Courbot, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Courbot <acourbot@nvidia.com>
[ Upstream commit 3f674dc4ef1b3783f9d8dae33b46bf50eaac7c79 ]
The getter method of a field works with the field type, but its setter
expects the type of the register. This leads to an asymmetry in the
From/Into implementations required for a field with a dedicated type.
For instance, a field declared as
pub struct ControlReg(u32) {
3:0 mode as u8 ?=> Mode;
...
}
currently requires the following implementations:
impl TryFrom<u8> for Mode {
...
}
impl From<Mode> for u32 {
...
}
Change this so the `From<Mode>` now needs to be implemented for `u8`,
i.e. the primitive type of the field. This is more consistent, and will
become a requirement once we start using the TryFrom/Into derive macros
to implement these automatically.
Reported-by: Edwin Peer <epeer@nvidia.com>
Closes: https://lore.kernel.org/rust-for-linux/F3853912-2C1C-4F9B-89B0-3168689F35B3@nvidia.com/
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Message-ID: <20251016151323.1201196-2-joelagnelf@nvidia.com>
Stable-dep-of: de0aca13509b ("gpu: nova-core: bitfield: fix broken Default implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/nova-core/falcon.rs | 38 ++++++++++++++++++++--------
drivers/gpu/nova-core/regs/macros.rs | 10 ++++----
2 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/nova-core/falcon.rs b/drivers/gpu/nova-core/falcon.rs
index 37e6298195e49..3f505b8706011 100644
--- a/drivers/gpu/nova-core/falcon.rs
+++ b/drivers/gpu/nova-core/falcon.rs
@@ -22,11 +22,11 @@ mod hal;
pub(crate) mod sec2;
// TODO[FPRI]: Replace with `ToPrimitive`.
-macro_rules! impl_from_enum_to_u32 {
+macro_rules! impl_from_enum_to_u8 {
($enum_type:ty) => {
- impl From<$enum_type> for u32 {
+ impl From<$enum_type> for u8 {
fn from(value: $enum_type) -> Self {
- value as u32
+ value as u8
}
}
};
@@ -46,7 +46,7 @@ pub(crate) enum FalconCoreRev {
Rev6 = 6,
Rev7 = 7,
}
-impl_from_enum_to_u32!(FalconCoreRev);
+impl_from_enum_to_u8!(FalconCoreRev);
// TODO[FPRI]: replace with `FromPrimitive`.
impl TryFrom<u8> for FalconCoreRev {
@@ -81,7 +81,7 @@ pub(crate) enum FalconCoreRevSubversion {
Subversion2 = 2,
Subversion3 = 3,
}
-impl_from_enum_to_u32!(FalconCoreRevSubversion);
+impl_from_enum_to_u8!(FalconCoreRevSubversion);
// TODO[FPRI]: replace with `FromPrimitive`.
impl TryFrom<u8> for FalconCoreRevSubversion {
@@ -125,7 +125,7 @@ pub(crate) enum FalconSecurityModel {
/// Also known as High-Secure, Privilege Level 3 or PL3.
Heavy = 3,
}
-impl_from_enum_to_u32!(FalconSecurityModel);
+impl_from_enum_to_u8!(FalconSecurityModel);
// TODO[FPRI]: replace with `FromPrimitive`.
impl TryFrom<u8> for FalconSecurityModel {
@@ -157,7 +157,7 @@ pub(crate) enum FalconModSelAlgo {
#[default]
Rsa3k = 1,
}
-impl_from_enum_to_u32!(FalconModSelAlgo);
+impl_from_enum_to_u8!(FalconModSelAlgo);
// TODO[FPRI]: replace with `FromPrimitive`.
impl TryFrom<u8> for FalconModSelAlgo {
@@ -179,7 +179,7 @@ pub(crate) enum DmaTrfCmdSize {
#[default]
Size256B = 0x6,
}
-impl_from_enum_to_u32!(DmaTrfCmdSize);
+impl_from_enum_to_u8!(DmaTrfCmdSize);
// TODO[FPRI]: replace with `FromPrimitive`.
impl TryFrom<u8> for DmaTrfCmdSize {
@@ -202,7 +202,6 @@ pub(crate) enum PeregrineCoreSelect {
/// RISC-V core is active.
Riscv = 1,
}
-impl_from_enum_to_u32!(PeregrineCoreSelect);
impl From<bool> for PeregrineCoreSelect {
fn from(value: bool) -> Self {
@@ -213,6 +212,15 @@ impl From<bool> for PeregrineCoreSelect {
}
}
+impl From<PeregrineCoreSelect> for bool {
+ fn from(value: PeregrineCoreSelect) -> Self {
+ match value {
+ PeregrineCoreSelect::Falcon => false,
+ PeregrineCoreSelect::Riscv => true,
+ }
+ }
+}
+
/// Different types of memory present in a falcon core.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub(crate) enum FalconMem {
@@ -236,7 +244,7 @@ pub(crate) enum FalconFbifTarget {
/// Non-coherent system memory (System DRAM).
NoncoherentSysmem = 2,
}
-impl_from_enum_to_u32!(FalconFbifTarget);
+impl_from_enum_to_u8!(FalconFbifTarget);
// TODO[FPRI]: replace with `FromPrimitive`.
impl TryFrom<u8> for FalconFbifTarget {
@@ -263,7 +271,6 @@ pub(crate) enum FalconFbifMemType {
/// Physical memory addresses.
Physical = 1,
}
-impl_from_enum_to_u32!(FalconFbifMemType);
/// Conversion from a single-bit register field.
impl From<bool> for FalconFbifMemType {
@@ -275,6 +282,15 @@ impl From<bool> for FalconFbifMemType {
}
}
+impl From<FalconFbifMemType> for bool {
+ fn from(value: FalconFbifMemType) -> Self {
+ match value {
+ FalconFbifMemType::Virtual => false,
+ FalconFbifMemType::Physical => true,
+ }
+ }
+}
+
/// Type used to represent the `PFALCON` registers address base for a given falcon engine.
pub(crate) struct PFalconBase(());
diff --git a/drivers/gpu/nova-core/regs/macros.rs b/drivers/gpu/nova-core/regs/macros.rs
index 8058e1696df97..1c54a4533822e 100644
--- a/drivers/gpu/nova-core/regs/macros.rs
+++ b/drivers/gpu/nova-core/regs/macros.rs
@@ -482,7 +482,7 @@ macro_rules! register {
register!(
@leaf_accessor $name $hi:$lo $field
{ |f| <$into_type>::from(if f != 0 { true } else { false }) }
- $into_type => $into_type $(, $comment)?;
+ bool $into_type => $into_type $(, $comment)?;
);
};
@@ -499,7 +499,7 @@ macro_rules! register {
$(, $comment:literal)?;
) => {
register!(@leaf_accessor $name $hi:$lo $field
- { |f| <$try_into_type>::try_from(f as $type) } $try_into_type =>
+ { |f| <$try_into_type>::try_from(f as $type) } $type $try_into_type =>
::core::result::Result<
$try_into_type,
<$try_into_type as ::core::convert::TryFrom<$type>>::Error
@@ -513,7 +513,7 @@ macro_rules! register {
$(, $comment:literal)?;
) => {
register!(@leaf_accessor $name $hi:$lo $field
- { |f| <$into_type>::from(f as $type) } $into_type => $into_type $(, $comment)?;);
+ { |f| <$into_type>::from(f as $type) } $type $into_type => $into_type $(, $comment)?;);
};
// Shortcut for non-boolean fields defined without the `=>` or `?=>` syntax.
@@ -527,7 +527,7 @@ macro_rules! register {
// Generates the accessor methods for a single field.
(
@leaf_accessor $name:ident $hi:tt:$lo:tt $field:ident
- { $process:expr } $to_type:ty => $res_type:ty $(, $comment:literal)?;
+ { $process:expr } $prim_type:tt $to_type:ty => $res_type:ty $(, $comment:literal)?;
) => {
::kernel::macros::paste!(
const [<$field:upper _RANGE>]: ::core::ops::RangeInclusive<u8> = $lo..=$hi;
@@ -559,7 +559,7 @@ macro_rules! register {
pub(crate) fn [<set_ $field>](mut self, value: $to_type) -> Self {
const MASK: u32 = $name::[<$field:upper _MASK>];
const SHIFT: u32 = $name::[<$field:upper _SHIFT>];
- let value = (u32::from(value) << SHIFT) & MASK;
+ let value = (u32::from($prim_type::from(value)) << SHIFT) & MASK;
self.0 = (self.0 & !MASK) | value;
self
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 308/957] gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 307/957] gpu: nova-core: register: use field type for Into implementation Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 309/957] gpu: nova-core: bitfield: fix broken Default implementation Greg Kroah-Hartman
` (654 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Elle Rhumsaa, Alexandre Courbot,
Edwin Peer, Joel Fernandes, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Fernandes <joelagnelf@nvidia.com>
[ Upstream commit 71ea85be25b4f54a53ec03d5deaed52f5ee65da8 ]
Move the bitfield-specific code from the register macro into a new macro
called bitfield. This will be used to define structs with bitfields,
similar to C language.
Reviewed-by: Elle Rhumsaa <elle@weathered-steel.dev>
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Reviewed-by: Edwin Peer <epeer@nvidia.com>
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Message-ID: <20251016151323.1201196-3-joelagnelf@nvidia.com>
Stable-dep-of: de0aca13509b ("gpu: nova-core: bitfield: fix broken Default implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/nova-core/bitfield.rs | 319 +++++++++++++++++++++++++++
drivers/gpu/nova-core/nova_core.rs | 3 +
drivers/gpu/nova-core/regs/macros.rs | 259 +---------------------
3 files changed, 332 insertions(+), 249 deletions(-)
create mode 100644 drivers/gpu/nova-core/bitfield.rs
diff --git a/drivers/gpu/nova-core/bitfield.rs b/drivers/gpu/nova-core/bitfield.rs
new file mode 100644
index 0000000000000..fb60800898c55
--- /dev/null
+++ b/drivers/gpu/nova-core/bitfield.rs
@@ -0,0 +1,319 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Bitfield library for Rust structures
+//!
+//! Support for defining bitfields in Rust structures. Also used by the [`register!`] macro.
+
+/// Defines a struct with accessors to access bits within an inner unsigned integer.
+///
+/// # Syntax
+///
+/// ```rust
+/// use nova_core::bitfield;
+///
+/// #[derive(Debug, Clone, Copy, Default)]
+/// enum Mode {
+/// #[default]
+/// Low = 0,
+/// High = 1,
+/// Auto = 2,
+/// }
+///
+/// impl TryFrom<u8> for Mode {
+/// type Error = u8;
+/// fn try_from(value: u8) -> Result<Self, Self::Error> {
+/// match value {
+/// 0 => Ok(Mode::Low),
+/// 1 => Ok(Mode::High),
+/// 2 => Ok(Mode::Auto),
+/// _ => Err(value),
+/// }
+/// }
+/// }
+///
+/// impl From<Mode> for u8 {
+/// fn from(mode: Mode) -> u8 {
+/// mode as u8
+/// }
+/// }
+///
+/// #[derive(Debug, Clone, Copy, Default)]
+/// enum State {
+/// #[default]
+/// Inactive = 0,
+/// Active = 1,
+/// }
+///
+/// impl From<bool> for State {
+/// fn from(value: bool) -> Self {
+/// if value { State::Active } else { State::Inactive }
+/// }
+/// }
+///
+/// impl From<State> for bool {
+/// fn from(state: State) -> bool {
+/// match state {
+/// State::Inactive => false,
+/// State::Active => true,
+/// }
+/// }
+/// }
+///
+/// bitfield! {
+/// struct ControlReg {
+/// 7:7 state as bool => State;
+/// 3:0 mode as u8 ?=> Mode;
+/// }
+/// }
+/// ```
+///
+/// This generates a struct with:
+/// - Field accessors: `mode()`, `state()`, etc.
+/// - Field setters: `set_mode()`, `set_state()`, etc. (supports chaining with builder pattern).
+/// - Debug and Default implementations.
+///
+/// Fields are defined as follows:
+///
+/// - `as <type>` simply returns the field value casted to <type>, typically `u32`, `u16`, `u8` or
+/// `bool`. Note that `bool` fields must have a range of 1 bit.
+/// - `as <type> => <into_type>` calls `<into_type>`'s `From::<<type>>` implementation and returns
+/// the result.
+/// - `as <type> ?=> <try_into_type>` calls `<try_into_type>`'s `TryFrom::<<type>>` implementation
+/// and returns the result. This is useful with fields for which not all values are valid.
+macro_rules! bitfield {
+ // Main entry point - defines the bitfield struct with fields
+ (struct $name:ident $(, $comment:literal)? { $($fields:tt)* }) => {
+ bitfield!(@core $name $(, $comment)? { $($fields)* });
+ };
+
+ // All rules below are helpers.
+
+ // Defines the wrapper `$name` type, as well as its relevant implementations (`Debug`,
+ // `Default`, `BitOr`, and conversion to the value type) and field accessor methods.
+ (@core $name:ident $(, $comment:literal)? { $($fields:tt)* }) => {
+ $(
+ #[doc=$comment]
+ )?
+ #[repr(transparent)]
+ #[derive(Clone, Copy)]
+ pub(crate) struct $name(u32);
+
+ impl ::core::ops::BitOr for $name {
+ type Output = Self;
+
+ fn bitor(self, rhs: Self) -> Self::Output {
+ Self(self.0 | rhs.0)
+ }
+ }
+
+ impl ::core::convert::From<$name> for u32 {
+ fn from(val: $name) -> u32 {
+ val.0
+ }
+ }
+
+ bitfield!(@fields_dispatcher $name { $($fields)* });
+ };
+
+ // Captures the fields and passes them to all the implementers that require field information.
+ //
+ // Used to simplify the matching rules for implementers, so they don't need to match the entire
+ // complex fields rule even though they only make use of part of it.
+ (@fields_dispatcher $name:ident {
+ $($hi:tt:$lo:tt $field:ident as $type:tt
+ $(?=> $try_into_type:ty)?
+ $(=> $into_type:ty)?
+ $(, $comment:literal)?
+ ;
+ )*
+ }
+ ) => {
+ bitfield!(@field_accessors $name {
+ $(
+ $hi:$lo $field as $type
+ $(?=> $try_into_type)?
+ $(=> $into_type)?
+ $(, $comment)?
+ ;
+ )*
+ });
+ bitfield!(@debug $name { $($field;)* });
+ bitfield!(@default $name { $($field;)* });
+ };
+
+ // Defines all the field getter/setter methods for `$name`.
+ (
+ @field_accessors $name:ident {
+ $($hi:tt:$lo:tt $field:ident as $type:tt
+ $(?=> $try_into_type:ty)?
+ $(=> $into_type:ty)?
+ $(, $comment:literal)?
+ ;
+ )*
+ }
+ ) => {
+ $(
+ bitfield!(@check_field_bounds $hi:$lo $field as $type);
+ )*
+
+ #[allow(dead_code)]
+ impl $name {
+ $(
+ bitfield!(@field_accessor $name $hi:$lo $field as $type
+ $(?=> $try_into_type)?
+ $(=> $into_type)?
+ $(, $comment)?
+ ;
+ );
+ )*
+ }
+ };
+
+ // Boolean fields must have `$hi == $lo`.
+ (@check_field_bounds $hi:tt:$lo:tt $field:ident as bool) => {
+ #[allow(clippy::eq_op)]
+ const _: () = {
+ ::kernel::build_assert!(
+ $hi == $lo,
+ concat!("boolean field `", stringify!($field), "` covers more than one bit")
+ );
+ };
+ };
+
+ // Non-boolean fields must have `$hi >= $lo`.
+ (@check_field_bounds $hi:tt:$lo:tt $field:ident as $type:tt) => {
+ #[allow(clippy::eq_op)]
+ const _: () = {
+ ::kernel::build_assert!(
+ $hi >= $lo,
+ concat!("field `", stringify!($field), "`'s MSB is smaller than its LSB")
+ );
+ };
+ };
+
+ // Catches fields defined as `bool` and convert them into a boolean value.
+ (
+ @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as bool => $into_type:ty
+ $(, $comment:literal)?;
+ ) => {
+ bitfield!(
+ @leaf_accessor $name $hi:$lo $field
+ { |f| <$into_type>::from(if f != 0 { true } else { false }) }
+ bool $into_type => $into_type $(, $comment)?;
+ );
+ };
+
+ // Shortcut for fields defined as `bool` without the `=>` syntax.
+ (
+ @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as bool $(, $comment:literal)?;
+ ) => {
+ bitfield!(@field_accessor $name $hi:$lo $field as bool => bool $(, $comment)?;);
+ };
+
+ // Catches the `?=>` syntax for non-boolean fields.
+ (
+ @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as $type:tt ?=> $try_into_type:ty
+ $(, $comment:literal)?;
+ ) => {
+ bitfield!(@leaf_accessor $name $hi:$lo $field
+ { |f| <$try_into_type>::try_from(f as $type) } $type $try_into_type =>
+ ::core::result::Result<
+ $try_into_type,
+ <$try_into_type as ::core::convert::TryFrom<$type>>::Error
+ >
+ $(, $comment)?;);
+ };
+
+ // Catches the `=>` syntax for non-boolean fields.
+ (
+ @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as $type:tt => $into_type:ty
+ $(, $comment:literal)?;
+ ) => {
+ bitfield!(@leaf_accessor $name $hi:$lo $field
+ { |f| <$into_type>::from(f as $type) } $type $into_type => $into_type $(, $comment)?;);
+ };
+
+ // Shortcut for non-boolean fields defined without the `=>` or `?=>` syntax.
+ (
+ @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as $type:tt
+ $(, $comment:literal)?;
+ ) => {
+ bitfield!(@field_accessor $name $hi:$lo $field as $type => $type $(, $comment)?;);
+ };
+
+ // Generates the accessor methods for a single field.
+ (
+ @leaf_accessor $name:ident $hi:tt:$lo:tt $field:ident
+ { $process:expr } $prim_type:tt $to_type:ty => $res_type:ty $(, $comment:literal)?;
+ ) => {
+ ::kernel::macros::paste!(
+ const [<$field:upper _RANGE>]: ::core::ops::RangeInclusive<u8> = $lo..=$hi;
+ const [<$field:upper _MASK>]: u32 = ((((1 << $hi) - 1) << 1) + 1) - ((1 << $lo) - 1);
+ const [<$field:upper _SHIFT>]: u32 = Self::[<$field:upper _MASK>].trailing_zeros();
+ );
+
+ $(
+ #[doc="Returns the value of this field:"]
+ #[doc=$comment]
+ )?
+ #[inline(always)]
+ pub(crate) fn $field(self) -> $res_type {
+ ::kernel::macros::paste!(
+ const MASK: u32 = $name::[<$field:upper _MASK>];
+ const SHIFT: u32 = $name::[<$field:upper _SHIFT>];
+ );
+ let field = ((self.0 & MASK) >> SHIFT);
+
+ $process(field)
+ }
+
+ ::kernel::macros::paste!(
+ $(
+ #[doc="Sets the value of this field:"]
+ #[doc=$comment]
+ )?
+ #[inline(always)]
+ pub(crate) fn [<set_ $field>](mut self, value: $to_type) -> Self {
+ const MASK: u32 = $name::[<$field:upper _MASK>];
+ const SHIFT: u32 = $name::[<$field:upper _SHIFT>];
+ let value = (u32::from($prim_type::from(value)) << SHIFT) & MASK;
+ self.0 = (self.0 & !MASK) | value;
+
+ self
+ }
+ );
+ };
+
+ // Generates the `Debug` implementation for `$name`.
+ (@debug $name:ident { $($field:ident;)* }) => {
+ impl ::kernel::fmt::Debug for $name {
+ fn fmt(&self, f: &mut ::kernel::fmt::Formatter<'_>) -> ::kernel::fmt::Result {
+ f.debug_struct(stringify!($name))
+ .field("<raw>", &::kernel::prelude::fmt!("{:#x}", &self.0))
+ $(
+ .field(stringify!($field), &self.$field())
+ )*
+ .finish()
+ }
+ }
+ };
+
+ // Generates the `Default` implementation for `$name`.
+ (@default $name:ident { $($field:ident;)* }) => {
+ /// Returns a value for the bitfield where all fields are set to their default value.
+ impl ::core::default::Default for $name {
+ fn default() -> Self {
+ #[allow(unused_mut)]
+ let mut value = Self(Default::default());
+
+ ::kernel::macros::paste!(
+ $(
+ value.[<set_ $field>](Default::default());
+ )*
+ );
+
+ value
+ }
+ }
+ };
+}
diff --git a/drivers/gpu/nova-core/nova_core.rs b/drivers/gpu/nova-core/nova_core.rs
index fffcaee2249fe..112277c7921eb 100644
--- a/drivers/gpu/nova-core/nova_core.rs
+++ b/drivers/gpu/nova-core/nova_core.rs
@@ -2,6 +2,9 @@
//! Nova Core GPU Driver
+#[macro_use]
+mod bitfield;
+
mod dma;
mod driver;
mod falcon;
diff --git a/drivers/gpu/nova-core/regs/macros.rs b/drivers/gpu/nova-core/regs/macros.rs
index 1c54a4533822e..945d15a2c529d 100644
--- a/drivers/gpu/nova-core/regs/macros.rs
+++ b/drivers/gpu/nova-core/regs/macros.rs
@@ -8,7 +8,8 @@
//!
//! The `register!` macro in this module provides an intuitive and readable syntax for defining a
//! dedicated type for each register. Each such type comes with its own field accessors that can
-//! return an error if a field's value is invalid.
+//! return an error if a field's value is invalid. Please look at the [`bitfield`] macro for the
+//! complete syntax of fields definitions.
/// Trait providing a base address to be added to the offset of a relative register to obtain
/// its actual offset.
@@ -54,15 +55,6 @@ pub(crate) trait RegisterBase<T> {
/// BOOT_0::alter(&bar, |r| r.set_major_revision(3).set_minor_revision(10));
/// ```
///
-/// Fields are defined as follows:
-///
-/// - `as <type>` simply returns the field value casted to <type>, typically `u32`, `u16`, `u8` or
-/// `bool`. Note that `bool` fields must have a range of 1 bit.
-/// - `as <type> => <into_type>` calls `<into_type>`'s `From::<<type>>` implementation and returns
-/// the result.
-/// - `as <type> ?=> <try_into_type>` calls `<try_into_type>`'s `TryFrom::<<type>>` implementation
-/// and returns the result. This is useful with fields for which not all values are valid.
-///
/// The documentation strings are optional. If present, they will be added to the type's
/// definition, or the field getter and setter methods they are attached to.
///
@@ -284,25 +276,25 @@ pub(crate) trait RegisterBase<T> {
macro_rules! register {
// Creates a register at a fixed offset of the MMIO space.
($name:ident @ $offset:literal $(, $comment:literal)? { $($fields:tt)* } ) => {
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_fixed $name @ $offset);
};
// Creates an alias register of fixed offset register `alias` with its own fields.
($name:ident => $alias:ident $(, $comment:literal)? { $($fields:tt)* } ) => {
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_fixed $name @ $alias::OFFSET);
};
// Creates a register at a relative offset from a base address provider.
($name:ident @ $base:ty [ $offset:literal ] $(, $comment:literal)? { $($fields:tt)* } ) => {
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_relative $name @ $base [ $offset ]);
};
// Creates an alias register of relative offset register `alias` with its own fields.
($name:ident => $base:ty [ $alias:ident ] $(, $comment:literal)? { $($fields:tt)* }) => {
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_relative $name @ $base [ $alias::OFFSET ]);
};
@@ -313,7 +305,7 @@ macro_rules! register {
}
) => {
static_assert!(::core::mem::size_of::<u32>() <= $stride);
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_array $name @ $offset [ $size ; $stride ]);
};
@@ -334,7 +326,7 @@ macro_rules! register {
$(, $comment:literal)? { $($fields:tt)* }
) => {
static_assert!(::core::mem::size_of::<u32>() <= $stride);
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_relative_array $name @ $base [ $offset [ $size ; $stride ] ]);
};
@@ -356,7 +348,7 @@ macro_rules! register {
}
) => {
static_assert!($idx < $alias::SIZE);
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_relative $name @ $base [ $alias::OFFSET + $idx * $alias::STRIDE ] );
};
@@ -365,241 +357,10 @@ macro_rules! register {
// to avoid it being interpreted in place of the relative register array alias rule.
($name:ident => $alias:ident [ $idx:expr ] $(, $comment:literal)? { $($fields:tt)* }) => {
static_assert!($idx < $alias::SIZE);
- register!(@core $name $(, $comment)? { $($fields)* } );
+ bitfield!(struct $name $(, $comment)? { $($fields)* } );
register!(@io_fixed $name @ $alias::OFFSET + $idx * $alias::STRIDE );
};
- // All rules below are helpers.
-
- // Defines the wrapper `$name` type, as well as its relevant implementations (`Debug`,
- // `Default`, `BitOr`, and conversion to the value type) and field accessor methods.
- (@core $name:ident $(, $comment:literal)? { $($fields:tt)* }) => {
- $(
- #[doc=$comment]
- )?
- #[repr(transparent)]
- #[derive(Clone, Copy)]
- pub(crate) struct $name(u32);
-
- impl ::core::ops::BitOr for $name {
- type Output = Self;
-
- fn bitor(self, rhs: Self) -> Self::Output {
- Self(self.0 | rhs.0)
- }
- }
-
- impl ::core::convert::From<$name> for u32 {
- fn from(reg: $name) -> u32 {
- reg.0
- }
- }
-
- register!(@fields_dispatcher $name { $($fields)* });
- };
-
- // Captures the fields and passes them to all the implementers that require field information.
- //
- // Used to simplify the matching rules for implementers, so they don't need to match the entire
- // complex fields rule even though they only make use of part of it.
- (@fields_dispatcher $name:ident {
- $($hi:tt:$lo:tt $field:ident as $type:tt
- $(?=> $try_into_type:ty)?
- $(=> $into_type:ty)?
- $(, $comment:literal)?
- ;
- )*
- }
- ) => {
- register!(@field_accessors $name {
- $(
- $hi:$lo $field as $type
- $(?=> $try_into_type)?
- $(=> $into_type)?
- $(, $comment)?
- ;
- )*
- });
- register!(@debug $name { $($field;)* });
- register!(@default $name { $($field;)* });
- };
-
- // Defines all the field getter/methods methods for `$name`.
- (
- @field_accessors $name:ident {
- $($hi:tt:$lo:tt $field:ident as $type:tt
- $(?=> $try_into_type:ty)?
- $(=> $into_type:ty)?
- $(, $comment:literal)?
- ;
- )*
- }
- ) => {
- $(
- register!(@check_field_bounds $hi:$lo $field as $type);
- )*
-
- #[allow(dead_code)]
- impl $name {
- $(
- register!(@field_accessor $name $hi:$lo $field as $type
- $(?=> $try_into_type)?
- $(=> $into_type)?
- $(, $comment)?
- ;
- );
- )*
- }
- };
-
- // Boolean fields must have `$hi == $lo`.
- (@check_field_bounds $hi:tt:$lo:tt $field:ident as bool) => {
- #[allow(clippy::eq_op)]
- const _: () = {
- ::kernel::build_assert!(
- $hi == $lo,
- concat!("boolean field `", stringify!($field), "` covers more than one bit")
- );
- };
- };
-
- // Non-boolean fields must have `$hi >= $lo`.
- (@check_field_bounds $hi:tt:$lo:tt $field:ident as $type:tt) => {
- #[allow(clippy::eq_op)]
- const _: () = {
- ::kernel::build_assert!(
- $hi >= $lo,
- concat!("field `", stringify!($field), "`'s MSB is smaller than its LSB")
- );
- };
- };
-
- // Catches fields defined as `bool` and convert them into a boolean value.
- (
- @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as bool => $into_type:ty
- $(, $comment:literal)?;
- ) => {
- register!(
- @leaf_accessor $name $hi:$lo $field
- { |f| <$into_type>::from(if f != 0 { true } else { false }) }
- bool $into_type => $into_type $(, $comment)?;
- );
- };
-
- // Shortcut for fields defined as `bool` without the `=>` syntax.
- (
- @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as bool $(, $comment:literal)?;
- ) => {
- register!(@field_accessor $name $hi:$lo $field as bool => bool $(, $comment)?;);
- };
-
- // Catches the `?=>` syntax for non-boolean fields.
- (
- @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as $type:tt ?=> $try_into_type:ty
- $(, $comment:literal)?;
- ) => {
- register!(@leaf_accessor $name $hi:$lo $field
- { |f| <$try_into_type>::try_from(f as $type) } $type $try_into_type =>
- ::core::result::Result<
- $try_into_type,
- <$try_into_type as ::core::convert::TryFrom<$type>>::Error
- >
- $(, $comment)?;);
- };
-
- // Catches the `=>` syntax for non-boolean fields.
- (
- @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as $type:tt => $into_type:ty
- $(, $comment:literal)?;
- ) => {
- register!(@leaf_accessor $name $hi:$lo $field
- { |f| <$into_type>::from(f as $type) } $type $into_type => $into_type $(, $comment)?;);
- };
-
- // Shortcut for non-boolean fields defined without the `=>` or `?=>` syntax.
- (
- @field_accessor $name:ident $hi:tt:$lo:tt $field:ident as $type:tt
- $(, $comment:literal)?;
- ) => {
- register!(@field_accessor $name $hi:$lo $field as $type => $type $(, $comment)?;);
- };
-
- // Generates the accessor methods for a single field.
- (
- @leaf_accessor $name:ident $hi:tt:$lo:tt $field:ident
- { $process:expr } $prim_type:tt $to_type:ty => $res_type:ty $(, $comment:literal)?;
- ) => {
- ::kernel::macros::paste!(
- const [<$field:upper _RANGE>]: ::core::ops::RangeInclusive<u8> = $lo..=$hi;
- const [<$field:upper _MASK>]: u32 = ((((1 << $hi) - 1) << 1) + 1) - ((1 << $lo) - 1);
- const [<$field:upper _SHIFT>]: u32 = Self::[<$field:upper _MASK>].trailing_zeros();
- );
-
- $(
- #[doc="Returns the value of this field:"]
- #[doc=$comment]
- )?
- #[inline(always)]
- pub(crate) fn $field(self) -> $res_type {
- ::kernel::macros::paste!(
- const MASK: u32 = $name::[<$field:upper _MASK>];
- const SHIFT: u32 = $name::[<$field:upper _SHIFT>];
- );
- let field = ((self.0 & MASK) >> SHIFT);
-
- $process(field)
- }
-
- ::kernel::macros::paste!(
- $(
- #[doc="Sets the value of this field:"]
- #[doc=$comment]
- )?
- #[inline(always)]
- pub(crate) fn [<set_ $field>](mut self, value: $to_type) -> Self {
- const MASK: u32 = $name::[<$field:upper _MASK>];
- const SHIFT: u32 = $name::[<$field:upper _SHIFT>];
- let value = (u32::from($prim_type::from(value)) << SHIFT) & MASK;
- self.0 = (self.0 & !MASK) | value;
-
- self
- }
- );
- };
-
- // Generates the `Debug` implementation for `$name`.
- (@debug $name:ident { $($field:ident;)* }) => {
- impl ::kernel::fmt::Debug for $name {
- fn fmt(&self, f: &mut ::kernel::fmt::Formatter<'_>) -> ::kernel::fmt::Result {
- f.debug_struct(stringify!($name))
- .field("<raw>", &::kernel::prelude::fmt!("{:#x}", &self.0))
- $(
- .field(stringify!($field), &self.$field())
- )*
- .finish()
- }
- }
- };
-
- // Generates the `Default` implementation for `$name`.
- (@default $name:ident { $($field:ident;)* }) => {
- /// Returns a value for the register where all fields are set to their default value.
- impl ::core::default::Default for $name {
- fn default() -> Self {
- #[allow(unused_mut)]
- let mut value = Self(Default::default());
-
- ::kernel::macros::paste!(
- $(
- value.[<set_ $field>](Default::default());
- )*
- );
-
- value
- }
- }
- };
-
// Generates the IO accessors for a fixed offset register.
(@io_fixed $name:ident @ $offset:expr) => {
#[allow(dead_code)]
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 309/957] gpu: nova-core: bitfield: fix broken Default implementation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 308/957] gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 310/957] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
` (653 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eliot Courtney, Danilo Krummrich,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eliot Courtney <ecourtney@nvidia.com>
[ Upstream commit de0aca13509bf47a2d49bc7a26d56079c758c95f ]
The current implementation does not actually set the default values for
the fields in the bitfield.
Fixes: 3fa145bef533 ("gpu: nova-core: register: generate correct `Default` implementation")
Signed-off-by: Eliot Courtney <ecourtney@nvidia.com>
Link: https://patch.msgid.link/20260401-fix-bitfield-v2-1-2fa68c98114a@nvidia.com
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/nova-core/bitfield.rs | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/nova-core/bitfield.rs b/drivers/gpu/nova-core/bitfield.rs
index fb60800898c55..1d4931c251bf4 100644
--- a/drivers/gpu/nova-core/bitfield.rs
+++ b/drivers/gpu/nova-core/bitfield.rs
@@ -303,12 +303,11 @@ macro_rules! bitfield {
/// Returns a value for the bitfield where all fields are set to their default value.
impl ::core::default::Default for $name {
fn default() -> Self {
- #[allow(unused_mut)]
- let mut value = Self(Default::default());
+ let value = Self(Default::default());
::kernel::macros::paste!(
$(
- value.[<set_ $field>](Default::default());
+ let value = value.[<set_ $field>](Default::default());
)*
);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 310/957] selftests/mm: skip migration tests if NUMA is unavailable
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 309/957] gpu: nova-core: bitfield: fix broken Default implementation Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 311/957] kho: make debugfs interface optional Greg Kroah-Hartman
` (652 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AnishMulay, SeongJae Park, Dev Jain,
Anshuman Khandual, Sayali Patil, David Hildenbrand (Arm),
Liam Howlett, Lorenzo Stoakes, Michal Hocko, Mike Rapoport,
Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: AnishMulay <anishm7030@gmail.com>
[ Upstream commit 54218f10dfbe88c8e41c744fd45a756cde60b8c4 ]
Currently, the migration test asserts that numa_available() returns 0. On
systems where NUMA is not available (returning -1), such as certain ARM64
configurations or single-node systems, this assertion fails and crashes
the test.
Update the test to check the return value of numa_available(). If it is
less than 0, skip the test gracefully instead of failing.
This aligns the behavior with other MM selftests (like rmap) that skip
when NUMA support is missing.
Link: https://lkml.kernel.org/r/20260218163941.13499-1-anishm7030@gmail.com
Fixes: 0c2d08728470 ("mm: add selftests for migration entries")
Signed-off-by: AnishMulay <anishm7030@gmail.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Tested-by: Sayali Patil <sayalip@linux.ibm.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/mm/migration.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/mm/migration.c b/tools/testing/selftests/mm/migration.c
index ea945eebec2f6..aa556c708d6bc 100644
--- a/tools/testing/selftests/mm/migration.c
+++ b/tools/testing/selftests/mm/migration.c
@@ -36,7 +36,8 @@ FIXTURE_SETUP(migration)
{
int n;
- ASSERT_EQ(numa_available(), 0);
+ if (numa_available() < 0)
+ SKIP(return, "NUMA not available");
self->nthreads = numa_num_task_cpus() - 1;
self->n1 = -1;
self->n2 = -1;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 311/957] kho: make debugfs interface optional
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 310/957] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 312/957] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
` (651 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
Pasha Tatashin, Pratyush Yadav, Alexander Graf, Christian Brauner,
Jason Gunthorpe, Jonathan Corbet, Masahiro Yamada, Miguel Ojeda,
Randy Dunlap, Tejun Heo, Changyuan Lyu, Jason Gunthorpe,
Simon Horman, Zhu Yanjun, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pasha Tatashin <pasha.tatashin@soleen.com>
[ Upstream commit 03d3963464a43654703938a66503cd686c5fc54e ]
Patch series "liveupdate: Rework KHO for in-kernel users", v9.
This series refactors the KHO framework to better support in-kernel users
like the upcoming LUO. The current design, which relies on a notifier
chain and debugfs for control, is too restrictive for direct programmatic
use.
The core of this rework is the removal of the notifier chain in favor of a
direct registration API. This decouples clients from the shutdown-time
finalization sequence, allowing them to manage their preserved state more
flexibly and at any time.
In support of this new model, this series also:
- Makes the debugfs interface optional.
- Introduces APIs to unpreserve memory and fixes a bug in the abort
path where client state was being incorrectly discarded. Note that
this is an interim step, as a more comprehensive fix is planned as
part of the stateless KHO work [1].
- Moves all KHO code into a new kernel/liveupdate/ directory to
consolidate live update components.
This patch (of 9):
Currently, KHO is controlled via debugfs interface, but once LUO is
introduced, it can control KHO, and the debug interface becomes optional.
Add a separate config CONFIG_KEXEC_HANDOVER_DEBUGFS that enables the
debugfs interface, and allows to inspect the tree.
Move all debugfs related code to a new file to keep the .c files clear of
ifdefs.
Link: https://lkml.kernel.org/r/20251101142325.1326536-1-pasha.tatashin@soleen.com
Link: https://lkml.kernel.org/r/20251101142325.1326536-2-pasha.tatashin@soleen.com
Link: https://lore.kernel.org/all/20251020100306.2709352-1-jasonmiu@google.com [1]
Co-developed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Cc: Alexander Graf <graf@amazon.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Changyuan Lyu <changyuanl@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Simon Horman <horms@kernel.org>
Cc: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 019fc3687237 ("kho: fix KASAN support for restored vmalloc regions")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
MAINTAINERS | 2 +-
kernel/Kconfig.kexec | 12 +-
kernel/Makefile | 1 +
kernel/kexec_handover.c | 269 +++++---------------------
kernel/kexec_handover_debugfs.c | 216 +++++++++++++++++++++
kernel/kexec_handover_internal.h | 35 ++++
tools/testing/selftests/kho/vmtest.sh | 1 +
7 files changed, 314 insertions(+), 222 deletions(-)
create mode 100644 kernel/kexec_handover_debugfs.c
diff --git a/MAINTAINERS b/MAINTAINERS
index e8f06145fb54c..554e881b05bea 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -13798,7 +13798,7 @@ S: Maintained
F: Documentation/admin-guide/mm/kho.rst
F: Documentation/core-api/kho/*
F: include/linux/kexec_handover.h
-F: kernel/kexec_handover.c
+F: kernel/kexec_handover*
F: lib/test_kho.c
F: tools/testing/selftests/kho/
diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec
index 54e5810726176..cc6743137946f 100644
--- a/kernel/Kconfig.kexec
+++ b/kernel/Kconfig.kexec
@@ -100,7 +100,6 @@ config KEXEC_HANDOVER
depends on !DEFERRED_STRUCT_PAGE_INIT
select MEMBLOCK_KHO_SCRATCH
select KEXEC_FILE
- select DEBUG_FS
select LIBFDT
select CMA
help
@@ -118,6 +117,17 @@ config KEXEC_HANDOVER_DEBUG
scenarios and the extra code might be adding overhead it is
only optionally enabled.
+config KEXEC_HANDOVER_DEBUGFS
+ bool "kexec handover debugfs interface"
+ default KEXEC_HANDOVER
+ depends on KEXEC_HANDOVER
+ select DEBUG_FS
+ help
+ Allow to control kexec handover device tree via debugfs
+ interface, i.e. finalize the state or aborting the finalization.
+ Also, enables inspecting the KHO fdt trees with the debugfs binary
+ blobs.
+
config CRASH_DUMP
bool "kernel crash dumps"
default ARCH_DEFAULT_CRASH_DUMP
diff --git a/kernel/Makefile b/kernel/Makefile
index 9fe722305c9be..2cf7909a74e56 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -84,6 +84,7 @@ obj-$(CONFIG_KEXEC_FILE) += kexec_file.o
obj-$(CONFIG_KEXEC_ELF) += kexec_elf.o
obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o
obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o
+obj-$(CONFIG_KEXEC_HANDOVER_DEBUGFS) += kexec_handover_debugfs.o
obj-$(CONFIG_BACKTRACE_SELF_TEST) += backtracetest.o
obj-$(CONFIG_COMPAT) += compat.o
obj-$(CONFIG_CGROUPS) += cgroup/
diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c
index 2da4bd994322f..c13b99f7c9891 100644
--- a/kernel/kexec_handover.c
+++ b/kernel/kexec_handover.c
@@ -11,7 +11,6 @@
#include <linux/cleanup.h>
#include <linux/cma.h>
#include <linux/count_zeros.h>
-#include <linux/debugfs.h>
#include <linux/kexec.h>
#include <linux/kexec_handover.h>
#include <linux/libfdt.h>
@@ -30,6 +29,7 @@
*/
#include "../mm/internal.h"
#include "kexec_internal.h"
+#include "kexec_handover_internal.h"
#define KHO_FDT_COMPATIBLE "kho-v1"
#define PROP_PRESERVED_MEMORY_MAP "preserved-memory-map"
@@ -105,8 +105,6 @@ struct khoser_mem_chunk;
struct kho_serialization {
struct page *fdt;
- struct list_head fdt_list;
- struct dentry *sub_fdt_dir;
struct kho_mem_track track;
/* First chunk of serialized preserved memory map */
struct khoser_mem_chunk *preserved_mem_map;
@@ -114,20 +112,16 @@ struct kho_serialization {
struct kho_out {
struct blocking_notifier_head chain_head;
-
- struct dentry *dir;
-
struct mutex lock; /* protects KHO FDT finalization */
-
struct kho_serialization ser;
bool finalized;
+ struct kho_debugfs dbg;
};
static struct kho_out kho_out = {
.chain_head = BLOCKING_NOTIFIER_INIT(kho_out.chain_head),
.lock = __MUTEX_INITIALIZER(kho_out.lock),
.ser = {
- .fdt_list = LIST_HEAD_INIT(kho_out.ser.fdt_list),
.track = {
.orders = XARRAY_INIT(kho_out.ser.track.orders, 0),
},
@@ -678,37 +672,6 @@ static void __init kho_reserve_scratch(void)
kho_enable = false;
}
-struct fdt_debugfs {
- struct list_head list;
- struct debugfs_blob_wrapper wrapper;
- struct dentry *file;
-};
-
-static int kho_debugfs_fdt_add(struct list_head *list, struct dentry *dir,
- const char *name, const void *fdt)
-{
- struct fdt_debugfs *f;
- struct dentry *file;
-
- f = kmalloc(sizeof(*f), GFP_KERNEL);
- if (!f)
- return -ENOMEM;
-
- f->wrapper.data = (void *)fdt;
- f->wrapper.size = fdt_totalsize(fdt);
-
- file = debugfs_create_blob(name, 0400, dir, &f->wrapper);
- if (IS_ERR(file)) {
- kfree(f);
- return PTR_ERR(file);
- }
-
- f->file = file;
- list_add(&f->list, list);
-
- return 0;
-}
-
/**
* kho_add_subtree - record the physical address of a sub FDT in KHO root tree.
* @ser: serialization control object passed by KHO notifiers.
@@ -720,7 +683,8 @@ static int kho_debugfs_fdt_add(struct list_head *list, struct dentry *dir,
* by KHO for the new kernel to retrieve it after kexec.
*
* A debugfs blob entry is also created at
- * ``/sys/kernel/debug/kho/out/sub_fdts/@name``.
+ * ``/sys/kernel/debug/kho/out/sub_fdts/@name`` when kernel is configured with
+ * CONFIG_KEXEC_HANDOVER_DEBUGFS
*
* Return: 0 on success, error code on failure
*/
@@ -737,7 +701,7 @@ int kho_add_subtree(struct kho_serialization *ser, const char *name, void *fdt)
if (err)
return err;
- return kho_debugfs_fdt_add(&ser->fdt_list, ser->sub_fdt_dir, name, fdt);
+ return kho_debugfs_fdt_add(&kho_out.dbg, name, fdt, false);
}
EXPORT_SYMBOL_GPL(kho_add_subtree);
@@ -1069,30 +1033,7 @@ void *kho_restore_vmalloc(const struct kho_vmalloc *preservation)
}
EXPORT_SYMBOL_GPL(kho_restore_vmalloc);
-/* Handling for debug/kho/out */
-
-static struct dentry *debugfs_root;
-
-static int kho_out_update_debugfs_fdt(void)
-{
- int err = 0;
- struct fdt_debugfs *ff, *tmp;
-
- if (kho_out.finalized) {
- err = kho_debugfs_fdt_add(&kho_out.ser.fdt_list, kho_out.dir,
- "fdt", page_to_virt(kho_out.ser.fdt));
- } else {
- list_for_each_entry_safe(ff, tmp, &kho_out.ser.fdt_list, list) {
- debugfs_remove(ff->file);
- list_del(&ff->list);
- kfree(ff);
- }
- }
-
- return err;
-}
-
-static int kho_abort(void)
+static int __kho_abort(void)
{
int err;
unsigned long order;
@@ -1125,7 +1066,28 @@ static int kho_abort(void)
return err;
}
-static int kho_finalize(void)
+int kho_abort(void)
+{
+ int ret = 0;
+
+ if (!kho_enable)
+ return -EOPNOTSUPP;
+
+ guard(mutex)(&kho_out.lock);
+ if (!kho_out.finalized)
+ return -ENOENT;
+
+ ret = __kho_abort();
+ if (ret)
+ return ret;
+
+ kho_out.finalized = false;
+ kho_debugfs_cleanup(&kho_out.dbg);
+
+ return 0;
+}
+
+static int __kho_finalize(void)
{
int err = 0;
u64 *preserved_mem_map;
@@ -1168,118 +1130,46 @@ static int kho_finalize(void)
abort:
if (err) {
pr_err("Failed to convert KHO state tree: %d\n", err);
- kho_abort();
+ __kho_abort();
}
return err;
}
-static int kho_out_finalize_get(void *data, u64 *val)
-{
- mutex_lock(&kho_out.lock);
- *val = kho_out.finalized;
- mutex_unlock(&kho_out.lock);
-
- return 0;
-}
-
-static int kho_out_finalize_set(void *data, u64 _val)
+int kho_finalize(void)
{
- int ret = 0;
- bool val = !!_val;
-
- mutex_lock(&kho_out.lock);
+ int ret;
- if (val == kho_out.finalized) {
- if (kho_out.finalized)
- ret = -EEXIST;
- else
- ret = -ENOENT;
- goto unlock;
- }
+ if (!kho_enable)
+ return -EOPNOTSUPP;
- if (val)
- ret = kho_finalize();
- else
- ret = kho_abort();
+ guard(mutex)(&kho_out.lock);
+ if (kho_out.finalized)
+ return -EEXIST;
+ ret = __kho_finalize();
if (ret)
- goto unlock;
-
- kho_out.finalized = val;
- ret = kho_out_update_debugfs_fdt();
-
-unlock:
- mutex_unlock(&kho_out.lock);
- return ret;
-}
-
-DEFINE_DEBUGFS_ATTRIBUTE(fops_kho_out_finalize, kho_out_finalize_get,
- kho_out_finalize_set, "%llu\n");
-
-static int scratch_phys_show(struct seq_file *m, void *v)
-{
- for (int i = 0; i < kho_scratch_cnt; i++)
- seq_printf(m, "0x%llx\n", kho_scratch[i].addr);
-
- return 0;
-}
-DEFINE_SHOW_ATTRIBUTE(scratch_phys);
+ return ret;
-static int scratch_len_show(struct seq_file *m, void *v)
-{
- for (int i = 0; i < kho_scratch_cnt; i++)
- seq_printf(m, "0x%llx\n", kho_scratch[i].size);
+ kho_out.finalized = true;
- return 0;
+ return kho_debugfs_fdt_add(&kho_out.dbg, "fdt",
+ page_to_virt(kho_out.ser.fdt), true);
}
-DEFINE_SHOW_ATTRIBUTE(scratch_len);
-static __init int kho_out_debugfs_init(void)
+bool kho_finalized(void)
{
- struct dentry *dir, *f, *sub_fdt_dir;
-
- dir = debugfs_create_dir("out", debugfs_root);
- if (IS_ERR(dir))
- return -ENOMEM;
-
- sub_fdt_dir = debugfs_create_dir("sub_fdts", dir);
- if (IS_ERR(sub_fdt_dir))
- goto err_rmdir;
-
- f = debugfs_create_file("scratch_phys", 0400, dir, NULL,
- &scratch_phys_fops);
- if (IS_ERR(f))
- goto err_rmdir;
-
- f = debugfs_create_file("scratch_len", 0400, dir, NULL,
- &scratch_len_fops);
- if (IS_ERR(f))
- goto err_rmdir;
-
- f = debugfs_create_file("finalize", 0600, dir, NULL,
- &fops_kho_out_finalize);
- if (IS_ERR(f))
- goto err_rmdir;
-
- kho_out.dir = dir;
- kho_out.ser.sub_fdt_dir = sub_fdt_dir;
- return 0;
-
-err_rmdir:
- debugfs_remove_recursive(dir);
- return -ENOENT;
+ guard(mutex)(&kho_out.lock);
+ return kho_out.finalized;
}
struct kho_in {
- struct dentry *dir;
phys_addr_t fdt_phys;
phys_addr_t scratch_phys;
- struct list_head fdt_list;
+ struct kho_debugfs dbg;
};
static struct kho_in kho_in = {
- .fdt_list = LIST_HEAD_INIT(kho_in.fdt_list),
};
static const void *kho_get_fdt(void)
@@ -1343,56 +1233,6 @@ int kho_retrieve_subtree(const char *name, phys_addr_t *phys)
}
EXPORT_SYMBOL_GPL(kho_retrieve_subtree);
-/* Handling for debugfs/kho/in */
-
-static __init int kho_in_debugfs_init(const void *fdt)
-{
- struct dentry *sub_fdt_dir;
- int err, child;
-
- kho_in.dir = debugfs_create_dir("in", debugfs_root);
- if (IS_ERR(kho_in.dir))
- return PTR_ERR(kho_in.dir);
-
- sub_fdt_dir = debugfs_create_dir("sub_fdts", kho_in.dir);
- if (IS_ERR(sub_fdt_dir)) {
- err = PTR_ERR(sub_fdt_dir);
- goto err_rmdir;
- }
-
- err = kho_debugfs_fdt_add(&kho_in.fdt_list, kho_in.dir, "fdt", fdt);
- if (err)
- goto err_rmdir;
-
- fdt_for_each_subnode(child, fdt, 0) {
- int len = 0;
- const char *name = fdt_get_name(fdt, child, NULL);
- const u64 *fdt_phys;
-
- fdt_phys = fdt_getprop(fdt, child, "fdt", &len);
- if (!fdt_phys)
- continue;
- if (len != sizeof(*fdt_phys)) {
- pr_warn("node `%s`'s prop `fdt` has invalid length: %d\n",
- name, len);
- continue;
- }
- err = kho_debugfs_fdt_add(&kho_in.fdt_list, sub_fdt_dir, name,
- phys_to_virt(*fdt_phys));
- if (err) {
- pr_warn("failed to add fdt `%s` to debugfs: %d\n", name,
- err);
- continue;
- }
- }
-
- return 0;
-
-err_rmdir:
- debugfs_remove_recursive(kho_in.dir);
- return err;
-}
-
static __init int kho_init(void)
{
int err = 0;
@@ -1407,27 +1247,16 @@ static __init int kho_init(void)
goto err_free_scratch;
}
- debugfs_root = debugfs_create_dir("kho", NULL);
- if (IS_ERR(debugfs_root)) {
- err = -ENOENT;
+ err = kho_debugfs_init();
+ if (err)
goto err_free_fdt;
- }
- err = kho_out_debugfs_init();
+ err = kho_out_debugfs_init(&kho_out.dbg);
if (err)
goto err_free_fdt;
if (fdt) {
- err = kho_in_debugfs_init(fdt);
- /*
- * Failure to create /sys/kernel/debug/kho/in does not prevent
- * reviving state from KHO and setting up KHO for the next
- * kexec.
- */
- if (err)
- pr_err("failed exposing handover FDT in debugfs: %d\n",
- err);
-
+ kho_in_debugfs_init(&kho_in.dbg, fdt);
return 0;
}
diff --git a/kernel/kexec_handover_debugfs.c b/kernel/kexec_handover_debugfs.c
new file mode 100644
index 0000000000000..a91b279f1b232
--- /dev/null
+++ b/kernel/kexec_handover_debugfs.c
@@ -0,0 +1,216 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * kexec_handover_debugfs.c - kexec handover debugfs interfaces
+ * Copyright (C) 2023 Alexander Graf <graf@amazon.com>
+ * Copyright (C) 2025 Microsoft Corporation, Mike Rapoport <rppt@kernel.org>
+ * Copyright (C) 2025 Google LLC, Changyuan Lyu <changyuanl@google.com>
+ * Copyright (C) 2025 Google LLC, Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+
+#define pr_fmt(fmt) "KHO: " fmt
+
+#include <linux/init.h>
+#include <linux/io.h>
+#include <linux/libfdt.h>
+#include <linux/mm.h>
+#include "kexec_handover_internal.h"
+
+static struct dentry *debugfs_root;
+
+struct fdt_debugfs {
+ struct list_head list;
+ struct debugfs_blob_wrapper wrapper;
+ struct dentry *file;
+};
+
+static int __kho_debugfs_fdt_add(struct list_head *list, struct dentry *dir,
+ const char *name, const void *fdt)
+{
+ struct fdt_debugfs *f;
+ struct dentry *file;
+
+ f = kmalloc(sizeof(*f), GFP_KERNEL);
+ if (!f)
+ return -ENOMEM;
+
+ f->wrapper.data = (void *)fdt;
+ f->wrapper.size = fdt_totalsize(fdt);
+
+ file = debugfs_create_blob(name, 0400, dir, &f->wrapper);
+ if (IS_ERR(file)) {
+ kfree(f);
+ return PTR_ERR(file);
+ }
+
+ f->file = file;
+ list_add(&f->list, list);
+
+ return 0;
+}
+
+int kho_debugfs_fdt_add(struct kho_debugfs *dbg, const char *name,
+ const void *fdt, bool root)
+{
+ struct dentry *dir;
+
+ if (root)
+ dir = dbg->dir;
+ else
+ dir = dbg->sub_fdt_dir;
+
+ return __kho_debugfs_fdt_add(&dbg->fdt_list, dir, name, fdt);
+}
+
+void kho_debugfs_cleanup(struct kho_debugfs *dbg)
+{
+ struct fdt_debugfs *ff, *tmp;
+
+ list_for_each_entry_safe(ff, tmp, &dbg->fdt_list, list) {
+ debugfs_remove(ff->file);
+ list_del(&ff->list);
+ kfree(ff);
+ }
+}
+
+static int kho_out_finalize_get(void *data, u64 *val)
+{
+ *val = kho_finalized();
+
+ return 0;
+}
+
+static int kho_out_finalize_set(void *data, u64 val)
+{
+ if (val)
+ return kho_finalize();
+ else
+ return kho_abort();
+}
+
+DEFINE_DEBUGFS_ATTRIBUTE(kho_out_finalize_fops, kho_out_finalize_get,
+ kho_out_finalize_set, "%llu\n");
+
+static int scratch_phys_show(struct seq_file *m, void *v)
+{
+ for (int i = 0; i < kho_scratch_cnt; i++)
+ seq_printf(m, "0x%llx\n", kho_scratch[i].addr);
+
+ return 0;
+}
+DEFINE_SHOW_ATTRIBUTE(scratch_phys);
+
+static int scratch_len_show(struct seq_file *m, void *v)
+{
+ for (int i = 0; i < kho_scratch_cnt; i++)
+ seq_printf(m, "0x%llx\n", kho_scratch[i].size);
+
+ return 0;
+}
+DEFINE_SHOW_ATTRIBUTE(scratch_len);
+
+__init void kho_in_debugfs_init(struct kho_debugfs *dbg, const void *fdt)
+{
+ struct dentry *dir, *sub_fdt_dir;
+ int err, child;
+
+ INIT_LIST_HEAD(&dbg->fdt_list);
+
+ dir = debugfs_create_dir("in", debugfs_root);
+ if (IS_ERR(dir)) {
+ err = PTR_ERR(dir);
+ goto err_out;
+ }
+
+ sub_fdt_dir = debugfs_create_dir("sub_fdts", dir);
+ if (IS_ERR(sub_fdt_dir)) {
+ err = PTR_ERR(sub_fdt_dir);
+ goto err_rmdir;
+ }
+
+ err = __kho_debugfs_fdt_add(&dbg->fdt_list, dir, "fdt", fdt);
+ if (err)
+ goto err_rmdir;
+
+ fdt_for_each_subnode(child, fdt, 0) {
+ int len = 0;
+ const char *name = fdt_get_name(fdt, child, NULL);
+ const u64 *fdt_phys;
+
+ fdt_phys = fdt_getprop(fdt, child, "fdt", &len);
+ if (!fdt_phys)
+ continue;
+ if (len != sizeof(*fdt_phys)) {
+ pr_warn("node %s prop fdt has invalid length: %d\n",
+ name, len);
+ continue;
+ }
+ err = __kho_debugfs_fdt_add(&dbg->fdt_list, sub_fdt_dir, name,
+ phys_to_virt(*fdt_phys));
+ if (err) {
+ pr_warn("failed to add fdt %s to debugfs: %d\n", name,
+ err);
+ continue;
+ }
+ }
+
+ dbg->dir = dir;
+ dbg->sub_fdt_dir = sub_fdt_dir;
+
+ return;
+err_rmdir:
+ debugfs_remove_recursive(dir);
+err_out:
+ /*
+ * Failure to create /sys/kernel/debug/kho/in does not prevent
+ * reviving state from KHO and setting up KHO for the next
+ * kexec.
+ */
+ if (err)
+ pr_err("failed exposing handover FDT in debugfs: %d\n", err);
+}
+
+__init int kho_out_debugfs_init(struct kho_debugfs *dbg)
+{
+ struct dentry *dir, *f, *sub_fdt_dir;
+
+ INIT_LIST_HEAD(&dbg->fdt_list);
+
+ dir = debugfs_create_dir("out", debugfs_root);
+ if (IS_ERR(dir))
+ return -ENOMEM;
+
+ sub_fdt_dir = debugfs_create_dir("sub_fdts", dir);
+ if (IS_ERR(sub_fdt_dir))
+ goto err_rmdir;
+
+ f = debugfs_create_file("scratch_phys", 0400, dir, NULL,
+ &scratch_phys_fops);
+ if (IS_ERR(f))
+ goto err_rmdir;
+
+ f = debugfs_create_file("scratch_len", 0400, dir, NULL,
+ &scratch_len_fops);
+ if (IS_ERR(f))
+ goto err_rmdir;
+
+ f = debugfs_create_file("finalize", 0600, dir, NULL,
+ &kho_out_finalize_fops);
+ if (IS_ERR(f))
+ goto err_rmdir;
+
+ dbg->dir = dir;
+ dbg->sub_fdt_dir = sub_fdt_dir;
+ return 0;
+
+err_rmdir:
+ debugfs_remove_recursive(dir);
+ return -ENOENT;
+}
+
+__init int kho_debugfs_init(void)
+{
+ debugfs_root = debugfs_create_dir("kho", NULL);
+ if (IS_ERR(debugfs_root))
+ return -ENOENT;
+ return 0;
+}
diff --git a/kernel/kexec_handover_internal.h b/kernel/kexec_handover_internal.h
index 3c3c7148ceed4..217b8b25a5422 100644
--- a/kernel/kexec_handover_internal.h
+++ b/kernel/kexec_handover_internal.h
@@ -3,11 +3,46 @@
#define LINUX_KEXEC_HANDOVER_INTERNAL_H
#include <linux/kexec_handover.h>
+#include <linux/list.h>
#include <linux/types.h>
+#ifdef CONFIG_KEXEC_HANDOVER_DEBUGFS
+#include <linux/debugfs.h>
+
+struct kho_debugfs {
+ struct dentry *dir;
+ struct dentry *sub_fdt_dir;
+ struct list_head fdt_list;
+};
+
+#else
+struct kho_debugfs {};
+#endif
+
extern struct kho_scratch *kho_scratch;
extern unsigned int kho_scratch_cnt;
+bool kho_finalized(void);
+int kho_finalize(void);
+int kho_abort(void);
+
+#ifdef CONFIG_KEXEC_HANDOVER_DEBUGFS
+int kho_debugfs_init(void);
+void kho_in_debugfs_init(struct kho_debugfs *dbg, const void *fdt);
+int kho_out_debugfs_init(struct kho_debugfs *dbg);
+int kho_debugfs_fdt_add(struct kho_debugfs *dbg, const char *name,
+ const void *fdt, bool root);
+void kho_debugfs_cleanup(struct kho_debugfs *dbg);
+#else
+static inline int kho_debugfs_init(void) { return 0; }
+static inline void kho_in_debugfs_init(struct kho_debugfs *dbg,
+ const void *fdt) { }
+static inline int kho_out_debugfs_init(struct kho_debugfs *dbg) { return 0; }
+static inline int kho_debugfs_fdt_add(struct kho_debugfs *dbg, const char *name,
+ const void *fdt, bool root) { return 0; }
+static inline void kho_debugfs_cleanup(struct kho_debugfs *dbg) {}
+#endif /* CONFIG_KEXEC_HANDOVER_DEBUGFS */
+
#ifdef CONFIG_KEXEC_HANDOVER_DEBUG
bool kho_scratch_overlap(phys_addr_t phys, size_t size);
#else
diff --git a/tools/testing/selftests/kho/vmtest.sh b/tools/testing/selftests/kho/vmtest.sh
index 3f6c171668467..49fdac8e8b159 100755
--- a/tools/testing/selftests/kho/vmtest.sh
+++ b/tools/testing/selftests/kho/vmtest.sh
@@ -59,6 +59,7 @@ function build_kernel() {
tee "$kconfig" > "$kho_config" <<EOF
CONFIG_BLK_DEV_INITRD=y
CONFIG_KEXEC_HANDOVER=y
+CONFIG_KEXEC_HANDOVER_DEBUGFS=y
CONFIG_TEST_KEXEC_HANDOVER=y
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_VM=y
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 312/957] Documentation: fix a hugetlbfs reservation statement
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 311/957] kho: make debugfs interface optional Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 313/957] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
` (650 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jane Chu, David Hildenbrand,
Hillf Danton, Jonathan Corbet, Liam Howlett, Lorenzo Stoakes,
Michal Hocko, Mike Rapoport, Muchun Song, Oscar Salvador,
Shuah Khan, Suren Baghdasaryan, Vlastimil Babka, Andrew Morton,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jane Chu <jane.chu@oracle.com>
[ Upstream commit 7a197d346a44384a1a858a98ef03766840e561d4 ]
Documentation/mm/hugetlbfs_reserv.rst has
if (resv_needed <= (resv_huge_pages - free_huge_pages))
resv_huge_pages += resv_needed;
which describes this code in gather_surplus_pages()
needed = (h->resv_huge_pages + delta) - h->free_huge_pages;
if (needed <= 0) {
h->resv_huge_pages += delta;
return 0;
}
which means if there are enough free hugepages to account for the new
reservation, simply update the global reservation count without
further action.
But the description is backwards, it should be
if (resv_needed <= (free_huge_pages - resv_huge_pages))
instead.
Link: https://lkml.kernel.org/r/20260302201015.1824798-1-jane.chu@oracle.com
Fixes: 70bc0dc578b3 ("Documentation: vm, add hugetlbfs reservation overview")
Signed-off-by: Jane Chu <jane.chu@oracle.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/mm/hugetlbfs_reserv.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/mm/hugetlbfs_reserv.rst b/Documentation/mm/hugetlbfs_reserv.rst
index 4914fbf07966c..a49115db18c76 100644
--- a/Documentation/mm/hugetlbfs_reserv.rst
+++ b/Documentation/mm/hugetlbfs_reserv.rst
@@ -155,7 +155,7 @@ are enough free huge pages to accommodate the reservation. If there are,
the global reservation count resv_huge_pages is adjusted something like the
following::
- if (resv_needed <= (resv_huge_pages - free_huge_pages))
+ if (resv_needed <= (free_huge_pages - resv_huge_pages)
resv_huge_pages += resv_needed;
Note that the global lock hugetlb_lock is held when checking and adjusting
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 313/957] selftest: memcg: skip memcg_sock test if address family not supported
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 312/957] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 314/957] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
` (649 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Michal Koutný,
Shakeel Butt, Johannes Weiner, Michal Hocko, Mike Rapoport,
Muchun Song, Roman Gushchin, Shuah Khan, Tejun Heo, Andrew Morton,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 2d028f3e4bbbfd448928a8d3d2814b0b04c214f4 ]
The test_memcg_sock test in memcontrol.c sets up an IPv6 socket and send
data over it to consume memory and verify that memory.stat.sock and
memory.current values are close.
On systems where IPv6 isn't enabled or not configured to support
SOCK_STREAM, the test_memcg_sock test always fails. When the socket()
call fails, there is no way we can test the memory consumption and verify
the above claim. I believe it is better to just skip the test in this
case instead of reporting a test failure hinting that there may be
something wrong with the memcg code.
Link: https://lkml.kernel.org/r/20260311200526.885899-1-longman@redhat.com
Fixes: 5f8f019380b8 ("selftests: cgroup/memcontrol: add basic test for socket accounting")
Signed-off-by: Waiman Long <longman@redhat.com>
Acked-by: Michal Koutný <mkoutny@suse.com>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Michal Koutný <mkoutny@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/cgroup/test_memcontrol.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c
index a680f773f2d54..1f64db1afa212 100644
--- a/tools/testing/selftests/cgroup/test_memcontrol.c
+++ b/tools/testing/selftests/cgroup/test_memcontrol.c
@@ -1278,8 +1278,11 @@ static int tcp_server(const char *cgroup, void *arg)
saddr.sin6_port = htons(srv_args->port);
sk = socket(AF_INET6, SOCK_STREAM, 0);
- if (sk < 0)
+ if (sk < 0) {
+ /* Pass back errno to the ctl_fd */
+ write(ctl_fd, &errno, sizeof(errno));
return ret;
+ }
if (setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) < 0)
goto cleanup;
@@ -1409,6 +1412,12 @@ static int test_memcg_sock(const char *root)
goto cleanup;
close(args.ctl[0]);
+ /* Skip if address family not supported by protocol */
+ if (err == EAFNOSUPPORT) {
+ ret = KSFT_SKIP;
+ goto cleanup;
+ }
+
if (!err)
break;
if (err != EADDRINUSE)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 314/957] ALSA: scarlett2: Add missing sentinel initializer field
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 313/957] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 315/957] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
` (648 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Panagiotis Petrakopoulos,
Takashi Iwai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
[ Upstream commit 2428cd6e8b6fa80c36db4652702ca0acd2ce3f08 ]
A "-Wmissing-field-initializers" warning was emitted when compiling the
module using the W=2 option. There is a sentinel initializer field
missing in the end of scarlett2_devices[]. Tested using a
Scarlett Solo 4th gen.
Fixes: d98cc489029d ("ALSA: scarlett2: Move USB IDs out from device_info struct")
Signed-off-by: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
Link: https://patch.msgid.link/20260405222548.8903-1-npetrakopoulos2003@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_scarlett2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c
index 48d77030a63d8..a75a4610663e9 100644
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -2262,7 +2262,7 @@ static const struct scarlett2_device_entry scarlett2_devices[] = {
{ USB_ID(0x1235, 0x820c), &clarett_8pre_info, "Clarett+" },
/* End of list */
- { 0, NULL },
+ { 0, NULL, NULL },
};
/* get the starting port index number for a given port type/direction */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 315/957] ASoC: SOF: compress: return the configured codec from get_params
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 314/957] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 316/957] PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports Greg Kroah-Hartman
` (647 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 2c4fdd055f92a2fc8602dcd88bcea08c374b7e8b ]
The SOF compressed offload path accepts codec parameters in
sof_compr_set_params() and forwards them to firmware as
extended data in the SOF IPC stream params message.
However, sof_compr_get_params() still returns success without
filling the snd_codec structure. Since the compress core allocates
that structure zeroed and copies it back to userspace on success,
SNDRV_COMPRESS_GET_PARAMS returns an all-zero codec description
even after the stream has been configured successfully.
The stale TODO in this callback conflates get_params() with capability
discovery. Supported codec enumeration belongs in get_caps() and
get_codec_caps(). get_params() should report the current codec settings.
Cache the codec accepted by sof_compr_set_params() in the per-stream SOF
compress state and return it from sof_compr_get_params().
Fixes: 6324cf901e14 ("ASoC: SOF: compr: Add compress ops implementation")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260325-sof-compr-get-params-v1-1-0758815f13c7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/compress.c | 8 +++++---
sound/soc/sof/sof-priv.h | 2 ++
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/sound/soc/sof/compress.c b/sound/soc/sof/compress.c
index 593b8c7474846..31455ebb0f5bb 100644
--- a/sound/soc/sof/compress.c
+++ b/sound/soc/sof/compress.c
@@ -247,6 +247,7 @@ static int sof_compr_set_params(struct snd_soc_component *component,
sstream->sampling_rate = params->codec.sample_rate;
sstream->channels = params->codec.ch_out;
sstream->sample_container_bytes = pcm->params.sample_container_bytes;
+ sstream->codec_params = params->codec;
spcm->prepared[cstream->direction] = true;
@@ -259,9 +260,10 @@ static int sof_compr_set_params(struct snd_soc_component *component,
static int sof_compr_get_params(struct snd_soc_component *component,
struct snd_compr_stream *cstream, struct snd_codec *params)
{
- /* TODO: we don't query the supported codecs for now, if the
- * application asks for an unsupported codec the set_params() will fail.
- */
+ struct sof_compr_stream *sstream = cstream->runtime->private_data;
+
+ *params = sstream->codec_params;
+
return 0;
}
diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
index 0f624d8cde201..985284a7b4ec9 100644
--- a/sound/soc/sof/sof-priv.h
+++ b/sound/soc/sof/sof-priv.h
@@ -17,6 +17,7 @@
#include <sound/sof/info.h>
#include <sound/sof/pm.h>
#include <sound/sof/trace.h>
+#include <sound/compress_params.h>
#include <uapi/sound/sof/fw.h>
#include <sound/sof/ext_manifest.h>
@@ -111,6 +112,7 @@ struct sof_compr_stream {
u32 sampling_rate;
u16 channels;
u16 sample_container_bytes;
+ struct snd_codec codec_params;
size_t posn_offset;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 316/957] PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 315/957] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 317/957] ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream Greg Kroah-Hartman
` (646 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Cheng, Bjorn Helgaas,
Lukas Wunner, Kai-Heng Feng, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Cheng <icheng@nvidia.com>
[ Upstream commit 16d021c878dca22532c984668c9e8cf4722d6a49 ]
NPEM registers LED classdevs on PCI endpoint that may be behind
hotplug-capable ports. During hot-removal, led_classdev_unregister() calls
led_set_brightness(LED_OFF) which leads to a PCI config read to a
disconnected device, which fails and returns -ENODEV (topology details in
msgid.link below):
leds 0003:01:00.0:enclosure:ok: Setting an LED's brightness failed (-19)
The LED core already suppresses this for devices with LED_HW_PLUGGABLE set,
but NPEM never sets it. Add the flag since NPEM LEDs are on hot-pluggable
hardware by nature.
Fixes: 4e893545ef87 ("PCI/NPEM: Add Native PCIe Enclosure Management support")
Signed-off-by: Richard Cheng <icheng@nvidia.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Kai-Heng Feng <kaihengf@nvidia.com>
Link: https://patch.msgid.link/20260402093850.23075-1-icheng@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/npem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/npem.c b/drivers/pci/npem.c
index 97507e0df769b..b5d012edebf35 100644
--- a/drivers/pci/npem.c
+++ b/drivers/pci/npem.c
@@ -504,7 +504,7 @@ static int pci_npem_set_led_classdev(struct npem *npem, struct npem_led *nled)
led->brightness_get = brightness_get;
led->max_brightness = 1;
led->default_trigger = "none";
- led->flags = 0;
+ led->flags = LED_HW_PLUGGABLE;
ret = led_classdev_register(&npem->dev->dev, led);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 317/957] ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 316/957] PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 318/957] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
` (645 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, songxiebing,
Takashi Iwai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: songxiebing <songxiebing@kylinos.cn>
[ Upstream commit 292286b2d229fb732421429b027d38ac3f969383 ]
Fix sparse warning:
sound/usb/qcom/qc_audio_offload.c:943:27: sparse: incorrect type in argument 2
expected unsigned int val but got snd_pcm_format_t.
Explicitly cast pcm_format to unsigned int for snd_mask_leave().
Fixes: 326bbc348298 ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604062109.Oxi8JjWW-lkp@intel.com/
Signed-off-by: songxiebing <songxiebing@kylinos.cn>
Link: https://patch.msgid.link/20260408083311.774173-1-songxiebing@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/qcom/qc_audio_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/qcom/qc_audio_offload.c b/sound/usb/qcom/qc_audio_offload.c
index 542eae3a57d9d..fc25e709ed4b2 100644
--- a/sound/usb/qcom/qc_audio_offload.c
+++ b/sound/usb/qcom/qc_audio_offload.c
@@ -948,7 +948,7 @@ static int enable_audio_stream(struct snd_usb_substream *subs,
_snd_pcm_hw_params_any(¶ms);
m = hw_param_mask(¶ms, SNDRV_PCM_HW_PARAM_FORMAT);
- snd_mask_leave(m, pcm_format);
+ snd_mask_leave(m, (__force unsigned int)pcm_format);
i = hw_param_interval(¶ms, SNDRV_PCM_HW_PARAM_CHANNELS);
snd_interval_setinteger(i);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 318/957] PCI: tegra194: Fix polling delay for L2 state
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 317/957] ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 319/957] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
` (644 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit adaffed907f14f954096555665ad6af2ae724d83 ]
As per PCIe r7.0, sec 5.3.3.2.1, after sending PME_Turn_Off message, Root
Port should wait for 1-10 msec for PME_TO_Ack message. Currently, driver is
polling for 10 msec with 1 usec delay which is aggressive. Use existing
macro PCIE_PME_TO_L2_TIMEOUT_US to poll for 10 msec with 1 msec delay.
Since this function is used in non-atomic context only, use non-atomic poll
function.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-2-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 3934757baa30c..d2d3139e81d36 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -198,8 +198,6 @@
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_MASK GENMASK(11, 8)
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_SHIFT 8
-#define PME_ACK_TIMEOUT 10000
-
#define LTSSM_TIMEOUT 50000 /* 50ms */
#define GEN3_GEN4_EQ_PRESET_INIT 5
@@ -1582,9 +1580,10 @@ static int tegra_pcie_try_link_l2(struct tegra_pcie_dw *pcie)
val |= APPL_PM_XMT_TURNOFF_STATE;
appl_writel(pcie, val, APPL_RADM_STATUS);
- return readl_poll_timeout_atomic(pcie->appl_base + APPL_DEBUG, val,
- val & APPL_DEBUG_PM_LINKST_IN_L2_LAT,
- 1, PME_ACK_TIMEOUT);
+ return readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
+ val & APPL_DEBUG_PM_LINKST_IN_L2_LAT,
+ PCIE_PME_TO_L2_TIMEOUT_US/10,
+ PCIE_PME_TO_L2_TIMEOUT_US);
}
static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 319/957] PCI: tegra194: Increase LTSSM poll time on surprise link down
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 318/957] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 320/957] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
` (643 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 74dd8efe4d6cead433162147333af989a568aac7 ]
On surprise link down, LTSSM state transits from L0 -> Recovery.RcvrLock ->
Recovery.RcvrSpeed -> Gen1 Recovery.RcvrLock -> Detect. Recovery.RcvrLock
and Recovery.RcvrSpeed transit times are 24 ms and 48 ms respectively, so
the total time from L0 to Detect is ~96 ms. Increase the poll timeout to
120 ms to account for this.
While at it, add LTSSM state defines for Detect-related states and use them
in the poll condition. Use readl_poll_timeout() instead of
readl_poll_timeout_atomic() in tegra_pcie_dw_pme_turnoff() since that path
runs in non-atomic context.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-3-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 36 +++++++++++++---------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index d2d3139e81d36..d2fefd5c8b08f 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -137,7 +137,11 @@
#define APPL_DEBUG_PM_LINKST_IN_L0 0x11
#define APPL_DEBUG_LTSSM_STATE_MASK GENMASK(8, 3)
#define APPL_DEBUG_LTSSM_STATE_SHIFT 3
-#define LTSSM_STATE_PRE_DETECT 5
+#define LTSSM_STATE_DETECT_QUIET 0x00
+#define LTSSM_STATE_DETECT_ACT 0x08
+#define LTSSM_STATE_PRE_DETECT_QUIET 0x28
+#define LTSSM_STATE_DETECT_WAIT 0x30
+#define LTSSM_STATE_L2_IDLE 0xa8
#define APPL_RADM_STATUS 0xE4
#define APPL_PM_XMT_TURNOFF_STATE BIT(0)
@@ -198,7 +202,8 @@
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_MASK GENMASK(11, 8)
#define CAP_SPCIE_CAP_OFF_USP_TX_PRESET0_SHIFT 8
-#define LTSSM_TIMEOUT 50000 /* 50ms */
+#define LTSSM_DELAY_US 10000 /* 10 ms */
+#define LTSSM_TIMEOUT_US 120000 /* 120 ms */
#define GEN3_GEN4_EQ_PRESET_INIT 5
@@ -1626,15 +1631,14 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
data &= ~APPL_CTRL_LTSSM_EN;
writel(data, pcie->appl_base + APPL_CTRL);
- err = readl_poll_timeout_atomic(pcie->appl_base + APPL_DEBUG,
- data,
- ((data &
- APPL_DEBUG_LTSSM_STATE_MASK) >>
- APPL_DEBUG_LTSSM_STATE_SHIFT) ==
- LTSSM_STATE_PRE_DETECT,
- 1, LTSSM_TIMEOUT);
+ err = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, data,
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_PRE_DETECT_QUIET) ||
+ ((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_WAIT),
+ LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (err)
- dev_info(pcie->dev, "Link didn't go to detect state\n");
+ dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", data, err);
}
/*
* DBI registers may not be accessible after this as PLL-E would be
@@ -1714,12 +1718,14 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
appl_writel(pcie, val, APPL_CTRL);
ret = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
- ((val & APPL_DEBUG_LTSSM_STATE_MASK) >>
- APPL_DEBUG_LTSSM_STATE_SHIFT) ==
- LTSSM_STATE_PRE_DETECT,
- 1, LTSSM_TIMEOUT);
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_PRE_DETECT_QUIET) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_WAIT) ||
+ ((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_L2_IDLE),
+ LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (ret)
- dev_err(pcie->dev, "Failed to go Detect state: %d\n", ret);
+ dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", val, ret);
reset_control_assert(pcie->core_rst);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 320/957] PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 319/957] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 321/957] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
` (642 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 9fa0c242f8d7acf1b124d4462d18f4023573ac1c ]
After the link reaches a Detect-related LTSSM state, disable LTSSM so it
does not keep toggling between Polling and Detect. Do this by polling for
the Detect state first, then clearing APPL_CTRL_LTSSM_EN in both
tegra_pcie_dw_pme_turnoff() and pex_ep_event_pex_rst_assert().
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-4-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 29 ++++++++++++----------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index d2fefd5c8b08f..b3a1161f49daf 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1623,14 +1623,6 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
data &= ~APPL_PINMUX_PEX_RST;
appl_writel(pcie, data, APPL_PINMUX);
- /*
- * Some cards do not go to detect state even after de-asserting
- * PERST#. So, de-assert LTSSM to bring link to detect state.
- */
- data = readl(pcie->appl_base + APPL_CTRL);
- data &= ~APPL_CTRL_LTSSM_EN;
- writel(data, pcie->appl_base + APPL_CTRL);
-
err = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, data,
((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
((data & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
@@ -1639,6 +1631,14 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
LTSSM_DELAY_US, LTSSM_TIMEOUT_US);
if (err)
dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", data, err);
+
+ /*
+ * Deassert LTSSM state to stop the state toggling between
+ * Polling and Detect.
+ */
+ data = readl(pcie->appl_base + APPL_CTRL);
+ data &= ~APPL_CTRL_LTSSM_EN;
+ writel(data, pcie->appl_base + APPL_CTRL);
}
/*
* DBI registers may not be accessible after this as PLL-E would be
@@ -1712,11 +1712,6 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
if (pcie->ep_state == EP_STATE_DISABLED)
return;
- /* Disable LTSSM */
- val = appl_readl(pcie, APPL_CTRL);
- val &= ~APPL_CTRL_LTSSM_EN;
- appl_writel(pcie, val, APPL_CTRL);
-
ret = readl_poll_timeout(pcie->appl_base + APPL_DEBUG, val,
((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_QUIET) ||
((val & APPL_DEBUG_LTSSM_STATE_MASK) == LTSSM_STATE_DETECT_ACT) ||
@@ -1727,6 +1722,14 @@ static void pex_ep_event_pex_rst_assert(struct tegra_pcie_dw *pcie)
if (ret)
dev_info(pcie->dev, "LTSSM state: 0x%x detect timeout: %d\n", val, ret);
+ /*
+ * Deassert LTSSM state to stop the state toggling between
+ * Polling and Detect.
+ */
+ val = appl_readl(pcie, APPL_CTRL);
+ val &= ~APPL_CTRL_LTSSM_EN;
+ appl_writel(pcie, val, APPL_CTRL);
+
reset_control_assert(pcie->core_rst);
tegra_pcie_disable_phy(pcie);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 321/957] PCI: tegra194: Dont force the device into the D0 state before L2
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 320/957] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 322/957] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
` (641 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 71d9f67701e1affc82d18ca88ae798c5361beddf ]
As per PCIe CEM r6.0, sec 2.3, the PCIe Endpoint device should be in D3cold
to assert WAKE# pin. The previous workaround that forced downstream devices
to D0 before taking the link to L2 cited PCIe r4.0, sec 5.2, "Link State
Power Management"; however, that spec does not explicitly require putting
the device into D0 and only indicates that power removal may be initiated
without transitioning to D3hot.
Remove the D0 workaround so that Endpoint devices can use wake
functionality (WAKE# from D3). With some Endpoints the link may not enter
L2 when they remain in D3, but the Root Port continues with the usual flow
after PME timeout, so there is no functional issue.
Fixes: 56e15a238d92 ("PCI: tegra: Add Tegra194 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-5-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 41 ----------------------
1 file changed, 41 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index b3a1161f49daf..112fd5ea5a0ab 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1287,44 +1287,6 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
return 0;
}
-static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
-{
- struct dw_pcie_rp *pp = &pcie->pci.pp;
- struct pci_bus *child, *root_port_bus = NULL;
- struct pci_dev *pdev;
-
- /*
- * link doesn't go into L2 state with some of the endpoints with Tegra
- * if they are not in D0 state. So, need to make sure that immediate
- * downstream devices are in D0 state before sending PME_TurnOff to put
- * link into L2 state.
- * This is as per PCI Express Base r4.0 v1.0 September 27-2017,
- * 5.2 Link State Power Management (Page #428).
- */
-
- list_for_each_entry(child, &pp->bridge->bus->children, node) {
- if (child->parent == pp->bridge->bus) {
- root_port_bus = child;
- break;
- }
- }
-
- if (!root_port_bus) {
- dev_err(pcie->dev, "Failed to find downstream bus of Root Port\n");
- return;
- }
-
- /* Bring downstream devices to D0 if they are not already in */
- list_for_each_entry(pdev, &root_port_bus->devices, bus_list) {
- if (PCI_SLOT(pdev->devfn) == 0) {
- if (pci_set_power_state(pdev, PCI_D0))
- dev_err(pcie->dev,
- "Failed to transition %s to D0 state\n",
- dev_name(&pdev->dev));
- }
- }
-}
-
static int tegra_pcie_get_slot_regulators(struct tegra_pcie_dw *pcie)
{
pcie->slot_ctl_3v3 = devm_regulator_get_optional(pcie->dev, "vpcie3v3");
@@ -1654,7 +1616,6 @@ static void tegra_pcie_dw_pme_turnoff(struct tegra_pcie_dw *pcie)
static void tegra_pcie_deinit_controller(struct tegra_pcie_dw *pcie)
{
- tegra_pcie_downstream_dev_to_D0(pcie);
dw_pcie_host_deinit(&pcie->pci.pp);
tegra_pcie_dw_pme_turnoff(pcie);
tegra_pcie_unconfig_controller(pcie);
@@ -2370,7 +2331,6 @@ static int tegra_pcie_dw_suspend_noirq(struct device *dev)
if (!pcie->link_state)
return 0;
- tegra_pcie_downstream_dev_to_D0(pcie);
tegra_pcie_dw_pme_turnoff(pcie);
tegra_pcie_unconfig_controller(pcie);
@@ -2444,7 +2404,6 @@ static void tegra_pcie_dw_shutdown(struct platform_device *pdev)
return;
debugfs_remove_recursive(pcie->debugfs);
- tegra_pcie_downstream_dev_to_D0(pcie);
disable_irq(pcie->pci.pp.irq);
if (IS_ENABLED(CONFIG_PCI_MSI))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 322/957] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 321/957] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 323/957] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
` (640 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 40658a31b6e134169c648041efc84944c4c71dcd ]
The PERST# GPIO interrupt is only registered when the controller is
operating in Endpoint mode. In Root Port mode, the PERST# GPIO is
configured as an output to control downstream devices, and no interrupt is
registered for it.
Currently, tegra_pcie_dw_stop_link() unconditionally calls disable_irq()
on pex_rst_irq, which causes issues in Root Port mode where this IRQ is
not registered.
Fix this by only disabling the PERST# IRQ when operating in Endpoint mode,
where the interrupt is actually registered and used to detect PERST#
assertion/deassertion from the host.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-6-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 112fd5ea5a0ab..68920c6263a41 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1054,7 +1054,8 @@ static void tegra_pcie_dw_stop_link(struct dw_pcie *pci)
{
struct tegra_pcie_dw *pcie = to_tegra_pcie(pci);
- disable_irq(pcie->pex_rst_irq);
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ disable_irq(pcie->pex_rst_irq);
}
static const struct dw_pcie_ops tegra_dw_pcie_ops = {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 323/957] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 322/957] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 324/957] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
` (639 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit f62bc7917de1374dce86a852ffba8baf9cb7a56a ]
The GPIO DT property "nvidia,refclk-select", to select the PCIe reference
clock is optional. Use devm_gpiod_get_optional() to get it.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-7-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 68920c6263a41..2557217f9df16 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1196,9 +1196,9 @@ static int tegra_pcie_dw_parse_dt(struct tegra_pcie_dw *pcie)
return err;
}
- pcie->pex_refclk_sel_gpiod = devm_gpiod_get(pcie->dev,
- "nvidia,refclk-select",
- GPIOD_OUT_HIGH);
+ pcie->pex_refclk_sel_gpiod = devm_gpiod_get_optional(pcie->dev,
+ "nvidia,refclk-select",
+ GPIOD_OUT_HIGH);
if (IS_ERR(pcie->pex_refclk_sel_gpiod)) {
int err = PTR_ERR(pcie->pex_refclk_sel_gpiod);
const char *level = KERN_ERR;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 324/957] PCI: tegra194: Disable direct speed change for Endpoint mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 323/957] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 325/957] PCI: tegra194: Set LTR message request before PCIe link up in " Greg Kroah-Hartman
` (638 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 976f6763f57970388bcd7118931f33f447916927 ]
Pre-silicon simulation showed the controller operating in Endpoint mode
initiating link speed change after completing Secondary Bus Reset. Ideally,
the Root Port or the Switch Downstream Port should initiate the link speed
change post SBR, not the Endpoint.
So, as per the hardware team recommendation, disable direct speed change
for the Endpoint mode to prevent it from initiating speed change after the
physical layer link is up at Gen1, leaving speed change ownership with the
host.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-8-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 2557217f9df16..698012f2a9465 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1834,6 +1834,10 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
reset_control_deassert(pcie->core_rst);
+ val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
+ val &= ~PORT_LOGIC_SPEED_CHANGE;
+ dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, val);
+
if (pcie->update_fc_fixup) {
val = dw_pcie_readl_dbi(pci, CFG_TIMER_CTRL_MAX_FUNC_NUM_OFF);
val |= 0x1 << CFG_TIMER_CTRL_ACK_NAK_SHIFT;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 325/957] PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 324/957] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 326/957] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
` (637 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit b256493bf8cacf0e524bf4c10b5c4901d0c6cefe ]
LTR message should be sent as soon as the Root Port enables LTR in the
Endpoint mode. So set snoop and no-snoop LTR timing and LTR message request
before the PCIe link comes up, so that the LTR message is sent upstream as
soon as LTR is enabled.
Without programming these values, the Endpoint would send latencies of 0 to
the host, which will be inaccurate.
Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[mani: commit log]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-9-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 698012f2a9465..7d3ea4309e9bb 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -487,15 +487,6 @@ static irqreturn_t tegra_pcie_ep_irq_thread(int irq, void *arg)
if (val & PCI_COMMAND_MASTER) {
ktime_t timeout;
- /* 110us for both snoop and no-snoop */
- val = FIELD_PREP(PCI_LTR_VALUE_MASK, 110) |
- FIELD_PREP(PCI_LTR_SCALE_MASK, 2) |
- LTR_MSG_REQ |
- FIELD_PREP(PCI_LTR_NOSNOOP_VALUE, 110) |
- FIELD_PREP(PCI_LTR_NOSNOOP_SCALE, 2) |
- LTR_NOSNOOP_MSG_REQ;
- appl_writel(pcie, val, APPL_LTR_MSG_1);
-
/* Send LTR upstream */
val = appl_readl(pcie, APPL_LTR_MSG_2);
val |= APPL_LTR_MSG_2_LTR_MSG_REQ_STATE;
@@ -1832,6 +1823,15 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
val |= APPL_INTR_EN_L1_0_0_RDLH_LINK_UP_INT_EN;
appl_writel(pcie, val, APPL_INTR_EN_L1_0_0);
+ /* 110us for both snoop and no-snoop */
+ val = FIELD_PREP(PCI_LTR_VALUE_MASK, 110) |
+ FIELD_PREP(PCI_LTR_SCALE_MASK, 2) |
+ LTR_MSG_REQ |
+ FIELD_PREP(PCI_LTR_NOSNOOP_VALUE, 110) |
+ FIELD_PREP(PCI_LTR_NOSNOOP_SCALE, 2) |
+ LTR_NOSNOOP_MSG_REQ;
+ appl_writel(pcie, val, APPL_LTR_MSG_1);
+
reset_control_deassert(pcie->core_rst);
val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 326/957] PCI: tegra194: Allow system suspend when the Endpoint link is not up
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 325/957] PCI: tegra194: Set LTR message request before PCIe link up in " Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 327/957] PCI: tegra194: Free up Endpoint resources during remove() Greg Kroah-Hartman
` (636 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit c76f8eae7d4695b1176c4ea5eb93c17e16a20272 ]
Host software initiates the L2 sequence. PCIe link is kept in L2 state
during suspend. If Endpoint mode is enabled and the link is up, the
software cannot proceed with suspend. However, when the PCIe Endpoint
driver is probed, but the PCIe link is not up, Tegra can go into suspend
state. So, allow system to suspend in this case.
Fixes: de2bbf2b71bb ("PCI: tegra194: Don't allow suspend when Tegra PCIe is in EP mode")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-10-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 31 +++++++++++++++++-----
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 7d3ea4309e9bb..f4784945c04bb 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -2304,16 +2304,28 @@ static void tegra_pcie_dw_remove(struct platform_device *pdev)
gpiod_set_value(pcie->pex_refclk_sel_gpiod, 0);
}
-static int tegra_pcie_dw_suspend_late(struct device *dev)
+static int tegra_pcie_dw_suspend(struct device *dev)
{
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
- u32 val;
if (pcie->of_data->mode == DW_PCIE_EP_TYPE) {
- dev_err(dev, "Failed to Suspend as Tegra PCIe is in EP mode\n");
- return -EPERM;
+ if (pcie->ep_state == EP_STATE_ENABLED) {
+ dev_err(dev, "Tegra PCIe is in EP mode, suspend not allowed\n");
+ return -EPERM;
+ }
+
+ disable_irq(pcie->pex_rst_irq);
+ return 0;
}
+ return 0;
+}
+
+static int tegra_pcie_dw_suspend_late(struct device *dev)
+{
+ struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
+ u32 val;
+
if (!pcie->link_state)
return 0;
@@ -2333,6 +2345,9 @@ static int tegra_pcie_dw_suspend_noirq(struct device *dev)
{
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ return 0;
+
if (!pcie->link_state)
return 0;
@@ -2347,6 +2362,9 @@ static int tegra_pcie_dw_resume_noirq(struct device *dev)
struct tegra_pcie_dw *pcie = dev_get_drvdata(dev);
int ret;
+ if (pcie->of_data->mode == DW_PCIE_EP_TYPE)
+ return 0;
+
if (!pcie->link_state)
return 0;
@@ -2379,8 +2397,8 @@ static int tegra_pcie_dw_resume_early(struct device *dev)
u32 val;
if (pcie->of_data->mode == DW_PCIE_EP_TYPE) {
- dev_err(dev, "Suspend is not supported in EP mode");
- return -ENOTSUPP;
+ enable_irq(pcie->pex_rst_irq);
+ return 0;
}
if (!pcie->link_state)
@@ -2485,6 +2503,7 @@ static const struct of_device_id tegra_pcie_dw_of_match[] = {
};
static const struct dev_pm_ops tegra_pcie_dw_pm_ops = {
+ .suspend = tegra_pcie_dw_suspend,
.suspend_late = tegra_pcie_dw_suspend_late,
.suspend_noirq = tegra_pcie_dw_suspend_noirq,
.resume_noirq = tegra_pcie_dw_resume_noirq,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 327/957] PCI: tegra194: Free up Endpoint resources during remove()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 326/957] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 328/957] PCI: tegra194: Use DWC IP core version Greg Kroah-Hartman
` (635 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 8870f02f7868209eb9bdc5dc53540a6262cf9227 ]
Free up the resources during remove() that were acquired by the DesignWare
driver for the Endpoint mode during probe().
Fixes: bb617cbd8151 ("PCI: tegra194: Clean up the exit path for Endpoint mode")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-11-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index f4784945c04bb..eb6fecf2e6f42 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -2285,6 +2285,7 @@ static int tegra_pcie_dw_probe(struct platform_device *pdev)
static void tegra_pcie_dw_remove(struct platform_device *pdev)
{
struct tegra_pcie_dw *pcie = platform_get_drvdata(pdev);
+ struct dw_pcie_ep *ep = &pcie->pci.ep;
if (pcie->of_data->mode == DW_PCIE_RC_TYPE) {
if (!pcie->link_state)
@@ -2296,6 +2297,7 @@ static void tegra_pcie_dw_remove(struct platform_device *pdev)
} else {
disable_irq(pcie->pex_rst_irq);
pex_ep_event_pex_rst_assert(pcie);
+ dw_pcie_ep_deinit(ep);
}
pm_runtime_disable(pcie->dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 328/957] PCI: tegra194: Use DWC IP core version
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 327/957] PCI: tegra194: Free up Endpoint resources during remove() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 329/957] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well Greg Kroah-Hartman
` (634 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit ea60ca067f0f098043610c96a915d162113c1aac ]
Tegra194 PCIe driver used custom version numbers to detect Tegra194 and
Tegra234 IPs. With version detect logic added, version check results in
mismatch warnings:
tegra194-pcie 14100000.pcie: Versions don't match (0000562a != 3536322a)
Use HW version numbers which match to PORT_LOGIC.PCIE_VERSION_OFF in
Tegra194 driver to avoid these kernel warnings.
Fixes: a54e19073718 ("PCI: tegra194: Add Tegra234 PCIe support")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-12-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.h | 2 ++
drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
index d32ee1fa3cf85..aa27211b68dd1 100644
--- a/drivers/pci/controller/dwc/pcie-designware.h
+++ b/drivers/pci/controller/dwc/pcie-designware.h
@@ -34,8 +34,10 @@
#define DW_PCIE_VER_470A 0x3437302a
#define DW_PCIE_VER_480A 0x3438302a
#define DW_PCIE_VER_490A 0x3439302a
+#define DW_PCIE_VER_500A 0x3530302a
#define DW_PCIE_VER_520A 0x3532302a
#define DW_PCIE_VER_540A 0x3534302a
+#define DW_PCIE_VER_562A 0x3536322a
#define __dw_pcie_ver_cmp(_pci, _ver, _op) \
((_pci)->version _op DW_PCIE_VER_ ## _ver)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index eb6fecf2e6f42..f740e0afafa94 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -35,8 +35,8 @@
#include <soc/tegra/bpmp-abi.h>
#include "../../pci.h"
-#define TEGRA194_DWC_IP_VER 0x490A
-#define TEGRA234_DWC_IP_VER 0x562A
+#define TEGRA194_DWC_IP_VER DW_PCIE_VER_500A
+#define TEGRA234_DWC_IP_VER DW_PCIE_VER_562A
#define APPL_PINMUX 0x0
#define APPL_PINMUX_PEX_RST BIT(0)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 329/957] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 328/957] PCI: tegra194: Use DWC IP core version Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 330/957] PCI: tegra194: Remove unnecessary L1SS disable code Greg Kroah-Hartman
` (633 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 40805f32dceadebb7381d911003100bec7b8cd51 ]
The ECRC (TLP digest) workaround was originally added for DesignWare
version 4.90a. Tegra234 SoC has 5.00a DWC HW version, which has the same
ATU TD override behaviour, so apply the workaround for 5.00a too.
Fixes: a54e19073718 ("PCI: tegra194: Add Tegra234 PCIe support")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-13-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
index 345365ea97c74..2c1dd6ffa27db 100644
--- a/drivers/pci/controller/dwc/pcie-designware.c
+++ b/drivers/pci/controller/dwc/pcie-designware.c
@@ -486,13 +486,13 @@ static inline void dw_pcie_writel_atu_ob(struct dw_pcie *pci, u32 index, u32 reg
static inline u32 dw_pcie_enable_ecrc(u32 val)
{
/*
- * DesignWare core version 4.90A has a design issue where the 'TD'
- * bit in the Control register-1 of the ATU outbound region acts
- * like an override for the ECRC setting, i.e., the presence of TLP
- * Digest (ECRC) in the outgoing TLPs is solely determined by this
- * bit. This is contrary to the PCIe spec which says that the
- * enablement of the ECRC is solely determined by the AER
- * registers.
+ * DWC versions 0x3530302a and 0x3536322a have a design issue where
+ * the 'TD' bit in the Control register-1 of the ATU outbound
+ * region acts like an override for the ECRC setting, i.e., the
+ * presence of TLP Digest (ECRC) in the outgoing TLPs is solely
+ * determined by this bit. This is contrary to the PCIe spec which
+ * says that the enablement of the ECRC is solely determined by the
+ * AER registers.
*
* Because of this, even when the ECRC is enabled through AER
* registers, the transactions going through ATU won't have TLP
@@ -559,7 +559,7 @@ int dw_pcie_prog_outbound_atu(struct dw_pcie *pci,
if (upper_32_bits(limit_addr) > upper_32_bits(parent_bus_addr) &&
dw_pcie_ver_is_ge(pci, 460A))
val |= PCIE_ATU_INCREASE_REGION_SIZE;
- if (dw_pcie_ver_is(pci, 490A))
+ if (dw_pcie_ver_is(pci, 490A) || dw_pcie_ver_is(pci, 500A))
val = dw_pcie_enable_ecrc(val);
dw_pcie_writel_atu_ob(pci, atu->index, PCIE_ATU_REGION_CTRL1, val);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 330/957] PCI: tegra194: Remove unnecessary L1SS disable code
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 329/957] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 331/957] PCI: tegra194: Disable L1.2 capability of Tegra234 EP Greg Kroah-Hartman
` (632 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
[ Upstream commit 07c99eac0bc2c1fe962e56d8b5dc5b1152d421bf ]
The DWC core clears the L1 Substates Supported bits unless the driver sets
the "dw_pcie.l1ss_support" flag.
The tegra194 init_host_aspm() sets "dw_pcie.l1ss_support" if the platform
has the "supports-clkreq" DT property. If "supports-clkreq" is absent,
"dw_pcie.l1ss_support" is not set, and the DWC core will clear the L1
Substates Supported bits.
The tegra194 code to clear the L1 Substates Supported bits is unnecessary,
so remove it.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20251118214312.2598220-3-helgaas@kernel.org
Stable-dep-of: f59df1d9e6bd ("PCI: tegra194: Disable L1.2 capability of Tegra234 EP")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 45 +++-------------------
1 file changed, 5 insertions(+), 40 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index f740e0afafa94..257965ada3bd0 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -263,7 +263,6 @@ struct tegra_pcie_dw {
u32 msi_ctrl_int;
u32 num_lanes;
u32 cid;
- u32 cfg_link_cap_l1sub;
u32 ras_des_cap;
u32 pcie_cap_base;
u32 aspm_cmrt;
@@ -478,8 +477,7 @@ static irqreturn_t tegra_pcie_ep_irq_thread(int irq, void *arg)
return IRQ_HANDLED;
/* If EP doesn't advertise L1SS, just return */
- val = dw_pcie_readl_dbi(pci, pcie->cfg_link_cap_l1sub);
- if (!(val & (PCI_L1SS_CAP_ASPM_L1_1 | PCI_L1SS_CAP_ASPM_L1_2)))
+ if (!pci->l1ss_support)
return IRQ_HANDLED;
/* Check if BME is set to '1' */
@@ -602,24 +600,6 @@ static struct pci_ops tegra_pci_ops = {
};
#if defined(CONFIG_PCIEASPM)
-static void disable_aspm_l11(struct tegra_pcie_dw *pcie)
-{
- u32 val;
-
- val = dw_pcie_readl_dbi(&pcie->pci, pcie->cfg_link_cap_l1sub);
- val &= ~PCI_L1SS_CAP_ASPM_L1_1;
- dw_pcie_writel_dbi(&pcie->pci, pcie->cfg_link_cap_l1sub, val);
-}
-
-static void disable_aspm_l12(struct tegra_pcie_dw *pcie)
-{
- u32 val;
-
- val = dw_pcie_readl_dbi(&pcie->pci, pcie->cfg_link_cap_l1sub);
- val &= ~PCI_L1SS_CAP_ASPM_L1_2;
- dw_pcie_writel_dbi(&pcie->pci, pcie->cfg_link_cap_l1sub, val);
-}
-
static inline u32 event_counter_prog(struct tegra_pcie_dw *pcie, u32 event)
{
u32 val;
@@ -676,10 +656,9 @@ static int aspm_state_cnt(struct seq_file *s, void *data)
static void init_host_aspm(struct tegra_pcie_dw *pcie)
{
struct dw_pcie *pci = &pcie->pci;
- u32 val;
+ u32 l1ss, val;
- val = dw_pcie_find_ext_capability(pci, PCI_EXT_CAP_ID_L1SS);
- pcie->cfg_link_cap_l1sub = val + PCI_L1SS_CAP;
+ l1ss = dw_pcie_find_ext_capability(pci, PCI_EXT_CAP_ID_L1SS);
pcie->ras_des_cap = dw_pcie_find_ext_capability(&pcie->pci,
PCI_EXT_CAP_ID_VNDR);
@@ -691,11 +670,11 @@ static void init_host_aspm(struct tegra_pcie_dw *pcie)
PCIE_RAS_DES_EVENT_COUNTER_CONTROL, val);
/* Program T_cmrt and T_pwr_on values */
- val = dw_pcie_readl_dbi(pci, pcie->cfg_link_cap_l1sub);
+ val = dw_pcie_readl_dbi(pci, l1ss + PCI_L1SS_CAP);
val &= ~(PCI_L1SS_CAP_CM_RESTORE_TIME | PCI_L1SS_CAP_P_PWR_ON_VALUE);
val |= (pcie->aspm_cmrt << 8);
val |= (pcie->aspm_pwr_on_t << 19);
- dw_pcie_writel_dbi(pci, pcie->cfg_link_cap_l1sub, val);
+ dw_pcie_writel_dbi(pci, l1ss + PCI_L1SS_CAP, val);
if (pcie->supports_clkreq)
pci->l1ss_support = true;
@@ -723,8 +702,6 @@ static void init_debugfs(struct tegra_pcie_dw *pcie)
aspm_state_cnt);
}
#else
-static inline void disable_aspm_l12(struct tegra_pcie_dw *pcie) { return; }
-static inline void disable_aspm_l11(struct tegra_pcie_dw *pcie) { return; }
static inline void init_host_aspm(struct tegra_pcie_dw *pcie) { return; }
static inline void init_debugfs(struct tegra_pcie_dw *pcie) { return; }
#endif
@@ -928,12 +905,6 @@ static int tegra_pcie_dw_host_init(struct dw_pcie_rp *pp)
init_host_aspm(pcie);
- /* Disable ASPM-L1SS advertisement if there is no CLKREQ routing */
- if (!pcie->supports_clkreq) {
- disable_aspm_l11(pcie);
- disable_aspm_l12(pcie);
- }
-
if (!pcie->of_data->has_l1ss_exit_fix) {
val = dw_pcie_readl_dbi(pci, GEN3_RELATED_OFF);
val &= ~GEN3_RELATED_OFF_GEN3_ZRXDC_NONCOMPL;
@@ -1848,12 +1819,6 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
init_host_aspm(pcie);
- /* Disable ASPM-L1SS advertisement if there is no CLKREQ routing */
- if (!pcie->supports_clkreq) {
- disable_aspm_l11(pcie);
- disable_aspm_l12(pcie);
- }
-
if (!pcie->of_data->has_l1ss_exit_fix) {
val = dw_pcie_readl_dbi(pci, GEN3_RELATED_OFF);
val &= ~GEN3_RELATED_OFF_GEN3_ZRXDC_NONCOMPL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 331/957] PCI: tegra194: Disable L1.2 capability of Tegra234 EP
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 330/957] PCI: tegra194: Remove unnecessary L1SS disable code Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 332/957] PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on Greg Kroah-Hartman
` (631 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit f59df1d9e6bdb6bd7ef65fb5d200900ac40c20ba ]
When Tegra234 is operating in the Endpoint mode with L1.2 enabled, PCIe
link goes down during L1.2 exit. This is because Tegra234 powers up UPHY
PLL immediately without making sure that the REFCLK is stable.
This causes UPHY PLL to fail to lock to the correct frequency and leads to
link going down. There is no hardware fix for this, hence do not advertise
the L1.2 capability in the Endpoint mode.
Fixes: a54e19073718 ("PCI: tegra194: Add Tegra234 PCIe support")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-14-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index 257965ada3bd0..c37be61f2b90a 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -234,6 +234,7 @@ struct tegra_pcie_dw_of_data {
bool has_sbr_reset_fix;
bool has_l1ss_exit_fix;
bool has_ltr_req_fix;
+ bool disable_l1_2;
u32 cdm_chk_int_en_bit;
u32 gen4_preset_vec;
u8 n_fts[2];
@@ -679,6 +680,23 @@ static void init_host_aspm(struct tegra_pcie_dw *pcie)
if (pcie->supports_clkreq)
pci->l1ss_support = true;
+ /*
+ * Disable L1.2 capability advertisement for Tegra234 Endpoint mode.
+ * Tegra234 has a hardware bug where during L1.2 exit, the UPHY PLL is
+ * powered up immediately without waiting for REFCLK to stabilize. This
+ * causes the PLL to fail to lock to the correct frequency, resulting in
+ * PCIe link loss. Since there is no hardware fix available, we prevent
+ * the Endpoint from advertising L1.2 support by clearing the L1.2 bits
+ * in the L1 PM Substates Capabilities register. This ensures the host
+ * will not attempt to enter L1.2 state with this Endpoint.
+ */
+ if (pcie->of_data->disable_l1_2 &&
+ pcie->of_data->mode == DW_PCIE_EP_TYPE) {
+ val = dw_pcie_readl_dbi(pci, l1ss + PCI_L1SS_CAP);
+ val &= ~(PCI_L1SS_CAP_PCIPM_L1_2 | PCI_L1SS_CAP_ASPM_L1_2);
+ dw_pcie_writel_dbi(pci, l1ss + PCI_L1SS_CAP, val);
+ }
+
/* Program L0s and L1 entrance latencies */
val = dw_pcie_readl_dbi(pci, PCIE_PORT_AFR);
val &= ~PORT_AFR_L0S_ENTRANCE_LAT_MASK;
@@ -2443,6 +2461,7 @@ static const struct tegra_pcie_dw_of_data tegra234_pcie_dw_ep_of_data = {
.mode = DW_PCIE_EP_TYPE,
.has_l1ss_exit_fix = true,
.has_ltr_req_fix = true,
+ .disable_l1_2 = true,
.cdm_chk_int_en_bit = BIT(18),
/* Gen4 - 6, 8 and 9 presets enabled */
.gen4_preset_vec = 0x340,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 332/957] PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 331/957] PCI: tegra194: Disable L1.2 capability of Tegra234 EP Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 333/957] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
` (630 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manikanta Maddireddy,
Manivannan Sadhasivam, Bjorn Helgaas, Jon Hunter, Vidya Sagar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manikanta Maddireddy <mmaddireddy@nvidia.com>
[ Upstream commit 34b3eef48d980cd37b876e128bbf314f69fb5d70 ]
When PERST# is deasserted twice (assert -> deassert -> assert -> deassert),
a CBB (Control Backbone) timeout occurs at DBI register offset 0x8bc
(PCIE_MISC_CONTROL_1_OFF). This happens because pci_epc_deinit_notify()
and dw_pcie_ep_cleanup() are called before reset_control_deassert() powers
on the controller core.
The call chain that causes the timeout:
pex_ep_event_pex_rst_deassert()
pci_epc_deinit_notify()
pci_epf_test_epc_deinit()
pci_epf_test_clear_bar()
pci_epc_clear_bar()
dw_pcie_ep_clear_bar()
__dw_pcie_ep_reset_bar()
dw_pcie_dbi_ro_wr_en() <- Accesses 0x8bc DBI register
reset_control_deassert(pcie->core_rst) <- Core powered on HERE
The DBI registers, including PCIE_MISC_CONTROL_1_OFF (0x8bc), are only
accessible after the controller core is powered on via
reset_control_deassert(pcie->core_rst). Accessing them before this point
results in a CBB timeout because the hardware is not yet operational.
Fix this by moving pci_epc_deinit_notify() and dw_pcie_ep_cleanup() to
after reset_control_deassert(pcie->core_rst), ensuring the controller is
fully powered on before any DBI register accesses occur.
Fixes: 40e2125381dc ("PCI: tegra194: Move controller cleanups to pex_ep_event_pex_rst_deassert()")
Signed-off-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Link: https://patch.msgid.link/20260324190755.1094879-15-mmaddireddy@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-tegra194.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
index c37be61f2b90a..fdbf440fb3819 100644
--- a/drivers/pci/controller/dwc/pcie-tegra194.c
+++ b/drivers/pci/controller/dwc/pcie-tegra194.c
@@ -1750,10 +1750,6 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
goto fail_phy;
}
- /* Perform cleanup that requires refclk */
- pci_epc_deinit_notify(pcie->pci.ep.epc);
- dw_pcie_ep_cleanup(&pcie->pci.ep);
-
/* Clear any stale interrupt statuses */
appl_writel(pcie, 0xFFFFFFFF, APPL_INTR_STATUS_L0);
appl_writel(pcie, 0xFFFFFFFF, APPL_INTR_STATUS_L1_0_0);
@@ -1823,6 +1819,10 @@ static void pex_ep_event_pex_rst_deassert(struct tegra_pcie_dw *pcie)
reset_control_deassert(pcie->core_rst);
+ /* Perform cleanup that requires refclk and core reset deasserted */
+ pci_epc_deinit_notify(pcie->pci.ep.epc);
+ dw_pcie_ep_cleanup(&pcie->pci.ep);
+
val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
val &= ~PORT_LOGIC_SPEED_CHANGE;
dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, val);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 333/957] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 332/957] PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 334/957] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
` (629 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit ab00febad191d7a4400aa1c3468279fb508258d4 ]
mtk_snand_probe() registers the on-host NAND ECC engine, but teardown was
missing from both probe unwind and remove-time cleanup. Add a devm cleanup
action after successful registration so
nand_ecc_unregister_on_host_hw_engine() runs automatically on probe
failures and during device removal.
Fixes: 764f1b748164 ("spi: add driver for MTK SPI NAND Flash Interface")
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/20263f885f1a9c9d559f95275298cd6de4b11ed5.1775546401.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-mtk-snfi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/spi/spi-mtk-snfi.c b/drivers/spi/spi-mtk-snfi.c
index ae38c244e2581..a026b0e61994b 100644
--- a/drivers/spi/spi-mtk-snfi.c
+++ b/drivers/spi/spi-mtk-snfi.c
@@ -1303,6 +1303,13 @@ static const struct spi_controller_mem_caps mtk_snand_mem_caps = {
.ecc = true,
};
+static void mtk_unregister_ecc_engine(void *data)
+{
+ struct nand_ecc_engine *eng = data;
+
+ nand_ecc_unregister_on_host_hw_engine(eng);
+}
+
static irqreturn_t mtk_snand_irq(int irq, void *id)
{
struct mtk_snand *snf = id;
@@ -1443,6 +1450,13 @@ static int mtk_snand_probe(struct platform_device *pdev)
goto release_ecc;
}
+ ret = devm_add_action_or_reset(&pdev->dev, mtk_unregister_ecc_engine,
+ &ms->ecc_eng);
+ if (ret) {
+ dev_err_probe(&pdev->dev, ret, "failed to add ECC unregister action\n");
+ goto release_ecc;
+ }
+
ctlr->num_chipselect = 1;
ctlr->mem_ops = &mtk_snand_mem_ops;
ctlr->mem_caps = &mtk_snand_mem_caps;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 334/957] ALSA: sc6000: Keep the programmed board state in card-private data
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 333/957] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 335/957] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
` (628 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit fb79bf127ac2577b4876132da6dba768018aad4c ]
The driver may auto-select IRQ and DMA resources at probe time, but
sc6000_init_board() still derives the SC-6000 soft configuration from
the module parameter arrays. When irq=auto or dma=auto is used, the
codec is created with the selected resources while the board is
programmed with the unresolved values.
Store the mapped ports and generated SC-6000 board configuration in
card-private data, build that configuration from the live probe
results instead of the raw module parameters, and keep the probe-time
board programming in a shared helper.
This fixes the resource-programming mismatch and leaves the driver
with a stable board-state block that can be reused by suspend/resume.
Fixes: c282866101bf ("ALSA: sc6000: add support for SC-6600 and SC-7000")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260410-alsa-sc6000-pm-v1-1-4d9e95493d26@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/isa/sc6000.c | 152 +++++++++++++++++++++++++++------------------
1 file changed, 92 insertions(+), 60 deletions(-)
diff --git a/sound/isa/sc6000.c b/sound/isa/sc6000.c
index 6d618cc2ba457..9949e06403f61 100644
--- a/sound/isa/sc6000.c
+++ b/sound/isa/sc6000.c
@@ -100,6 +100,15 @@ MODULE_PARM_DESC(joystick, "Enable gameport.");
#define PFX "sc6000: "
#define DRV_NAME "SC-6000"
+struct snd_sc6000 {
+ char __iomem *vport;
+ char __iomem *vmss_port;
+ u8 mss_config;
+ u8 config;
+ u8 hw_cfg[2];
+ bool old_dsp;
+};
+
/* hardware dependent functions */
/*
@@ -267,7 +276,7 @@ static int sc6000_dsp_reset(char __iomem *vport)
/* detection and initialization */
static int sc6000_hw_cfg_write(struct device *devptr,
- char __iomem *vport, const int *cfg)
+ char __iomem *vport, const u8 *cfg)
{
if (sc6000_write(devptr, vport, COMMAND_6C) < 0) {
dev_warn(devptr, "CMD 0x%x: failed!\n", COMMAND_6C);
@@ -353,8 +362,7 @@ static int sc6000_init_mss(struct device *devptr,
return 0;
}
-static void sc6000_hw_cfg_encode(struct device *devptr,
- char __iomem *vport, int *cfg,
+static void sc6000_hw_cfg_encode(struct device *devptr, u8 *cfg,
long xport, long xmpu,
long xmss_port, int joystick)
{
@@ -376,27 +384,83 @@ static void sc6000_hw_cfg_encode(struct device *devptr,
dev_dbg(devptr, "hw cfg %x, %x\n", cfg[0], cfg[1]);
}
-static int sc6000_init_board(struct device *devptr,
- char __iomem *vport,
- char __iomem *vmss_port, int dev)
+static void sc6000_prepare_board(struct device *devptr,
+ struct snd_sc6000 *sc6000,
+ unsigned int dev, int xirq, int xdma)
+{
+ sc6000->mss_config = sc6000_irq_to_softcfg(xirq) |
+ sc6000_dma_to_softcfg(xdma);
+ sc6000->config = sc6000->mss_config |
+ sc6000_mpu_irq_to_softcfg(mpu_irq[dev]);
+ sc6000_hw_cfg_encode(devptr, sc6000->hw_cfg, port[dev], mpu_port[dev],
+ mss_port[dev], joystick[dev]);
+}
+
+static void sc6000_detect_old_dsp(struct device *devptr,
+ struct snd_sc6000 *sc6000)
+{
+ sc6000_write(devptr, sc6000->vport, COMMAND_5C);
+ sc6000->old_dsp = sc6000_read(sc6000->vport) < 0;
+}
+
+static int sc6000_program_board(struct device *devptr,
+ struct snd_sc6000 *sc6000)
+{
+ int err;
+
+ if (!sc6000->old_dsp) {
+ if (sc6000_hw_cfg_write(devptr, sc6000->vport,
+ sc6000->hw_cfg) < 0) {
+ dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
+ return -EIO;
+ }
+ }
+
+ err = sc6000_setup_board(devptr, sc6000->vport, sc6000->config);
+ if (err < 0) {
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
+ return -ENODEV;
+ }
+
+ sc6000_dsp_reset(sc6000->vport);
+
+ if (!sc6000->old_dsp) {
+ sc6000_write(devptr, sc6000->vport, COMMAND_60);
+ sc6000_write(devptr, sc6000->vport, 0x02);
+ sc6000_dsp_reset(sc6000->vport);
+ }
+
+ err = sc6000_setup_board(devptr, sc6000->vport, sc6000->config);
+ if (err < 0) {
+ dev_err(devptr, "sc6000_setup_board: failed!\n");
+ return -ENODEV;
+ }
+
+ err = sc6000_init_mss(devptr, sc6000->vport, sc6000->config,
+ sc6000->vmss_port, sc6000->mss_config);
+ if (err < 0) {
+ dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
+ return -ENODEV;
+ }
+
+ return 0;
+}
+
+static int sc6000_init_board(struct device *devptr, struct snd_sc6000 *sc6000)
{
char answer[15];
char version[2];
- int mss_config = sc6000_irq_to_softcfg(irq[dev]) |
- sc6000_dma_to_softcfg(dma[dev]);
- int config = mss_config |
- sc6000_mpu_irq_to_softcfg(mpu_irq[dev]);
int err;
- int old = 0;
- err = sc6000_dsp_reset(vport);
+ err = sc6000_dsp_reset(sc6000->vport);
if (err < 0) {
dev_err(devptr, "sc6000_dsp_reset: failed!\n");
return err;
}
memset(answer, 0, sizeof(answer));
- err = sc6000_dsp_get_answer(devptr, vport, GET_DSP_COPYRIGHT, answer, 15);
+ err = sc6000_dsp_get_answer(devptr, sc6000->vport, GET_DSP_COPYRIGHT,
+ answer, 15);
if (err <= 0) {
dev_err(devptr, "sc6000_dsp_copyright: failed!\n");
return -ENODEV;
@@ -408,54 +472,17 @@ static int sc6000_init_board(struct device *devptr,
if (strncmp("SC-6000", answer, 7))
dev_warn(devptr, "Warning: non SC-6000 audio card!\n");
- if (sc6000_dsp_get_answer(devptr, vport, GET_DSP_VERSION, version, 2) < 2) {
+ if (sc6000_dsp_get_answer(devptr, sc6000->vport,
+ GET_DSP_VERSION, version, 2) < 2) {
dev_err(devptr, "sc6000_dsp_version: failed!\n");
return -ENODEV;
}
dev_info(devptr, "Detected model: %s, DSP version %d.%d\n",
answer, version[0], version[1]);
- /* set configuration */
- sc6000_write(devptr, vport, COMMAND_5C);
- if (sc6000_read(vport) < 0)
- old = 1;
-
- if (!old) {
- int cfg[2];
- sc6000_hw_cfg_encode(devptr,
- vport, &cfg[0], port[dev], mpu_port[dev],
- mss_port[dev], joystick[dev]);
- if (sc6000_hw_cfg_write(devptr, vport, cfg) < 0) {
- dev_err(devptr, "sc6000_hw_cfg_write: failed!\n");
- return -EIO;
- }
- }
- err = sc6000_setup_board(devptr, vport, config);
- if (err < 0) {
- dev_err(devptr, "sc6000_setup_board: failed!\n");
- return -ENODEV;
- }
-
- sc6000_dsp_reset(vport);
-
- if (!old) {
- sc6000_write(devptr, vport, COMMAND_60);
- sc6000_write(devptr, vport, 0x02);
- sc6000_dsp_reset(vport);
- }
+ sc6000_detect_old_dsp(devptr, sc6000);
- err = sc6000_setup_board(devptr, vport, config);
- if (err < 0) {
- dev_err(devptr, "sc6000_setup_board: failed!\n");
- return -ENODEV;
- }
- err = sc6000_init_mss(devptr, vport, config, vmss_port, mss_config);
- if (err < 0) {
- dev_err(devptr, "Cannot initialize Microsoft Sound System mode.\n");
- return -ENODEV;
- }
-
- return 0;
+ return sc6000_program_board(devptr, sc6000);
}
static int snd_sc6000_mixer(struct snd_wss *chip)
@@ -538,10 +565,10 @@ static int snd_sc6000_match(struct device *devptr, unsigned int dev)
static void snd_sc6000_free(struct snd_card *card)
{
- char __iomem *vport = (char __force __iomem *)card->private_data;
+ struct snd_sc6000 *sc6000 = card->private_data;
- if (vport)
- sc6000_setup_board(card->dev, vport, 0);
+ if (sc6000->vport)
+ sc6000_setup_board(card->dev, sc6000->vport, 0);
}
static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
@@ -552,15 +579,17 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
int xirq = irq[dev];
int xdma = dma[dev];
struct snd_card *card;
+ struct snd_sc6000 *sc6000;
struct snd_wss *chip;
struct snd_opl3 *opl3;
char __iomem *vport;
char __iomem *vmss_port;
err = snd_devm_card_new(devptr, index[dev], id[dev], THIS_MODULE,
- 0, &card);
+ sizeof(*sc6000), &card);
if (err < 0)
return err;
+ sc6000 = card->private_data;
if (xirq == SNDRV_AUTO_IRQ) {
xirq = snd_legacy_find_free_irq(possible_irqs);
@@ -587,7 +616,7 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
dev_err(devptr, "I/O port cannot be iomapped.\n");
return -EBUSY;
}
- card->private_data = (void __force *)vport;
+ sc6000->vport = vport;
/* to make it marked as used */
if (!devm_request_region(devptr, mss_port[dev], 4, DRV_NAME)) {
@@ -600,12 +629,15 @@ static int __snd_sc6000_probe(struct device *devptr, unsigned int dev)
dev_err(devptr, "MSS port I/O cannot be iomapped.\n");
return -EBUSY;
}
+ sc6000->vmss_port = vmss_port;
dev_dbg(devptr, "Initializing BASE[0x%lx] IRQ[%d] DMA[%d] MIRQ[%d]\n",
port[dev], xirq, xdma,
mpu_irq[dev] == SNDRV_AUTO_IRQ ? 0 : mpu_irq[dev]);
- err = sc6000_init_board(devptr, vport, vmss_port, dev);
+ sc6000_prepare_board(devptr, sc6000, dev, xirq, xdma);
+
+ err = sc6000_init_board(devptr, sc6000);
if (err < 0)
return err;
card->private_free = snd_sc6000_free;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 335/957] dm cache: fix missing return in invalidate_committeds error path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 334/957] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 336/957] sched_ext: Track @ps rq lock across set_cpus_allowed_scx -> ops.set_cpumask Greg Kroah-Hartman
` (627 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Ming-Hung Tsai,
Mikulas Patocka, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
[ Upstream commit 8c0ee19db81f0fa1ff25fd75b22b17c0cc2acde3 ]
In passthrough mode, dm-cache defers write submission until after
metadata commit completes via the invalidate_committed() continuation.
On commit error, invalidate_committed() calls invalidate_complete() to
end the bio and free the migration struct, after which it should return
immediately.
The patch 4ca8b8bd952d ("dm cache: fix write hang in passthrough mode")
omitted this early return, causing execution to fall through into the
success path on error. This results in use-after-free on the migration
struct in the subsequent calls.
Fix by adding the missing return after the invalidate_complete() call.
Fixes: 4ca8b8bd952d ("dm cache: fix write hang in passthrough mode")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/dm-devel/adjMq6T5RRjv_uxM@stanley.mountain/
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-target.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index 9c64fe56ecb6c..bb0b484d4d687 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1521,8 +1521,10 @@ static void invalidate_committed(struct work_struct *ws)
struct bio *bio = mg->overwrite_bio;
struct per_bio_data *pb = get_per_bio_data(bio);
- if (mg->k.input)
+ if (mg->k.input) {
invalidate_complete(mg, false);
+ return;
+ }
init_continuation(&mg->k, invalidate_completed);
remap_to_origin_clear_discard(cache, bio, mg->invalidate_oblock);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 336/957] sched_ext: Track @ps rq lock across set_cpus_allowed_scx -> ops.set_cpumask
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 335/957] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 337/957] sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking Greg Kroah-Hartman
` (626 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tejun Heo, Andrea Righi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 9fb457074f6d118b30458624223abef985725a88 ]
The SCX_CALL_OP_TASK call site passes rq=NULL incorrectly, leaving
scx_locked_rq() unset. Pass task_rq(p) instead so update_locked_rq()
reflects reality.
v2: Add Fixes: tag (Andrea Righi).
Fixes: 18853ba782be ("sched_ext: Track currently locked rq")
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 177bbf31116d0..17905ad77598c 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -2606,7 +2606,7 @@ static void set_cpus_allowed_scx(struct task_struct *p,
* designation pointless. Cast it away when calling the operation.
*/
if (SCX_HAS_OP(sch, set_cpumask))
- SCX_CALL_OP_TASK(sch, SCX_KF_REST, set_cpumask, NULL,
+ SCX_CALL_OP_TASK(sch, SCX_KF_REST, set_cpumask, task_rq(p),
p, (struct cpumask *)p->cpus_ptr);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 337/957] sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 336/957] sched_ext: Track @ps rq lock across set_cpus_allowed_scx -> ops.set_cpumask Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 338/957] crypto: jitterentropy - replace long-held spinlock with mutex Greg Kroah-Hartman
` (625 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tejun Heo, Andrea Righi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit b470e37c1fad72731be6f437e233cb6b16618f41 ]
sched_move_task() invokes ops.cgroup_move() inside task_rq_lock(tsk), so
@p's rq lock is held. The SCX_CALL_OP_TASK invocation mislabels this:
- kf_mask = SCX_KF_UNLOCKED (== 0), claiming no lock is held.
- rq = NULL, so update_locked_rq() doesn't run and scx_locked_rq()
returns NULL.
Switch to SCX_KF_REST and pass task_rq(p), matching ops.set_cpumask()
from set_cpus_allowed_scx().
Three effects:
- scx_bpf_task_cgroup() becomes callable (was rejected by
scx_kf_allowed(__SCX_KF_RQ_LOCKED)). Safe; rq lock is held.
- scx_bpf_dsq_move() is now rejected (was allowed via the unlocked
branch). Calling it while holding an unrelated task's rq lock is
risky; rejection is correct.
- scx_bpf_select_cpu_*() previously took the unlocked branch in
select_cpu_from_kfunc() and called task_rq_lock(p, &rf), which
would deadlock against the already-held pi_lock. Now it takes the
locked-rq branch and is rejected with -EPERM via the existing
kf_allowed(SCX_KF_SELECT_CPU | SCX_KF_ENQUEUE) check. Latent
deadlock fix.
No in-tree scheduler is known to call any of these from ops.cgroup_move().
v2: Add Fixes: tag (Andrea Righi).
Fixes: 18853ba782be ("sched_ext: Track currently locked rq")
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 17905ad77598c..32bb89559716e 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -3225,7 +3225,7 @@ void scx_cgroup_move_task(struct task_struct *p)
*/
if (SCX_HAS_OP(sch, cgroup_move) &&
!WARN_ON_ONCE(!p->scx.cgrp_moving_from))
- SCX_CALL_OP_TASK(sch, SCX_KF_UNLOCKED, cgroup_move, NULL,
+ SCX_CALL_OP_TASK(sch, SCX_KF_REST, cgroup_move, task_rq(p),
p, p->scx.cgrp_moving_from,
tg_cgrp(task_group(p)));
p->scx.cgrp_moving_from = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 338/957] crypto: jitterentropy - replace long-held spinlock with mutex
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 337/957] sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 339/957] ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
` (624 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Haixin Xu, Stephan Mueller, Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haixin Xu <jerryxucs@gmail.com>
[ Upstream commit 01d798e9feb30212952d4e992801ba6bd6a82351 ]
jent_kcapi_random() serializes the shared jitterentropy state, but it
currently holds a spinlock across the jent_read_entropy() call. That
path performs expensive jitter collection and SHA3 conditioning, so
parallel readers can trigger stalls as contending waiters spin for
the same lock.
To prevent non-preemptible lock hold, replace rng->jent_lock with a
mutex so contended readers sleep instead of spinning on a shared lock
held across expensive entropy generation.
Fixes: bb5530e40824 ("crypto: jitterentropy - add jitterentropy RNG")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Haixin Xu <jerryxucs@gmail.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/jitterentropy-kcapi.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index a53de7affe8d1..e9cd2b27d1e3c 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -42,6 +42,7 @@
#include <linux/fips.h>
#include <linux/kernel.h>
#include <linux/module.h>
+#include <linux/mutex.h>
#include <linux/slab.h>
#include <linux/time.h>
#include <crypto/internal/rng.h>
@@ -193,7 +194,7 @@ int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len)
***************************************************************************/
struct jitterentropy {
- spinlock_t jent_lock;
+ struct mutex jent_lock;
struct rand_data *entropy_collector;
struct crypto_shash *tfm;
struct shash_desc *sdesc;
@@ -203,7 +204,7 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
{
struct jitterentropy *rng = crypto_tfm_ctx(tfm);
- spin_lock(&rng->jent_lock);
+ mutex_lock(&rng->jent_lock);
if (rng->sdesc) {
shash_desc_zero(rng->sdesc);
@@ -218,7 +219,7 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
if (rng->entropy_collector)
jent_entropy_collector_free(rng->entropy_collector);
rng->entropy_collector = NULL;
- spin_unlock(&rng->jent_lock);
+ mutex_unlock(&rng->jent_lock);
}
static int jent_kcapi_init(struct crypto_tfm *tfm)
@@ -228,7 +229,7 @@ static int jent_kcapi_init(struct crypto_tfm *tfm)
struct shash_desc *sdesc;
int size, ret = 0;
- spin_lock_init(&rng->jent_lock);
+ mutex_init(&rng->jent_lock);
/*
* Use SHA3-256 as conditioner. We allocate only the generic
@@ -265,7 +266,6 @@ static int jent_kcapi_init(struct crypto_tfm *tfm)
goto err;
}
- spin_lock_init(&rng->jent_lock);
return 0;
err:
@@ -280,7 +280,7 @@ static int jent_kcapi_random(struct crypto_rng *tfm,
struct jitterentropy *rng = crypto_rng_ctx(tfm);
int ret = 0;
- spin_lock(&rng->jent_lock);
+ mutex_lock(&rng->jent_lock);
ret = jent_read_entropy(rng->entropy_collector, rdata, dlen);
@@ -306,7 +306,7 @@ static int jent_kcapi_random(struct crypto_rng *tfm,
ret = -EINVAL;
}
- spin_unlock(&rng->jent_lock);
+ mutex_unlock(&rng->jent_lock);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 339/957] ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 338/957] crypto: jitterentropy - replace long-held spinlock with mutex Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 340/957] ALSA: hda/realtek - fixed speaker no sound update Greg Kroah-Hartman
` (623 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geoffrey D. Bennett <g@b4.vu>
[ Upstream commit a47306a74c31557b1e5cab54642950bbb20294cb ]
Same issue as the other 1st Gen Scarletts: QUIRK_FLAG_SKIP_IFACE_SETUP
causes distorted audio on the Scarlett 18i20 1st Gen (1235:800c).
Fixes: 38c322068a26 ("ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP")
Reported-by: tucktuckg00se [https://github.com/geoffreybennett/linux-fcp/issues/54]
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/ad0ozNnkcFrcjVQz@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index a2c039a1b3cd6..f21e708675422 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2426,6 +2426,7 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_VALIDATE_RATES),
DEVICE_FLG(0x1235, 0x8006, 0), /* Focusrite Scarlett 2i2 1st Gen */
DEVICE_FLG(0x1235, 0x800a, 0), /* Focusrite Scarlett 2i4 1st Gen */
+ DEVICE_FLG(0x1235, 0x800c, 0), /* Focusrite Scarlett 18i20 1st Gen */
DEVICE_FLG(0x1235, 0x8016, 0), /* Focusrite Scarlett 2i2 1st Gen */
DEVICE_FLG(0x1235, 0x801c, 0), /* Focusrite Scarlett Solo 1st Gen */
VENDOR_FLG(0x1235, /* Focusrite Novation */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 340/957] ALSA: hda/realtek - fixed speaker no sound update
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 339/957] ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 341/957] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
` (622 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kailang Yang, Takashi Iwai,
Sasha Levin, Jeremy Bethmont
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kailang Yang <kailang@realtek.com>
[ Upstream commit 46c862f5419e0a86b60b9f9558d247f6084c99f9 ]
Fixed speaker has pop noise on Lenovo Thinkpad X11 Carbon Gen 12.
Fixes: 630fbc6e870e ("ALSA: hda/realtek - fixed speaker no sound")
Reported-and-tested-by: Jeremy Bethmont <jeremy.bethmont@gmail.com>
Closes: https://lore.kernel.org/CAC88DfsHrhyhy0Pn1O-z9egBvMYu=6NYgcvcC6KCgwh_-Ldkxg@mail.gmail.com
Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index a2ecbe1412632..e14caa040fc92 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -3615,22 +3615,11 @@ static void alc287_alc1318_playback_pcm_hook(struct hda_pcm_stream *hinfo,
struct snd_pcm_substream *substream,
int action)
{
- static const struct coef_fw dis_coefs[] = {
- WRITE_COEF(0x24, 0x0013), WRITE_COEF(0x25, 0x0000), WRITE_COEF(0x26, 0xC203),
- WRITE_COEF(0x28, 0x0004), WRITE_COEF(0x29, 0xb023),
- }; /* Disable AMP silence detection */
- static const struct coef_fw en_coefs[] = {
- WRITE_COEF(0x24, 0x0013), WRITE_COEF(0x25, 0x0000), WRITE_COEF(0x26, 0xC203),
- WRITE_COEF(0x28, 0x0084), WRITE_COEF(0x29, 0xb023),
- }; /* Enable AMP silence detection */
-
switch (action) {
case HDA_GEN_PCM_ACT_OPEN:
- alc_process_coef_fw(codec, dis_coefs);
alc_write_coefex_idx(codec, 0x5a, 0x00, 0x954f); /* write gpio3 to high */
break;
case HDA_GEN_PCM_ACT_CLOSE:
- alc_process_coef_fw(codec, en_coefs);
alc_write_coefex_idx(codec, 0x5a, 0x00, 0x554f); /* write gpio3 as default value */
break;
}
@@ -3653,10 +3642,15 @@ static void alc287_fixup_lenovo_thinkpad_with_alc1318(struct hda_codec *codec,
WRITE_COEF(0x24, 0x0013), WRITE_COEF(0x25, 0x0000), WRITE_COEF(0x26, 0xC301),
WRITE_COEF(0x28, 0x0001), WRITE_COEF(0x29, 0xb023),
};
+ static const struct coef_fw dis_coefs[] = {
+ WRITE_COEF(0x24, 0x0013), WRITE_COEF(0x25, 0x0000), WRITE_COEF(0x26, 0xC203),
+ WRITE_COEF(0x28, 0x0004), WRITE_COEF(0x29, 0xb023),
+ }; /* Disable AMP silence detection */
if (action != HDA_FIXUP_ACT_PRE_PROBE)
return;
alc_update_coef_idx(codec, 0x10, 1<<11, 1<<11);
+ alc_process_coef_fw(codec, dis_coefs);
alc_process_coef_fw(codec, coefs);
spec->power_hook = alc287_s4_power_gpio3_default;
spec->gen.pcm_playback_hook = alc287_alc1318_playback_pcm_hook;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 341/957] gfs2: Call unlock_new_inode before d_instantiate
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 340/957] ALSA: hda/realtek - fixed speaker no sound update Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 342/957] fanotify: avoid/silence premature LSM capability checks Greg Kroah-Hartman
` (621 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0ea5108a1f5fb4fcc2d8,
Andreas Gruenbacher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 2ff7cf7e0640ff071ebc5c7e3dc2df024a7c91e6 ]
As Neil Brown describes in detail in the link referenced below, new
inodes must be unlocked before they can be instantiated.
An even better fix is to use d_instantiate_new(), which combines
d_instantiate() and unlock_new_inode().
Fixes: 3d36e57ff768 ("gfs2: gfs2_create_inode rework")
Reported-by: syzbot+0ea5108a1f5fb4fcc2d8@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-fsdevel/177153754005.8396.8777398743501764194@noble.neil.brown.name/
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 03dd54fb7e8c8..12e5792190650 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -892,7 +892,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
goto fail_gunlock4;
mark_inode_dirty(inode);
- d_instantiate(dentry, inode);
+ d_instantiate_new(dentry, inode);
/* After instantiate, errors should result in evict which will destroy
* both inode and iopen glocks properly. */
if (file) {
@@ -904,7 +904,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
gfs2_glock_dq_uninit(&gh);
gfs2_glock_put(io_gl);
gfs2_qa_put(dip);
- unlock_new_inode(inode);
return error;
fail_gunlock4:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 342/957] fanotify: avoid/silence premature LSM capability checks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 341/957] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 343/957] fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() Greg Kroah-Hartman
` (620 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek, Paul Moore,
Amir Goldstein, Jan Kara, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 0d5ee3373426395478c355f3e93ba4b1118a04e9 ]
Make sure calling capable()/ns_capable() actually leads to access denied
when false is returned, because these functions emit an audit record
when a Linux Security Module denies the capability, which makes it
difficult to avoid allowing/silencing unnecessary permissions in
security policies (namely with SELinux).
Where the return value just used to set a flag, use the non-auditing
ns_capable_noaudit() instead.
Fixes: 7cea2a3c505e ("fanotify: support limited functionality for unprivileged users")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/20260216150625.793013-2-omosnace@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/notify/fanotify/fanotify_user.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 1dadda82cae51..1c05c11e3cb25 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1611,17 +1611,18 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
pr_debug("%s: flags=%x event_f_flags=%x\n",
__func__, flags, event_f_flags);
- if (!capable(CAP_SYS_ADMIN)) {
- /*
- * An unprivileged user can setup an fanotify group with
- * limited functionality - an unprivileged group is limited to
- * notification events with file handles or mount ids and it
- * cannot use unlimited queue/marks.
- */
- if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||
- !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT)))
- return -EPERM;
+ /*
+ * An unprivileged user can setup an fanotify group with limited
+ * functionality - an unprivileged group is limited to notification
+ * events with file handles or mount ids and it cannot use unlimited
+ * queue/marks.
+ */
+ if (((flags & FANOTIFY_ADMIN_INIT_FLAGS) ||
+ !(flags & (FANOTIFY_FID_BITS | FAN_REPORT_MNT))) &&
+ !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
/*
* Setting the internal flag FANOTIFY_UNPRIV on the group
* prevents setting mount/filesystem marks on this group and
@@ -2006,8 +2007,8 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
* A user is allowed to setup sb/mount/mntns marks only if it is
* capable in the user ns where the group was created.
*/
- if (!ns_capable(group->user_ns, CAP_SYS_ADMIN) &&
- mark_type != FAN_MARK_INODE)
+ if (mark_type != FAN_MARK_INODE &&
+ !ns_capable(group->user_ns, CAP_SYS_ADMIN))
return -EPERM;
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 343/957] fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 342/957] fanotify: avoid/silence premature LSM capability checks Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 344/957] fuse: fix premature writetrhough request for large folio Greg Kroah-Hartman
` (619 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek, Amir Goldstein,
Paul Moore, Jan Kara, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 66052a768d4726a31e939b5ac902f2b0b452c8d5 ]
The latter trigger LSM (e.g. SELinux) checks, which will log a denial
when permission is denied, so it's better to do them after validity
checks to avoid logging a denial when the operation would fail anyway.
Fixes: 0b3b094ac9a7 ("fanotify: Disallow permission events for proc filesystem")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20260216150625.793013-3-omosnace@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/notify/fanotify/fanotify_user.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 1c05c11e3cb25..5c30f4d8c7c16 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1210,6 +1210,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
*path = fd_file(f)->f_path;
path_get(path);
+ ret = 0;
} else {
unsigned int lookup_flags = 0;
@@ -1219,22 +1220,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
lookup_flags |= LOOKUP_DIRECTORY;
ret = user_path_at(dfd, filename, lookup_flags, path);
- if (ret)
- goto out;
}
-
- /* you can only watch an inode if you have read permissions on it */
- ret = path_permission(path, MAY_READ);
- if (ret) {
- path_put(path);
- goto out;
- }
-
- ret = security_path_notify(path, mask, obj_type);
- if (ret)
- path_put(path);
-
-out:
return ret;
}
@@ -2074,6 +2060,15 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
goto path_put_and_out;
}
+ /* you can only watch an inode if you have read permissions on it */
+ ret = path_permission(&path, MAY_READ);
+ if (ret)
+ goto path_put_and_out;
+
+ ret = security_path_notify(&path, mask, obj_type);
+ if (ret)
+ goto path_put_and_out;
+
if (fid_mode) {
ret = fanotify_test_fsid(path.dentry, flags, &__fsid);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 344/957] fuse: fix premature writetrhough request for large folio
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 343/957] fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 345/957] dcache: export shrink_dentry_list() and add new helper d_dispose_if_unused() Greg Kroah-Hartman
` (618 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horst Birthelmer, Joanne Koong,
Jingbo Xu, Miklos Szeredi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jingbo Xu <jefflexu@linux.alibaba.com>
[ Upstream commit 5223e0470e7bb7910038fe3d31171490e00fbbb9 ]
When large folio is enabled and the initial folio offset exceeds
PAGE_SIZE, e.g. the position resides in the second page of a large
folio, after the folio copying the offset (in the page) won't be updated
to 0 even though the expected range is successfully copied until the end
of the folio. In this case fuse_fill_write_pages() exits prematurelly
before the request has reached the max_write/max_pages limit.
Fix this by eliminating page offset entirely and use folio offset
instead.
Fixes: d60a6015e1a2 ("fuse: support large folios for writethrough writes")
Reviewed-by: Horst Birthelmer <hbirthelmer@ddn.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/file.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 6014d588845cd..00ff6374dc76b 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1183,7 +1183,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
{
struct fuse_args_pages *ap = &ia->ap;
struct fuse_conn *fc = get_fuse_conn(mapping->host);
- unsigned offset = pos & (PAGE_SIZE - 1);
size_t count = 0;
unsigned int num;
int err = 0;
@@ -1210,7 +1209,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
if (mapping_writably_mapped(mapping))
flush_dcache_folio(folio);
- folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset;
+ folio_offset = offset_in_folio(folio, pos);
bytes = min(folio_size(folio) - folio_offset, num);
tmp = copy_folio_from_iter_atomic(folio, folio_offset, bytes, ii);
@@ -1240,9 +1239,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
count += tmp;
pos += tmp;
num -= tmp;
- offset += tmp;
- if (offset == folio_size(folio))
- offset = 0;
/* If we copied full folio, mark it uptodate */
if (tmp == folio_size(folio))
@@ -1254,7 +1250,9 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
ia->write.folio_locked = true;
break;
}
- if (!fc->big_writes || offset != 0)
+ if (!fc->big_writes)
+ break;
+ if (folio_offset + tmp != folio_size(folio))
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 345/957] dcache: export shrink_dentry_list() and add new helper d_dispose_if_unused()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 344/957] fuse: fix premature writetrhough request for large folio Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 346/957] fuse: new work queue to periodically invalidate expired dentries Greg Kroah-Hartman
` (617 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miklos Szeredi, Luis Henriques,
Miklos Szeredi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques <luis@igalia.com>
[ Upstream commit 395b95530343e7f4bdd2870190d985a222997fb6 ]
Add and export a new helper d_dispose_if_unused() which is simply a wrapper
around to_shrink_list(), to add an entry to a dispose list if it's not used
anymore.
Also export shrink_dentry_list() to kill all dentries in a dispose list.
Suggested-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Luis Henriques <luis@igalia.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Stable-dep-of: 5a6baf204610 ("fuse: fix uninit-value in fuse_dentry_revalidate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/dcache.c | 18 ++++++++++++------
include/linux/dcache.h | 2 ++
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index 8bf82b002b4d4..fcc8ddf7d3fa4 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1086,6 +1086,15 @@ struct dentry *d_find_alias_rcu(struct inode *inode)
return de;
}
+void d_dispose_if_unused(struct dentry *dentry, struct list_head *dispose)
+{
+ spin_lock(&dentry->d_lock);
+ if (!dentry->d_lockref.count)
+ to_shrink_list(dentry, dispose);
+ spin_unlock(&dentry->d_lock);
+}
+EXPORT_SYMBOL(d_dispose_if_unused);
+
/*
* Try to kill dentries associated with this inode.
* WARNING: you must own a reference to inode.
@@ -1096,12 +1105,8 @@ void d_prune_aliases(struct inode *inode)
struct dentry *dentry;
spin_lock(&inode->i_lock);
- hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
- spin_lock(&dentry->d_lock);
- if (!dentry->d_lockref.count)
- to_shrink_list(dentry, &dispose);
- spin_unlock(&dentry->d_lock);
- }
+ hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias)
+ d_dispose_if_unused(dentry, &dispose);
spin_unlock(&inode->i_lock);
shrink_dentry_list(&dispose);
}
@@ -1141,6 +1146,7 @@ void shrink_dentry_list(struct list_head *list)
shrink_kill(dentry);
}
}
+EXPORT_SYMBOL(shrink_dentry_list);
static enum lru_status dentry_lru_isolate(struct list_head *item,
struct list_lru_one *lru, void *arg)
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
index c83e02b943894..2bc1339bf6d03 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -268,6 +268,8 @@ extern void d_tmpfile(struct file *, struct inode *);
extern struct dentry *d_find_alias(struct inode *);
extern void d_prune_aliases(struct inode *);
+extern void d_dispose_if_unused(struct dentry *, struct list_head *);
+extern void shrink_dentry_list(struct list_head *);
extern struct dentry *d_find_alias_rcu(struct inode *);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 346/957] fuse: new work queue to periodically invalidate expired dentries
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 345/957] dcache: export shrink_dentry_list() and add new helper d_dispose_if_unused() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 18:45 ` Miklos Szeredi
2026-05-20 16:13 ` [PATCH 6.18 347/957] fuse: fix uninit-value in fuse_dentry_revalidate() Greg Kroah-Hartman
` (616 subsequent siblings)
962 siblings, 1 reply; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luis Henriques, Miklos Szeredi,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques <luis@igalia.com>
[ Upstream commit ab84ad5973869a660ca3ad0c54a2b84d975d47c4 ]
This patch adds the necessary infrastructure to keep track of all dentries
created for FUSE file systems. A set of rbtrees, protected by hashed
locks, will be used to keep all these dentries sorted by expiry time.
A new module parameter 'inval_wq' is also added. When set, it will start
a work queue which will periodically invalidate expired dentries. The
value of this new parameter is the period, in seconds, for this work
queue. Once this parameter is set, every new dentry will be added to one
of the rbtrees.
When the work queue is executed, it will check all the rbtrees and will
invalidate those dentries that have timed-out.
The work queue period can not be smaller than 5 seconds, but can be
disabled by setting 'inval_wq' to zero (which is the default).
Signed-off-by: Luis Henriques <luis@igalia.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Stable-dep-of: 5a6baf204610 ("fuse: fix uninit-value in fuse_dentry_revalidate()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dir.c | 216 ++++++++++++++++++++++++++++++++++++++++++-----
fs/fuse/fuse_i.h | 10 +++
fs/fuse/inode.c | 3 +
3 files changed, 208 insertions(+), 21 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index ecaec0fea3a13..77982fdbcf278 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -27,6 +27,67 @@ module_param(allow_sys_admin_access, bool, 0644);
MODULE_PARM_DESC(allow_sys_admin_access,
"Allow users with CAP_SYS_ADMIN in initial userns to bypass allow_other access check");
+struct dentry_bucket {
+ struct rb_root tree;
+ spinlock_t lock;
+};
+
+#define HASH_BITS 5
+#define HASH_SIZE (1 << HASH_BITS)
+static struct dentry_bucket dentry_hash[HASH_SIZE];
+struct delayed_work dentry_tree_work;
+
+/* Minimum invalidation work queue frequency */
+#define FUSE_DENTRY_INVAL_FREQ_MIN 5
+
+unsigned __read_mostly inval_wq;
+static int inval_wq_set(const char *val, const struct kernel_param *kp)
+{
+ unsigned int num;
+ unsigned int old = inval_wq;
+ int ret;
+
+ if (!val)
+ return -EINVAL;
+
+ ret = kstrtouint(val, 0, &num);
+ if (ret)
+ return ret;
+
+ if ((num < FUSE_DENTRY_INVAL_FREQ_MIN) && (num != 0))
+ return -EINVAL;
+
+ /* This should prevent overflow in secs_to_jiffies() */
+ if (num > USHRT_MAX)
+ return -EINVAL;
+
+ *((unsigned int *)kp->arg) = num;
+
+ if (num && !old)
+ schedule_delayed_work(&dentry_tree_work,
+ secs_to_jiffies(num));
+ else if (!num && old)
+ cancel_delayed_work_sync(&dentry_tree_work);
+
+ return 0;
+}
+static const struct kernel_param_ops inval_wq_ops = {
+ .set = inval_wq_set,
+ .get = param_get_uint,
+};
+module_param_cb(inval_wq, &inval_wq_ops, &inval_wq, 0644);
+__MODULE_PARM_TYPE(inval_wq, "uint");
+MODULE_PARM_DESC(inval_wq,
+ "Dentries invalidation work queue period in secs (>= "
+ __stringify(FUSE_DENTRY_INVAL_FREQ_MIN) ").");
+
+static inline struct dentry_bucket *get_dentry_bucket(struct dentry *dentry)
+{
+ int i = hash_ptr(dentry, HASH_BITS);
+
+ return &dentry_hash[i];
+}
+
static void fuse_advise_use_readdirplus(struct inode *dir)
{
struct fuse_inode *fi = get_fuse_inode(dir);
@@ -34,33 +95,131 @@ static void fuse_advise_use_readdirplus(struct inode *dir)
set_bit(FUSE_I_ADVISE_RDPLUS, &fi->state);
}
-#if BITS_PER_LONG >= 64
-static inline void __fuse_dentry_settime(struct dentry *entry, u64 time)
+struct fuse_dentry {
+ u64 time;
+ union {
+ struct rcu_head rcu;
+ struct rb_node node;
+ };
+ struct dentry *dentry;
+};
+
+static void __fuse_dentry_tree_del_node(struct fuse_dentry *fd,
+ struct dentry_bucket *bucket)
{
- entry->d_fsdata = (void *) time;
+ if (!RB_EMPTY_NODE(&fd->node)) {
+ rb_erase(&fd->node, &bucket->tree);
+ RB_CLEAR_NODE(&fd->node);
+ }
}
-static inline u64 fuse_dentry_time(const struct dentry *entry)
+static void fuse_dentry_tree_del_node(struct dentry *dentry)
{
- return (u64)entry->d_fsdata;
+ struct fuse_dentry *fd = dentry->d_fsdata;
+ struct dentry_bucket *bucket = get_dentry_bucket(dentry);
+
+ spin_lock(&bucket->lock);
+ __fuse_dentry_tree_del_node(fd, bucket);
+ spin_unlock(&bucket->lock);
}
-#else
-union fuse_dentry {
- u64 time;
- struct rcu_head rcu;
-};
+static void fuse_dentry_tree_add_node(struct dentry *dentry)
+{
+ struct fuse_dentry *fd = dentry->d_fsdata;
+ struct dentry_bucket *bucket;
+ struct fuse_dentry *cur;
+ struct rb_node **p, *parent = NULL;
+
+ if (!inval_wq)
+ return;
+
+ bucket = get_dentry_bucket(dentry);
+
+ spin_lock(&bucket->lock);
+
+ __fuse_dentry_tree_del_node(fd, bucket);
+
+ p = &bucket->tree.rb_node;
+ while (*p) {
+ parent = *p;
+ cur = rb_entry(*p, struct fuse_dentry, node);
+ if (fd->time < cur->time)
+ p = &(*p)->rb_left;
+ else
+ p = &(*p)->rb_right;
+ }
+ rb_link_node(&fd->node, parent, p);
+ rb_insert_color(&fd->node, &bucket->tree);
+ spin_unlock(&bucket->lock);
+}
+
+/*
+ * work queue which, when enabled, will periodically check for expired dentries
+ * in the dentries tree.
+ */
+static void fuse_dentry_tree_work(struct work_struct *work)
+{
+ LIST_HEAD(dispose);
+ struct fuse_dentry *fd;
+ struct rb_node *node;
+ int i;
+
+ for (i = 0; i < HASH_SIZE; i++) {
+ spin_lock(&dentry_hash[i].lock);
+ node = rb_first(&dentry_hash[i].tree);
+ while (node) {
+ fd = rb_entry(node, struct fuse_dentry, node);
+ if (time_after64(get_jiffies_64(), fd->time)) {
+ rb_erase(&fd->node, &dentry_hash[i].tree);
+ RB_CLEAR_NODE(&fd->node);
+ spin_unlock(&dentry_hash[i].lock);
+ d_dispose_if_unused(fd->dentry, &dispose);
+ cond_resched();
+ spin_lock(&dentry_hash[i].lock);
+ } else
+ break;
+ node = rb_first(&dentry_hash[i].tree);
+ }
+ spin_unlock(&dentry_hash[i].lock);
+ shrink_dentry_list(&dispose);
+ }
+
+ if (inval_wq)
+ schedule_delayed_work(&dentry_tree_work,
+ secs_to_jiffies(inval_wq));
+}
+
+void fuse_dentry_tree_init(void)
+{
+ int i;
+
+ for (i = 0; i < HASH_SIZE; i++) {
+ spin_lock_init(&dentry_hash[i].lock);
+ dentry_hash[i].tree = RB_ROOT;
+ }
+ INIT_DELAYED_WORK(&dentry_tree_work, fuse_dentry_tree_work);
+}
+
+void fuse_dentry_tree_cleanup(void)
+{
+ int i;
+
+ inval_wq = 0;
+ cancel_delayed_work_sync(&dentry_tree_work);
+
+ for (i = 0; i < HASH_SIZE; i++)
+ WARN_ON_ONCE(!RB_EMPTY_ROOT(&dentry_hash[i].tree));
+}
static inline void __fuse_dentry_settime(struct dentry *dentry, u64 time)
{
- ((union fuse_dentry *) dentry->d_fsdata)->time = time;
+ ((struct fuse_dentry *) dentry->d_fsdata)->time = time;
}
static inline u64 fuse_dentry_time(const struct dentry *entry)
{
- return ((union fuse_dentry *) entry->d_fsdata)->time;
+ return ((struct fuse_dentry *) entry->d_fsdata)->time;
}
-#endif
static void fuse_dentry_settime(struct dentry *dentry, u64 time)
{
@@ -81,6 +240,7 @@ static void fuse_dentry_settime(struct dentry *dentry, u64 time)
}
__fuse_dentry_settime(dentry, time);
+ fuse_dentry_tree_add_node(dentry);
}
/*
@@ -283,21 +443,36 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name,
goto out;
}
-#if BITS_PER_LONG < 64
static int fuse_dentry_init(struct dentry *dentry)
{
- dentry->d_fsdata = kzalloc(sizeof(union fuse_dentry),
- GFP_KERNEL_ACCOUNT | __GFP_RECLAIMABLE);
+ struct fuse_dentry *fd;
- return dentry->d_fsdata ? 0 : -ENOMEM;
+ fd = kzalloc(sizeof(struct fuse_dentry),
+ GFP_KERNEL_ACCOUNT | __GFP_RECLAIMABLE);
+ if (!fd)
+ return -ENOMEM;
+
+ fd->dentry = dentry;
+ RB_CLEAR_NODE(&fd->node);
+ dentry->d_fsdata = fd;
+
+ return 0;
+}
+
+static void fuse_dentry_prune(struct dentry *dentry)
+{
+ struct fuse_dentry *fd = dentry->d_fsdata;
+
+ if (!RB_EMPTY_NODE(&fd->node))
+ fuse_dentry_tree_del_node(dentry);
}
+
static void fuse_dentry_release(struct dentry *dentry)
{
- union fuse_dentry *fd = dentry->d_fsdata;
+ struct fuse_dentry *fd = dentry->d_fsdata;
kfree_rcu(fd, rcu);
}
-#endif
static int fuse_dentry_delete(const struct dentry *dentry)
{
@@ -331,10 +506,9 @@ static struct vfsmount *fuse_dentry_automount(struct path *path)
const struct dentry_operations fuse_dentry_operations = {
.d_revalidate = fuse_dentry_revalidate,
.d_delete = fuse_dentry_delete,
-#if BITS_PER_LONG < 64
.d_init = fuse_dentry_init,
+ .d_prune = fuse_dentry_prune,
.d_release = fuse_dentry_release,
-#endif
.d_automount = fuse_dentry_automount,
};
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index c288f28f6c6ea..276dfddce5b53 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -54,6 +54,13 @@
/** Frequency (in jiffies) of request timeout checks, if opted into */
extern const unsigned long fuse_timeout_timer_freq;
+/*
+ * Dentries invalidation workqueue period, in seconds. The value of this
+ * parameter shall be >= FUSE_DENTRY_INVAL_FREQ_MIN seconds, or 0 (zero), in
+ * which case no workqueue will be created.
+ */
+extern unsigned inval_wq __read_mostly;
+
/** Maximum of max_pages received in init_out */
extern unsigned int fuse_max_pages_limit;
/*
@@ -1278,6 +1285,9 @@ void fuse_wait_aborted(struct fuse_conn *fc);
/* Check if any requests timed out */
void fuse_check_timeout(struct work_struct *work);
+void fuse_dentry_tree_init(void);
+void fuse_dentry_tree_cleanup(void);
+
/**
* Invalidate inode attributes
*/
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index e9ed693fc7b37..a090c91abb89d 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -2296,6 +2296,8 @@ static int __init fuse_init(void)
if (res)
goto err_sysfs_cleanup;
+ fuse_dentry_tree_init();
+
sanitize_global_limit(&max_user_bgreq);
sanitize_global_limit(&max_user_congthresh);
@@ -2315,6 +2317,7 @@ static void __exit fuse_exit(void)
{
pr_debug("exit\n");
+ fuse_dentry_tree_cleanup();
fuse_ctl_cleanup();
fuse_sysfs_cleanup();
fuse_fs_cleanup();
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 347/957] fuse: fix uninit-value in fuse_dentry_revalidate()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 346/957] fuse: new work queue to periodically invalidate expired dentries Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 348/957] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
` (615 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fdebb2dc960aa56c600a,
Luis Henriques, Miklos Szeredi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques <luis@igalia.com>
[ Upstream commit 5a6baf204610589f8a5b5a1cd69d1fe661d9d3cd ]
fuse_dentry_revalidate() may be called with a dentry that didn't had
->d_time initialised. The issue was found with KMSAN, where lookup_open()
calls __d_alloc(), followed by d_revalidate(), as shown below:
=====================================================
BUG: KMSAN: uninit-value in fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394
fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394
d_revalidate fs/namei.c:1030 [inline]
lookup_open fs/namei.c:4405 [inline]
open_last_lookups fs/namei.c:4583 [inline]
path_openat+0x1614/0x64c0 fs/namei.c:4827
do_file_open+0x2aa/0x680 fs/namei.c:4859
[...]
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4466 [inline]
slab_alloc_node mm/slub.c:4788 [inline]
kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4807
__d_alloc+0x55/0xa00 fs/dcache.c:1740
d_alloc_parallel+0x99/0x2740 fs/dcache.c:2604
lookup_open fs/namei.c:4398 [inline]
open_last_lookups fs/namei.c:4583 [inline]
path_openat+0x135f/0x64c0 fs/namei.c:4827
do_file_open+0x2aa/0x680 fs/namei.c:4859
[...]
=====================================================
Reported-by: syzbot+fdebb2dc960aa56c600a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69917e0d.050a0220.340abe.02e2.GAE@google.com
Fixes: 2396356a945b ("fuse: add more control over cache invalidation behaviour")
Signed-off-by: Luis Henriques <luis@igalia.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dir.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 77982fdbcf278..98b174bd802f0 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -455,6 +455,11 @@ static int fuse_dentry_init(struct dentry *dentry)
fd->dentry = dentry;
RB_CLEAR_NODE(&fd->node);
dentry->d_fsdata = fd;
+ /*
+ * Initialising d_time (epoch) to '0' ensures the dentry is invalid
+ * if compared to fc->epoch, which is initialized to '1'.
+ */
+ dentry->d_time = 0;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 348/957] ktest: Avoid undef warning when WARNINGS_FILE is unset
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 347/957] fuse: fix uninit-value in fuse_dentry_revalidate() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 349/957] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
` (614 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit 057854f8a595160656fe77ed7bf0d2403724b915 ]
check_buildlog() probes $warnings_file with -f even when WARNINGS_FILE is
not configured. Perl warns about the uninitialized value and adds noise to
the test log, which can hide the output we actually care about.
Check that WARNINGS_FILE is defined before testing whether the file exists.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-1-565d412f4925@suse.com
Fixes: 4283b169abfb ("ktest: Add make_warnings_file and process full warnings")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 88de775097fef..28643812184bc 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -2508,7 +2508,7 @@ sub check_buildlog {
my $save_no_reboot = $no_reboot;
$no_reboot = 1;
- if (-f $warnings_file) {
+ if (defined($warnings_file) && -f $warnings_file) {
open(IN, $warnings_file) or
dodie "Error opening $warnings_file";
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 349/957] ktest: Honor empty per-test option overrides
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 348/957] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 350/957] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
` (613 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit a2de57a3c8192dcd67cccaff6c341b93748d799b ]
A per-test override can clear an inherited default option by assigning an
empty value, but __set_test_option() still used option_defined() to decide
whether a per-test key existed. That turned an empty per-test assignment
back into "fall back to the default", so tests still could not clear
inherited settings.
For example:
DEFAULTS
(...)
LOG_FILE = /tmp/ktest-empty-override.log
CLEAR_LOG = 1
ADD_CONFIG = /tmp/.config
TEST_START
TEST_TYPE = build
BUILD_TYPE = nobuild
ADD_CONFIG =
This would run the test with ADD_CONFIG[1] = /tmp/.config
Fix by checking whether the per-test key exists before falling back. If it
does exist but is empty, treat it as unset for that test and stop the
fallback chain there.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-4-565d412f4925@suse.com
Fixes: 22c37a9ac49d ("ktest: Allow tests to undefine default options")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 28643812184bc..924e17df56f74 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -4183,7 +4183,8 @@ sub __set_test_option {
my $option = "$name\[$i\]";
- if (option_defined($option)) {
+ if (exists($opt{$option})) {
+ return undef if (!option_defined($option));
return $opt{$option};
}
@@ -4191,7 +4192,8 @@ sub __set_test_option {
if ($i >= $test &&
$i < $test + $repeat_tests{$test}) {
$option = "$name\[$test\]";
- if (option_defined($option)) {
+ if (exists($opt{$option})) {
+ return undef if (!option_defined($option));
return $opt{$option};
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 350/957] ktest: Run POST_KTEST hooks on failure and cancellation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 349/957] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 351/957] rtla: Fix -C/--cgroup interface Greg Kroah-Hartman
` (612 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Hawley, Andrea Righi,
Marcos Paulo de Souza, Matthieu Baerts,
Fernando Fernandez Mancera, Pedro Falcato,
Ricardo B . Marlière, Steven Rostedt, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo B. Marlière <rbm@suse.com>
[ Upstream commit bc6e165a452da909cef0efbc286e6695624db372 ]
PRE_KTEST can be useful for setting up the environment and POST_KTEST to
tear it down, however POST_KTEST only runs on the normal end-of-run path.
It is skipped when ktest exits through dodie() or cancel_test(). Final
cleanup hooks are skipped.
Factor the final hook execution into run_post_ktest(), call it from the
normal exit path and from the early exit paths, and guard it so the hook
runs at most once.
Cc: John Hawley <warthog9@eaglescrag.net>
Cc: Andrea Righi <arighi@nvidia.com>
Cc: Marcos Paulo de Souza <mpdesouza@suse.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: Pedro Falcato <pfalcato@suse.de>
Link: https://patch.msgid.link/20260307-ktest-fixes-v1-8-565d412f4925@suse.com
Fixes: 921ed4c7208e ("ktest: Add PRE/POST_KTEST and TEST options")
Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 924e17df56f74..17bdce9cafac2 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -100,6 +100,7 @@ my $test_type;
my $build_type;
my $build_options;
my $final_post_ktest;
+my $post_ktest_done = 0;
my $pre_ktest;
my $post_ktest;
my $pre_test;
@@ -1575,6 +1576,24 @@ sub get_test_name() {
return $name;
}
+sub run_post_ktest {
+ my $cmd;
+
+ return if ($post_ktest_done);
+
+ if (defined($final_post_ktest)) {
+ $cmd = $final_post_ktest;
+ } elsif (defined($post_ktest)) {
+ $cmd = $post_ktest;
+ } else {
+ return;
+ }
+
+ my $cp_post_ktest = eval_kernel_version($cmd);
+ run_command $cp_post_ktest;
+ $post_ktest_done = 1;
+}
+
sub dodie {
# avoid recursion
return if ($in_die);
@@ -1634,6 +1653,7 @@ sub dodie {
if (defined($post_test)) {
run_command $post_test;
}
+ run_post_ktest;
die @_, "\n";
}
@@ -4300,6 +4320,7 @@ sub cancel_test {
send_email("KTEST: Your [$name] test was cancelled",
"Your test started at $script_start_time was cancelled: sig int");
}
+ run_post_ktest;
die "\nCaught Sig Int, test interrupted: $!\n"
}
@@ -4661,11 +4682,7 @@ for (my $i = 1; $i <= $opt{"NUM_TESTS"}; $i++) {
success $i;
}
-if (defined($final_post_ktest)) {
-
- my $cp_final_post_ktest = eval_kernel_version $final_post_ktest;
- run_command $cp_final_post_ktest;
-}
+run_post_ktest;
if ($opt{"POWEROFF_ON_SUCCESS"}) {
halt;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 351/957] rtla: Fix -C/--cgroup interface
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 350/957] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 352/957] rtla: Replace atoi() with a robust strtoi() Greg Kroah-Hartman
` (611 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Pravdin, Tomas Glozar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Pravdin <ipravdin.official@gmail.com>
[ Upstream commit 7b71f3a6986c93defbb72bb6c143e04122720cb1 ]
Currently, user can only specify cgroup to the tracer's thread the
following ways:
`-C[cgroup]`
`-C[=cgroup]`
`--cgroup[=cgroup]`
If user tries to specify cgroup as `-C [cgroup]` or `--cgroup [cgroup]`,
the parser silently fails and rtla's cgroup is used for the tracer
threads.
To make interface more user-friendly, allow user to specify cgroup in
the aforementioned way, i.e. `-C [cgroup]` and `--cgroup [cgroup]`.
Refactor identical logic between -t/--trace and -C/--cgroup into a
common function.
Change documentation to reflect this user interface change.
Fixes: a957cbc02531 ("rtla: Add -C cgroup support")
Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
Reviewed-by: Tomas Glozar <tglozar@redhat.com>
Link: https://lore.kernel.org/r/16132f1565cf5142b5fbd179975be370b529ced7.1762186418.git.ipravdin.official@gmail.com
[ use capital letter in subject, as required by tracing subsystem ]
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Stable-dep-of: 5b6dc659ad79 ("rtla/utils: Fix resource leak in set_comm_sched_attr()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/tools/rtla/common_options.txt | 2 +-
tools/tracing/rtla/src/osnoise_hist.c | 26 ++++++---------------
tools/tracing/rtla/src/osnoise_top.c | 26 ++++++---------------
tools/tracing/rtla/src/timerlat_hist.c | 26 ++++++---------------
tools/tracing/rtla/src/timerlat_top.c | 26 ++++++---------------
tools/tracing/rtla/src/utils.c | 26 +++++++++++++++++++++
tools/tracing/rtla/src/utils.h | 1 +
7 files changed, 56 insertions(+), 77 deletions(-)
diff --git a/Documentation/tools/rtla/common_options.txt b/Documentation/tools/rtla/common_options.txt
index 77ef35d3f8317..edc8e850f5d01 100644
--- a/Documentation/tools/rtla/common_options.txt
+++ b/Documentation/tools/rtla/common_options.txt
@@ -42,7 +42,7 @@
- *f:prio* - use SCHED_FIFO with *prio*;
- *d:runtime[us|ms|s]:period[us|ms|s]* - use SCHED_DEADLINE with *runtime* and *period* in nanoseconds.
-**-C**, **--cgroup**\[*=cgroup*]
+**-C**, **--cgroup** \[*cgroup*]
Set a *cgroup* to the tracer's threads. If the **-C** option is passed without arguments, the tracer's thread will inherit **rtla**'s *cgroup*. Otherwise, the threads will be placed on the *cgroup* passed to the option.
diff --git a/tools/tracing/rtla/src/osnoise_hist.c b/tools/tracing/rtla/src/osnoise_hist.c
index d22feb4d6cc9d..ae8426f40f8f4 100644
--- a/tools/tracing/rtla/src/osnoise_hist.c
+++ b/tools/tracing/rtla/src/osnoise_hist.c
@@ -428,9 +428,9 @@ static void osnoise_hist_usage(char *usage)
static const char * const msg[] = {
"",
" usage: rtla osnoise hist [-h] [-D] [-d s] [-a us] [-p us] [-r us] [-s us] [-S us] \\",
- " [-T us] [-t[file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] \\",
+ " [-T us] [-t [file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] \\",
" [-c cpu-list] [-H cpu-list] [-P priority] [-b N] [-E N] [--no-header] [--no-summary] \\",
- " [--no-index] [--with-zeros] [-C[=cgroup_name]] [--warm-up]",
+ " [--no-index] [--with-zeros] [-C [cgroup_name]] [--warm-up]",
"",
" -h/--help: print this menu",
" -a/--auto: set automatic trace mode, stopping the session if argument in us sample is hit",
@@ -441,10 +441,10 @@ static void osnoise_hist_usage(char *usage)
" -T/--threshold us: the minimum delta to be considered a noise",
" -c/--cpus cpu-list: list of cpus to run osnoise threads",
" -H/--house-keeping cpus: run rtla control threads only on the given cpus",
- " -C/--cgroup[=cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
+ " -C/--cgroup [cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
" -d/--duration time[s|m|h|d]: duration of the session",
" -D/--debug: print debug info",
- " -t/--trace[file]: save the stopped trace to [file|osnoise_trace.txt]",
+ " -t/--trace [file]: save the stopped trace to [file|osnoise_trace.txt]",
" -e/--event <sys:event>: enable the <sys:event> in the trace instance, multiple -e are allowed",
" --filter <filter>: enable a trace event filter to the previous -e event",
" --trigger <trigger>: enable a trace event trigger to the previous -e event",
@@ -575,13 +575,7 @@ static struct common_params
break;
case 'C':
params->common.cgroup = 1;
- if (!optarg) {
- /* will inherit this cgroup */
- params->common.cgroup_name = NULL;
- } else if (*optarg == '=') {
- /* skip the = */
- params->common.cgroup_name = ++optarg;
- }
+ params->common.cgroup_name = parse_optional_arg(argc, argv);
break;
case 'D':
config_debug = 1;
@@ -647,14 +641,8 @@ static struct common_params
params->threshold = get_llong_from_str(optarg);
break;
case 't':
- if (optarg) {
- if (optarg[0] == '=')
- trace_output = &optarg[1];
- else
- trace_output = &optarg[0];
- } else if (optind < argc && argv[optind][0] != '0')
- trace_output = argv[optind];
- else
+ trace_output = parse_optional_arg(argc, argv);
+ if (!trace_output)
trace_output = "osnoise_trace.txt";
break;
case '0': /* no header */
diff --git a/tools/tracing/rtla/src/osnoise_top.c b/tools/tracing/rtla/src/osnoise_top.c
index a8d31030c4122..6ae7cdb3bdc0d 100644
--- a/tools/tracing/rtla/src/osnoise_top.c
+++ b/tools/tracing/rtla/src/osnoise_top.c
@@ -263,8 +263,8 @@ static void osnoise_top_usage(struct osnoise_params *params, char *usage)
static const char * const msg[] = {
" [-h] [-q] [-D] [-d s] [-a us] [-p us] [-r us] [-s us] [-S us] \\",
- " [-T us] [-t[file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] \\",
- " [-c cpu-list] [-H cpu-list] [-P priority] [-C[=cgroup_name]] [--warm-up s]",
+ " [-T us] [-t [file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] \\",
+ " [-c cpu-list] [-H cpu-list] [-P priority] [-C [cgroup_name]] [--warm-up s]",
"",
" -h/--help: print this menu",
" -a/--auto: set automatic trace mode, stopping the session if argument in us sample is hit",
@@ -275,10 +275,10 @@ static void osnoise_top_usage(struct osnoise_params *params, char *usage)
" -T/--threshold us: the minimum delta to be considered a noise",
" -c/--cpus cpu-list: list of cpus to run osnoise threads",
" -H/--house-keeping cpus: run rtla control threads only on the given cpus",
- " -C/--cgroup[=cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
+ " -C/--cgroup [cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
" -d/--duration time[s|m|h|d]: duration of the session",
" -D/--debug: print debug info",
- " -t/--trace[file]: save the stopped trace to [file|osnoise_trace.txt]",
+ " -t/--trace [file]: save the stopped trace to [file|osnoise_trace.txt]",
" -e/--event <sys:event>: enable the <sys:event> in the trace instance, multiple -e are allowed",
" --filter <filter>: enable a trace event filter to the previous -e event",
" --trigger <trigger>: enable a trace event trigger to the previous -e event",
@@ -409,13 +409,7 @@ struct common_params *osnoise_top_parse_args(int argc, char **argv)
break;
case 'C':
params->common.cgroup = 1;
- if (!optarg) {
- /* will inherit this cgroup */
- params->common.cgroup_name = NULL;
- } else if (*optarg == '=') {
- /* skip the = */
- params->common.cgroup_name = ++optarg;
- }
+ params->common.cgroup_name = parse_optional_arg(argc, argv);
break;
case 'D':
config_debug = 1;
@@ -475,14 +469,8 @@ struct common_params *osnoise_top_parse_args(int argc, char **argv)
params->common.stop_total_us = get_llong_from_str(optarg);
break;
case 't':
- if (optarg) {
- if (optarg[0] == '=')
- trace_output = &optarg[1];
- else
- trace_output = &optarg[0];
- } else if (optind < argc && argv[optind][0] != '-')
- trace_output = argv[optind];
- else
+ trace_output = parse_optional_arg(argc, argv);
+ if (!trace_output)
trace_output = "osnoise_trace.txt";
break;
case 'T':
diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c
index 3d56df3d5fa0d..311c4f18ce4c6 100644
--- a/tools/tracing/rtla/src/timerlat_hist.c
+++ b/tools/tracing/rtla/src/timerlat_hist.c
@@ -717,9 +717,9 @@ static void timerlat_hist_usage(char *usage)
char *msg[] = {
"",
" usage: [rtla] timerlat hist [-h] [-q] [-d s] [-D] [-n] [-a us] [-p us] [-i us] [-T us] [-s us] \\",
- " [-t[file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] [-c cpu-list] [-H cpu-list]\\",
+ " [-t [file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] [-c cpu-list] [-H cpu-list]\\",
" [-P priority] [-E N] [-b N] [--no-irq] [--no-thread] [--no-header] [--no-summary] \\",
- " [--no-index] [--with-zeros] [--dma-latency us] [-C[=cgroup_name]] [--no-aa] [--dump-task] [-u|-k]",
+ " [--no-index] [--with-zeros] [--dma-latency us] [-C [cgroup_name]] [--no-aa] [--dump-task] [-u|-k]",
" [--warm-up s] [--deepest-idle-state n]",
"",
" -h/--help: print this menu",
@@ -730,11 +730,11 @@ static void timerlat_hist_usage(char *usage)
" -s/--stack us: save the stack trace at the IRQ if a thread latency is higher than the argument in us",
" -c/--cpus cpus: run the tracer only on the given cpus",
" -H/--house-keeping cpus: run rtla control threads only on the given cpus",
- " -C/--cgroup[=cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
+ " -C/--cgroup [cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
" -d/--duration time[m|h|d]: duration of the session in seconds",
" --dump-tasks: prints the task running on all CPUs if stop conditions are met (depends on !--no-aa)",
" -D/--debug: print debug info",
- " -t/--trace[file]: save the stopped trace to [file|timerlat_trace.txt]",
+ " -t/--trace [file]: save the stopped trace to [file|timerlat_trace.txt]",
" -e/--event <sys:event>: enable the <sys:event> in the trace instance, multiple -e are allowed",
" --filter <filter>: enable a trace event filter to the previous -e event",
" --trigger <trigger>: enable a trace event trigger to the previous -e event",
@@ -890,13 +890,7 @@ static struct common_params
break;
case 'C':
params->common.cgroup = 1;
- if (!optarg) {
- /* will inherit this cgroup */
- params->common.cgroup_name = NULL;
- } else if (*optarg == '=') {
- /* skip the = */
- params->common.cgroup_name = ++optarg;
- }
+ params->common.cgroup_name = parse_optional_arg(argc, argv);
break;
case 'b':
params->common.hist.bucket_size = get_llong_from_str(optarg);
@@ -969,14 +963,8 @@ static struct common_params
params->common.stop_total_us = get_llong_from_str(optarg);
break;
case 't':
- if (optarg) {
- if (optarg[0] == '=')
- trace_output = &optarg[1];
- else
- trace_output = &optarg[0];
- } else if (optind < argc && argv[optind][0] != '-')
- trace_output = argv[optind];
- else
+ trace_output = parse_optional_arg(argc, argv);
+ if (!trace_output)
trace_output = "timerlat_trace.txt";
break;
case 'u':
diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c
index 6cc9a3607c665..3a3b11b5beaaa 100644
--- a/tools/tracing/rtla/src/timerlat_top.c
+++ b/tools/tracing/rtla/src/timerlat_top.c
@@ -483,8 +483,8 @@ static void timerlat_top_usage(char *usage)
static const char *const msg[] = {
"",
" usage: rtla timerlat [top] [-h] [-q] [-a us] [-d s] [-D] [-n] [-p us] [-i us] [-T us] [-s us] \\",
- " [[-t[file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] [-c cpu-list] [-H cpu-list]\\",
- " [-P priority] [--dma-latency us] [--aa-only us] [-C[=cgroup_name]] [-u|-k] [--warm-up s] [--deepest-idle-state n]",
+ " [[-t [file]] [-e sys[:event]] [--filter <filter>] [--trigger <trigger>] [-c cpu-list] [-H cpu-list]\\",
+ " [-P priority] [--dma-latency us] [--aa-only us] [-C [cgroup_name]] [-u|-k] [--warm-up s] [--deepest-idle-state n]",
"",
" -h/--help: print this menu",
" -a/--auto: set automatic trace mode, stopping the session if argument in us latency is hit",
@@ -495,11 +495,11 @@ static void timerlat_top_usage(char *usage)
" -s/--stack us: save the stack trace at the IRQ if a thread latency is higher than the argument in us",
" -c/--cpus cpus: run the tracer only on the given cpus",
" -H/--house-keeping cpus: run rtla control threads only on the given cpus",
- " -C/--cgroup[=cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
+ " -C/--cgroup [cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
" -d/--duration time[s|m|h|d]: duration of the session",
" -D/--debug: print debug info",
" --dump-tasks: prints the task running on all CPUs if stop conditions are met (depends on !--no-aa)",
- " -t/--trace[file]: save the stopped trace to [file|timerlat_trace.txt]",
+ " -t/--trace [file]: save the stopped trace to [file|timerlat_trace.txt]",
" -e/--event <sys:event>: enable the <sys:event> in the trace instance, multiple -e are allowed",
" --filter <command>: enable a trace event filter to the previous -e event",
" --trigger <command>: enable a trace event trigger to the previous -e event",
@@ -654,13 +654,7 @@ static struct common_params
break;
case 'C':
params->common.cgroup = 1;
- if (!optarg) {
- /* will inherit this cgroup */
- params->common.cgroup_name = NULL;
- } else if (*optarg == '=') {
- /* skip the = */
- params->common.cgroup_name = ++optarg;
- }
+ params->common.cgroup_name = optarg;
break;
case 'D':
config_debug = 1;
@@ -723,14 +717,8 @@ static struct common_params
params->common.stop_total_us = get_llong_from_str(optarg);
break;
case 't':
- if (optarg) {
- if (optarg[0] == '=')
- trace_output = &optarg[1];
- else
- trace_output = &optarg[0];
- } else if (optind < argc && argv[optind][0] != '-')
- trace_output = argv[optind];
- else
+ trace_output = parse_optional_arg(argc, argv);
+ if (!trace_output)
trace_output = "timerlat_trace.txt";
break;
case 'u':
diff --git a/tools/tracing/rtla/src/utils.c b/tools/tracing/rtla/src/utils.c
index d6ab15dcb4907..bd5f34b446480 100644
--- a/tools/tracing/rtla/src/utils.c
+++ b/tools/tracing/rtla/src/utils.c
@@ -959,3 +959,29 @@ int auto_house_keeping(cpu_set_t *monitored_cpus)
return 1;
}
+
+/**
+ * parse_optional_arg - Parse optional argument value
+ *
+ * Parse optional argument value, which can be in the form of:
+ * -sarg, -s/--long=arg, -s/--long arg
+ *
+ * Returns arg value if found, NULL otherwise.
+ */
+char *parse_optional_arg(int argc, char **argv)
+{
+ if (optarg) {
+ if (optarg[0] == '=') {
+ /* skip the = */
+ return &optarg[1];
+ } else {
+ return optarg;
+ }
+ /* parse argument of form -s [arg] and --long [arg]*/
+ } else if (optind < argc && argv[optind][0] != '-') {
+ /* consume optind */
+ return argv[optind++];
+ } else {
+ return NULL;
+ }
+}
diff --git a/tools/tracing/rtla/src/utils.h b/tools/tracing/rtla/src/utils.h
index a2a6f89f342d0..d8d83abf0f0d0 100644
--- a/tools/tracing/rtla/src/utils.h
+++ b/tools/tracing/rtla/src/utils.h
@@ -24,6 +24,7 @@ long parse_seconds_duration(char *val);
void get_duration(time_t start_time, char *output, int output_size);
int parse_cpu_list(char *cpu_list, char **monitored_cpus);
+char *parse_optional_arg(int argc, char **argv);
long long get_llong_from_str(char *start);
static inline void
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 352/957] rtla: Replace atoi() with a robust strtoi()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 351/957] rtla: Fix -C/--cgroup interface Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 353/957] rtla/utils: Fix resource leak in set_comm_sched_attr() Greg Kroah-Hartman
` (610 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wander Lairson Costa, Tomas Glozar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wander Lairson Costa <wander@redhat.com>
[ Upstream commit 7e9dfccf8f11c26208211457c4597a466135b56a ]
The atoi() function does not perform error checking, which can lead to
undefined behavior when parsing invalid or out-of-range strings. This
can cause issues when parsing user-provided numerical inputs, such as
signal numbers, PIDs, or CPU lists.
To address this, introduce a new strtoi() helper function that safely
converts a string to an integer. This function validates the input and
checks for overflows, returning a negative value on failure.
Replace all calls to atoi() with the new strtoi() function and add
proper error handling to make the parsing more robust and prevent
potential issues.
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260106133655.249887-5-wander@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Stable-dep-of: 5b6dc659ad79 ("rtla/utils: Fix resource leak in set_comm_sched_attr()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/tracing/rtla/src/actions.c | 7 +++---
tools/tracing/rtla/src/utils.c | 40 ++++++++++++++++++++++++++++----
tools/tracing/rtla/src/utils.h | 2 ++
3 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/tools/tracing/rtla/src/actions.c b/tools/tracing/rtla/src/actions.c
index 15986505b4376..4274fa0894b04 100644
--- a/tools/tracing/rtla/src/actions.c
+++ b/tools/tracing/rtla/src/actions.c
@@ -181,12 +181,13 @@ actions_parse(struct actions *self, const char *trigger, const char *tracefn)
/* Takes two arguments, num (signal) and pid */
while (token != NULL) {
if (strlen(token) > 4 && strncmp(token, "num=", 4) == 0) {
- signal = atoi(token + 4);
+ if (strtoi(token + 4, &signal))
+ return -1;
} else if (strlen(token) > 4 && strncmp(token, "pid=", 4) == 0) {
if (strncmp(token + 4, "parent", 7) == 0)
pid = -1;
- else
- pid = atoi(token + 4);
+ else if (strtoi(token + 4, &pid))
+ return -1;
} else {
/* Invalid argument */
return -1;
diff --git a/tools/tracing/rtla/src/utils.c b/tools/tracing/rtla/src/utils.c
index bd5f34b446480..6b7717fcd142b 100644
--- a/tools/tracing/rtla/src/utils.c
+++ b/tools/tracing/rtla/src/utils.c
@@ -17,6 +17,7 @@
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
+#include <limits.h>
#include "utils.h"
@@ -112,16 +113,18 @@ int parse_cpu_set(char *cpu_list, cpu_set_t *set)
nr_cpus = sysconf(_SC_NPROCESSORS_CONF);
for (p = cpu_list; *p; ) {
- cpu = atoi(p);
- if (cpu < 0 || (!cpu && *p != '0') || cpu >= nr_cpus)
+ if (strtoi(p, &cpu))
+ goto err;
+ if (cpu < 0 || cpu >= nr_cpus)
goto err;
while (isdigit(*p))
p++;
if (*p == '-') {
p++;
- end_cpu = atoi(p);
- if (end_cpu < cpu || (!end_cpu && *p != '0') || end_cpu >= nr_cpus)
+ if (strtoi(p, &end_cpu))
+ goto err;
+ if (end_cpu < cpu || end_cpu >= nr_cpus)
goto err;
while (isdigit(*p))
p++;
@@ -322,6 +325,7 @@ int set_comm_sched_attr(const char *comm_prefix, struct sched_attr *attr)
struct dirent *proc_entry;
DIR *procfs;
int retval;
+ int pid;
if (strlen(comm_prefix) >= MAX_PATH) {
err_msg("Command prefix is too long: %d < strlen(%s)\n",
@@ -341,8 +345,12 @@ int set_comm_sched_attr(const char *comm_prefix, struct sched_attr *attr)
if (!retval)
continue;
+ if (strtoi(proc_entry->d_name, &pid)) {
+ err_msg("'%s' is not a valid pid", proc_entry->d_name);
+ goto out_err;
+ }
/* procfs_is_workload_pid confirmed it is a pid */
- retval = __set_sched_attr(atoi(proc_entry->d_name), attr);
+ retval = __set_sched_attr(pid, attr);
if (retval) {
err_msg("Error setting sched attributes for pid:%s\n", proc_entry->d_name);
goto out_err;
@@ -985,3 +993,25 @@ char *parse_optional_arg(int argc, char **argv)
return NULL;
}
}
+
+/*
+ * strtoi - convert string to integer with error checking
+ *
+ * Returns 0 on success, -1 if conversion fails or result is out of int range.
+ */
+int strtoi(const char *s, int *res)
+{
+ char *end_ptr;
+ long lres;
+
+ if (!*s)
+ return -1;
+
+ errno = 0;
+ lres = strtol(s, &end_ptr, 0);
+ if (errno || *end_ptr || lres > INT_MAX || lres < INT_MIN)
+ return -1;
+
+ *res = (int) lres;
+ return 0;
+}
diff --git a/tools/tracing/rtla/src/utils.h b/tools/tracing/rtla/src/utils.h
index d8d83abf0f0d0..f11d27927223c 100644
--- a/tools/tracing/rtla/src/utils.h
+++ b/tools/tracing/rtla/src/utils.h
@@ -3,6 +3,7 @@
#include <stdint.h>
#include <time.h>
#include <sched.h>
+#include <stdbool.h>
/*
* '18446744073709551615\0'
@@ -81,6 +82,7 @@ static inline int set_deepest_cpu_idle_state(unsigned int cpu, unsigned int stat
static inline int have_libcpupower_support(void) { return 0; }
#endif /* HAVE_LIBCPUPOWER_SUPPORT */
int auto_house_keeping(cpu_set_t *monitored_cpus);
+__attribute__((__warn_unused_result__)) int strtoi(const char *s, int *res);
#define ns_to_usf(x) (((double)x/1000))
#define ns_to_per(total, part) ((part * 100) / (double)total)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 353/957] rtla/utils: Fix resource leak in set_comm_sched_attr()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 352/957] rtla: Replace atoi() with a robust strtoi() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 354/957] gfs2: less aggressive low-memory log flushing Greg Kroah-Hartman
` (609 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wander Lairson Costa, Tomas Glozar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wander Lairson Costa <wander@redhat.com>
[ Upstream commit 5b6dc659ad792c72b3ff1be8039ae2945e030928 ]
The set_comm_sched_attr() function opens the /proc directory via
opendir() but fails to call closedir() on its successful exit path.
If the function iterates through all processes without error, it
returns 0 directly, leaking the DIR stream pointer.
Fix this by refactoring the function to use a single exit path. A
retval variable is introduced to track the success or failure status.
All exit points now jump to a unified out label that calls closedir()
before the function returns, ensuring the resource is always freed.
Fixes: dada03db9bb19 ("rtla: Remove procps-ng dependency")
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Link: https://lore.kernel.org/r/20260309195040.1019085-18-wander@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/tracing/rtla/src/utils.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/tools/tracing/rtla/src/utils.c b/tools/tracing/rtla/src/utils.c
index 6b7717fcd142b..bf20077cca742 100644
--- a/tools/tracing/rtla/src/utils.c
+++ b/tools/tracing/rtla/src/utils.c
@@ -347,22 +347,23 @@ int set_comm_sched_attr(const char *comm_prefix, struct sched_attr *attr)
if (strtoi(proc_entry->d_name, &pid)) {
err_msg("'%s' is not a valid pid", proc_entry->d_name);
- goto out_err;
+ retval = 1;
+ goto out;
}
/* procfs_is_workload_pid confirmed it is a pid */
retval = __set_sched_attr(pid, attr);
if (retval) {
err_msg("Error setting sched attributes for pid:%s\n", proc_entry->d_name);
- goto out_err;
+ goto out;
}
debug_msg("Set sched attributes for pid:%s\n", proc_entry->d_name);
}
- return 0;
-out_err:
+ retval = 0;
+out:
closedir(procfs);
- return 1;
+ return retval;
}
#define INVALID_VAL (~0L)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 354/957] gfs2: less aggressive low-memory log flushing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 353/957] rtla/utils: Fix resource leak in set_comm_sched_attr() Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 355/957] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
` (608 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 7288185ce87ec70133b7bc3b694b0f74bf46a0ee ]
It turns out that for some workloads, the fix in commit b74cd55aa9a9d
("gfs2: low-memory forced flush fixes") causes the number of forced log
flushes to increase to a degree that the overall filesystem performance
drops significantly. Address that by forcing a log flush only when
gfs2_writepages cannot make any progress rather than when it cannot make
"enough" progress.
Fixes: b74cd55aa9a9d ("gfs2: low-memory forced flush fixes")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/aops.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/aops.c b/fs/gfs2/aops.c
index 47d74afd63ac9..eafe0488b10d4 100644
--- a/fs/gfs2/aops.c
+++ b/fs/gfs2/aops.c
@@ -159,6 +159,7 @@ static int gfs2_writepages(struct address_space *mapping,
struct writeback_control *wbc)
{
struct gfs2_sbd *sdp = gfs2_mapping2sbd(mapping);
+ long initial_nr_to_write = wbc->nr_to_write;
struct iomap_writepage_ctx wpc = {
.inode = mapping->host,
.wbc = wbc,
@@ -167,13 +168,13 @@ static int gfs2_writepages(struct address_space *mapping,
int ret;
/*
- * Even if we didn't write enough pages here, we might still be holding
+ * Even if we didn't write any pages here, we might still be holding
* dirty pages in the ail. We forcibly flush the ail because we don't
* want balance_dirty_pages() to loop indefinitely trying to write out
* pages held in the ail that it can't find.
*/
ret = iomap_writepages(&wpc);
- if (ret == 0 && wbc->nr_to_write > 0)
+ if (ret == 0 && wbc->nr_to_write == initial_nr_to_write)
set_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 355/957] quota: Fix race of dquot_scan_active() with quota deactivation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 354/957] gfs2: less aggressive low-memory log flushing Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 356/957] vfio: unhide vdev->debug_root Greg Kroah-Hartman
` (607 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Sun, Jan Kara, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d ]
dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:
CPU0 (quota_release_workfn) CPU1 (dquot_scan_active)
============================== ==============================
spin_lock(&dq_list_lock);
list_replace_init(
&releasing_dquots, &rls_head);
/* dquot X on rls_head,
dq_count == 0,
DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
spin_lock(&dq_list_lock);
list_for_each_entry(dquot,
&inuse_list, dq_inuse) {
/* finds dquot X */
dquot_active(X) -> true
atomic_inc(&X->dq_count);
}
spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));
The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.
Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.
Fixes: 869b6ea1609f ("quota: Fix slow quotaoff")
Reported-by: Sam Sun <samsun1006219@gmail.com>
Link: https://lore.kernel.org/all/CAEkJfYPTt3uP1vAYnQ5V2ZWn5O9PLhhGi5HbOcAzyP9vbXyjeg@mail.gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/quota/dquot.c | 38 ++++++++++++++++++++++++++++++--------
include/linux/quotaops.h | 9 +--------
2 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 6c4a6ee1fa2b6..45a46dc4de4ef 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -363,6 +363,31 @@ static inline int dquot_active(struct dquot *dquot)
return test_bit(DQ_ACTIVE_B, &dquot->dq_flags);
}
+static struct dquot *__dqgrab(struct dquot *dquot)
+{
+ lockdep_assert_held(&dq_list_lock);
+ if (!atomic_read(&dquot->dq_count))
+ remove_free_dquot(dquot);
+ atomic_inc(&dquot->dq_count);
+ return dquot;
+}
+
+/*
+ * Get reference to dquot when we got pointer to it by some other means. The
+ * dquot has to be active and the caller has to make sure it cannot get
+ * deactivated under our hands.
+ */
+struct dquot *dqgrab(struct dquot *dquot)
+{
+ spin_lock(&dq_list_lock);
+ WARN_ON_ONCE(!dquot_active(dquot));
+ dquot = __dqgrab(dquot);
+ spin_unlock(&dq_list_lock);
+
+ return dquot;
+}
+EXPORT_SYMBOL_GPL(dqgrab);
+
static inline int dquot_dirty(struct dquot *dquot)
{
return test_bit(DQ_MOD_B, &dquot->dq_flags);
@@ -641,15 +666,14 @@ int dquot_scan_active(struct super_block *sb,
continue;
if (dquot->dq_sb != sb)
continue;
- /* Now we have active dquot so we can just increase use count */
- atomic_inc(&dquot->dq_count);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
dqput(old_dquot);
old_dquot = dquot;
/*
* ->release_dquot() can be racing with us. Our reference
- * protects us from new calls to it so just wait for any
- * outstanding call and recheck the DQ_ACTIVE_B after that.
+ * protects us from dquot_release() proceeding so just wait for
+ * any outstanding call and recheck the DQ_ACTIVE_B after that.
*/
wait_on_dquot(dquot);
if (dquot_active(dquot)) {
@@ -717,7 +741,7 @@ int dquot_writeback_dquots(struct super_block *sb, int type)
/* Now we have active dquot from which someone is
* holding reference so we can safely just increase
* use count */
- dqgrab(dquot);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
err = dquot_write_dquot(dquot);
if (err && !ret)
@@ -963,9 +987,7 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
spin_unlock(&dq_list_lock);
dqstats_inc(DQST_LOOKUPS);
} else {
- if (!atomic_read(&dquot->dq_count))
- remove_free_dquot(dquot);
- atomic_inc(&dquot->dq_count);
+ __dqgrab(dquot);
spin_unlock(&dq_list_lock);
dqstats_inc(DQST_CACHE_HITS);
dqstats_inc(DQST_LOOKUPS);
diff --git a/include/linux/quotaops.h b/include/linux/quotaops.h
index c334f82ed385a..f9c0f9d7c9d93 100644
--- a/include/linux/quotaops.h
+++ b/include/linux/quotaops.h
@@ -44,14 +44,7 @@ int dquot_initialize(struct inode *inode);
bool dquot_initialize_needed(struct inode *inode);
void dquot_drop(struct inode *inode);
struct dquot *dqget(struct super_block *sb, struct kqid qid);
-static inline struct dquot *dqgrab(struct dquot *dquot)
-{
- /* Make sure someone else has active reference to dquot */
- WARN_ON_ONCE(!atomic_read(&dquot->dq_count));
- WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags));
- atomic_inc(&dquot->dq_count);
- return dquot;
-}
+struct dquot *dqgrab(struct dquot *dquot);
static inline bool dquot_is_busy(struct dquot *dquot)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 356/957] vfio: unhide vdev->debug_root
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 355/957] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
@ 2026-05-20 16:13 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 357/957] gfs2: add some missing log locking Greg Kroah-Hartman
` (606 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Alex Williamson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 555aa178f8d22261d71da74df6267e6e6e97f95a ]
When debugfs is disabled, the hisilicon driver now fails to build:
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c: In function 'hisi_acc_vfio_debug_init':
drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c:1671:62: error: 'struct vfio_device' has no member named 'debug_root'
1671 | vfio_dev_migration = debugfs_lookup("migration", vdev->debug_root);
| ^~
The driver otherwise relies on dead-code elimination, but this reference
fails. The single struct member is not going to make much of a difference
for memory consumption, so just keep this visible unconditionally.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: b398f91779b8 ("hisi_acc_vfio_pci: register debugfs for hisilicon migration driver")
Link: https://lore.kernel.org/r/20260327165521.3779707-1-arnd@kernel.org
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/vfio.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/include/linux/vfio.h b/include/linux/vfio.h
index eb563f538dee5..18fc36aadc326 100644
--- a/include/linux/vfio.h
+++ b/include/linux/vfio.h
@@ -71,13 +71,11 @@ struct vfio_device {
u8 iommufd_attached:1;
#endif
u8 cdev_opened:1;
-#ifdef CONFIG_DEBUG_FS
/*
* debug_root is a static property of the vfio_device
* which must be set prior to registering the vfio_device.
*/
struct dentry *debug_root;
-#endif
};
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 357/957] gfs2: add some missing log locking
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-05-20 16:13 ` [PATCH 6.18 356/957] vfio: unhide vdev->debug_root Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 358/957] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
` (605 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit fe2c8d051150b90b3ccb85f89e3b1d636cb88ec8 ]
Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(),
gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock,
but these functions require exclusion against concurrent transactions.
To fix that, add a non-locking __gfs2_log_flush() function. Then, in
gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log
flushing functions and __gfs2_log_flush().
Fixes: 5e4c7632aae1c ("gfs2: Issue revokes more intelligently")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/log.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 115c4ac457e90..592f69602e5aa 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -1027,14 +1027,15 @@ static void trans_drain(struct gfs2_trans *tr)
}
/**
- * gfs2_log_flush - flush incore transaction(s)
+ * __gfs2_log_flush - flush incore transaction(s)
* @sdp: The filesystem
* @gl: The glock structure to flush. If NULL, flush the whole incore log
* @flags: The log header flags: GFS2_LOG_HEAD_FLUSH_* and debug flags
*
*/
-void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+static void __gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl,
+ u32 flags)
{
struct gfs2_trans *tr = NULL;
unsigned int reserved_blocks = 0, used_blocks = 0;
@@ -1042,7 +1043,6 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
unsigned int first_log_head;
unsigned int reserved_revokes = 0;
- down_write(&sdp->sd_log_flush_lock);
trace_gfs2_log_flush(sdp, 1, flags);
repeat:
@@ -1154,7 +1154,6 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
gfs2_assert_withdraw_delayed(sdp, used_blocks < reserved_blocks);
gfs2_log_release(sdp, reserved_blocks - used_blocks);
}
- up_write(&sdp->sd_log_flush_lock);
gfs2_trans_free(sdp, tr);
if (gfs2_withdrawing(sdp))
gfs2_withdraw(sdp);
@@ -1177,6 +1176,13 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
goto out_end;
}
+void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+{
+ down_write(&sdp->sd_log_flush_lock);
+ __gfs2_log_flush(sdp, gl, flags);
+ up_write(&sdp->sd_log_flush_lock);
+}
+
/**
* gfs2_merge_trans - Merge a new transaction into a cached transaction
* @sdp: the filesystem
@@ -1319,19 +1325,25 @@ int gfs2_logd(void *data)
}
if (gfs2_jrnl_flush_reqd(sdp) || t == 0) {
+ down_write(&sdp->sd_log_flush_lock);
gfs2_ail1_empty(sdp, 0);
- gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_NORMAL |
- GFS2_LFC_LOGD_JFLUSH_REQD);
+ __gfs2_log_flush(sdp, NULL,
+ GFS2_LOG_HEAD_FLUSH_NORMAL |
+ GFS2_LFC_LOGD_JFLUSH_REQD);
+ up_write(&sdp->sd_log_flush_lock);
}
if (test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) ||
gfs2_ail_flush_reqd(sdp)) {
clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags);
+ down_write(&sdp->sd_log_flush_lock);
gfs2_ail1_start(sdp);
gfs2_ail1_wait(sdp);
gfs2_ail1_empty(sdp, 0);
- gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_NORMAL |
- GFS2_LFC_LOGD_AIL_FLUSH_REQD);
+ __gfs2_log_flush(sdp, NULL,
+ GFS2_LOG_HEAD_FLUSH_NORMAL |
+ GFS2_LFC_LOGD_AIL_FLUSH_REQD);
+ up_write(&sdp->sd_log_flush_lock);
}
t = gfs2_tune_get(sdp, gt_logd_secs) * HZ;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 358/957] gfs2: prevent NULL pointer dereference during unmount
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 357/957] gfs2: add some missing log locking Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 359/957] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
` (604 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Andreas Gruenbacher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 74b4dbb946060a3233604d91859a9abd3708141d ]
When flushing out outstanding glock work during an unmount, gfs2_log_flush()
can be called when sdp->sd_jdesc has already been deallocated and sdp->sd_jdesc
is NULL. Commit 35264909e9d1 ("gfs2: Fix NULL pointer dereference in
gfs2_log_flush") added a check for that to gfs2_log_flush() itself, but it
missed the sdp->sd_jdesc dereference in gfs2_log_release(). Fix that.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604071139.HNJiCaAi-lkp@intel.com/
Fixes: 35264909e9d1 ("gfs2: Fix NULL pointer dereference in gfs2_log_flush")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/log.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 592f69602e5aa..ecc5c59b87008 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -471,8 +471,9 @@ void gfs2_log_release(struct gfs2_sbd *sdp, unsigned int blks)
{
atomic_add(blks, &sdp->sd_log_blks_free);
trace_gfs2_log_blocks(sdp, blks);
- gfs2_assert_withdraw(sdp, atomic_read(&sdp->sd_log_blks_free) <=
- sdp->sd_jdesc->jd_blocks);
+ gfs2_assert_withdraw(sdp, !sdp->sd_jdesc ||
+ atomic_read(&sdp->sd_log_blks_free) <=
+ sdp->sd_jdesc->jd_blocks);
if (atomic_read(&sdp->sd_log_blks_needed))
wake_up(&sdp->sd_log_waitq);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 359/957] efi/capsule-loader: fix incorrect sizeof in phys array reallocation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 358/957] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 360/957] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
` (603 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Huth, Ard Biesheuvel,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Huth <thuth@redhat.com>
[ Upstream commit 48a428215782321b56956974f23593e40ce84b7a ]
The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses
sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be
causing an undersized allocation.
The allocation is also inconsistent with the initial array allocation in
efi_capsule_open() that allocates one entry with sizeof(phys_addr_t),
and the efi_capsule_write() function that stores phys_addr_t values (not
pointers) via page_to_phys().
On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this
goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but
pointers are 32-bit, this allocates half the required space, which might
lead to a heap buffer overflow when storing physical addresses.
This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader:
fix incorrect allocation size") which fixed the same issue at the initial
allocation site.
Fixes: f24c4d478013 ("efi/capsule-loader: Reinstate virtual capsule mapping")
Assisted-by: Claude:claude-sonnet-4-5
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/capsule-loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/capsule-loader.c b/drivers/firmware/efi/capsule-loader.c
index 0c17bdd388e12..bbddeb6a09552 100644
--- a/drivers/firmware/efi/capsule-loader.c
+++ b/drivers/firmware/efi/capsule-loader.c
@@ -67,7 +67,7 @@ int __efi_capsule_setup_info(struct capsule_info *cap_info)
cap_info->pages = temp_page;
temp_page = krealloc(cap_info->phys,
- pages_needed * sizeof(phys_addr_t *),
+ pages_needed * sizeof(phys_addr_t),
GFP_KERNEL | __GFP_ZERO);
if (!temp_page)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 360/957] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 359/957] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 361/957] arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon Greg Kroah-Hartman
` (602 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Klinesmith, Namjae Jeon,
Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Klinesmith <joshuaklinesmith@gmail.com>
[ Upstream commit 3e298897f41c61450c2e7a4f457e8b2485eb35b3 ]
ksmbd_crypt_message() sets a NULL completion callback on AEAD requests
and does not handle the -EINPROGRESS return code from async hardware
crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns
-EINPROGRESS, ksmbd treats it as an error and immediately frees the
request while the hardware DMA operation is still in flight. The DMA
completion callback then dereferences freed memory, causing a NULL
pointer crash:
pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]
Use the standard crypto_wait_req() pattern with crypto_req_done() as
the completion callback, matching the approach used by the SMB client
in fs/smb/client/smb2ops.c. This properly handles both synchronous
engines (immediate return) and async engines (-EINPROGRESS followed
by callback notification).
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Link: https://github.com/openwrt/openwrt/issues/21822
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/auth.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
index c37b86a83cac8..b63f32c692bab 100644
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -1076,6 +1076,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base);
unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
int rc;
+ DECLARE_CRYPTO_WAIT(wait);
struct scatterlist *sg;
u8 sign[SMB2_SIGNATURE_SIZE] = {};
u8 key[SMB3_ENC_DEC_KEY_SIZE];
@@ -1162,12 +1163,12 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
aead_request_set_ad(req, assoc_data_len);
- aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+ crypto_req_done, &wait);
- if (enc)
- rc = crypto_aead_encrypt(req);
- else
- rc = crypto_aead_decrypt(req);
+ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) :
+ crypto_aead_decrypt(req), &wait);
if (rc)
goto free_iv;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 361/957] arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 360/957] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 362/957] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
` (601 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
David Lechner, AngeloGioacchino Del Regno, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
[ Upstream commit 0651c24658360706c30588cec0a12c05edb03e9a ]
The infracfg-nao register space at 0x1020e000 has different registers
than the infracfg space at 0x10001000, and most importantly, doesn't
contain any clock controls. Therefore it shouldn't use the same
compatible used for the mt8365 infracfg clocks driver:
mediatek,mt8365-infracfg. Since it currently does, probe errors are
reported in the kernel logs:
[ 0.245959] Failed to register clk ifr_pmic_tmr: -EEXIST
[ 0.245998] clk-mt8365 1020e000.infracfg: probe with driver clk-mt8365 failed with error -17
This register space is used only as a syscon for bus control by the
power domain controller, so in order to properly describe it and fix the
errors, set its compatible to a distinct compatible used exclusively as
a syscon, drop the clock-cells, and while at it rename the node to
'syscon' following the naming convention.
Fixes: 6ff945376556 ("arm64: dts: mediatek: Initial mt8365-evk support")
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8365.dtsi | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8365.dtsi b/arch/arm64/boot/dts/mediatek/mt8365.dtsi
index e6d2b3221a3b7..49ad4dee9c4cf 100644
--- a/arch/arm64/boot/dts/mediatek/mt8365.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8365.dtsi
@@ -495,10 +495,9 @@ iommu: iommu@10205000 {
#iommu-cells = <1>;
};
- infracfg_nao: infracfg@1020e000 {
- compatible = "mediatek,mt8365-infracfg", "syscon";
+ infracfg_nao: syscon@1020e000 {
+ compatible = "mediatek,mt8365-infracfg-nao", "syscon";
reg = <0 0x1020e000 0 0x1000>;
- #clock-cells = <1>;
};
rng: rng@1020f000 {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 362/957] ARM: dts: mediatek: mt7623: fix efuse fallback compatible
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 361/957] arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 363/957] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
` (600 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafał Miłecki,
AngeloGioacchino Del Regno, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafał Miłecki <rafal@milecki.pl>
[ Upstream commit 5978ff33cc6f0988388a2830dc5cd2ea4e81f36a ]
Fix following validation error:
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: efuse@10206000: compatible: 'oneOf' conditional failed, one must be fixed:
['mediatek,mt7623-efuse', 'mediatek,mt8173-efuse'] is too long
'mediatek,mt8173-efuse' was expected
'mediatek,efuse' was expected
from schema $id: http://devicetree.org/schemas/nvmem/mediatek,efuse.yaml#
arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: efuse@10206000: Unevaluated properties are not allowed ('compatible' was unexpected)
from schema $id: http://devicetree.org/schemas/nvmem/mediatek,efuse.yaml#
Fixes: 43c7a91b4b3a ("arm: dts: mt7623: add efuse nodes to the mt7623.dtsi file")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/mediatek/mt7623.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/mediatek/mt7623.dtsi b/arch/arm/boot/dts/mediatek/mt7623.dtsi
index fd7a89cc337d6..a60b1d6879ffe 100644
--- a/arch/arm/boot/dts/mediatek/mt7623.dtsi
+++ b/arch/arm/boot/dts/mediatek/mt7623.dtsi
@@ -328,7 +328,7 @@ sysirq: interrupt-controller@10200100 {
efuse: efuse@10206000 {
compatible = "mediatek,mt7623-efuse",
- "mediatek,mt8173-efuse";
+ "mediatek,efuse";
reg = <0 0x10206000 0 0x1000>;
#address-cells = <1>;
#size-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 363/957] memory: tegra124-emc: Fix dll_change check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 362/957] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 364/957] memory: tegra30-emc: " Greg Kroah-Hartman
` (599 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Krzysztof Kozlowski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 9597ab9a8296ab337e6820f8a717ff621078b632 ]
The code checking whether the specified memory timing enables DLL
in the EMRS register was reversed. DLL is enabled if bit A0 is low.
Fix the check.
Fixes: 73a7f0a90641 ("memory: tegra: Add EMC (external memory controller) driver")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Link: https://patch.msgid.link/20260126-fix-emc-dllchange-v1-1-47ad3bb63262@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra124-emc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/memory/tegra/tegra124-emc.c b/drivers/memory/tegra/tegra124-emc.c
index 03f1daa2d132a..71d20b5916d89 100644
--- a/drivers/memory/tegra/tegra124-emc.c
+++ b/drivers/memory/tegra/tegra124-emc.c
@@ -608,7 +608,7 @@ static int tegra_emc_prepare_timing_change(struct tegra_emc *emc,
if ((last->emc_mode_1 & 0x1) == (timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_NONE;
- else if (timing->emc_mode_1 & 0x1)
+ else if (!(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_ON;
else
dll_change = DLL_CHANGE_OFF;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 364/957] memory: tegra30-emc: Fix dll_change check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 363/957] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 365/957] arm64: dts: imx8-apalis: Fix LEDs name collision Greg Kroah-Hartman
` (598 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Perttunen, Krzysztof Kozlowski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikko Perttunen <mperttunen@nvidia.com>
[ Upstream commit 0a93f2355cf4922ad2399dbef5ea1049fef116d4 ]
The code checking whether the specified memory timing enables DLL
in the EMRS register was reversed. DLL is enabled if bit A0 is low.
Fix the check.
Fixes: e34212c75a68 ("memory: tegra: Introduce Tegra30 EMC driver")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Link: https://patch.msgid.link/20260126-fix-emc-dllchange-v1-2-47ad3bb63262@nvidia.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/memory/tegra/tegra30-emc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/memory/tegra/tegra30-emc.c b/drivers/memory/tegra/tegra30-emc.c
index 921dce1b8bc63..4981b7fa0f780 100644
--- a/drivers/memory/tegra/tegra30-emc.c
+++ b/drivers/memory/tegra/tegra30-emc.c
@@ -554,14 +554,14 @@ static int emc_prepare_timing_change(struct tegra_emc *emc, unsigned long rate)
emc->emc_cfg = readl_relaxed(emc->regs + EMC_CFG);
emc_dbg = readl_relaxed(emc->regs + EMC_DBG);
- if (emc->dll_on == !!(timing->emc_mode_1 & 0x1))
+ if (emc->dll_on == !(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_NONE;
- else if (timing->emc_mode_1 & 0x1)
+ else if (!(timing->emc_mode_1 & 0x1))
dll_change = DLL_CHANGE_ON;
else
dll_change = DLL_CHANGE_OFF;
- emc->dll_on = !!(timing->emc_mode_1 & 0x1);
+ emc->dll_on = !(timing->emc_mode_1 & 0x1);
if (timing->data[80] && !readl_relaxed(emc->regs + EMC_ZCAL_INTERVAL))
emc->zcal_long = true;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 365/957] arm64: dts: imx8-apalis: Fix LEDs name collision
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 364/957] memory: tegra30-emc: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 366/957] arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD Greg Kroah-Hartman
` (597 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Dolcini, Frank Li,
Daniel Baluta, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Dolcini <francesco.dolcini@toradex.com>
[ Upstream commit 92ab53b9bb2a72581c32073755077af916eb9aee ]
Ixora boards have multiple instances of status leds, to avoid a name
collision add the function-enumerator property.
This fixes the following Linux kernel warnings:
leds-gpio leds: Led green:status renamed to green:status_1 due to name collision
leds-gpio leds: Led red:status renamed to red:status_1 due to name collision
Fixes: c083131c9021 ("arm64: dts: freescale: add apalis imx8 aka quadmax carrier board support")
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi | 4 ++++
arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi
index 3d8731504ce15..1e8b6e61e33d4 100644
--- a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.1.dtsi
@@ -21,6 +21,7 @@ led-1 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 27 GPIO_ACTIVE_HIGH>;
};
@@ -29,6 +30,7 @@ led-2 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 29 GPIO_ACTIVE_HIGH>;
};
@@ -37,6 +39,7 @@ led-3 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 20 GPIO_ACTIVE_HIGH>;
};
@@ -45,6 +48,7 @@ led-4 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 21 GPIO_ACTIVE_HIGH>;
};
};
diff --git a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi
index 106e802a68ba5..70dcb66f8fda4 100644
--- a/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8-apalis-ixora-v1.2.dtsi
@@ -21,6 +21,7 @@ led-1 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 27 GPIO_ACTIVE_HIGH>;
};
@@ -29,6 +30,7 @@ led-2 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <1>;
gpios = <&lsio_gpio5 29 GPIO_ACTIVE_HIGH>;
};
@@ -37,6 +39,7 @@ led-3 {
color = <LED_COLOR_ID_GREEN>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 20 GPIO_ACTIVE_HIGH>;
};
@@ -45,6 +48,7 @@ led-4 {
color = <LED_COLOR_ID_RED>;
default-state = "off";
function = LED_FUNCTION_STATUS;
+ function-enumerator = <2>;
gpios = <&lsio_gpio5 21 GPIO_ACTIVE_HIGH>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 366/957] arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 365/957] arm64: dts: imx8-apalis: Fix LEDs name collision Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 367/957] arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config Greg Kroah-Hartman
` (596 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luke Wang, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luke Wang <ziniu.wang_1@nxp.com>
[ Upstream commit 5ab0c76df2403137a6d0fb27a55e03cedf47f44c ]
During system resume, the following errors occurred:
[ 430.638625] mmc1: error -84 writing Cache Enable bit
[ 430.643618] mmc1: error -84 doing runtime resume
For eMMC and SD, there are two tuning pass windows and the gap between
those two windows may only have one cell. If tuning step > 1, the gap may
just be skipped and host assumes those two windows as a continuous
windows. This will cause a wrong delay cell near the gap to be selected.
Set the tuning step to 1 to avoid selecting the wrong delay cell.
For SDIO, the gap is sufficiently large, so the default tuning step does
not cause this issue.
Fixes: 6772c4cffd87 ("arm64: dts: freescale: add i.MX91 11x11 EVK basic support")
Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx91-11x11-evk.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx91-11x11-evk.dts b/arch/arm64/boot/dts/freescale/imx91-11x11-evk.dts
index aca78768dbd4b..4164d9e4e0fd2 100644
--- a/arch/arm64/boot/dts/freescale/imx91-11x11-evk.dts
+++ b/arch/arm64/boot/dts/freescale/imx91-11x11-evk.dts
@@ -415,6 +415,7 @@ &usdhc1 {
pinctrl-1 = <&pinctrl_usdhc1_100mhz>;
pinctrl-2 = <&pinctrl_usdhc1_200mhz>;
pinctrl-names = "default", "state_100mhz", "state_200mhz";
+ fsl,tuning-step = <1>;
status = "okay";
};
@@ -429,6 +430,7 @@ &usdhc2 {
pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_gpio_sleep>;
pinctrl-names = "default", "state_100mhz", "state_200mhz", "sleep";
vmmc-supply = <®_usdhc2_vmmc>;
+ fsl,tuning-step = <1>;
status = "okay";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 367/957] arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 366/957] arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 368/957] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
` (595 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quentin Schulz, Heiko Stuebner,
Shawn Lin, Heiko Stuebner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Stuebner <heiko.stuebner@cherry.de>
[ Upstream commit f45d4356feeba1c8dac3414b688f59292ddfc9f9 ]
The hardware PU/PD config of the pin after reset is to pull-up and on
Jaguar this will also keep the device in reset until the driver actually
enables the pin. So restore this boot pull-up config of the pin on Jaguar
instead of setting it to pull-none.
Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Fixes: 0ec7e1096332 ("arm64: dts: rockchip: add PCIe3 support on rk3588-jaguar")
Signed-off-by: Heiko Stuebner <heiko.stuebner@cherry.de>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Link: https://patch.msgid.link/20260210080303.680403-5-heiko@sntech.de
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts b/arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts
index 176925d0a1a80..557158093b586 100644
--- a/arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3588-jaguar.dts
@@ -585,7 +585,7 @@ led1_pin: led1-pin {
pcie30x4 {
pcie30x4_clkreqn_m0: pcie30x4-clkreqn-m0 {
- rockchip,pins = <0 RK_PC6 RK_FUNC_GPIO &pcfg_pull_none>;
+ rockchip,pins = <0 RK_PC6 RK_FUNC_GPIO &pcfg_pull_up>;
};
pcie30x4_perstn_m0: pcie30x4-perstn-m0 {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 368/957] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 367/957] arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 369/957] iommufd: vfio compatibility extension check for noiommu mode Greg Kroah-Hartman
` (594 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sherry Sun, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
[ Upstream commit d1e7eab6033f9885a02c4b4e8f09e34d8e9d21ab ]
The current pin configuration for MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06
sets the weak pull-up but does not enable the pull select field.
Bit 8 in the IOMUX register must be set in order for the weak pull-up
to actually take effect.
Update the pinctrl setting from 0x40 to 0x140 to enable both the pull
select and the weak pull-up, ensuring the line behaves as expected.
Fixes: d50650500064 ("arm64: dts: imx8mp-evk: Add PCIe support")
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
index 3730792daf501..d957d6cc20f7f 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
@@ -995,7 +995,7 @@ MX8MP_IOMUXC_SD1_DATA5__GPIO2_IO07 0x40
pinctrl_pcie0_reg: pcie0reggrp {
fsl,pins = <
- MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x40
+ MX8MP_IOMUXC_SD1_DATA4__GPIO2_IO06 0x140
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 369/957] iommufd: vfio compatibility extension check for noiommu mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 368/957] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 370/957] arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype Greg Kroah-Hartman
` (593 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jacob Pan, Jason Gunthorpe,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Pan <jacob.pan@linux.microsoft.com>
[ Upstream commit 7147ec874ea08c322d779d8eba28946e294ed1f3 ]
VFIO_CHECK_EXTENSION should return false for TYPE1_IOMMU variants when
in NO-IOMMU mode and IOMMUFD compat container is set. This change makes
the behavior match VFIO_CONTAINER in noiommu mode. It also prevents
userspace from incorrectly attempting to use TYPE1 IOMMU operations
in a no-iommu context.
Fixes: d624d6652a65 ("iommufd: vfio container FD ioctl compatibility")
Link: https://patch.msgid.link/r/20260213183636.3340-1-jacob.pan@linux.microsoft.com
Signed-off-by: Jacob Pan <jacob.pan@linux.microsoft.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommufd/vfio_compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/vfio_compat.c b/drivers/iommu/iommufd/vfio_compat.c
index a258ee2f4579f..acb48cdd3b005 100644
--- a/drivers/iommu/iommufd/vfio_compat.c
+++ b/drivers/iommu/iommufd/vfio_compat.c
@@ -283,7 +283,7 @@ static int iommufd_vfio_check_extension(struct iommufd_ctx *ictx,
case VFIO_TYPE1_IOMMU:
case VFIO_TYPE1v2_IOMMU:
case VFIO_UNMAP_ALL:
- return 1;
+ return !ictx->no_iommu_mode;
case VFIO_NOIOMMU_IOMMU:
return IS_ENABLED(CONFIG_VFIO_NOIOMMU);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 370/957] arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 369/957] iommufd: vfio compatibility extension check for noiommu mode Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 371/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id Greg Kroah-Hartman
` (592 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Bjorn Andersson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
[ Upstream commit 2c3b8260d1a0d9a388f2d30e3bbe50d93edfa2aa ]
qcom,msm-id property must consist of two numbers, where the second
number is the subtype, as reported by dtbs_check:
sm6125-xiaomi-ginkgo.dtb: / (xiaomi,ginkgo): qcom,msm-id:0: [394] is too short
Xiaomi vendor DTS for Trinket IDP and QRD boards uses value of 0x10000,
so put it here as well.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20251229142806.241088-2-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 535e5741bc9a ("arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
index 68a237215bd1f..6b68e391cf3ea 100644
--- a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
+++ b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
@@ -19,7 +19,7 @@ / {
chassis-type = "handset";
/* required for bootloader to select correct board */
- qcom,msm-id = <QCOM_ID_SM6125>;
+ qcom,msm-id = <QCOM_ID_SM6125 0x10000>;
qcom,board-id = <22 0>;
chosen {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 371/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 370/957] arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 372/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges Greg Kroah-Hartman
` (591 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 535e5741bc9acef5ea2561aa300f28370599e7e2 ]
Remove board-id it is not necessary for the bootloader.
Fixes: 9b1a6c925c88 ("arm64: dts: qcom: sm6125: Initial support for xiaomi-ginkgo")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20260126-xiaomi-willow-v3-1-aad7b106c311@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
index 6b68e391cf3ea..bf03226a6f854 100644
--- a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
+++ b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
@@ -18,9 +18,7 @@ / {
compatible = "xiaomi,ginkgo", "qcom,sm6125";
chassis-type = "handset";
- /* required for bootloader to select correct board */
qcom,msm-id = <QCOM_ID_SM6125 0x10000>;
- qcom,board-id = <22 0>;
chosen {
#address-cells = <2>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 372/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 371/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 373/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon Greg Kroah-Hartman
` (590 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 242801cc24e865cb525ef7d826ce6ebeffcad606 ]
The device was crashing on high memory load because the reserved memory
ranges was wrongly defined. Correct the ranges for avoid the crashes.
Change the ramoops memory range to match with the values from the recovery
to be able to get the results from the device.
Fixes: 9b1a6c925c88 ("arm64: dts: qcom: sm6125: Initial support for xiaomi-ginkgo")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20260126-xiaomi-willow-v3-2-aad7b106c311@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/qcom/sm6125-xiaomi-ginkgo.dts | 41 +++++++++++++------
1 file changed, 29 insertions(+), 12 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
index bf03226a6f854..d5e5abdb3b2ff 100644
--- a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
+++ b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
@@ -13,6 +13,12 @@
#include "sm6125.dtsi"
#include "pm6125.dtsi"
+/delete-node/ &adsp_pil_mem;
+/delete-node/ &cont_splash_mem;
+/delete-node/ &gpu_mem;
+/delete-node/ &ipa_fw_mem;
+/delete-node/ &ipa_gsi_mem;
+
/ {
model = "Xiaomi Redmi Note 8";
compatible = "xiaomi,ginkgo", "qcom,sm6125";
@@ -36,28 +42,39 @@ framebuffer0: framebuffer@5c000000 {
};
reserved-memory {
- debug_mem: debug@ffb00000 {
- reg = <0x0 0xffb00000 0x0 0xc0000>;
+ adsp_pil_mem: adsp_pil_mem@55300000 {
+ reg = <0x0 0x55300000 0x0 0x2200000>;
no-map;
};
- last_log_mem: lastlog@ffbc0000 {
- reg = <0x0 0xffbc0000 0x0 0x80000>;
+ ipa_fw_mem: ipa_fw_mem@57500000 {
+ reg = <0x0 0x57500000 0x0 0x10000>;
no-map;
};
- pstore_mem: ramoops@ffc00000 {
- compatible = "ramoops";
- reg = <0x0 0xffc40000 0x0 0xc0000>;
- record-size = <0x1000>;
- console-size = <0x40000>;
- pmsg-size = <0x20000>;
+ ipa_gsi_mem: ipa_gsi_mem@57510000 {
+ reg = <0x0 0x57510000 0x0 0x5000>;
+ no-map;
};
- cmdline_mem: memory@ffd00000 {
- reg = <0x0 0xffd40000 0x0 0x1000>;
+ gpu_mem: gpu_mem@57515000 {
+ reg = <0x0 0x57515000 0x0 0x2000>;
no-map;
};
+
+ framebuffer@5c000000 {
+ reg = <0x0 0x5c000000 0x0 (2340 * 1080 * 4)>;
+ no-map;
+ };
+
+ /* Matching with recovery values to be able to get the results. */
+ ramoops@61600000 {
+ compatible = "ramoops";
+ reg = <0x0 0x61600000 0x0 0x400000>;
+ record-size = <0x80000>;
+ pmsg-size = <0x200000>;
+ console-size = <0x100000>;
+ };
};
extcon_usb: extcon-usb {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 373/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 372/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 374/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges Greg Kroah-Hartman
` (589 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 79664600fd3ed3972ad9321e13d1f80267730447 ]
GPIO pin 102 is related to DisplayPort what is not supported
by this device and it is also disabled at downstream,
remove the unnecessary extcon-usb node.
Fixes: 9b1a6c925c88 ("arm64: dts: qcom: sm6125: Initial support for xiaomi-ginkgo")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20260126-xiaomi-willow-v3-4-aad7b106c311@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
index d5e5abdb3b2ff..418cfe67a2da8 100644
--- a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
+++ b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
@@ -77,11 +77,6 @@ ramoops@61600000 {
};
};
- extcon_usb: extcon-usb {
- compatible = "linux,extcon-usb-gpio";
- id-gpios = <&tlmm 102 GPIO_ACTIVE_HIGH>;
- };
-
gpio-keys {
compatible = "gpio-keys";
@@ -304,7 +299,3 @@ &tlmm {
&usb3 {
status = "okay";
};
-
-&usb3_dwc3 {
- extcon = <&extcon_usb>;
-};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 374/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 373/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 375/957] arm64: dts: qcom: talos: Add missing clock-names to GCC Greg Kroah-Hartman
` (588 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biswapriyo Nath, Konrad Dybcio,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit e8669e010991154bedadd1cd67700544e0362e99 ]
The device was crashing on boot because the reserved gpio ranges
was wrongly defined. Correct the ranges for avoid pinctrl crashing.
Fixes: 9b1a6c925c88 ("arm64: dts: qcom: sm6125: Initial support for xiaomi-ginkgo")
Tested-by: Biswapriyo Nath <nathbappai@gmail.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20260126-xiaomi-willow-v3-5-aad7b106c311@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
index 418cfe67a2da8..c3edeee3af3ef 100644
--- a/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
+++ b/arch/arm64/boot/dts/qcom/sm6125-xiaomi-ginkgo.dts
@@ -293,7 +293,7 @@ &sdhc_2 {
};
&tlmm {
- gpio-reserved-ranges = <22 2>, <28 6>;
+ gpio-reserved-ranges = <0 4>, <30 4>;
};
&usb3 {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 375/957] arm64: dts: qcom: talos: Add missing clock-names to GCC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 374/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 376/957] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
` (587 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Taniya Das, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit c653607929bb4e0d8b80573bdb523adab5b975c2 ]
The binding for this clock controller requires that clock-names are
present. They're not really used by the kernel driver, but they're
marked as required, so someone might have assumed it's done on purpose
(where in reality we try to stay away from that since index-based
references are faster, take up less space and are already widely used)
and referenced it in drivers for another OS.
Hence, do the least painful thing and add the missing entries.
Fixes: 8e266654a2fe ("arm64: dts: qcom: add QCS615 platform")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260126-topic-talos_dt_warn-v1-1-c452afc647ad@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm6150.dtsi | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sm6150.dtsi b/arch/arm64/boot/dts/qcom/sm6150.dtsi
index 363b9f436cd0a..a066ad5ffde57 100644
--- a/arch/arm64/boot/dts/qcom/sm6150.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm6150.dtsi
@@ -522,6 +522,9 @@ gcc: clock-controller@100000 {
clocks = <&rpmhcc RPMH_CXO_CLK>,
<&rpmhcc RPMH_CXO_CLK_A>,
<&sleep_clk>;
+ clock-names = "bi_tcxo",
+ "bi_tcxo_ao",
+ "sleep_clk";
#clock-cells = <1>;
#reset-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 376/957] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 375/957] arm64: dts: qcom: talos: Add missing clock-names to GCC Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 377/957] arm64: dts: mediatek: mt7981b: " Greg Kroah-Hartman
` (586 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit c4c4823c8a5baa10b8100b01f49d7c3f4a871689 ]
The gpio-ranges in the MT6795 pinctrl node were incorrectly defined,
therefore, GPIO196 cannot be used.
Correct the range count to match the driver.
Fixes: b888886a4536 ("arm64: dts: mediatek: mt6795: Add pinctrl controller node")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6795.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6795.dtsi b/arch/arm64/boot/dts/mediatek/mt6795.dtsi
index 58833e5135c8e..9757e37a65d4e 100644
--- a/arch/arm64/boot/dts/mediatek/mt6795.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6795.dtsi
@@ -372,7 +372,7 @@ pio: pinctrl@10005000 {
<GIC_SPI 154 IRQ_TYPE_LEVEL_HIGH>;
gpio-controller;
#gpio-cells = <2>;
- gpio-ranges = <&pio 0 0 196>;
+ gpio-ranges = <&pio 0 0 197>;
interrupt-controller;
#interrupt-cells = <2>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 377/957] arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 376/957] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 378/957] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
` (585 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit b62a927f4a46a7f58d88ba3d5fb6e88e1a4b4603 ]
The gpio-ranges in the MT7981B pinctrl node were incorrectly defined,
therefore, pin 56 cannot be used.
Correct the range count to match the driver.
Fixes: 62b24c7fdf0a ("arm64: dts: mediatek: mt7981: add pinctrl")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt7981b.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt7981b.dtsi b/arch/arm64/boot/dts/mediatek/mt7981b.dtsi
index 277c11247c132..88d7c3da3e49b 100644
--- a/arch/arm64/boot/dts/mediatek/mt7981b.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt7981b.dtsi
@@ -225,7 +225,7 @@ pio: pinctrl@11d00000 {
interrupt-controller;
interrupts = <GIC_SPI 225 IRQ_TYPE_LEVEL_HIGH>;
interrupt-parent = <&gic>;
- gpio-ranges = <&pio 0 0 56>;
+ gpio-ranges = <&pio 0 0 57>;
gpio-controller;
#gpio-cells = <2>;
#interrupt-cells = <2>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 378/957] arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 377/957] arm64: dts: mediatek: mt7981b: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 379/957] iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy} Greg Kroah-Hartman
` (584 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akari Tsuyukusa,
AngeloGioacchino Del Regno, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akari Tsuyukusa <akkun11.open@gmail.com>
[ Upstream commit 820ed0c1a13c5fafb36232538d793f99a0986ef3 ]
The gpio-ranges in the MT7986A pinctrl node were incorrectly defined,
therefore, pin 100 cannot be used.
Correct the range count to match the driver.
Fixes: c3a064a32ed9 ("arm64: dts: mediatek: add pinctrl support for mt7986a")
Signed-off-by: Akari Tsuyukusa <akkun11.open@gmail.com>
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
index a8972330a7b89..6786e5b590e85 100644
--- a/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt7986a.dtsi
@@ -187,7 +187,7 @@ pio: pinctrl@1001f000 {
"iocfg_lb", "iocfg_tr", "iocfg_tl", "eint";
gpio-controller;
#gpio-cells = <2>;
- gpio-ranges = <&pio 0 0 100>;
+ gpio-ranges = <&pio 0 0 101>;
interrupt-controller;
interrupts = <GIC_SPI 225 IRQ_TYPE_LEVEL_HIGH>;
interrupt-parent = <&gic>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 379/957] iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 378/957] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 380/957] arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices Greg Kroah-Hartman
` (583 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Nicolin Chen,
Pranjal Shrivastava, Jason Gunthorpe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 09c091fddb0b93297ea659ab48ee64f54ebeeaa2 ]
mock_viommu_init() allocates two pages using __get_free_pages(..., 1),
but its error path and mock_viommu_destroy() only release the first page
using free_page(), leaking the second page. Use free_pages() with the
matching order instead to avoid any page leaks.
Fixes: 80478a2b450e ("iommufd/selftest: Add coverage for the new mmap interface")
Link: https://patch.msgid.link/r/20260312164040.457293-3-thorsten.blum@linux.dev
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommufd/selftest.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
index dc0947aaac625..8fd27f65d6237 100644
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -699,7 +699,7 @@ static void mock_viommu_destroy(struct iommufd_viommu *viommu)
if (mock_viommu->mmap_offset)
iommufd_viommu_destroy_mmap(&mock_viommu->core,
mock_viommu->mmap_offset);
- free_page((unsigned long)mock_viommu->page);
+ free_pages((unsigned long)mock_viommu->page, 1);
mutex_destroy(&mock_viommu->queue_mutex);
/* iommufd core frees mock_viommu and viommu */
@@ -933,7 +933,7 @@ static int mock_viommu_init(struct iommufd_viommu *viommu,
iommufd_viommu_destroy_mmap(&mock_viommu->core,
mock_viommu->mmap_offset);
err_free_page:
- free_page((unsigned long)mock_viommu->page);
+ free_pages((unsigned long)mock_viommu->page, 1);
return rc;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 380/957] arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 379/957] iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy} Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 381/957] arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier Greg Kroah-Hartman
` (582 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frieder Schrempf, Frank Li,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frieder Schrempf <frieder.schrempf@kontron.de>
[ Upstream commit 058c53476dde9937877e93d964a283bbb5e1e4c7 ]
The reset signal needs a pullup, but there is no hardware pullup.
As a workaround, enable the internal pullup to fix the touchscreen.
As this deviates from the default generic GPIO settings in the OSM
devicetree, add a new node for the touch pinctrl and redefine the
generic gpio1 pinctrl.
Fixes: 946ab10e3f40f ("arm64: dts: Add support for Kontron OSM-S i.MX8MP SoM and BL carrier board")
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/freescale/imx8mp-kontron-dl.dtso | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-kontron-dl.dtso b/arch/arm64/boot/dts/freescale/imx8mp-kontron-dl.dtso
index a3cba41d2b531..7131e9a499ae1 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-kontron-dl.dtso
+++ b/arch/arm64/boot/dts/freescale/imx8mp-kontron-dl.dtso
@@ -77,6 +77,8 @@
touchscreen@5d {
compatible = "goodix,gt928";
reg = <0x5d>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_touch>;
interrupt-parent = <&gpio1>;
interrupts = <6 8>;
irq-gpios = <&gpio1 6 0>;
@@ -98,6 +100,16 @@
status = "okay";
};
+/* redefine to remove touch controller GPIOs */
+&pinctrl_gpio1 {
+ fsl,pins = <
+ MX8MP_IOMUXC_GPIO1_IO00__GPIO1_IO00 0x19 /* GPIO_A_0 */
+ MX8MP_IOMUXC_GPIO1_IO01__GPIO1_IO01 0x19 /* GPIO_A_1 */
+ MX8MP_IOMUXC_GPIO1_IO05__GPIO1_IO05 0x19 /* GPIO_A_2 */
+ MX8MP_IOMUXC_GPIO1_IO08__GPIO1_IO08 0x19 /* GPIO_A_5 */
+ >;
+};
+
&pwm1 {
status = "okay";
};
@@ -108,4 +120,11 @@
MX8MP_IOMUXC_SAI3_RXFS__GPIO4_IO28 0x19
>;
};
+
+ pinctrl_touch: touchgrp {
+ fsl,pins = <
+ MX8MP_IOMUXC_GPIO1_IO06__GPIO1_IO06 0x19
+ MX8MP_IOMUXC_GPIO1_IO07__GPIO1_IO07 0x150
+ >;
+ };
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 381/957] arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 380/957] arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 382/957] arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference Greg Kroah-Hartman
` (581 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frieder Schrempf, Frank Li,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frieder Schrempf <frieder.schrempf@kontron.de>
[ Upstream commit d2ce84eecf081056b1d18d7524de52f849281ba7 ]
The SMARC evaluation carrier provides an SD card power switch that
complies with the OSM standard definition. The OSM base devicetree
already describes this correctly.
Stop overriding the vmmc-supply in the board devicetree and rely on
the definition from the OSM base DTS instead to fix the power supply
configuration for the SD card.
Fixes: 6fe1ced5ccab7 ("arm64: dts: Add support for Kontron i.MX8MP SMARC module and eval carrier")
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/freescale/imx8mp-kontron-smarc-eval-carrier.dts | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-kontron-smarc-eval-carrier.dts b/arch/arm64/boot/dts/freescale/imx8mp-kontron-smarc-eval-carrier.dts
index 2173a36ff6917..74d620dd06b7b 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-kontron-smarc-eval-carrier.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-kontron-smarc-eval-carrier.dts
@@ -249,6 +249,5 @@ &usb3_phy1 {
};
&usdhc2 {
- vmmc-supply = <®_vdd_3v3>;
status = "okay";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 382/957] arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 381/957] arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 383/957] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value Greg Kroah-Hartman
` (580 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 1d1d14d4253e6f373c247e67f3716768910be81e ]
imx8mp.dtsi includes a default port@1 node with an empty placeholder
endpoint intended for linking to a dsi bridge or panel.
HummingBoard Pulse mini-hdmi dtsi described a new endpoint node with a
different label attached.
This duplicate label causes confusion and is suspected to also cause
errors during dsi_attach.
Remove the duplicate node and link to the one defined in soc dtsi.
Further remove the unnecessary attach-bridge property.
Fixes: 2a222aa2bee9 ("arm64: dts: add description for solidrun imx8mp hummingboard variants")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../imx8mp-hummingboard-pulse-mini-hdmi.dtsi | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-hummingboard-pulse-mini-hdmi.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-hummingboard-pulse-mini-hdmi.dtsi
index 46916ddc05335..0e5f4607c7c1b 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-hummingboard-pulse-mini-hdmi.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-hummingboard-pulse-mini-hdmi.dtsi
@@ -41,7 +41,7 @@ port@0 {
reg = <0>;
adv7535_from_dsim: endpoint {
- remote-endpoint = <&dsim_to_adv7535>;
+ remote-endpoint = <&mipi_dsi_out>;
};
};
@@ -71,11 +71,8 @@ &lcdif1 {
&mipi_dsi {
samsung,esc-clock-frequency = <10000000>;
status = "okay";
+};
- port@1 {
- dsim_to_adv7535: endpoint {
- remote-endpoint = <&adv7535_from_dsim>;
- attach-bridge;
- };
- };
+&mipi_dsi_out {
+ remote-endpoint = <&adv7535_from_dsim>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 383/957] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 382/957] arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 384/957] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight Greg Kroah-Hartman
` (579 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio,
Barnabás Czémán, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 9e87f0eaadccc3fecdf3c3c0334e05694804b5f5 ]
PMI8950 doesn't actually support setting an OVP threshold value of
29.6 V. The closest allowed value is 29.5 V. Set that instead.
Fixes: aa17e707e04a ("arm64: dts: qcom: msm8953: Add device tree for Xiaomi Redmi 5 Plus")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://lore.kernel.org/r/20260116-pmi8950-wled-v3-5-e6c93de84079@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts
index d46325e799176..c2a290bf493c1 100644
--- a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts
+++ b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-vince.dts
@@ -169,7 +169,7 @@ &pm8953_resin {
&pmi8950_wled {
qcom,current-limit-microamp = <20000>;
- qcom,ovp-millivolt = <29600>;
+ qcom,ovp-millivolt = <29500>;
qcom,num-strings = <2>;
qcom,external-pfet;
qcom,cabc;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 384/957] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 383/957] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 385/957] arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi Greg Kroah-Hartman
` (578 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Czémán,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit 7131f6d909a6546329b71f2bacfdc60cb3e6020e ]
The backlight on this device is connected via 3 strings. Currently,
the DT claims only two are present, which results in visible stripes
on the display (since every third backlight string remains unconfigured).
Fix the number of strings to avoid that.
Fixes: 38d779c26395 ("arm64: dts: qcom: msm8953: Add device tree for Xiaomi Mi A2 Lite")
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260116-pmi8950-wled-v3-7-e6c93de84079@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts
index ddd7af6167942..59f873a06e4dd 100644
--- a/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts
+++ b/arch/arm64/boot/dts/qcom/msm8953-xiaomi-daisy.dts
@@ -157,7 +157,7 @@ &pm8953_resin {
&pmi8950_wled {
qcom,current-limit-microamp = <20000>;
- qcom,num-strings = <2>;
+ qcom,num-strings = <3>;
status = "okay";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 385/957] arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 384/957] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 386/957] Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1" Greg Kroah-Hartman
` (577 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Wang, Heiko Stuebner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Wang <wangming5719@gmail.com>
[ Upstream commit 861a9593e10bb6ab2a492b315c8a2a3aad70ac00 ]
The AP6212 WiFi/BT module on the LCKFB TaiShan Pi (RK3566) is prone to
communication timeouts and reset failures (error -110) when operating at
3 Mbps.
This patch stabilizes the Bluetooth interface by:
1. Updating the compatible string to 'brcm,bcm43430a1-bt' to better reflect
the actual chip revision used in the AP6212 module.
2. Lowering the maximum UART baud rate from 3,000,000 to 1,500,000 bps.
Tests show that 1.5 Mbps is the reliable upper limit for this board's
UART configuration, eliminating the initialization timeouts.
Fixes: 251e5ade9ba4 ("arm64: dts: rockchip: add dts for LCKFB Taishan Pi RK3566")
Signed-off-by: Ming Wang <wangming5719@gmail.com>
Link: https://patch.msgid.link/20260206090453.1041919-1-wming126@126.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3566-lckfb-tspi.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3566-lckfb-tspi.dts b/arch/arm64/boot/dts/rockchip/rk3566-lckfb-tspi.dts
index ed65d31204446..18a560a6e2a4a 100644
--- a/arch/arm64/boot/dts/rockchip/rk3566-lckfb-tspi.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3566-lckfb-tspi.dts
@@ -635,10 +635,10 @@ &uart1 {
status = "okay";
bluetooth: bluetooth {
- compatible = "brcm,bcm43438-bt";
+ compatible = "brcm,bcm43430a1-bt";
clocks = <&rk809 1>;
clock-names = "lpo";
- max-speed = <3000000>;
+ max-speed = <1500000>;
pinctrl-names = "default";
pinctrl-0 = <&bt_host_wake_l &bt_wake_l &bt_enable_h>;
shutdown-gpios = <&gpio2 RK_PB7 GPIO_ACTIVE_HIGH>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 386/957] Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1"
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 385/957] arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 387/957] arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace Greg Kroah-Hartman
` (576 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hewitt, Alex Bee,
Robin Murphy, Heiko Stuebner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robin Murphy <robin.murphy@arm.com>
[ Upstream commit 03978cb18059ecd27e3d955508b18cf2a1196142 ]
This reverts commit bdc4d388c6452498ab62ef2564589f40e0c8c262.
While Beelink A1 mostly follows the high-end RK3328 reference design,
it does not in fact have the S/PDIF connector, only HDMI and a 3.5mm
jack for the analog audio/TV codecs - the tiny form factor literally
doesn't have room to fit more!
Cc: Christian Hewitt <christianshewitt@gmail.com>
Cc: Alex Bee <knaerzche@gmail.com>
Fixes: bdc4d388c645 ("arm64: dts: rockchip: add SPDIF audio to Beelink A1")
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Link: https://patch.msgid.link/0af77a02c2b0806d4ca72066392a5453fcc89a8f.1767111968.git.robin.murphy@arm.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3328-a1.dts | 23 ----------------------
1 file changed, 23 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3328-a1.dts b/arch/arm64/boot/dts/rockchip/rk3328-a1.dts
index 30bdb38f0727a..e810ed146451c 100644
--- a/arch/arm64/boot/dts/rockchip/rk3328-a1.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3328-a1.dts
@@ -58,24 +58,6 @@ ir-receiver {
gpios = <&gpio2 RK_PA2 GPIO_ACTIVE_LOW>;
linux,rc-map-name = "rc-beelink-gs1";
};
-
- spdif_dit: spdif-dit {
- compatible = "linux,spdif-dit";
- #sound-dai-cells = <0>;
- };
-
- spdif_sound: spdif-sound {
- compatible = "simple-audio-card";
- simple-audio-card,name = "SPDIF";
-
- simple-audio-card,cpu {
- sound-dai = <&spdif>;
- };
-
- simple-audio-card,codec {
- sound-dai = <&spdif_dit>;
- };
- };
};
&analog_sound {
@@ -343,11 +325,6 @@ &sdmmc {
status = "okay";
};
-&spdif {
- pinctrl-0 = <&spdifm0_tx>;
- status = "okay";
-};
-
&tsadc {
rockchip,hw-tshut-mode = <0>;
rockchip,hw-tshut-polarity = <0>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 387/957] arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 386/957] Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1" Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 388/957] arm64: dts: rockchip: Correct Joystick Axes on " Greg Kroah-Hartman
` (575 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Morgan, Heiko Stuebner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Morgan <macromorgan@hotmail.com>
[ Upstream commit c7079215b7dbf88b84a95ff13982bf3dab3cfbe1 ]
Correct the regulator providing power to the PWM controlled fan.
Without this fix the fan only runs when the audio path is playing
audio (because the speaker amplifier and PWM fan share the same
regulator).
Fixes: 4e946c447a04 ("arm64: dts: rockchip: Add GameForce Ace")
Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
Link: https://patch.msgid.link/20260310134648.550006-1-macroalpha82@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts b/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts
index f5894672fcbd3..ef8805219ea16 100644
--- a/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts
@@ -304,7 +304,7 @@ pwm_fan: pwm-fan {
compatible = "pwm-fan";
#cooling-cells = <2>;
cooling-levels = <0 120 150 180 210 240 255>;
- fan-supply = <&vcc5v0_sys>;
+ fan-supply = <&vcc5v0_spk>;
interrupt-parent = <&gpio4>;
interrupts = <RK_PB2 IRQ_TYPE_EDGE_RISING>;
pulses-per-revolution = <4>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 388/957] arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 387/957] arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 389/957] soc: qcom: ocmem: make the core clock optional Greg Kroah-Hartman
` (574 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sydarn, Chris Morgan, Heiko Stuebner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Morgan <macromorgan@hotmail.com>
[ Upstream commit c337c1b561c1c3016d30776d7dc2032ea4979334 ]
The Gameforce Ace's joystick axes were set incorrectly initially,
getting the X/Y and RX/RY axes backwards. Additionally, correct the
RY axis so that it is inverted.
All axes tested with evtest and outputting correct values.
Fixes: 4e946c447a04 ("arm64: dts: rockchip: Add GameForce Ace")
Reported-by: sydarn <sydarn@proton.me>
Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
Link: https://patch.msgid.link/20260310134919.550023-1-macroalpha82@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts b/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts
index ef8805219ea16..afac54ba58318 100644
--- a/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3588s-gameforce-ace.dts
@@ -60,8 +60,8 @@ axis@0 {
reg = <0>;
abs-flat = <40>;
abs-fuzz = <30>;
- abs-range = <0 4095>;
- linux,code = <ABS_RX>;
+ abs-range = <4095 0>;
+ linux,code = <ABS_RY>;
};
axis@1 {
@@ -69,7 +69,7 @@ axis@1 {
abs-flat = <40>;
abs-fuzz = <30>;
abs-range = <0 4095>;
- linux,code = <ABS_RY>;
+ linux,code = <ABS_RX>;
};
axis@2 {
@@ -77,7 +77,7 @@ axis@2 {
abs-flat = <40>;
abs-fuzz = <30>;
abs-range = <0 4095>;
- linux,code = <ABS_Y>;
+ linux,code = <ABS_X>;
};
axis@3 {
@@ -85,7 +85,7 @@ axis@3 {
abs-flat = <40>;
abs-fuzz = <30>;
abs-range = <0 4095>;
- linux,code = <ABS_X>;
+ linux,code = <ABS_Y>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 389/957] soc: qcom: ocmem: make the core clock optional
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 388/957] arm64: dts: rockchip: Correct Joystick Axes on " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 390/957] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
` (573 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit e8a61c51417c679d1a599fb36695e9d3b8d95514 ]
OCMEM's core clock (aka RPM bus 2 clock) is being handled internally by
the interconnect driver. Corresponding clock has been dropped from the
SMD RPM clock driver. The users of the ocmem will vote on the ocmemnoc
interconnect paths, making sure that ocmem is on. Make the clock
optional, keeping it for compatibility with older DT.
Fixes: d6edc31f3a68 ("clk: qcom: smd-rpm: Separate out interconnect bus clocks")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-1-ad9bcae44763@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index 71130a2f62e9e..7bcd0c71d7f64 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -308,7 +308,7 @@ static int ocmem_dev_probe(struct platform_device *pdev)
ocmem->dev = dev;
ocmem->config = device_get_match_data(dev);
- ocmem->core_clk = devm_clk_get(dev, "core");
+ ocmem->core_clk = devm_clk_get_optional(dev, "core");
if (IS_ERR(ocmem->core_clk))
return dev_err_probe(dev, PTR_ERR(ocmem->core_clk),
"Unable to get core clock\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 390/957] soc: qcom: ocmem: register reasons for probe deferrals
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 389/957] soc: qcom: ocmem: make the core clock optional Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 391/957] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
` (572 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Brian Masney,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 9dfd69cd89cd6afa4723be9098979abeef3bb8c6 ]
Instead of printing messages to the dmesg, let the message be recorded
as a reason for the OCMEM client deferral.
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-2-ad9bcae44763@oss.qualcomm.com
[bjorn: s/ERR_PTR(dev_err_probe)/dev_err_ptr_probe/
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index 7bcd0c71d7f64..ed77fdc76c9b2 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -196,10 +196,10 @@ struct ocmem *of_get_ocmem(struct device *dev)
}
pdev = of_find_device_by_node(devnode->parent);
- if (!pdev) {
- dev_err(dev, "Cannot find device node %s\n", devnode->name);
- return ERR_PTR(-EPROBE_DEFER);
- }
+ if (!pdev)
+ return dev_err_ptr_probe(dev, -EPROBE_DEFER,
+ "Cannot find device node %s\n",
+ devnode->name);
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 391/957] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 390/957] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 392/957] arm64: dts: rockchip: Fix RK3562 EVB2 model name Greg Kroah-Hartman
` (571 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 91b59009c7d48b58dbc50fecb27f2ad20749a05a ]
If OCMEM is declared in DT, it is expected that it is present and
handled by the driver. The GPU driver will ignore -ENODEV error, which
typically means that OCMEM isn't defined in DT. Let ocmem return
-EPROBE_DEFER if it supposed to be used, but it is not probed (yet).
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260323-ocmem-v1-3-ad9bcae44763@oss.qualcomm.com
[bjorn: s/ERR_PTR(dev_err_probe)/dev_err_ptr_probe/
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/ocmem.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c
index ed77fdc76c9b2..37ea6b86aebcb 100644
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -203,10 +203,9 @@ struct ocmem *of_get_ocmem(struct device *dev)
ocmem = platform_get_drvdata(pdev);
put_device(&pdev->dev);
- if (!ocmem) {
- dev_err(dev, "Cannot get ocmem\n");
- return ERR_PTR(-ENODEV);
- }
+ if (!ocmem)
+ return dev_err_ptr_probe(dev, -EPROBE_DEFER, "Cannot get ocmem\n");
+
return ocmem;
}
EXPORT_SYMBOL_GPL(of_get_ocmem);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 392/957] arm64: dts: rockchip: Fix RK3562 EVB2 model name
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 391/957] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 393/957] arm64: dts: rockchip: Add mphy reset to ufshc node Greg Kroah-Hartman
` (570 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, 谢致邦 ,
Heiko Stuebner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
[ Upstream commit ede6a05606892bab4f6d785ffcfc124150c2eb32 ]
The model name should be "Rockchip RK3562 EVB2 V10 Board".
Fixes: ceb6ef1ea900 ("arm64: dts: rockchip: Add RK3562 evb2 devicetree")
Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
Link: https://patch.msgid.link/tencent_78E7E3F6991FB4403D5ADC9E6A6BC3BF8307@qq.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3562-evb2-v10.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3562-evb2-v10.dts b/arch/arm64/boot/dts/rockchip/rk3562-evb2-v10.dts
index 6a84db154a7d5..387062eea5208 100644
--- a/arch/arm64/boot/dts/rockchip/rk3562-evb2-v10.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3562-evb2-v10.dts
@@ -13,7 +13,7 @@
#include "rk3562.dtsi"
/ {
- model = "Rockchip RK3562 EVB V20 Board";
+ model = "Rockchip RK3562 EVB2 V10 Board";
compatible = "rockchip,rk3562-evb2-v10", "rockchip,rk3562";
chosen: chosen {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 393/957] arm64: dts: rockchip: Add mphy reset to ufshc node
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 392/957] arm64: dts: rockchip: Fix RK3562 EVB2 model name Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 394/957] bus: rifsc: fix RIF configuration check for peripherals Greg Kroah-Hartman
` (569 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shawn Lin, Heiko Stuebner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit 792c42da47fa199f90492784e3c57280acd57f22 ]
The mphy reset signal is used to reset the physical adapter. Resetting
other components while leaving the mphy unreset may occasionally prevent
the UFS controller from successfully linking up with the device.
This addresses an intermittent hardware bug where the UFS link fails to
establish under specific timing conditions with certain chips. While
difficult to reproduce initially, this issue was consistently observed in
downstream testing and requires explicit mphy reset control for full
stability.
Fixes: c75e5e010fef ("scsi: arm64: dts: rockchip: Add UFS support for RK3576 SoC")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/1773277913-29580-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3576.dtsi | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3576.dtsi b/arch/arm64/boot/dts/rockchip/rk3576.dtsi
index 70e67d4dccb8a..5d69a81aecc64 100644
--- a/arch/arm64/boot/dts/rockchip/rk3576.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3576.dtsi
@@ -1829,8 +1829,9 @@ ufshc: ufshc@2a2d0000 {
pinctrl-0 = <&ufs_refclk &ufs_rstgpio>;
pinctrl-names = "default";
resets = <&cru SRST_A_UFS_BIU>, <&cru SRST_A_UFS_SYS>,
- <&cru SRST_A_UFS>, <&cru SRST_P_UFS_GRF>;
- reset-names = "biu", "sys", "ufs", "grf";
+ <&cru SRST_A_UFS>, <&cru SRST_P_UFS_GRF>,
+ <&cru SRST_MPHY_INIT>;
+ reset-names = "biu", "sys", "ufs", "grf", "mphy";
reset-gpios = <&gpio4 RK_PD0 GPIO_ACTIVE_LOW>;
status = "disabled";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 394/957] bus: rifsc: fix RIF configuration check for peripherals
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 393/957] arm64: dts: rockchip: Add mphy reset to ufshc node Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 395/957] arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail Greg Kroah-Hartman
` (568 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gatien Chevallier, Alexandre Torgue,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gatien Chevallier <gatien.chevallier@foss.st.com>
[ Upstream commit d5ce3b4e951bc41a6ce877c8500bb4fe42146669 ]
Peripheral holding CID0 cannot be accessed, remove this completely
incorrect check. While there, fix and simplify the semaphore checking
that should be performed when the CID filtering is enabled.
Fixes: a18208457253 ("bus: rifsc: introduce RIFSC firewall controller driver")
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Link: https://lore.kernel.org/r/20260129-fix_cid_check_rifsc-v1-1-ef280ccf764d@foss.st.com
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/stm32_rifsc.c | 52 ++++++++++++++-------------------------
1 file changed, 18 insertions(+), 34 deletions(-)
diff --git a/drivers/bus/stm32_rifsc.c b/drivers/bus/stm32_rifsc.c
index 4cf1b60014b77..59872134c3224 100644
--- a/drivers/bus/stm32_rifsc.c
+++ b/drivers/bus/stm32_rifsc.c
@@ -126,34 +126,6 @@ static int stm32_rifsc_grant_access(struct stm32_firewall_controller *ctrl, u32
sec_reg_value = readl(rifsc_controller->mmio + RIFSC_RISC_SECCFGR0 + 0x4 * reg_id);
cid_reg_value = readl(rifsc_controller->mmio + RIFSC_RISC_PER0_CIDCFGR + 0x8 * firewall_id);
- /* First check conditions for semaphore mode, which doesn't take into account static CID. */
- if ((cid_reg_value & CIDCFGR_SEMEN) && (cid_reg_value & CIDCFGR_CFEN)) {
- if (cid_reg_value & BIT(RIF_CID1 + SEMWL_SHIFT)) {
- /* Static CID is irrelevant if semaphore mode */
- goto skip_cid_check;
- } else {
- dev_dbg(rifsc_controller->dev,
- "Invalid bus semaphore configuration: index %d\n", firewall_id);
- return -EACCES;
- }
- }
-
- /*
- * Skip CID check if CID filtering isn't enabled or filtering is enabled on CID0, which
- * corresponds to whatever CID.
- */
- if (!(cid_reg_value & CIDCFGR_CFEN) ||
- FIELD_GET(RIFSC_RISC_SCID_MASK, cid_reg_value) == RIF_CID0)
- goto skip_cid_check;
-
- /* Coherency check with the CID configuration */
- if (FIELD_GET(RIFSC_RISC_SCID_MASK, cid_reg_value) != RIF_CID1) {
- dev_dbg(rifsc_controller->dev, "Invalid CID configuration for peripheral: %d\n",
- firewall_id);
- return -EACCES;
- }
-
-skip_cid_check:
/* Check security configuration */
if (sec_reg_value & BIT(reg_offset)) {
dev_dbg(rifsc_controller->dev,
@@ -161,19 +133,31 @@ static int stm32_rifsc_grant_access(struct stm32_firewall_controller *ctrl, u32
return -EACCES;
}
- /*
- * If the peripheral is in semaphore mode, take the semaphore so that
- * the CID1 has the ownership.
- */
- if ((cid_reg_value & CIDCFGR_SEMEN) && (cid_reg_value & CIDCFGR_CFEN)) {
+ /* Skip CID check if CID filtering isn't enabled */
+ if (!(cid_reg_value & CIDCFGR_CFEN))
+ goto skip_cid_check;
+
+ /* First check conditions for semaphore mode, which doesn't take into account static CID. */
+ if (cid_reg_value & CIDCFGR_SEMEN) {
+ if (!(cid_reg_value & BIT(RIF_CID1 + SEMWL_SHIFT))) {
+ dev_dbg(rifsc_controller->dev,
+ "Invalid bus semaphore configuration: index %d\n", firewall_id);
+ return -EACCES;
+ }
+
rc = stm32_rif_acquire_semaphore(rifsc_controller, firewall_id);
if (rc) {
- dev_err(rifsc_controller->dev,
+ dev_dbg(rifsc_controller->dev,
"Couldn't acquire semaphore for peripheral: %d\n", firewall_id);
return rc;
}
+ } else if (FIELD_GET(RIFSC_RISC_SCID_MASK, cid_reg_value) != RIF_CID1) {
+ dev_dbg(rifsc_controller->dev, "Invalid CID configuration for peripheral: %d\n",
+ firewall_id);
+ return -EACCES;
}
+skip_cid_check:
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 395/957] arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 394/957] bus: rifsc: fix RIF configuration check for peripherals Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 396/957] arm64: dts: qcom: lemans: " Greg Kroah-Hartman
` (567 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Dikshita Agarwal,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit baac8b5e43f42b632b912a6a837d94fd5bca48f2 ]
The corners of the MVS0 / MVS0C clocks on the MMCX rail don't always
match the PLL corners on the MXC rail. Correct the performance corners
for the MXC rail following the PLL documentation.
Fixes: 9065340ac04d ("arm64: dts: qcom: x1e80100: Add IRIS video codec")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260313-iris-fix-corners-v1-1-32a393c25dda@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/x1e80100.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
index efe8d5e7079fe..66c31c1799421 100644
--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
@@ -5297,19 +5297,19 @@ opp-338000000 {
opp-366000000 {
opp-hz = /bits/ 64 <366000000>;
- required-opps = <&rpmhpd_opp_svs_l1>,
+ required-opps = <&rpmhpd_opp_svs>,
<&rpmhpd_opp_svs_l1>;
};
opp-444000000 {
opp-hz = /bits/ 64 <444000000>;
- required-opps = <&rpmhpd_opp_nom>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_nom>;
};
opp-481000000 {
opp-hz = /bits/ 64 <481000000>;
- required-opps = <&rpmhpd_opp_turbo>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_turbo>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 396/957] arm64: dts: qcom: lemans: correct Iris corners for the MXC rail
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 395/957] arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 397/957] arm64: dts: qcom: monaco: " Greg Kroah-Hartman
` (566 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Dikshita Agarwal,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 85a6cf5ef8cf6e6de948fbba56101fa05049417f ]
The corners of the MVS0 / MVS0C clocks on the MMCX rail don't always
match the PLL corners on the MXC rail. Correct the performance corners
for the MXC rail following the PLL documentation.
Fixes: 7bc95052c64f ("arm64: dts: qcom: sa8775p: add support for video node")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260313-iris-fix-corners-v1-2-32a393c25dda@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/lemans.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/lemans.dtsi b/arch/arm64/boot/dts/qcom/lemans.dtsi
index 530dc1e832b70..ef20ea941aa91 100644
--- a/arch/arm64/boot/dts/qcom/lemans.dtsi
+++ b/arch/arm64/boot/dts/qcom/lemans.dtsi
@@ -4363,19 +4363,19 @@ opp-366000000 {
opp-444000000 {
opp-hz = /bits/ 64 <444000000>;
- required-opps = <&rpmhpd_opp_nom>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_nom>;
};
opp-533000000 {
opp-hz = /bits/ 64 <533000000>;
- required-opps = <&rpmhpd_opp_turbo>,
+ required-opps = <&rpmhpd_opp_nom>,
<&rpmhpd_opp_turbo>;
};
opp-560000000 {
opp-hz = /bits/ 64 <560000000>;
- required-opps = <&rpmhpd_opp_turbo_l1>,
+ required-opps = <&rpmhpd_opp_nom>,
<&rpmhpd_opp_turbo_l1>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 397/957] arm64: dts: qcom: monaco: correct Iris corners for the MXC rail
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 396/957] arm64: dts: qcom: lemans: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 398/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
` (565 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Bjorn Andersson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit bba8d9ba7df8f6592552377049fc84958fd0575a ]
The corners of the MVS0 / MVS0C clocks on the MMCX rail don't always
match the PLL corners on the MXC rail. Correct the performance corners
for the MXC rail following the PLL documentation.
Fixes: bf6ec39c3f36 ("arm64: dts: qcom: qcs8300: add video node")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260313-iris-fix-corners-v1-3-32a393c25dda@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/qcs8300.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/qcs8300.dtsi b/arch/arm64/boot/dts/qcom/qcs8300.dtsi
index 7a4c3e872d8ee..8580884a16e98 100644
--- a/arch/arm64/boot/dts/qcom/qcs8300.dtsi
+++ b/arch/arm64/boot/dts/qcom/qcs8300.dtsi
@@ -4743,19 +4743,19 @@ opp-366000000 {
opp-444000000 {
opp-hz = /bits/ 64 <444000000>;
- required-opps = <&rpmhpd_opp_nom>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_nom>;
};
opp-533000000 {
opp-hz = /bits/ 64 <533000000>;
- required-opps = <&rpmhpd_opp_turbo>,
+ required-opps = <&rpmhpd_opp_nom>,
<&rpmhpd_opp_turbo>;
};
opp-560000000 {
opp-hz = /bits/ 64 <560000000>;
- required-opps = <&rpmhpd_opp_turbo_l1>,
+ required-opps = <&rpmhpd_opp_nom>,
<&rpmhpd_opp_turbo_l1>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 398/957] arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 397/957] arm64: dts: qcom: monaco: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 399/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
` (564 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Dikshita Agarwal,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit ff8edb5bc8bdf8bdf4573d8dc062b09cc1e6bc76 ]
The corners of the MVS0 / MVS0C clocks on the MMCX rail don't always
match the PLL corners on the MXC rail. Correct the performance corners
for the MXC rail following the PLL documentation.
Fixes: 41661853ae8e ("arm64: dts: qcom: sm8550: add iris DT node")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260313-iris-fix-corners-v1-4-32a393c25dda@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index e294dc9c68c9a..63e17c3014061 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -3284,19 +3284,19 @@ opp-338000000 {
opp-366000000 {
opp-hz = /bits/ 64 <366000000>;
- required-opps = <&rpmhpd_opp_svs_l1>,
+ required-opps = <&rpmhpd_opp_svs>,
<&rpmhpd_opp_svs_l1>;
};
opp-444000000 {
opp-hz = /bits/ 64 <444000000>;
- required-opps = <&rpmhpd_opp_nom>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_nom>;
};
opp-533333334 {
opp-hz = /bits/ 64 <533333334>;
- required-opps = <&rpmhpd_opp_turbo>,
+ required-opps = <&rpmhpd_opp_nom>,
<&rpmhpd_opp_turbo>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 399/957] arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 398/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 400/957] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
` (563 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Dikshita Agarwal,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 7c302a2a6c1a4644e798ecfc4e72ddc4acec653f ]
The corners of the MVS0 / MVS0C clocks on the MMCX rail don't always
match the PLL corners on the MXC rail. Correct the performance corners
for the MXC rail following the PLL documentation.
Fixes: 56cf5ad39a55 ("arm64: dts: qcom: sm8650: add iris DT node")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260313-iris-fix-corners-v1-5-32a393c25dda@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8650.dtsi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi
index d22a26a416ccc..4e34c686265d6 100644
--- a/arch/arm64/boot/dts/qcom/sm8650.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi
@@ -5201,13 +5201,13 @@ opp-196000000 {
opp-300000000 {
opp-hz = /bits/ 64 <300000000>;
- required-opps = <&rpmhpd_opp_low_svs>,
+ required-opps = <&rpmhpd_opp_svs>,
<&rpmhpd_opp_low_svs>;
};
opp-380000000 {
opp-hz = /bits/ 64 <380000000>;
- required-opps = <&rpmhpd_opp_svs>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_svs>;
};
@@ -5219,13 +5219,13 @@ opp-435000000 {
opp-480000000 {
opp-hz = /bits/ 64 <480000000>;
- required-opps = <&rpmhpd_opp_nom>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_nom>;
};
opp-533333334 {
opp-hz = /bits/ 64 <533333334>;
- required-opps = <&rpmhpd_opp_turbo>,
+ required-opps = <&rpmhpd_opp_svs_l1>,
<&rpmhpd_opp_turbo>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 400/957] arm64: dts: qcom: sm8450: Fix GIC_ITS range length
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 399/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 401/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
` (562 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Neil Armstrong,
Abel Vesa, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 14044fa192c50265bc1f636108371044bbdcf7b7 ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: fc8b0b9b630d ("arm64: dts: qcom: sm8450 add ITS device tree node")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-3-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
index 23420e6924728..68f5e7bca7cde 100644
--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
@@ -5079,7 +5079,7 @@ intc: interrupt-controller@17100000 {
gic_its: msi-controller@17140000 {
compatible = "arm,gic-v3-its";
- reg = <0x0 0x17140000 0x0 0x20000>;
+ reg = <0x0 0x17140000 0x0 0x40000>;
msi-controller;
#msi-cells = <1>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 401/957] arm64: dts: qcom: sm8550: Fix GIC_ITS range length
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 400/957] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 402/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
` (561 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Neil Armstrong,
Abel Vesa, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 357c559e386705609b6b9dc0544c420e3f91f3a0 ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-4-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index 63e17c3014061..c9a781273e842 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -5094,7 +5094,7 @@ ppi_cluster3: interrupt-partition-3 {
gic_its: msi-controller@17140000 {
compatible = "arm,gic-v3-its";
- reg = <0 0x17140000 0 0x20000>;
+ reg = <0 0x17140000 0 0x40000>;
msi-controller;
#msi-cells = <1>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 402/957] arm64: dts: qcom: sm8650: Fix GIC_ITS range length
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 401/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 403/957] arm64: dts: qcom: sm8750: " Greg Kroah-Hartman
` (560 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Neil Armstrong,
Abel Vesa, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 6c8e2ca1263d0da5976418ed285eaec430e8d87f ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: d2350377997f ("arm64: dts: qcom: add initial SM8650 dtsi")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-5-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8650.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi
index 4e34c686265d6..0faaf54e597ea 100644
--- a/arch/arm64/boot/dts/qcom/sm8650.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi
@@ -6885,7 +6885,7 @@ ppi_cluster2: interrupt-partition-2 {
gic_its: msi-controller@17140000 {
compatible = "arm,gic-v3-its";
- reg = <0 0x17140000 0 0x20000>;
+ reg = <0 0x17140000 0 0x40000>;
msi-controller;
#msi-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 403/957] arm64: dts: qcom: sm8750: Fix GIC_ITS range length
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 402/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 404/957] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller Greg Kroah-Hartman
` (559 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Abel Vesa,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit c2f1f8874fda674af1efaa9a90efbdea8b6834ff ]
Currently, the GITS_SGIR register is cut off. Fix it up.
Fixes: 068c3d3c83be ("arm64: dts: qcom: Add base SM8750 dtsi")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260317-topic-its_range_fixup-v1-6-49be8076adb1@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8750.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8750.dtsi b/arch/arm64/boot/dts/qcom/sm8750.dtsi
index 33963fee1f699..3e1d1133792bb 100644
--- a/arch/arm64/boot/dts/qcom/sm8750.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8750.dtsi
@@ -3299,7 +3299,7 @@ intc: interrupt-controller@16000000 {
gic_its: msi-controller@16040000 {
compatible = "arm,gic-v3-its";
- reg = <0x0 0x16040000 0x0 0x20000>;
+ reg = <0x0 0x16040000 0x0 0x40000>;
msi-controller;
#msi-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 404/957] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 403/957] arm64: dts: qcom: sm8750: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 405/957] arm64: dts: qcom: sm8650: Fix xo clock supply of " Greg Kroah-Hartman
` (558 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Konrad Dybcio,
Neil Armstrong, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 30ac651c69bddbc83cab6d52fc5d2e03bed83282 ]
The expected frequency of SD host controller core supply clock is 19.2MHz,
while RPMH_CXO_CLK clock frequency on SM8650 platform is 38.4MHz.
Apparently the overclocked supply clock could be good enough on some
boards and even with the most of SD cards, however some low-end UHS-I
SD cards in SDR104 mode of the host controller produce I/O errors in
runtime, fortunately this problem is gone, if the "xo" clock frequency
matches the expected 19.2MHz clock rate.
Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-2-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index c9a781273e842..002ed12f942c0 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -3175,7 +3175,7 @@ sdhc_2: mmc@8804000 {
clocks = <&gcc GCC_SDCC2_AHB_CLK>,
<&gcc GCC_SDCC2_APPS_CLK>,
- <&rpmhcc RPMH_CXO_CLK>;
+ <&bi_tcxo_div2>;
clock-names = "iface", "core", "xo";
iommus = <&apps_smmu 0x540 0>;
qcom,dll-config = <0x0007642c>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 405/957] arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 404/957] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 406/957] arm64: dts: qcom: hamoa: Fix xo clock supply of platform " Greg Kroah-Hartman
` (557 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Konrad Dybcio,
Neil Armstrong, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 390903efaa057c44fd80e7d9839419c50092018e ]
The expected frequency of SD host controller core supply clock is 19.2MHz,
while RPMH_CXO_CLK clock frequency on SM8650 platform is 38.4MHz.
Apparently the overclocked supply clock could be good enough on some
boards and even with the most of SD cards, however some low-end UHS-I
SD cards in SDR104 mode of the host controller produce I/O errors in
runtime, fortunately this problem is gone, if the "xo" clock frequency
matches the expected 19.2MHz clock rate.
Fixes: 10e024671295 ("arm64: dts: qcom: sm8650: add interconnect dependent device nodes")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-3-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8650.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi
index 0faaf54e597ea..d157cbc493d92 100644
--- a/arch/arm64/boot/dts/qcom/sm8650.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi
@@ -4922,7 +4922,7 @@ sdhc_2: mmc@8804000 {
clocks = <&gcc GCC_SDCC2_AHB_CLK>,
<&gcc GCC_SDCC2_APPS_CLK>,
- <&rpmhcc RPMH_CXO_CLK>;
+ <&bi_tcxo_div2>;
clock-names = "iface",
"core",
"xo";
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 406/957] arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host controller
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 405/957] arm64: dts: qcom: sm8650: Fix xo clock supply of " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 407/957] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
` (556 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Vladimir Zapolskiy,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit d094f79960e1da20c1380083c95945371baa3668 ]
The expected frequency of SD host controller core supply clock is 19.2MHz,
while RPMH_CXO_CLK clock frequency on SM8650 platform is 38.4MHz.
Apparently the overclocked supply clock could be good enough on some
boards and even with the most of SD cards, however some low-end UHS-I
SD cards in SDR104 mode of the host controller produce I/O errors in
runtime, fortunately this problem is gone, if the "xo" clock frequency
matches the expected 19.2MHz clock rate.
Fixes: ffb21c1e19b1 ("arm64: dts: qcom: x1e80100: Describe the SDHC controllers")
Reported-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-4-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/x1e80100.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
index 66c31c1799421..ee9c12600f95a 100644
--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
@@ -4579,7 +4579,7 @@ sdhc_2: mmc@8804000 {
clocks = <&gcc GCC_SDCC2_AHB_CLK>,
<&gcc GCC_SDCC2_APPS_CLK>,
- <&rpmhcc RPMH_CXO_CLK>;
+ <&bi_tcxo_div2>;
clock-names = "iface", "core", "xo";
iommus = <&apps_smmu 0x520 0>;
qcom,dll-config = <0x0007642c>;
@@ -4632,7 +4632,7 @@ sdhc_4: mmc@8844000 {
clocks = <&gcc GCC_SDCC4_AHB_CLK>,
<&gcc GCC_SDCC4_APPS_CLK>,
- <&rpmhcc RPMH_CXO_CLK>;
+ <&bi_tcxo_div2>;
clock-names = "iface", "core", "xo";
iommus = <&apps_smmu 0x160 0>;
qcom,dll-config = <0x0007642c>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 407/957] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 406/957] arm64: dts: qcom: hamoa: Fix xo clock supply of platform " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 408/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
` (555 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Vladimir Zapolskiy, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit db0c5ef1abda6effdc5c85d6688fb6af2b351ae5 ]
The reported problem of some non-working UHS-I speed modes on SM8450
originates in commit 0a631a36f724 ("arm64: dts: qcom: Add device tree
for Sony Xperia 1 IV"), and then it was spread to all SM8450 powered
platforms by commit 9d561dc4e5cc ("arm64: dts: qcom: sm8450: disable
SDHCI SDR104/SDR50 on all boards").
The tests show that the rootcause of the problem was related to an
overclocking of SD cards, and it's fixed later on by commit a27ac3806b0a
("clk: qcom: gcc-sm8450: Use floor ops for SDCC RCGs").
Since then both SDR50 and SDR104 speed modes are working fine on SM8450,
tested on SM8450-HDK:
SDR50 speed mode:
mmc0: new UHS-I speed SDR50 SDHC card at address 0001
mmcblk0: mmc0:0001 00000 14.6 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 24.6254 s, 43.6 MB/s
SDR104 speed mode:
mmc0: new UHS-I speed SDR104 SDHC card at address 59b4
mmcblk0: mmc0:59b4 USDU1 28.3 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 12.3266 s, 87.1 MB/s
Remove the restrictions on SD card speed modes from the SM8450 platform
dtsi file and enable UHS-I speed modes.
Fixes: 9d561dc4e5cc ("arm64: dts: qcom: sm8450: disable SDHCI SDR104/SDR50 on all boards")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-5-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8450.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
index 68f5e7bca7cde..6c00390010f1f 100644
--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
@@ -5404,9 +5404,6 @@ sdhc_2: mmc@8804000 {
bus-width = <4>;
dma-coherent;
- /* Forbid SDR104/SDR50 - broken hw! */
- sdhci-caps-mask = <0x3 0x0>;
-
status = "disabled";
sdhc2_opp_table: opp-table {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 408/957] arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 407/957] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 409/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
` (554 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Vladimir Zapolskiy,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 66b0f024fba0728ddce6916dce173bb1bdd4eab0 ]
The restriction on UHS-I speed modes was added to all SM8550 platforms
by copying it from SM8450 dtsi file, and due to the overclocking of SD
cards it was an actually reproducible problem. Since the latter issue
has been fixed, UHS-I speed modes are working fine on SM8550 boards,
below is the test performed on SM8550-HDK:
SDR50 speed mode:
mmc0: new UHS-I speed SDR50 SDHC card at address 0001
mmcblk0: mmc0:0001 00000 14.6 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 23.5468 s, 45.6 MB/s
SDR104 speed mode:
mmc0: new UHS-I speed SDR104 SDHC card at address 59b4
mmcblk0: mmc0:59b4 USDU1 28.3 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 11.9819 s, 89.6 MB/s
Unset the UHS-I speed mode restrictions from the SM8550 platform dtsi
file, there is no indication that the SDHC controller is broken.
Fixes: ffc50b2d3828 ("arm64: dts: qcom: Add base SM8550 dtsi")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-6-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8550.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
index 002ed12f942c0..118a626dfcff5 100644
--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
@@ -3191,9 +3191,6 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>,
bus-width = <4>;
dma-coherent;
- /* Forbid SDR104/SDR50 - broken hw! */
- sdhci-caps-mask = <0x3 0>;
-
status = "disabled";
sdhc2_opp_table: opp-table {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 409/957] arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 408/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 410/957] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl Greg Kroah-Hartman
` (553 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Vladimir Zapolskiy, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 93f823e7d48232e62fb8fb74481696609c90244a ]
The restriction on UHS-I speed modes was added to all SM8650 platforms
by copying it from SM8450 and SM8550 dtsi files, and it was an actually
reproducible problem due to the overclocking of SD cards. Since the latter
issue has been fixed in the SM8650 GCC driver, UHS-I speed modes are
working fine on SM8650 boards, below is the test performed on SM8650-HDK:
SDR50 speed mode:
mmc0: new UHS-I speed SDR50 SDHC card at address 0001
mmcblk0: mmc0:0001 00000 14.6 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 24.8086 s, 43.3 MB/s
SDR104 speed mode:
mmc0: new UHS-I speed SDR104 SDHC card at address 59b4
mmcblk0: mmc0:59b4 USDU1 28.3 GiB
mmcblk0: p1
% dd if=/dev/mmcblk0p1 of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 12.9448 s, 82.9 MB/s
Unset the UHS-I speed mode restrictions from the SM8550 platform dtsi
file, there is no indication that the SDHC controller is broken.
Fixes: 10e024671295 ("arm64: dts: qcom: sm8650: add interconnect dependent device nodes")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20260314023715.357512-7-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8650.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi
index d157cbc493d92..069b7f1267a0e 100644
--- a/arch/arm64/boot/dts/qcom/sm8650.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi
@@ -4941,9 +4941,6 @@ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>,
bus-width = <4>;
- /* Forbid SDR104/SDR50 - broken hw! */
- sdhci-caps-mask = <0x3 0>;
-
qcom,dll-config = <0x0007642c>;
qcom,ddr-config = <0x80040868>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 410/957] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 409/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 411/957] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
` (552 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Conor Dooley, Luca Weiss,
Konrad Dybcio, Conor Dooley, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit be7c1badb0b934cfe88427b1d4ec3eb9f52ba587 ]
The pinctrl nodes from sm6350.dtsi already contain a bias-* property, so
that needs to be deleted, otherwise the dtb will contain two conflicting
bias-* properties.
Reported-by: Conor Dooley <conor@kernel.org>
Closes: https://lore.kernel.org/r/20260310-maritime-silly-05e7b7e03aa6@spud/
Fixes: c4ef464b24c5 ("arm64: dts: qcom: sm7225-fairphone-fp4: Add Bluetooth")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20260319-fp4-uart1-fix-v1-1-f6b3fedef583@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts b/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts
index 4afbab570ca15..8cbe068645ea9 100644
--- a/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts
+++ b/arch/arm64/boot/dts/qcom/sm7225-fairphone-fp4.dts
@@ -953,12 +953,14 @@ &qup_uart1_cts {
* the Bluetooth module drives the pin in either
* direction or leaves the pin fully unpowered.
*/
+ /delete-property/ bias-disable;
bias-bus-hold;
};
&qup_uart1_rts {
/* We'll drive RTS, so no pull */
drive-strength = <2>;
+ /delete-property/ bias-pull-down;
bias-disable;
};
@@ -969,12 +971,14 @@ &qup_uart1_rx {
* in tri-state (module powered off or not driving the
* signal yet).
*/
+ /delete-property/ bias-disable;
bias-pull-up;
};
&qup_uart1_tx {
/* We'll drive TX, so no pull */
drive-strength = <2>;
+ /delete-property/ bias-pull-up;
bias-disable;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 411/957] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 410/957] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 412/957] arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader Greg Kroah-Hartman
` (551 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Heidelberg, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Heidelberg <david@ixit.cz>
[ Upstream commit 3b0dd81eea6b7a239fce456ce4545af76f1a9715 ]
The regulator must be on, since it provides the display subsystem and
therefore the bootloader had turned it on before Linux booted.
Fixes: 77809cf74a8c ("arm64: dts: qcom: Add support for Xiaomi Poco F1 (Beryllium)")
Signed-off-by: David Heidelberg <david@ixit.cz>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260320-beryllium-booton-v2-1-931d1be21eae@ixit.cz
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi
index 7480c8d7ac5b7..dbd5f08b5cdd3 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-beryllium-common.dtsi
@@ -148,6 +148,7 @@ vreg_l1a_0p875: ldo1 {
regulator-min-microvolt = <880000>;
regulator-max-microvolt = <880000>;
regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+ regulator-boot-on;
};
vreg_l5a_0p8: ldo5 {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 412/957] arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 411/957] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 413/957] arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins Greg Kroah-Hartman
` (550 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio,
Barnabás Czémán, Dmitry Baryshkov, Bjorn Andersson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
[ Upstream commit a49cd243503c528ea99e31a7853cf438ccc9032d ]
Redmi 5A comes with multiple bootloader versions where the expected
board-id is different.
Change the board-id to unified form what works on both bootloader
version.
Fixes: 26633b582056 ("arm64: dts: qcom: Add Xiaomi Redmi 5A")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260315-riva-common-v3-1-897f130786ed@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8917-xiaomi-riva.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8917-xiaomi-riva.dts b/arch/arm64/boot/dts/qcom/msm8917-xiaomi-riva.dts
index 9db503e218886..1bfb16f90ddd5 100644
--- a/arch/arm64/boot/dts/qcom/msm8917-xiaomi-riva.dts
+++ b/arch/arm64/boot/dts/qcom/msm8917-xiaomi-riva.dts
@@ -18,7 +18,7 @@ / {
chassis-type = "handset";
qcom,msm-id = <QCOM_ID_MSM8917 0>;
- qcom,board-id = <0x1000b 2>, <0x2000b 2>;
+ qcom,board-id = <0x1000b 1>, <0x1000b 2>;
pwm_backlight: backlight {
compatible = "pwm-backlight";
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 413/957] arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 412/957] arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 414/957] arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 " Greg Kroah-Hartman
` (549 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Moteen Shah,
Vignesh Raghavendra, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit 6d4441be969bea89bb9702781f5dfb3a8f2a02a4 ]
AM62P SK has external 10K pullups on MMC1 DAT1-DAT3 pins [0].
Disable internal pullups on DAT1-DAT3 so that each line has a
single pullup source:
- with both pullups enabled, the effective parallel resistance on
DAT1-3 (~8.33K) drops below the 10K minimum pullup requirement
for data lines (per SD Physical Layer Specification)
- removing internal pullups makes DAT1-3 match DAT0 10K
external pullup so its consistent and within spec
- both internal and external pullups enabled equals unnecessary power
consumption
[0] https://www.ti.com/lit/zip/SPRR487
Fixes: c00504ea42c0 ("arm64: dts: ti: k3-am62p5-sk: Updates for SK EVM")
Signed-off-by: Judith Mendez <jm@ti.com>
Reviewed-by: Moteen Shah <m-shah@ti.com>
Link: https://patch.msgid.link/20260223233731.2690472-2-jm@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am62p5-sk.dts | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am62p5-sk.dts b/arch/arm64/boot/dts/ti/k3-am62p5-sk.dts
index a064a632680ec..f5054912ad910 100644
--- a/arch/arm64/boot/dts/ti/k3-am62p5-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-am62p5-sk.dts
@@ -271,9 +271,9 @@ main_mmc1_pins_default: main-mmc1-default-pins {
AM62PX_IOPAD(0x023c, PIN_INPUT, 0) /* (H20) MMC1_CMD */
AM62PX_IOPAD(0x0234, PIN_OUTPUT, 0) /* (J24) MMC1_CLK */
AM62PX_IOPAD(0x0230, PIN_INPUT, 0) /* (H21) MMC1_DAT0 */
- AM62PX_IOPAD(0x022c, PIN_INPUT_PULLUP, 0) /* (H23) MMC1_DAT1 */
- AM62PX_IOPAD(0x0228, PIN_INPUT_PULLUP, 0) /* (H22) MMC1_DAT2 */
- AM62PX_IOPAD(0x0224, PIN_INPUT_PULLUP, 0) /* (H25) MMC1_DAT3 */
+ AM62PX_IOPAD(0x022c, PIN_INPUT, 0) /* (H23) MMC1_DAT1 */
+ AM62PX_IOPAD(0x0228, PIN_INPUT, 0) /* (H22) MMC1_DAT2 */
+ AM62PX_IOPAD(0x0224, PIN_INPUT, 0) /* (H25) MMC1_DAT3 */
AM62PX_IOPAD(0x0240, PIN_INPUT, 0) /* (D23) MMC1_SDCD */
>;
bootph-all;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 414/957] arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 413/957] arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 415/957] arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label Greg Kroah-Hartman
` (548 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Moteen Shah,
Vignesh Raghavendra, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
[ Upstream commit ee2a9d9c9e6c9643fb7e45febcaedfbc038e483a ]
AM62 LP SK board does not have external pullups on MMC0 DAT1-DAT7
pins [0]. Enable internal pullups on DAT1-DAT7 considering:
- without a host-side pullup, these lines rely solely on the eMMC
device's internal pullup (R_int, 10-150K per JEDEC), which may
exceed the recommended 50K max for 1.8V VCCQ
- JEDEC JESD84-B51 Table 200 requires host-side pullups (R_DAT,
10K-100K) on all data lines to prevent bus floating
[0] https://www.ti.com/lit/zip/SPRR471
Fixes: a0b8da04153e ("arm64: dts: ti: k3-am62*: Move eMMC pinmux to top level board file")
Signed-off-by: Judith Mendez <jm@ti.com>
Reviewed-by: Moteen Shah <m-shah@ti.com>
Link: https://patch.msgid.link/20260223233731.2690472-4-jm@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts b/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts
index ecfba05fe5c27..5ed757c19db60 100644
--- a/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts
@@ -88,13 +88,13 @@ main_mmc0_pins_default: main-mmc0-default-pins {
AM62X_IOPAD(0x220, PIN_INPUT, 0) /* (V3) MMC0_CMD */
AM62X_IOPAD(0x218, PIN_INPUT, 0) /* (Y1) MMC0_CLK */
AM62X_IOPAD(0x214, PIN_INPUT, 0) /* (V2) MMC0_DAT0 */
- AM62X_IOPAD(0x210, PIN_INPUT, 0) /* (V1) MMC0_DAT1 */
- AM62X_IOPAD(0x20c, PIN_INPUT, 0) /* (W2) MMC0_DAT2 */
- AM62X_IOPAD(0x208, PIN_INPUT, 0) /* (W1) MMC0_DAT3 */
- AM62X_IOPAD(0x204, PIN_INPUT, 0) /* (Y2) MMC0_DAT4 */
- AM62X_IOPAD(0x200, PIN_INPUT, 0) /* (W3) MMC0_DAT5 */
- AM62X_IOPAD(0x1fc, PIN_INPUT, 0) /* (W4) MMC0_DAT6 */
- AM62X_IOPAD(0x1f8, PIN_INPUT, 0) /* (V4) MMC0_DAT7 */
+ AM62X_IOPAD(0x210, PIN_INPUT_PULLUP, 0) /* (V1) MMC0_DAT1 */
+ AM62X_IOPAD(0x20c, PIN_INPUT_PULLUP, 0) /* (W2) MMC0_DAT2 */
+ AM62X_IOPAD(0x208, PIN_INPUT_PULLUP, 0) /* (W1) MMC0_DAT3 */
+ AM62X_IOPAD(0x204, PIN_INPUT_PULLUP, 0) /* (Y2) MMC0_DAT4 */
+ AM62X_IOPAD(0x200, PIN_INPUT_PULLUP, 0) /* (W3) MMC0_DAT5 */
+ AM62X_IOPAD(0x1fc, PIN_INPUT_PULLUP, 0) /* (W4) MMC0_DAT6 */
+ AM62X_IOPAD(0x1f8, PIN_INPUT_PULLUP, 0) /* (V4) MMC0_DAT7 */
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 415/957] arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 414/957] arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 " Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 416/957] arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing Greg Kroah-Hartman
` (547 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Dolcini,
Vignesh Raghavendra, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Dolcini <francesco.dolcini@toradex.com>
[ Upstream commit 944dffaec1ef0f21c203728de77b5618ed70df6e ]
Fix SPI_1_CS GPIO pinmux label, this is spi1_cs, not qspi1_io4.
There are no user of this label yet, therefore this change does not
create any compatibility issue.
Fixes: fcb335934c51 ("arm64: dts: ti: verdin-am62: Improve spi1 chip-select pinctrl")
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Link: https://patch.msgid.link/20260324093705.26730-3-francesco@dolcini.it
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi b/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
index 796f2cedf5d62..059ec492a973e 100644
--- a/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
@@ -278,7 +278,7 @@ AM62X_IOPAD(0x0018, PIN_INPUT, 7) /* (F24) OSPI0_D3.GPIO0_6 */ /* SODIMM 62 */
};
/* Verdin SPI_1 CS as GPIO */
- pinctrl_qspi1_io4_gpio: main-gpio0-7-default-pins {
+ pinctrl_spi1_cs_gpio: main-gpio0-7-default-pins {
pinctrl-single,pins = <
AM62X_IOPAD(0x001c, PIN_INPUT, 7) /* (J23) OSPI0_D4.GPIO0_7 */ /* SODIMM 202 */
>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 416/957] arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 415/957] arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label Greg Kroah-Hartman
@ 2026-05-20 16:14 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 417/957] arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC Greg Kroah-Hartman
` (546 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nora Schiffer, Alexander Stein,
Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nora Schiffer <nora.schiffer@ew.tq-group.com>
[ Upstream commit b8d785a9f360abcd6a6f8f10a2adf222f8494d66 ]
UART1 operates in DCE mode, but the RTS/CTS pins were incorrectly
configured using the DTE pinmux setting.
Correct the pinmux to match DCE mode. Switching the RTS and CTS signals
is fine for this board, as UART1 is routed to a pin header. Existing
functionality is unaffected, as RTS/CTS could never have worked with
the incorrect pinmux.
Fixes: ddabb3ce3f90 ("arm64: dts: freescale: add TQMa8MPQL on MBa8MP-RAS314")
Signed-off-by: Nora Schiffer <nora.schiffer@ew.tq-group.com>
Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts b/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts
index a122f2ed5f531..06c865c3a8cf8 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts
@@ -833,8 +833,8 @@ pinctrl_tlv320aic3x04: tlv320aic3x04grp {
pinctrl_uart1: uart1grp {
fsl,pins = <MX8MP_IOMUXC_SAI2_RXFS__UART1_DCE_TX 0x14>,
<MX8MP_IOMUXC_SAI2_RXC__UART1_DCE_RX 0x14>,
- <MX8MP_IOMUXC_SAI2_RXD0__UART1_DTE_CTS 0x14>,
- <MX8MP_IOMUXC_SAI2_TXFS__UART1_DTE_RTS 0x14>;
+ <MX8MP_IOMUXC_SAI2_RXD0__UART1_DCE_RTS 0x14>,
+ <MX8MP_IOMUXC_SAI2_TXFS__UART1_DCE_CTS 0x14>;
};
pinctrl_uart1_gpio: uart1gpiogrp {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 417/957] arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2026-05-20 16:14 ` [PATCH 6.18 416/957] arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 418/957] arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3 Greg Kroah-Hartman
` (545 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Annette Kobou, Frieder Schrempf,
Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Annette Kobou <annette.kobou@kontron.de>
[ Upstream commit 130d90114c5255a7a729158da8fd8298a02017f1 ]
The PMIC provides a level-shifter for the I2C lines to the RTC. As the
level shifter needs to be enabled before the RTC can be accessed, make sure
that the PMIC driver is probed first.
As the PMIC also provides the supply voltage for the RTC through the 3.3V
regulator, simply express this in the DT to create the required dependency.
Avoid sporadic boot hangs that occurred when the RTC was accessed before
the level-shifter was enabled.
Fixes: 946ab10e3f40f ("arm64: dts: Add support for Kontron OSM-S i.MX8MP SoM and BL carrier board")
Signed-off-by: Annette Kobou <annette.kobou@kontron.de>
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-kontron-osm-s.dtsi | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-kontron-osm-s.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-kontron-osm-s.dtsi
index b97bfeb1c30f8..bc1a261bb000e 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-kontron-osm-s.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-kontron-osm-s.dtsi
@@ -330,6 +330,12 @@ rv3028: rtc@52 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_rtc>;
interrupts-extended = <&gpio3 24 IRQ_TYPE_LEVEL_LOW>;
+ /*
+ * While specifying the vdd-supply is normally not strictly necessary,
+ * here it also makes sure that the PMIC driver enables the level-
+ * shifter for the RTC before the RTC is probed.
+ */
+ vdd-supply = <®_vdd_3v3>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 418/957] arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 417/957] arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 419/957] arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit Greg Kroah-Hartman
` (544 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit e8341b0245736619f8d6a2cc311c9e8ad8e82390 ]
The sound card wm8960-2 and wm8960-3 only support capture mode for the
reason of connection on the EVK board. But fsl-asoc-card don't support
capture_only setting, the sound card creation will fail.
fsl-sai 59060000.sai: Missing dma channel for stream: 0
fsl-sai 59060000.sai: ASoC error (-22): at snd_soc_pcm_component_new() on 59060000.sai
fsl-sai 59070000.sai: Missing dma channel for stream: 0
fsl-sai 59070000.sai: ASoC error (-22): at snd_soc_pcm_component_new() on 59070000.sai
so switch to use audio-graph-card2 which supports 'capture_only'
property for wm8960-2 and wm8960-3 cards.
Fixes: b41c45eb990a ("arm64: dts: imx8dxl-evk: add audio nodes")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8dxl-evk.dts | 114 ++++++++++++++----
1 file changed, 90 insertions(+), 24 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8dxl-evk.dts b/arch/arm64/boot/dts/freescale/imx8dxl-evk.dts
index 25a77cac6f0b5..b75ab1e010f0c 100644
--- a/arch/arm64/boot/dts/freescale/imx8dxl-evk.dts
+++ b/arch/arm64/boot/dts/freescale/imx8dxl-evk.dts
@@ -259,33 +259,37 @@ sound-wm8960-1 {
};
sound-wm8960-2 {
- compatible = "fsl,imx-audio-wm8960";
- model = "wm8960-audio-2";
- audio-cpu = <&sai2>;
- audio-codec = <&wm8960_2>;
- audio-routing = "Headphone Jack", "HP_L",
- "Headphone Jack", "HP_R",
- "Ext Spk", "SPK_LP",
- "Ext Spk", "SPK_LN",
- "Ext Spk", "SPK_RP",
- "Ext Spk", "SPK_RN",
- "LINPUT1", "Mic Jack",
- "Mic Jack", "MICB";
+ compatible = "audio-graph-card2";
+ label = "wm8960-audio-2";
+ links = <&sai2_port2>;
+ routing = "Headphones", "HP_L",
+ "Headphones", "HP_R",
+ "Ext Spk", "SPK_LP",
+ "Ext Spk", "SPK_LN",
+ "Ext Spk", "SPK_RP",
+ "Ext Spk", "SPK_RN",
+ "LINPUT1", "Mic Jack",
+ "Mic Jack", "MICB";
+ widgets = "Headphone", "Headphones",
+ "Speaker", "Ext Spk",
+ "Microphone", "Mic Jack";
};
sound-wm8960-3 {
- compatible = "fsl,imx-audio-wm8960";
- model = "wm8960-audio-3";
- audio-cpu = <&sai3>;
- audio-codec = <&wm8960_3>;
- audio-routing = "Headphone Jack", "HP_L",
- "Headphone Jack", "HP_R",
- "Ext Spk", "SPK_LP",
- "Ext Spk", "SPK_LN",
- "Ext Spk", "SPK_RP",
- "Ext Spk", "SPK_RN",
- "LINPUT1", "Mic Jack",
- "Mic Jack", "MICB";
+ compatible = "audio-graph-card2";
+ label = "wm8960-audio-3";
+ links = <&sai3_port2>;
+ routing = "Headphones", "HP_L",
+ "Headphones", "HP_R",
+ "Ext Spk", "SPK_LP",
+ "Ext Spk", "SPK_LN",
+ "Ext Spk", "SPK_RP",
+ "Ext Spk", "SPK_RN",
+ "LINPUT1", "Mic Jack",
+ "Mic Jack", "MICB";
+ widgets = "Headphone", "Headphones",
+ "Speaker", "Ext Spk",
+ "Microphone", "Mic Jack";
};
};
@@ -481,6 +485,16 @@ wm8960_2: audio-codec@1a {
DCVDD-supply = <®_audio_1v8>;
SPKVDD1-supply = <®_audio_5v>;
SPKVDD2-supply = <®_audio_5v>;
+
+ port {
+ capture-only;
+
+ wm8960_2_ep: endpoint {
+ bitclock-master;
+ frame-master;
+ remote-endpoint = <&sai2_endpoint2>;
+ };
+ };
};
};
@@ -510,6 +524,16 @@ wm8960_3: audio-codec@1a {
DCVDD-supply = <®_audio_1v8>;
SPKVDD1-supply = <®_audio_5v>;
SPKVDD2-supply = <®_audio_5v>;
+
+ port {
+ capture-only;
+
+ wm8960_3_ep: endpoint {
+ bitclock-master;
+ frame-master;
+ remote-endpoint = <&sai3_endpoint2>;
+ };
+ };
};
};
@@ -695,6 +719,27 @@ &sai2 {
pinctrl-0 = <&pinctrl_sai2>;
fsl,sai-asynchronous;
status = "okay";
+
+ ports {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ sai2_port1: port@1 {
+ reg = <1>;
+ endpoint { /* not used */ };
+ };
+
+ sai2_port2: port@2 {
+ reg = <2>;
+ capture-only;
+
+ sai2_endpoint2: endpoint {
+ dai-format = "i2s";
+ remote-endpoint = <&wm8960_2_ep>;
+ system-clock-direction-out;
+ };
+ };
+ };
};
&sai3 {
@@ -707,6 +752,27 @@ &sai3 {
pinctrl-0 = <&pinctrl_sai3>;
fsl,sai-asynchronous;
status = "okay";
+
+ ports {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ sai3_port1: port@1 {
+ reg = <1>;
+ endpoint { /* not used */ };
+ };
+
+ sai3_port2: port@2 {
+ reg = <2>;
+ capture-only;
+
+ sai3_endpoint2: endpoint {
+ dai-format = "i2s";
+ remote-endpoint = <&wm8960_3_ep>;
+ system-clock-direction-out;
+ };
+ };
+ };
};
&thermal_zones {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 419/957] arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 418/957] arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3 Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 420/957] arm64: dts: lx2160a: remove duplicate pinmux nodes Greg Kroah-Hartman
` (543 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 7a3cc49ad1fc8d063abb7f5de8f1b981b99d2978 ]
LX2160A pinmux is done in groups by various length bitfields within
configuration registers.
The first i2c bus (called IIC1 in reference manual) is configured through
field IIC1_PMUX in register RCWSR14 bit 10 which is described in the
reference manual as a single bit, unlike the other i2c buses.
Change the bitmask for the pinmux nodes from 0x7 to 0x1 to ensure only
single bit is modified.
Further change the zero in the same line to hexadecimal format for
consistency.
Align with documentation by avoiding writes to reserved bits. No functional
change, as writing the extra two reserved bits is not known to cause
issues.
Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
index bc1d34f1cd545..79a22f53afc50 100644
--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
@@ -1790,11 +1790,11 @@ i2c7_scl_gpio: i2c7-scl-gpio-pins {
};
i2c0_scl: i2c0-scl-pins {
- pinctrl-single,bits = <0x8 0 (0x7 << 10)>;
+ pinctrl-single,bits = <0x8 0x0 (0x1 << 10)>;
};
i2c0_scl_gpio: i2c0-scl-gpio-pins {
- pinctrl-single,bits = <0x8 (0x1 << 10) (0x7 << 10)>;
+ pinctrl-single,bits = <0x8 (0x1 << 10) (0x1 << 10)>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 420/957] arm64: dts: lx2160a: remove duplicate pinmux nodes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 419/957] arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 421/957] arm64: dts: lx2160a: rename pinmux nodes for readability Greg Kroah-Hartman
` (542 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 325ca511ca3dda936207ce737e0afe837d45a674 ]
LX2160A pinmux is done in groups by various length bitfields within
configuration registers.
The pinmux nodes i2c7-scl-pins and i2c7-scl-gpio-pins are duplicates of
i2c6-scl-gpio and i2c6-scl-gpio-pins, writing to the same register and
bits.
These two i2c buses i2c6/i2c7 (IIC7/IIC8) are configured together in
register RCWSR13 bits 3-0.
Drop the duplicate node name and change references to the i2c6 node.
Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
index 79a22f53afc50..6d21982e057b3 100644
--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
@@ -862,8 +862,8 @@ i2c7: i2c@2070000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c7_scl>;
- pinctrl-1 = <&i2c7_scl_gpio>;
+ pinctrl-0 = <&i2c6_scl>;
+ pinctrl-1 = <&i2c6_scl_gpio>;
scl-gpios = <&gpio1 18 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -1781,14 +1781,6 @@ i2c6_scl_gpio: i2c6-scl-gpio-pins {
pinctrl-single,bits = <0x4 0x1 0x7>;
};
- i2c7_scl: i2c7-scl-pins {
- pinctrl-single,bits = <0x4 0x2 0x7>;
- };
-
- i2c7_scl_gpio: i2c7-scl-gpio-pins {
- pinctrl-single,bits = <0x4 0x1 0x7>;
- };
-
i2c0_scl: i2c0-scl-pins {
pinctrl-single,bits = <0x8 0x0 (0x1 << 10)>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 421/957] arm64: dts: lx2160a: rename pinmux nodes for readability
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 420/957] arm64: dts: lx2160a: remove duplicate pinmux nodes Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 422/957] arm64: dts: lx2160a: add sda gpio references for i2c bus recovery Greg Kroah-Hartman
` (541 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 456eb494746afd56d3a9dc30271300136e55b96e ]
LX2160A pinmux is done in groups by various length bitfields within
configuration registers.
Each group of pins is named in the reference manual after a primary
function using soc-specific naming, e.g. IIC1 (for i2c0).
Hardware block numbering starts from zero in device-tree but one in the
reference manual.
Rename the already defined pinmux nodes originally added for changing
i2c pins between i2c and gpio functions reflecting the reference manual
name (IIC) in the node name, and the device-tree name (i2c, gpio) in the
label.
Specifically, drop the "_scl" suffix from the I2C labels because the
nodes actually configure both SDA and SCL pins together. Instead add
"_pins" suffix to avoid conflicts with I2C controller labels.
For GPIO functions, include the specific controller and pin numbers in
the label to clarify they are generic GPIOs and help spot mistakes.
No functional change intended.
Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 64 +++++++++----------
1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
index 6d21982e057b3..59417e00ac93d 100644
--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
@@ -750,8 +750,8 @@ i2c0: i2c@2000000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c0_scl>;
- pinctrl-1 = <&i2c0_scl_gpio>;
+ pinctrl-0 = <&i2c0_pins>;
+ pinctrl-1 = <&gpio0_3_2_pins>;
scl-gpios = <&gpio0 3 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -766,8 +766,8 @@ i2c1: i2c@2010000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c1_scl>;
- pinctrl-1 = <&i2c1_scl_gpio>;
+ pinctrl-0 = <&i2c1_pins>;
+ pinctrl-1 = <&gpio0_31_30_pins>;
scl-gpios = <&gpio0 31 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -782,8 +782,8 @@ i2c2: i2c@2020000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c2_scl>;
- pinctrl-1 = <&i2c2_scl_gpio>;
+ pinctrl-0 = <&i2c2_pins>;
+ pinctrl-1 = <&gpio0_29_28_pins>;
scl-gpios = <&gpio0 29 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -798,8 +798,8 @@ i2c3: i2c@2030000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c3_scl>;
- pinctrl-1 = <&i2c3_scl_gpio>;
+ pinctrl-0 = <&i2c3_pins>;
+ pinctrl-1 = <&gpio0_27_26_pins>;
scl-gpios = <&gpio0 27 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -814,8 +814,8 @@ i2c4: i2c@2040000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c4_scl>;
- pinctrl-1 = <&i2c4_scl_gpio>;
+ pinctrl-0 = <&i2c4_pins>;
+ pinctrl-1 = <&gpio0_25_24_pins>;
scl-gpios = <&gpio0 25 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -830,8 +830,8 @@ i2c5: i2c@2050000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c5_scl>;
- pinctrl-1 = <&i2c5_scl_gpio>;
+ pinctrl-0 = <&i2c5_pins>;
+ pinctrl-1 = <&gpio0_23_22_pins>;
scl-gpios = <&gpio0 23 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -846,8 +846,8 @@ i2c6: i2c@2060000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c6_scl>;
- pinctrl-1 = <&i2c6_scl_gpio>;
+ pinctrl-0 = <&i2c6_i2c7_pins>;
+ pinctrl-1 = <&gpio1_18_15_pins>;
scl-gpios = <&gpio1 16 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -862,8 +862,8 @@ i2c7: i2c@2070000 {
clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL
QORIQ_CLK_PLL_DIV(16)>;
pinctrl-names = "default", "gpio";
- pinctrl-0 = <&i2c6_scl>;
- pinctrl-1 = <&i2c6_scl_gpio>;
+ pinctrl-0 = <&i2c6_i2c7_pins>;
+ pinctrl-1 = <&gpio1_18_15_pins>;
scl-gpios = <&gpio1 18 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -1709,11 +1709,11 @@ pinmux_i2crv: pinmux@70010012c {
pinctrl-single,register-width = <32>;
pinctrl-single,function-mask = <0x7>;
- i2c1_scl: i2c1-scl-pins {
+ i2c1_pins: iic2-i2c-pins {
pinctrl-single,bits = <0x0 0 0x7>;
};
- i2c1_scl_gpio: i2c1-scl-gpio-pins {
+ gpio0_31_30_pins: iic2-gpio-pins {
pinctrl-single,bits = <0x0 0x1 0x7>;
};
@@ -1721,35 +1721,35 @@ esdhc0_cd_wp_pins: iic2-sdhc-pins {
pinctrl-single,bits = <0x0 0x6 0x7>;
};
- i2c2_scl: i2c2-scl-pins {
+ i2c2_pins: iic3-i2c-pins {
pinctrl-single,bits = <0x0 0 (0x7 << 3)>;
};
- i2c2_scl_gpio: i2c2-scl-gpio-pins {
+ gpio0_29_28_pins: iic3-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 3) (0x7 << 3)>;
};
- i2c3_scl: i2c3-scl-pins {
+ i2c3_pins: iic4-i2c-pins {
pinctrl-single,bits = <0x0 0 (0x7 << 6)>;
};
- i2c3_scl_gpio: i2c3-scl-gpio-pins {
+ gpio0_27_26_pins: iic4-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 6) (0x7 << 6)>;
};
- i2c4_scl: i2c4-scl-pins {
+ i2c4_pins: iic5-i2c-pins {
pinctrl-single,bits = <0x0 0 (0x7 << 9)>;
};
- i2c4_scl_gpio: i2c4-scl-gpio-pins {
+ gpio0_25_24_pins: iic5-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 9) (0x7 << 9)>;
};
- i2c5_scl: i2c5-scl-pins {
+ i2c5_pins: iic6-i2c-pins {
pinctrl-single,bits = <0x0 0 (0x7 << 12)>;
};
- i2c5_scl_gpio: i2c5-scl-gpio-pins {
+ gpio0_23_22_pins: iic6-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 12) (0x7 << 12)>;
};
@@ -1773,19 +1773,19 @@ gpio0_14_12_pins: sdhc1-dir-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 27) (0x7 << 27)>;
};
- i2c6_scl: i2c6-scl-pins {
- pinctrl-single,bits = <0x4 0x2 0x7>;
+ gpio1_18_15_pins: iic8-iic7-gpio-pins {
+ pinctrl-single,bits = <0x4 0x1 0x7>;
};
- i2c6_scl_gpio: i2c6-scl-gpio-pins {
- pinctrl-single,bits = <0x4 0x1 0x7>;
+ i2c6_i2c7_pins: iic8-iic7-i2c-pins {
+ pinctrl-single,bits = <0x4 0x2 0x7>;
};
- i2c0_scl: i2c0-scl-pins {
+ i2c0_pins: iic1-i2c-pins {
pinctrl-single,bits = <0x8 0x0 (0x1 << 10)>;
};
- i2c0_scl_gpio: i2c0-scl-gpio-pins {
+ gpio0_3_2_pins: iic1-gpio-pins {
pinctrl-single,bits = <0x8 (0x1 << 10) (0x1 << 10)>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 422/957] arm64: dts: lx2160a: add sda gpio references for i2c bus recovery
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 421/957] arm64: dts: lx2160a: rename pinmux nodes for readability Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 423/957] arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes Greg Kroah-Hartman
` (540 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 89ea0dbd701f89805499d26bd90657468c789545 ]
LX2160A pinmux is done in groups by various length bitfields within
configuration registers.
In particular i2c sda/scl pins are always configured together. Therefore
bus recovery may control both sda and scl.
When pinmux nodes and bus recovery was enabled originally for LX2160,
only the scl-gpios were added to the i2c controller nodes.
Add references to sda-gpios for each i2c controller.
Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
index 59417e00ac93d..e7790a94e888f 100644
--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
@@ -753,6 +753,7 @@ i2c0: i2c@2000000 {
pinctrl-0 = <&i2c0_pins>;
pinctrl-1 = <&gpio0_3_2_pins>;
scl-gpios = <&gpio0 3 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio0 2 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -769,6 +770,7 @@ i2c1: i2c@2010000 {
pinctrl-0 = <&i2c1_pins>;
pinctrl-1 = <&gpio0_31_30_pins>;
scl-gpios = <&gpio0 31 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio0 30 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -785,6 +787,7 @@ i2c2: i2c@2020000 {
pinctrl-0 = <&i2c2_pins>;
pinctrl-1 = <&gpio0_29_28_pins>;
scl-gpios = <&gpio0 29 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio0 28 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -801,6 +804,7 @@ i2c3: i2c@2030000 {
pinctrl-0 = <&i2c3_pins>;
pinctrl-1 = <&gpio0_27_26_pins>;
scl-gpios = <&gpio0 27 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio0 26 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -817,6 +821,7 @@ i2c4: i2c@2040000 {
pinctrl-0 = <&i2c4_pins>;
pinctrl-1 = <&gpio0_25_24_pins>;
scl-gpios = <&gpio0 25 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio0 24 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -833,6 +838,7 @@ i2c5: i2c@2050000 {
pinctrl-0 = <&i2c5_pins>;
pinctrl-1 = <&gpio0_23_22_pins>;
scl-gpios = <&gpio0 23 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio0 22 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -849,6 +855,7 @@ i2c6: i2c@2060000 {
pinctrl-0 = <&i2c6_i2c7_pins>;
pinctrl-1 = <&gpio1_18_15_pins>;
scl-gpios = <&gpio1 16 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio1 15 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
@@ -865,6 +872,7 @@ i2c7: i2c@2070000 {
pinctrl-0 = <&i2c6_i2c7_pins>;
pinctrl-1 = <&gpio1_18_15_pins>;
scl-gpios = <&gpio1 18 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ sda-gpios = <&gpio1 17 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "disabled";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 423/957] arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 422/957] arm64: dts: lx2160a: add sda gpio references for i2c bus recovery Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 424/957] arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word Greg Kroah-Hartman
` (539 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 03241620d2b9915c9e3463dbc56e9eb95ad43c08 ]
Replace some stray zeros from decimal to hexadecimal format within
pinmux nodes.
No functional change intended.
Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
index e7790a94e888f..536f4bfad9a67 100644
--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
@@ -1718,7 +1718,7 @@ pinmux_i2crv: pinmux@70010012c {
pinctrl-single,function-mask = <0x7>;
i2c1_pins: iic2-i2c-pins {
- pinctrl-single,bits = <0x0 0 0x7>;
+ pinctrl-single,bits = <0x0 0x0 0x7>;
};
gpio0_31_30_pins: iic2-gpio-pins {
@@ -1730,7 +1730,7 @@ esdhc0_cd_wp_pins: iic2-sdhc-pins {
};
i2c2_pins: iic3-i2c-pins {
- pinctrl-single,bits = <0x0 0 (0x7 << 3)>;
+ pinctrl-single,bits = <0x0 0x0 (0x7 << 3)>;
};
gpio0_29_28_pins: iic3-gpio-pins {
@@ -1738,7 +1738,7 @@ gpio0_29_28_pins: iic3-gpio-pins {
};
i2c3_pins: iic4-i2c-pins {
- pinctrl-single,bits = <0x0 0 (0x7 << 6)>;
+ pinctrl-single,bits = <0x0 0x0 (0x7 << 6)>;
};
gpio0_27_26_pins: iic4-gpio-pins {
@@ -1746,7 +1746,7 @@ gpio0_27_26_pins: iic4-gpio-pins {
};
i2c4_pins: iic5-i2c-pins {
- pinctrl-single,bits = <0x0 0 (0x7 << 9)>;
+ pinctrl-single,bits = <0x0 0x0 (0x7 << 9)>;
};
gpio0_25_24_pins: iic5-gpio-pins {
@@ -1754,7 +1754,7 @@ gpio0_25_24_pins: iic5-gpio-pins {
};
i2c5_pins: iic6-i2c-pins {
- pinctrl-single,bits = <0x0 0 (0x7 << 12)>;
+ pinctrl-single,bits = <0x0 0x0 (0x7 << 12)>;
};
gpio0_23_22_pins: iic6-gpio-pins {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 424/957] arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 423/957] arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 425/957] arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual Greg Kroah-Hartman
` (538 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit 284ad7064aaa1badde022785cd925af29c696b21 ]
Commit 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to
support bus recovery") introduced pinmux nodes for lx2160 i2c
interfaces, allowing runtime change between i2c and gpio functions
implementing bus recovery.
However, the dynamic configuration area (overwrite MUX) used by the
pinctrl-single driver initially reads as zero and does not reflect the
actual hardware state set by the Reset Configuration Word (RCW) at
power-on.
Because multiple groups of pins are configured from a single 32-bit
register, the first write from the pinctrl driver unintentionally clears
all other bits to zero.
Add description for all bits of RCWSR12 register, allowing boards to
explicitly define and restore their intended hardware state.
This includes i2c, gpio, flextimer, spi, can and sdhc functions.
Other configuration words, i.e. RCWSR13 & RCWSR14 may be added in the
future for boards setting non-zero values there.
Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
index 536f4bfad9a67..f7fb0a0562ec7 100644
--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
@@ -1717,6 +1717,7 @@ pinmux_i2crv: pinmux@70010012c {
pinctrl-single,register-width = <32>;
pinctrl-single,function-mask = <0x7>;
+ /* RCWSR12 */
i2c1_pins: iic2-i2c-pins {
pinctrl-single,bits = <0x0 0x0 0x7>;
};
@@ -1725,6 +1726,10 @@ gpio0_31_30_pins: iic2-gpio-pins {
pinctrl-single,bits = <0x0 0x1 0x7>;
};
+ ftm0_ch10_pins: iic2-ftm-pins {
+ pinctrl-single,bits = <0x0 0x2 0x7>;
+ };
+
esdhc0_cd_wp_pins: iic2-sdhc-pins {
pinctrl-single,bits = <0x0 0x6 0x7>;
};
@@ -1737,6 +1742,14 @@ gpio0_29_28_pins: iic3-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 3) (0x7 << 3)>;
};
+ can0_pins: iic3-can-pins {
+ pinctrl-single,bits = <0x0 (0x2 << 3) (0x7 << 3)>;
+ };
+
+ event65_pins: iic3-event-pins {
+ pinctrl-single,bits = <0x0 (0x6 << 3) (0x7 << 3)>;
+ };
+
i2c3_pins: iic4-i2c-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 6)>;
};
@@ -1745,6 +1758,14 @@ gpio0_27_26_pins: iic4-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 6) (0x7 << 6)>;
};
+ can1_pins: iic4-can-pins {
+ pinctrl-single,bits = <0x0 (0x2 << 6) (0x7 << 6)>;
+ };
+
+ event87_pins: iic4-event-pins {
+ pinctrl-single,bits = <0x0 (0x6 << 6) (0x7 << 6)>;
+ };
+
i2c4_pins: iic5-i2c-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 9)>;
};
@@ -1753,6 +1774,14 @@ gpio0_25_24_pins: iic5-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 9) (0x7 << 9)>;
};
+ esdhc0_clksync_pins: iic5-sdhc-clk-pins {
+ pinctrl-single,bits = <0x0 (0x2 << 9) (0x7 << 9)>;
+ };
+
+ dspi2_miso_mosi_pins: iic5-spi3-pins {
+ pinctrl-single,bits = <0x3 (0x2 << 9) (0x7 << 9)>;
+ };
+
i2c5_pins: iic6-i2c-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 12)>;
};
@@ -1761,26 +1790,71 @@ gpio0_23_22_pins: iic6-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 12) (0x7 << 12)>;
};
+ esdhc1_clksync_pins: iic6-sdhc-clk-pins {
+ pinctrl-single,bits = <0x0 (0x2 << 12) (0x7 << 12)>;
+ };
+
fspi_data74_pins: xspi1-data74-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 15)>;
};
+ gpio1_31_28_pins: xspi1-data74-gpio-pins {
+ pinctrl-single,bits = <0x0 0x1 (0x7 << 15)>;
+ };
+
fspi_data30_pins: xspi1-data30-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 18)>;
};
+ gpio1_27_24_pins: xspi1-data30-gpio-pins {
+ pinctrl-single,bits = <0x0 0x1 (0x7 << 18)>;
+ };
+
fspi_dqs_sck_cs10_pins: xspi1-base-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 21)>;
};
+ gpio1_23_20_pins: xspi1-base-gpio-pins {
+ pinctrl-single,bits = <0x0 0x1 (0x7 << 21)>;
+ };
+
esdhc0_cmd_data30_clk_vsel_pins: sdhc1-base-sdhc-vsel-pins {
pinctrl-single,bits = <0x0 0x0 (0x7 << 24)>;
};
+ gpio0_21_15_pins: sdhc1-base-gpio-pins {
+ pinctrl-single,bits = <0x0 (0x1 << 24) (0x7 << 24)>;
+ };
+
+ dspi0_pins: sdhc1-base-spi1-pins {
+ pinctrl-single,bits = <0x0 (0x2 << 24) (0x7 << 24)>;
+ };
+
+ esdhc0_cmd_data30_clk_dspi2_cs0_pins: sdhc1-base-sdhc-spi3-pins {
+ pinctrl-single,bits = <0x0 (0x3 << 24) (0x7 << 24)>;
+ };
+
+ esdhc0_cmd_data30_clk_data4_pins: sdhc1-base-sdhc-data4-pins {
+ pinctrl-single,bits = <0x0 (0x4 << 24) (0x7 << 24)>;
+ };
+
+ esdhc0_dir_pins: sdhc1-dir-pins {
+ pinctrl-single,bits = <0x0 0x0 (0x7 << 27)>;
+ };
+
gpio0_14_12_pins: sdhc1-dir-gpio-pins {
pinctrl-single,bits = <0x0 (0x1 << 27) (0x7 << 27)>;
};
+ dspi2_cs31_pins: sdhc1-dir-spi3-pins {
+ pinctrl-single,bits = <0x0 (0x3 << 27) (0x7 << 27)>;
+ };
+
+ esdhc0_data75_pins: sdhc1-dir-sdhc-pins {
+ pinctrl-single,bits = <0x0 (0x4 << 27) (0x7 << 27)>;
+ };
+
+ /* RCWSR13 */
gpio1_18_15_pins: iic8-iic7-gpio-pins {
pinctrl-single,bits = <0x4 0x1 0x7>;
};
@@ -1789,6 +1863,7 @@ i2c6_i2c7_pins: iic8-iic7-i2c-pins {
pinctrl-single,bits = <0x4 0x2 0x7>;
};
+ /* RCWSR14 */
i2c0_pins: iic1-i2c-pins {
pinctrl-single,bits = <0x8 0x0 (0x1 << 10)>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 425/957] arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 424/957] arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 426/957] arm64: dts: imx8qxp-mek: " Greg Kroah-Hartman
` (537 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
[ Upstream commit e3d3d19d1c0050789a4813ce836a641a3387d916 ]
When attach to PC Type-A port, the USB device controller does not function
at all. Because it is configured as source-only and a Type-A port doesn't
support PD capability, a data role swap is impossible.
Actually, PTN5110THQ is configured for Source role only at POR, but after
POR it can operate as a DRP (Dual-Role Power). By switching the power-role
to dual, the port can operate as a sink and enter device mode when attach
to Type-A port.
Since the board design uses EN_SRC to control the 5V VBUS path and EN_SNK
to control the 12V VBUS output, to avoid outputting a higher VBUS when in
sink role, we set the operation current limit to 0mA so that SW will not
control EN_SNK at all.
Fixes: b237975b2cd58 ("arm64: dts: imx8qm-mek: add usb 3.0 and related type C nodes")
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
index df99fe88cf4ac..a97883873b564 100644
--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
@@ -593,9 +593,17 @@ ptn5110: tcpc@51 {
usb_con1: connector {
compatible = "usb-c-connector";
label = "USB-C";
- power-role = "source";
+ power-role = "dual";
data-role = "dual";
+ try-power-role = "sink";
source-pdos = <PDO_FIXED(5000, 3000, PDO_FIXED_USB_COMM)>;
+ /*
+ * Set operational current to 0mA as we don't want EN_SNK
+ * enable 12V VBUS switch when it work as a sink.
+ */
+ sink-pdos = <PDO_FIXED(5000, 0, PDO_FIXED_USB_COMM)>;
+ op-sink-microwatt = <0>;
+ self-powered;
ports {
#address-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 426/957] arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 425/957] arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 427/957] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
` (536 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
[ Upstream commit 825b8c7e1d2918d89eb378b761530d1e51dba82e ]
When attach to PC Type-A port, the USB device controller does not function
at all. Because it is configured as source-only and a Type-A port doesn't
support PD capability, a data role swap is impossible.
Actually, PTN5110THQ is configured for Source role only at POR, but after
POR it can operate as a DRP (Dual-Role Power). By switching the power-role
to dual, the port can operate as a sink and enter device mode when attach
to Type-A port.
Since the board design uses EN_SRC to control the 5V VBUS path and EN_SNK
to control the 12V VBUS output, to avoid outputting a higher VBUS when in
sink role, we set the operation current limit to 0mA so that SW will not
control EN_SNK at all.
Fixes: 2faf4ebcee2e5 ("arm64: dts: freescale: imx8qxp-mek: enable cadence usb3")
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qxp-mek.dts | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts b/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
index 7b03374455410..ea78e84341523 100644
--- a/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qxp-mek.dts
@@ -497,9 +497,17 @@ ptn5110: tcpc@50 {
usb_con1: connector {
compatible = "usb-c-connector";
label = "USB-C";
- power-role = "source";
+ power-role = "dual";
data-role = "dual";
+ try-power-role = "sink";
source-pdos = <PDO_FIXED(5000, 3000, PDO_FIXED_USB_COMM)>;
+ /*
+ * Set operational current to 0mA as we don't want EN_SNK
+ * enable 12V VBUS switch when it work as a sink.
+ */
+ sink-pdos = <PDO_FIXED(5000, 0, PDO_FIXED_USB_COMM)>;
+ op-sink-microwatt = <0>;
+ self-powered;
ports {
#address-cells = <1>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 427/957] soc/tegra: cbb: Set ERD on resume for err interrupt
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 426/957] arm64: dts: imx8qxp-mek: " Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 428/957] soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables Greg Kroah-Hartman
` (535 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Gupta, Thierry Reding,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumit Gupta <sumitg@nvidia.com>
[ Upstream commit b6ff71c5d1d4ad858ddf6f39394d169c96689596 ]
Set the Error Response Disable (ERD) bit to mask SError responses
and use interrupt-based error reporting. When the ERD bit is set,
inband error responses to the initiator via SError are suppressed,
and fabric errors are reported via an interrupt instead.
The register is set during boot but the info is lost during system
suspend and needs to be set again on resume.
Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0")
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/tegra/cbb/tegra234-cbb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
index a9adbcecd47cc..518733a066588 100644
--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
+++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
@@ -1586,6 +1586,10 @@ static int __maybe_unused tegra234_cbb_resume_noirq(struct device *dev)
{
struct tegra234_cbb *cbb = dev_get_drvdata(dev);
+ /* set ERD bit to mask SError and generate interrupt to report error */
+ if (cbb->fabric->off_mask_erd)
+ tegra234_cbb_mask_serror(cbb);
+
tegra234_cbb_error_enable(&cbb->base);
dev_dbg(dev, "%s resumed\n", cbb->fabric->fab_list[cbb->fabric->fab_id].name);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 428/957] soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 427/957] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 429/957] soc/tegra: cbb: Fix cross-fabric target timeout lookup Greg Kroah-Hartman
` (534 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Gupta, Thierry Reding,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumit Gupta <sumitg@nvidia.com>
[ Upstream commit 499f7e5ebbdd9ff0c4d532b1c432f8a61ff585b3 ]
Fix incorrect ARRAY_SIZE usage in fabric lookup tables which could
cause out-of-bounds access during target timeout lookup.
Fixes: 25de5c8fe0801 ("soc/tegra: cbb: Improve handling for per SoC fabric data")
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/tegra/cbb/tegra234-cbb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
index 518733a066588..626e0e820329b 100644
--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
+++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
@@ -881,7 +881,7 @@ static const struct tegra234_fabric_lookup tegra234_cbb_fab_list[] = {
ARRAY_SIZE(tegra234_common_target_map) },
[T234_AON_FABRIC_ID] = { "aon-fabric", true,
tegra234_aon_target_map,
- ARRAY_SIZE(tegra234_bpmp_target_map) },
+ ARRAY_SIZE(tegra234_aon_target_map) },
[T234_PSC_FABRIC_ID] = { "psc-fabric" },
[T234_BPMP_FABRIC_ID] = { "bpmp-fabric", true,
tegra234_bpmp_target_map,
@@ -1160,7 +1160,7 @@ static const struct tegra234_fabric_lookup tegra241_cbb_fab_list[] = {
[T234_CBB_FABRIC_ID] = { "cbb-fabric", true,
tegra241_cbb_target_map, ARRAY_SIZE(tegra241_cbb_target_map) },
[T234_BPMP_FABRIC_ID] = { "bpmp-fabric", true,
- tegra241_bpmp_target_map, ARRAY_SIZE(tegra241_cbb_target_map) },
+ tegra241_bpmp_target_map, ARRAY_SIZE(tegra241_bpmp_target_map) },
};
static const struct tegra234_cbb_fabric tegra241_cbb_fabric = {
.fab_id = T234_CBB_FABRIC_ID,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 429/957] soc/tegra: cbb: Fix cross-fabric target timeout lookup
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 428/957] soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 430/957] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
` (533 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumit Gupta, Thierry Reding,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumit Gupta <sumitg@nvidia.com>
[ Upstream commit a5f51b04cbb3ae0f9cb2c4488952b775ebb0ccbf ]
When a fabric receives an error interrupt, the error may have
occurred on a different fabric. The target timeout lookup was using
the wrong base address (cbb->regs) with offsets from a different
fabric's target map, causing a kernel page fault.
Unable to handle kernel paging request at virtual address ffff80000954cc00
pc : tegra234_cbb_get_tmo_slv+0xc/0x28
Call trace:
tegra234_cbb_get_tmo_slv+0xc/0x28
print_err_notifier+0x6c0/0x7d0
tegra234_cbb_isr+0xe4/0x1b4
Add tegra234_cbb_get_fabric() to look up the correct fabric device
using fab_id, and use its base address for accessing target timeout
registers.
Fixes: 25de5c8fe0801 ("soc/tegra: cbb: Improve handling for per SoC fabric data")
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/tegra/cbb/tegra234-cbb.c | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/tegra/cbb/tegra234-cbb.c b/drivers/soc/tegra/cbb/tegra234-cbb.c
index 626e0e820329b..7e387fc54c6b1 100644
--- a/drivers/soc/tegra/cbb/tegra234-cbb.c
+++ b/drivers/soc/tegra/cbb/tegra234-cbb.c
@@ -313,12 +313,37 @@ static void tegra234_cbb_lookup_apbslv(struct seq_file *file, const char *target
}
}
+static struct tegra234_cbb *tegra234_cbb_get_fabric(u8 fab_id)
+{
+ struct tegra_cbb *entry;
+
+ list_for_each_entry(entry, &cbb_list, node) {
+ struct tegra234_cbb *priv = to_tegra234_cbb(entry);
+
+ if (priv->fabric->fab_id == fab_id)
+ return priv;
+ }
+
+ return NULL;
+}
+
static void tegra234_sw_lookup_target_timeout(struct seq_file *file, struct tegra234_cbb *cbb,
u8 target_id, u8 fab_id)
{
const struct tegra234_target_lookup *map = cbb->fabric->fab_list[fab_id].target_map;
+ struct tegra234_cbb *target_cbb = NULL;
void __iomem *addr;
+ if (fab_id == cbb->fabric->fab_id)
+ target_cbb = cbb;
+ else
+ target_cbb = tegra234_cbb_get_fabric(fab_id);
+
+ if (!target_cbb) {
+ dev_err(cbb->base.dev, "could not find fabric for fab_id:%d\n", fab_id);
+ return;
+ }
+
if (target_id >= cbb->fabric->fab_list[fab_id].max_targets) {
tegra_cbb_print_err(file, "\t Invalid target_id:%d\n", target_id);
return;
@@ -341,7 +366,7 @@ static void tegra234_sw_lookup_target_timeout(struct seq_file *file, struct tegr
* e) Goto step-a till all bits are set.
*/
- addr = cbb->regs + map[target_id].offset;
+ addr = target_cbb->regs + map[target_id].offset;
if (strstr(map[target_id].name, "AXI2APB")) {
addr += APB_BLOCK_TMO_STATUS_0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 430/957] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 429/957] soc/tegra: cbb: Fix cross-fabric target timeout lookup Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 431/957] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
` (532 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Grzedzicki, Andrew Morton,
Alexey Gladkov (Intel), Ben Segall, David Hildenbrand,
Dietmar Eggemann, Ingo Molnar, Juri Lelli, Kees Cook,
Liam R. Howlett, Lorenzo Stoakes (Oracle), Mel Gorman,
Michal Hocko, Mike Rapoport, Peter Zijlstra, Steven Rostedt,
Suren Baghdasaryan, Valentin Schneider, Vincent Guittot,
Vlastimil Babka, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Grzedzicki <mge@meta.com>
[ Upstream commit a98621a0f187a934c115dcfe79a49520ae892111 ]
When set_cred_ucounts() fails in ksys_unshare() new_nsproxy is leaked.
Let's call put_nsproxy() if that happens.
Link: https://lkml.kernel.org/r/20260213193959.2556730-1-mge@meta.com
Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
Signed-off-by: Michal Grzedzicki <mge@meta.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexey Gladkov (Intel) <legion@kernel.org>
Cc: Ben Segall <bsegall@google.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 34e6b94c22129..3ad76c2cf5af5 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3132,11 +3132,10 @@ int ksys_unshare(unsigned long unshare_flags)
new_cred, new_fs);
if (err)
goto bad_unshare_cleanup_cred;
-
if (new_cred) {
err = set_cred_ucounts(new_cred);
if (err)
- goto bad_unshare_cleanup_cred;
+ goto bad_unshare_cleanup_nsproxy;
}
if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
@@ -3152,8 +3151,10 @@ int ksys_unshare(unsigned long unshare_flags)
shm_init_task(current);
}
- if (new_nsproxy)
+ if (new_nsproxy) {
switch_task_namespaces(current, new_nsproxy);
+ new_nsproxy = NULL;
+ }
task_lock(current);
@@ -3182,13 +3183,15 @@ int ksys_unshare(unsigned long unshare_flags)
perf_event_namespaces(current);
+bad_unshare_cleanup_nsproxy:
+ if (new_nsproxy)
+ put_nsproxy(new_nsproxy);
bad_unshare_cleanup_cred:
if (new_cred)
put_cred(new_cred);
bad_unshare_cleanup_fd:
if (new_fd)
put_files_struct(new_fd);
-
bad_unshare_cleanup_fs:
if (new_fs)
free_fs_struct(new_fs);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 431/957] ocfs2/dlm: validate qr_numregions in dlm_match_regions()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 430/957] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 432/957] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
` (531 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yuhao Jiang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 7ab3fbb01bc6d79091bc375e5235d360cd9b78be ]
Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".
In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION
network message is used to drive loops over the qr_regions buffer without
sufficient validation. This series fixes two issues:
- Patch 1 adds a bounds check to reject messages where qr_numregions
exceeds O2NM_MAX_REGIONS. The o2net layer only validates message
byte length; it does not constrain field values, so a crafted message
can set qr_numregions up to 255 and trigger out-of-bounds reads past
the 1024-byte qr_regions buffer.
- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop,
which uses '<=' instead of '<', reading one entry past the valid range
even when qr_numregions is within bounds.
This patch (of 2):
The qr_numregions field from a DLM_QUERY_REGION network message is used
directly as loop bounds in dlm_match_regions() without checking against
O2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS
(32) entries, a crafted message with qr_numregions > 32 causes
out-of-bounds reads past the qr_regions buffer.
Add a bounds check for qr_numregions before entering the loops.
Link: https://lkml.kernel.org/r/SYBPR01MB7881A334D02ACEE5E0645801AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Link: https://lkml.kernel.org/r/SYBPR01MB788166F524AD04E262E174BEAF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/dlm/dlmdomain.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index 2347a50f079b7..f159785a21116 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -980,6 +980,14 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
goto bail;
}
+ if (qr->qr_numregions > O2NM_MAX_REGIONS) {
+ mlog(ML_ERROR, "Domain %s: Joining node %d has invalid "
+ "number of heartbeat regions %u\n",
+ qr->qr_domain, qr->qr_node, qr->qr_numregions);
+ status = -EINVAL;
+ goto bail;
+ }
+
r = remote;
for (i = 0; i < qr->qr_numregions; ++i) {
mlog(0, "Region %.*s\n", O2HB_MAX_REGION_NAME_LEN, r);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 432/957] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 431/957] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 433/957] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
` (530 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junrui Luo, Yuhao Jiang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 01b61e8dda9b0fdb0d4cda43de25f4e390554d7b ]
The local-vs-remote region comparison loop uses '<=' instead of '<',
causing it to read one entry past the valid range of qr_regions. The
other loops in the same function correctly use '<'.
Fix the loop condition to use '<' for consistency and correctness.
Link: https://lkml.kernel.org/r/SYBPR01MB78813DA26B50EC5E01F00566AF7BA@SYBPR01MB7881.ausprd01.prod.outlook.com
Fixes: ea2034416b54 ("ocfs2/dlm: Add message DLM_QUERY_REGION")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/dlm/dlmdomain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ocfs2/dlm/dlmdomain.c b/fs/ocfs2/dlm/dlmdomain.c
index f159785a21116..09bee7b86815e 100644
--- a/fs/ocfs2/dlm/dlmdomain.c
+++ b/fs/ocfs2/dlm/dlmdomain.c
@@ -1002,7 +1002,7 @@ static int dlm_match_regions(struct dlm_ctxt *dlm,
for (i = 0; i < localnr; ++i) {
foundit = 0;
r = remote;
- for (j = 0; j <= qr->qr_numregions; ++j) {
+ for (j = 0; j < qr->qr_numregions; ++j) {
if (!memcmp(l, r, O2HB_MAX_REGION_NAME_LEN)) {
foundit = 1;
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 433/957] soc: qcom: llcc: fix v1 SB syndrome register offset
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 432/957] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 434/957] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
` (529 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Manivannan Sadhasivam,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 24e7625df5ce065393249b78930781be593bc381 ]
The llcc_v1_edac_reg_offset table uses 0x2304c for trp_ecc_sb_err_syn0,
which is inconsistent with the surrounding TRP ECC registers (0x2034x)
and with llcc_v2_1_edac_reg_offset, where trp_ecc_sb_err_syn0 is 0x2034c
adjacent to trp_ecc_error_status0/1 at 0x20344/0x20348.
Use 0x2034c for llcc v1 so the SB syndrome register follows the expected
+0x4 progression from trp_ecc_error_status1. This fixes EDAC reading the
wrong register for SB syndrome reporting.
Fixes: c13d7d261e36 ("soc: qcom: llcc: Pass LLCC version based register offsets to EDAC driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260330095118.2657362-1-alok.a.tiwari@oracle.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/llcc-qcom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c
index 857ead56b37d0..d5ce09d6115f0 100644
--- a/drivers/soc/qcom/llcc-qcom.c
+++ b/drivers/soc/qcom/llcc-qcom.c
@@ -3394,7 +3394,7 @@ static const struct llcc_slice_config x1e80100_data[] = {
static const struct llcc_edac_reg_offset llcc_v1_edac_reg_offset = {
.trp_ecc_error_status0 = 0x20344,
.trp_ecc_error_status1 = 0x20348,
- .trp_ecc_sb_err_syn0 = 0x2304c,
+ .trp_ecc_sb_err_syn0 = 0x2034c,
.trp_ecc_db_err_syn0 = 0x20370,
.trp_ecc_error_cntr_clear = 0x20440,
.trp_interrupt_0_status = 0x20480,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 434/957] soc: qcom: aoss: compare against normalized cooling state
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 433/957] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 435/957] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
` (528 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit cd3c4670db3ffe997be9548c7a9db3952563cf14 ]
qmp_cdev_set_cur_state() normalizes the requested state to a boolean
(cdev_state = !!state). The existing early-return check compares
qmp_cdev->state == state, which can be wrong if state is non-boolean
(any non-zero value). Compare qmp_cdev->state against cdev_state instead,
so the check matches the effective state and avoids redundant updates.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Fixes: 05589b30b21a ("soc: qcom: Extend AOSS QMP driver to support resources that are used to wake up the SoC.")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260329195333.1478090-1-alok.a.tiwari@oracle.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/qcom_aoss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/qcom_aoss.c b/drivers/soc/qcom/qcom_aoss.c
index a543ab9bee6c4..c255662b8fc3d 100644
--- a/drivers/soc/qcom/qcom_aoss.c
+++ b/drivers/soc/qcom/qcom_aoss.c
@@ -355,7 +355,7 @@ static int qmp_cdev_set_cur_state(struct thermal_cooling_device *cdev,
/* Normalize state */
cdev_state = !!state;
- if (qmp_cdev->state == state)
+ if (qmp_cdev->state == cdev_state)
return 0;
ret = qmp_send(qmp_cdev->qmp, "{class: volt_flr, event:zero_temp, res:%s, value:%s}",
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 435/957] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 434/957] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 436/957] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
` (527 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Koskovich, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Koskovich <AKoskovich@pm.me>
[ Upstream commit b683730e27ba4f91986c4c92f5cb7297f1e01a6d ]
This resolves the following error seen on the ASUS ROG Phone 3:
cpu cpu7: Voltage update failed freq=3091200
cpu cpu7: failed to update OPP for freq=3091200
Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
Signed-off-by: Alexander Koskovich <akoskovich@pm.me>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260307-sm8250-cpu7-opp-v1-1-435f5f6628a1@pm.me
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sm8250.dtsi | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
index 50dd11432bb2e..adf6b49b52c48 100644
--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
@@ -665,6 +665,11 @@ cpu7_opp20: opp-2841600000 {
opp-hz = /bits/ 64 <2841600000>;
opp-peak-kBps = <8368000 51609600>;
};
+
+ cpu7_opp21: opp-3091200000 {
+ opp-hz = /bits/ 64 <3091200000>;
+ opp-peak-kBps = <8368000 51609600>;
+ };
};
firmware {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 436/957] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 435/957] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 437/957] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
` (526 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaro Koskinen, Kevin Hilman,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
[ Upstream commit 7e74b606dd39c46d4378d6f6563f560a00ab8694 ]
On OMAP16XX, the UART enable bit shifts are written instead of the actual
bits. This breaks the boot when DEBUG_LL and earlyprintk is enabled;
the UART gets disabled and some random bits get enabled. Fix that.
Fixes: 34c86239b184 ("ARM: OMAP1: clock: Fix early UART rate issues")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://patch.msgid.link/aca7HnXZ-aCSJPW7@darkstar.musicnaut.iki.fi
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-omap1/clock_data.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-omap1/clock_data.c b/arch/arm/mach-omap1/clock_data.c
index c58d200e4816b..5203b047deac8 100644
--- a/arch/arm/mach-omap1/clock_data.c
+++ b/arch/arm/mach-omap1/clock_data.c
@@ -700,8 +700,8 @@ int __init omap1_clk_init(void)
/* Make sure UART clocks are enabled early */
if (cpu_is_omap16xx())
omap_writel(omap_readl(MOD_CONF_CTRL_0) |
- CONF_MOD_UART1_CLK_MODE_R |
- CONF_MOD_UART3_CLK_MODE_R, MOD_CONF_CTRL_0);
+ (1 << CONF_MOD_UART1_CLK_MODE_R) |
+ (1 << CONF_MOD_UART3_CLK_MODE_R), MOD_CONF_CTRL_0);
#endif
/* USB_REQ_EN will be disabled later if necessary (usb_dc_ck) */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 437/957] arm64/xor: fix conflicting attributes for xor_block_template
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 436/957] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 438/957] slab: Introduce kmalloc_obj() and family Greg Kroah-Hartman
` (525 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Eric Biggers,
Albert Ou, Alexander Gordeev, Alexandre Ghiti, Andreas Larsson,
Anton Ivanov, Ard Biesheuvel, Arnd Bergmann,
Borislav Petkov (AMD), Catalin Marinas, Chris Mason,
Christian Borntraeger, Dan Williams, David S. Miller,
David Sterba, Heiko Carstens, Herbert Xu, H. Peter Anvin,
Huacai Chen, Ingo Molnar, Jason A. Donenfeld, Johannes Berg,
Li Nan, Madhavan Srinivasan, Magnus Lindholm, Matt Turner,
Michael Ellerman, Nicholas Piggin, Palmer Dabbelt,
Richard Henderson, Richard Weinberger, Russell King, Song Liu,
Sven Schnelle, Ted Tso, Vasily Gorbik, WANG Xuerui, Will Deacon,
Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 675a0dd596e712404557286d0a883b54ee28e4f4 ]
Commit 2c54b423cf85 ("arm64/xor: use EOR3 instructions when available")
changes the definition to __ro_after_init instead of const, but failed to
update the external declaration in xor.h. This was not found because
xor-neon.c doesn't include <asm/xor.h>, and can't easily do that due to
current architecture of the XOR code.
Link: https://lkml.kernel.org/r/20260327061704.3707577-4-hch@lst.de
Fixes: 2c54b423cf85 ("arm64/xor: use EOR3 instructions when available")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Tested-by: Eric Biggers <ebiggers@kernel.org>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Andreas Larsson <andreas@gaisler.com>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Borislav Petkov (AMD)" <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Chris Mason <clm@fb.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: David Sterba <dsterba@suse.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jason A. Donenfeld <jason@zx2c4.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Li Nan <linan122@huawei.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Magnus Lindholm <linmag7@gmail.com>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Song Liu <song@kernel.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: WANG Xuerui <kernel@xen0n.name>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/xor.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/xor.h b/arch/arm64/include/asm/xor.h
index befcd8a7abc98..7c03207157196 100644
--- a/arch/arm64/include/asm/xor.h
+++ b/arch/arm64/include/asm/xor.h
@@ -13,7 +13,7 @@
#ifdef CONFIG_KERNEL_MODE_NEON
-extern struct xor_block_template const xor_block_inner_neon;
+extern struct xor_block_template xor_block_inner_neon __ro_after_init;
static void
xor_neon_2(unsigned long bytes, unsigned long * __restrict p1,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 438/957] slab: Introduce kmalloc_obj() and family
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 437/957] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 439/957] lib: kunit_iov_iter: fix memory leaks Greg Kroah-Hartman
` (524 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vlastimil Babka, Kees Cook,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 2932ba8d9c99875b98c951d9d3fd6d651d35df3a ]
Introduce type-aware kmalloc-family helpers to replace the common
idioms for single object and arrays of objects allocation:
ptr = kmalloc(sizeof(*ptr), gfp);
ptr = kmalloc(sizeof(struct some_obj_name), gfp);
ptr = kzalloc(sizeof(*ptr), gfp);
ptr = kmalloc_array(count, sizeof(*ptr), gfp);
ptr = kcalloc(count, sizeof(*ptr), gfp);
These become, respectively:
ptr = kmalloc_obj(*ptr, gfp);
ptr = kmalloc_obj(*ptr, gfp);
ptr = kzalloc_obj(*ptr, gfp);
ptr = kmalloc_objs(*ptr, count, gfp);
ptr = kzalloc_objs(*ptr, count, gfp);
Beyond the other benefits outlined below, the primary ergonomic benefit
is the elimination of needing "sizeof" nor the type name, and the
enforcement of assignment types (they do not return "void *", but rather
a pointer to the type of the first argument). The type name _can_ be
used, though, in the case where an assignment is indirect (e.g. via
"return"). This additionally allows[1] variables to be declared via
__auto_type:
__auto_type ptr = kmalloc_obj(struct foo, gfp);
Internal introspection of the allocated type now becomes possible,
allowing for future alignment-aware choices to be made by the allocator
and future hardening work that can be type sensitive. For example,
adding __alignof(*ptr) as an argument to the internal allocators so that
appropriate/efficient alignment choices can be made, or being able to
correctly choose per-allocation offset randomization within a bucket
that does not break alignment requirements.
Link: https://lore.kernel.org/all/CAHk-=wiCOTW5UftUrAnvJkr6769D29tF7Of79gUjdQHS_TkF5A@mail.gmail.com/ [1]
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Link: https://patch.msgid.link/20251203233036.3212363-1-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Stable-dep-of: 0b49c7d0ae69 ("lib: kunit_iov_iter: fix memory leaks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/process/deprecated.rst | 24 ++++++++++++
include/linux/slab.h | 58 ++++++++++++++++++++++++++++
2 files changed, 82 insertions(+)
diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst
index 1f7f3e6c9cda9..91c628fa2d59c 100644
--- a/Documentation/process/deprecated.rst
+++ b/Documentation/process/deprecated.rst
@@ -372,3 +372,27 @@ The helper must be used::
DECLARE_FLEX_ARRAY(struct type2, two);
};
};
+
+Open-coded kmalloc assignments for struct objects
+-------------------------------------------------
+Performing open-coded kmalloc()-family allocation assignments prevents
+the kernel (and compiler) from being able to examine the type of the
+variable being assigned, which limits any related introspection that
+may help with alignment, wrap-around, or additional hardening. The
+kmalloc_obj()-family of macros provide this introspection, which can be
+used for the common code patterns for single, array, and flexible object
+allocations. For example, these open coded assignments::
+
+ ptr = kmalloc(sizeof(*ptr), gfp);
+ ptr = kzalloc(sizeof(*ptr), gfp);
+ ptr = kmalloc_array(count, sizeof(*ptr), gfp);
+ ptr = kcalloc(count, sizeof(*ptr), gfp);
+ ptr = kmalloc(sizeof(struct foo, gfp);
+
+become, respectively::
+
+ ptr = kmalloc_obj(*ptr, gfp);
+ ptr = kzalloc_obj(*ptr, gfp);
+ ptr = kmalloc_objs(*ptr, count, gfp);
+ ptr = kzalloc_objs(*ptr, count, gfp);
+ __auto_type ptr = kmalloc_obj(struct foo, gfp);
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 2482992248dc9..cbb64a2698f5d 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -12,6 +12,7 @@
#ifndef _LINUX_SLAB_H
#define _LINUX_SLAB_H
+#include <linux/bug.h>
#include <linux/cache.h>
#include <linux/gfp.h>
#include <linux/overflow.h>
@@ -965,6 +966,63 @@ static __always_inline __alloc_size(1) void *kmalloc_noprof(size_t size, gfp_t f
void *kmalloc_nolock_noprof(size_t size, gfp_t gfp_flags, int node);
#define kmalloc_nolock(...) alloc_hooks(kmalloc_nolock_noprof(__VA_ARGS__))
+/**
+ * __alloc_objs - Allocate objects of a given type using
+ * @KMALLOC: which size-based kmalloc wrapper to allocate with.
+ * @GFP: GFP flags for the allocation.
+ * @TYPE: type to allocate space for.
+ * @COUNT: how many @TYPE objects to allocate.
+ *
+ * Returns: Newly allocated pointer to (first) @TYPE of @COUNT-many
+ * allocated @TYPE objects, or NULL on failure.
+ */
+#define __alloc_objs(KMALLOC, GFP, TYPE, COUNT) \
+({ \
+ const size_t __obj_size = size_mul(sizeof(TYPE), COUNT); \
+ (TYPE *)KMALLOC(__obj_size, GFP); \
+})
+
+/**
+ * kmalloc_obj - Allocate a single instance of the given type
+ * @VAR_OR_TYPE: Variable or type to allocate.
+ * @GFP: GFP flags for the allocation.
+ *
+ * Returns: newly allocated pointer to a @VAR_OR_TYPE on success, or NULL
+ * on failure.
+ */
+#define kmalloc_obj(VAR_OR_TYPE, GFP) \
+ __alloc_objs(kmalloc, GFP, typeof(VAR_OR_TYPE), 1)
+
+/**
+ * kmalloc_objs - Allocate an array of the given type
+ * @VAR_OR_TYPE: Variable or type to allocate an array of.
+ * @COUNT: How many elements in the array.
+ * @GFP: GFP flags for the allocation.
+ *
+ * Returns: newly allocated pointer to array of @VAR_OR_TYPE on success,
+ * or NULL on failure.
+ */
+#define kmalloc_objs(VAR_OR_TYPE, COUNT, GFP) \
+ __alloc_objs(kmalloc, GFP, typeof(VAR_OR_TYPE), COUNT)
+
+/* All kzalloc aliases for kmalloc_(obj|objs|flex). */
+#define kzalloc_obj(P, GFP) \
+ __alloc_objs(kzalloc, GFP, typeof(P), 1)
+#define kzalloc_objs(P, COUNT, GFP) \
+ __alloc_objs(kzalloc, GFP, typeof(P), COUNT)
+
+/* All kvmalloc aliases for kmalloc_(obj|objs|flex). */
+#define kvmalloc_obj(P, GFP) \
+ __alloc_objs(kvmalloc, GFP, typeof(P), 1)
+#define kvmalloc_objs(P, COUNT, GFP) \
+ __alloc_objs(kvmalloc, GFP, typeof(P), COUNT)
+
+/* All kvzalloc aliases for kmalloc_(obj|objs|flex). */
+#define kvzalloc_obj(P, GFP) \
+ __alloc_objs(kvzalloc, GFP, typeof(P), 1)
+#define kvzalloc_objs(P, COUNT, GFP) \
+ __alloc_objs(kvzalloc, GFP, typeof(P), COUNT)
+
#define kmem_buckets_alloc(_b, _size, _flags) \
alloc_hooks(__kmalloc_node_noprof(PASS_BUCKET_PARAMS(_size, _b), _flags, NUMA_NO_NODE))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 439/957] lib: kunit_iov_iter: fix memory leaks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 438/957] slab: Introduce kmalloc_obj() and family Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 440/957] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended Greg Kroah-Hartman
` (523 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt, David Howells,
David Gow, Kees Cook, Petr Mladek, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian A. Ehrhardt <lk@c--e.de>
[ Upstream commit 0b49c7d0ae697fcecd7377cb7dda220f7cd096ff ]
Use vfree() instead of vunmap() to free the buffer allocated by
iov_kunit_create_buffer() because vunmap() does not honour
VM_MAP_PUT_PAGES. In order for this to work the page array itself must
not be managed by kunit.
Remove the folio_put() when destroying a folioq. This is handled by
vfree(), now.
Pointed out by sashiko.dev on a previous iteration of this series.
Tested by running the kunit test 10000 times in a loop.
Link: https://lkml.kernel.org/r/20260326214905.818170-4-lk@c--e.de
Fixes: 2d71340ff1d4 ("iov_iter: Kunit tests for copying to/from an iterator")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Cc: David Howells <dhowells@redhat.com>
Cc: David Gow <davidgow@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Petr Mladek <pmladek@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/tests/kunit_iov_iter.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/lib/tests/kunit_iov_iter.c b/lib/tests/kunit_iov_iter.c
index 48342736d0164..43e63bf4c0956 100644
--- a/lib/tests/kunit_iov_iter.c
+++ b/lib/tests/kunit_iov_iter.c
@@ -42,7 +42,7 @@ static inline u8 pattern(unsigned long x)
static void iov_kunit_unmap(void *data)
{
- vunmap(data);
+ vfree(data);
}
static void *__init iov_kunit_create_buffer(struct kunit *test,
@@ -53,17 +53,22 @@ static void *__init iov_kunit_create_buffer(struct kunit *test,
unsigned long got;
void *buffer;
- pages = kunit_kcalloc(test, npages, sizeof(struct page *), GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pages);
+ pages = kzalloc_objs(struct page *, npages, GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pages);
*ppages = pages;
got = alloc_pages_bulk(GFP_KERNEL, npages, pages);
if (got != npages) {
release_pages(pages, got);
+ kvfree(pages);
KUNIT_ASSERT_EQ(test, got, npages);
}
buffer = vmap(pages, npages, VM_MAP | VM_MAP_PUT_PAGES, PAGE_KERNEL);
+ if (buffer == NULL) {
+ release_pages(pages, got);
+ kvfree(pages);
+ }
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
kunit_add_action_or_reset(test, iov_kunit_unmap, buffer);
@@ -369,9 +374,6 @@ static void iov_kunit_destroy_folioq(void *data)
for (folioq = data; folioq; folioq = next) {
next = folioq->next;
- for (int i = 0; i < folioq_nr_slots(folioq); i++)
- if (folioq_folio(folioq, i))
- folio_put(folioq_folio(folioq, i));
kfree(folioq);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 440/957] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 439/957] lib: kunit_iov_iter: fix memory leaks Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 441/957] firmware: arm_ffa: Use the correct buffer size during RXTX_MAP Greg Kroah-Hartman
` (522 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit 0477a6b31e2874e554e3bcfac9883684b8f8ca2d ]
The property interrupts use default interrupt controllers. But pass down
gpio<n> as phandle. Correct it by use interrupts-extended.
Fixes: d8cae888aa2bc ("ARM: dts: Add support for the cpuimx27 board from Eukrea and its baseboard")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi | 8 ++++----
.../boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi
index c7e9235848782..9f0e65526d5f9 100644
--- a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi
+++ b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-cpuimx27.dtsi
@@ -106,7 +106,7 @@ uart8250@3,200000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 23 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 23 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x200000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
@@ -119,7 +119,7 @@ uart8250@3,400000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 22 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 22 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x400000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
@@ -132,7 +132,7 @@ uart8250@3,800000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 27 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 27 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x800000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
@@ -145,7 +145,7 @@ uart8250@3,1000000 {
compatible = "ns8250";
clocks = <&clk14745600>;
fsl,weim-cs-timing = <0x0000d603 0x0d1d0d01 0x00d20000>;
- interrupts = <&gpio2 30 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio2 30 IRQ_TYPE_LEVEL_LOW>;
reg = <3 0x1000000 0x1000>;
reg-shift = <1>;
reg-io-width = <1>;
diff --git a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts
index d78793601306c..c71f802983304 100644
--- a/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts
+++ b/arch/arm/boot/dts/nxp/imx/imx27-eukrea-mbimxsd27-baseboard.dts
@@ -76,7 +76,7 @@ ads7846@0 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_touch>;
reg = <0>;
- interrupts = <&gpio4 25 IRQ_TYPE_LEVEL_LOW>;
+ interrupts-extended = <&gpio4 25 IRQ_TYPE_LEVEL_LOW>;
spi-cpol;
spi-max-frequency = <1500000>;
ti,keep-vref-on;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 441/957] firmware: arm_ffa: Use the correct buffer size during RXTX_MAP
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 440/957] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 442/957] fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal Greg Kroah-Hartman
` (521 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Ene, Sudeep Holla,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Ene <sebastianene@google.com>
[ Upstream commit 83210251fd70d5f96bcdc8911e15f7411a6b2463 ]
Don't use the discovered buffer size from an FFA_FEATURES call directly
since we can run on a system that has the PAGE_SIZE larger than the
returned size which makes the alloc_pages_exact for the buffer to be
rounded up.
Fixes: 61824feae5c0 ("firmware: arm_ffa: Fetch the Rx/Tx buffer size using ffa_features()")
Signed-off-by: Sebastian Ene <sebastianene@google.com>
Link: https://patch.msgid.link/20260402113939.930221-1-sebastianene@google.com
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_ffa/driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index f6ceae987acbc..d71a2ef335d1c 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -2074,7 +2074,7 @@ static int __init ffa_init(void)
ret = ffa_rxtx_map(virt_to_phys(drv_info->tx_buffer),
virt_to_phys(drv_info->rx_buffer),
- rxtx_bufsz / FFA_PAGE_SIZE);
+ PAGE_ALIGN(rxtx_bufsz) / FFA_PAGE_SIZE);
if (ret) {
pr_err("failed to register FFA RxTx buffers\n");
goto free_pages;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 442/957] fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 441/957] firmware: arm_ffa: Use the correct buffer size during RXTX_MAP Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 443/957] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
` (520 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Cheng, Kai-Heng Feng,
Dave Jiang, Jason Gunthorpe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Cheng <icheng@nvidia.com>
[ Upstream commit a55f80233f384dc89ef3425b2e1dd0e6d44bcf29 ]
CXL is linked before fwctl in drivers/Makefile. Both use `module_init, so
`cxl_pci_driver_init()` runs first. When `cxl_pci_probe()` calls
`fwctl_register()` and then `device_add()`, fwctl_class is not yet
registered because fwctl_init() hasn't run, causing `class_to_subsys()` to
return NULL and skip knode_class initialization.
On device removal, `class_to_subsys()` returns non-NULL, and
`device_del()` calls `klist_del()` on the uninitialized knode, triggering
a NULL pointer dereference.
Fixes: 858ce2f56b52 ("cxl: Add FWCTL support to CXL")
Link: https://patch.msgid.link/r/20260409051902.40218-1-icheng@nvidia.com
Signed-off-by: Richard Cheng <icheng@nvidia.com>
Reviewed-by: Kai-Heng Feng <kaihengf@nvidia.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/fwctl/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/fwctl/main.c b/drivers/fwctl/main.c
index bc6378506296c..098c3824ad751 100644
--- a/drivers/fwctl/main.c
+++ b/drivers/fwctl/main.c
@@ -415,7 +415,7 @@ static void __exit fwctl_exit(void)
unregister_chrdev_region(fwctl_dev, FWCTL_MAX_DEVICES);
}
-module_init(fwctl_init);
+subsys_initcall(fwctl_init);
module_exit(fwctl_exit);
MODULE_DESCRIPTION("fwctl device firmware access framework");
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 443/957] ocfs2: fix listxattr handling when the buffer is full
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 442/957] fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 444/957] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
` (519 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit d12f558e6200b3f47dbef9331ed6d115d2410e59 ]
[BUG]
If an OCFS2 inode has both inline and block-based xattrs, listxattr()
can return a size larger than the caller's buffer when the inline names
consume that buffer exactly.
kernel BUG at mm/usercopy.c:102!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
Call Trace:
__check_heap_object+0xe3/0x120 mm/slub.c:8243
check_heap_object mm/usercopy.c:196 [inline]
__check_object_size mm/usercopy.c:250 [inline]
__check_object_size+0x5c5/0x780 mm/usercopy.c:215
check_object_size include/linux/ucopysize.h:22 [inline]
check_copy_size include/linux/ucopysize.h:59 [inline]
copy_to_user include/linux/uaccess.h:219 [inline]
listxattr+0xb0/0x170 fs/xattr.c:926
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x137/0x320 fs/xattr.c:988
__do_sys_listxattr fs/xattr.c:1001 [inline]
__se_sys_listxattr fs/xattr.c:998 [inline]
__x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
...
[CAUSE]
Commit 936b8834366e ("ocfs2: Refactor xattr list and remove
ocfs2_xattr_handler().") replaced the old per-handler list accounting
with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect
probe mode.
That assumption stops being true once ocfs2_listxattr() finishes the
inline-xattr pass. If the inline names fill the caller buffer exactly,
the block-xattr pass runs with a non-NULL buffer and a remaining size of
zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps
counting block names, and returns a positive size larger than the
supplied buffer.
[FIX]
Detect probe mode by testing whether the destination buffer pointer is
NULL instead of whether the remaining size is zero.
That restores the pre-refactor behavior and matches the OCFS2 getxattr
helpers. Once the remaining buffer reaches zero while more names are
left, the block-xattr pass now returns -ERANGE instead of reporting a
size larger than the allocated list buffer.
Link: https://lkml.kernel.org/r/20260410040339.3837162-1-gality369@gmail.com
Fixes: 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/xattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 64ba3946f8408..8f7018bad283b 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -907,8 +907,8 @@ static int ocfs2_xattr_list_entry(struct super_block *sb,
total_len = prefix_len + name_len + 1;
*result += total_len;
- /* we are just looking for how big our buffer needs to be */
- if (!size)
+ /* No buffer means we are only looking for the required size. */
+ if (!buffer)
return 0;
if (*result > size)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 444/957] ocfs2: validate bg_bits during freefrag scan
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 443/957] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 445/957] ocfs2: validate group add input before caching Greg Kroah-Hartman
` (518 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Heming Zhao,
Joseph Qi, Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge,
Jun Piao, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit 8f687eeed3da3012152b0f9473f578869de0cd7b ]
[BUG]
A crafted filesystem can trigger an out-of-bounds bitmap walk when
OCFS2_IOC_INFO is issued with OCFS2_INFO_FL_NON_COHERENT.
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in test_bit_le include/asm-generic/bitops/le.h:21 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbe/0x130 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xd1/0x650 mm/kasan/report.c:482
kasan_report+0xfb/0x140 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x11c/0x200 mm/kasan/generic.c:200
__kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
test_bit_le include/asm-generic/bitops/le.h:21 [inline]
ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
ocfs2_info_handle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828
ocfs2_ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
...
[CAUSE]
ocfs2_info_freefrag_scan_chain() uses on-disk bg_bits directly as the
bitmap scan limit. The coherent path reads group descriptors through
ocfs2_read_group_descriptor(), which validates the descriptor before
use. The non-coherent path uses ocfs2_read_blocks_sync() instead and
skips that validation, so an impossible bg_bits value can drive the
bitmap walk past the end of the block.
[FIX]
Compute the bitmap capacity from the filesystem format with
ocfs2_group_bitmap_size(), report descriptors whose bg_bits exceeds
that limit, and clamp the scan to the computed capacity. This keeps the
freefrag report going while avoiding reads beyond the buffer.
Link: https://lkml.kernel.org/r/20260410034220.3825769-1-gality369@gmail.com
Fixes: d24a10b9f8ed ("Ocfs2: Add a new code 'OCFS2_INFO_FREEFRAG' for o2info ioctl.")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/ioctl.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c
index b6864602814c4..b004e7117a5f3 100644
--- a/fs/ocfs2/ioctl.c
+++ b/fs/ocfs2/ioctl.c
@@ -441,13 +441,16 @@ static int ocfs2_info_freefrag_scan_chain(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_group_desc *bg = NULL;
- unsigned int max_bits, num_clusters;
+ unsigned int max_bits, max_bitmap_bits, num_clusters;
unsigned int offset = 0, cluster, chunk;
unsigned int chunk_free, last_chunksize = 0;
if (!le32_to_cpu(rec->c_free))
goto bail;
+ max_bitmap_bits = 8 * ocfs2_group_bitmap_size(osb->sb, 0,
+ osb->s_feature_incompat);
+
do {
if (!bg)
blkno = le64_to_cpu(rec->c_blkno);
@@ -479,6 +482,19 @@ static int ocfs2_info_freefrag_scan_chain(struct ocfs2_super *osb,
continue;
max_bits = le16_to_cpu(bg->bg_bits);
+
+ /*
+ * Non-coherent scans read raw blocks and do not get the
+ * bg_bits validation from
+ * ocfs2_read_group_descriptor().
+ */
+ if (max_bits > max_bitmap_bits) {
+ mlog(ML_ERROR,
+ "Group desc #%llu has %u bits, max bitmap bits %u\n",
+ (unsigned long long)blkno, max_bits, max_bitmap_bits);
+ max_bits = max_bitmap_bits;
+ }
+
offset = 0;
for (chunk = 0; chunk < chunks_in_group; chunk++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 445/957] ocfs2: validate group add input before caching
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 444/957] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 446/957] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
` (517 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhengYuan Huang, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao,
Heming Zhao, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhengYuan Huang <gality369@gmail.com>
[ Upstream commit 70b672833f4025341c11b22c7f83778a5cd611bc ]
[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in
ocfs2_set_new_buffer_uptodate():
kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d
[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a
user-controlled group block before ocfs2_verify_group_and_input()
validates that block number. That helper is only valid for newly
allocated metadata and asserts that the block is not already present in
the chosen metadata cache. The code also uses INODE_CACHE(inode) even
though the group descriptor belongs to main_bm_inode and later journal
accesses use that cache context instead.
[FIX]
Validate the on-disk group descriptor before caching it, then add it to
the metadata cache tracked by INODE_CACHE(main_bm_inode). Keep the
validation failure path separate from the later cleanup path so we only
remove the buffer from that cache after it has actually been inserted.
This keeps the group buffer lifetime consistent across validation,
journaling, and cleanup.
Link: https://lkml.kernel.org/r/20260410020209.3786348-1-gality369@gmail.com
Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/resize.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
index ed7ed15ad9a73..583a411557ab9 100644
--- a/fs/ocfs2/resize.c
+++ b/fs/ocfs2/resize.c
@@ -508,14 +508,14 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
goto out_unlock;
}
- ocfs2_set_new_buffer_uptodate(INODE_CACHE(inode), group_bh);
-
ret = ocfs2_verify_group_and_input(main_bm_inode, fe, input, group_bh);
if (ret) {
mlog_errno(ret);
goto out_free_group_bh;
}
+ ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh);
+
trace_ocfs2_group_add((unsigned long long)input->group,
input->chain, input->clusters, input->frees);
@@ -523,7 +523,7 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
if (IS_ERR(handle)) {
mlog_errno(PTR_ERR(handle));
ret = -EINVAL;
- goto out_free_group_bh;
+ goto out_remove_cache;
}
cl_bpc = le16_to_cpu(fe->id2.i_chain.cl_bpc);
@@ -577,9 +577,11 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input)
out_commit:
ocfs2_commit_trans(osb, handle);
-out_free_group_bh:
+out_remove_cache:
if (ret < 0)
- ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh);
+ ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh);
+
+out_free_group_bh:
brelse(group_bh);
out_unlock:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 446/957] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 445/957] ocfs2: validate group add input before caching Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 447/957] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
` (516 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Khairul Anuar Romli, Vinod Koul,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khairul Anuar Romli <karom.9560@gmail.com>
[ Upstream commit 48278a72fce8a8d30efaedeb206c9c3f05c1eb3f ]
checkpatch.pl --strict reports a WARNING in dw-axi-dmac-platform.c:
WARNING: void function return statements are not generally useful
FILE: drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
According to Linux kernel coding style [Documentation/process/
coding-style.rst], explicit "return;" statements at the end of void
functions are redundant and should be omitted. The function will
automatically return upon reaching the closing brace, so the extra
statement adds unnecessary clutter without functional benefit.
This patch removes the superfluous "return;" statement in
dw_axi_dma_set_hw_channel() to comply with kernel coding standards and
eliminate the checkpatch warning.
Fixes: 32286e279385 ("dmaengine: dw-axi-dmac: Remove free slot check algorithm in dw_axi_dma_set_hw_channel")
Signed-off-by: Khairul Anuar Romli <karom.9560@gmail.com>
Link: https://patch.msgid.link/20260202060224.12616-4-karom.9560@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
index b23536645ff7c..b0e689f48bb67 100644
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -592,8 +592,6 @@ static void dw_axi_dma_set_hw_channel(struct axi_dma_chan *chan, bool set)
(chan->id * DMA_APB_HS_SEL_BIT_SIZE));
reg_value |= (val << (chan->id * DMA_APB_HS_SEL_BIT_SIZE));
lo_hi_writeq(reg_value, chip->apb_regs + DMAC_APB_HW_HS_SEL_0);
-
- return;
}
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 447/957] soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 446/957] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 448/957] soundwire: Intel: test bus.bpt_stream before assigning it Greg Kroah-Hartman
` (515 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cole Leavitt, Richard Fitzgerald,
Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 2c96956fe764f8224f9ec93b2a9160a578949a7a ]
The dev_warn() messages in sdw_handle_slave_status() for UNATTACHED
transitions were added in commit d1b328557058 ("soundwire: bus: add
dev_warn() messages to track UNATTACHED devices") to debug attachment
failures with dynamic debug enabled.
These warnings fire during normal operation -- for example when a codec
driver triggers a hardware reset after firmware download, causing the
device to momentarily go UNATTACHED before re-attaching -- producing
misleading noise on every boot.
Demote the messages to dev_dbg() so they remain available via dynamic
debug for diagnosing real attachment failures without alarming users
during expected initialization sequences.
Fixes: d1b328557058 ("soundwire: bus: add dev_warn() messages to track UNATTACHED devices")
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260218180210.9263-1-cole@unwrap.rs
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
index 55c1db8165340..14e1351a3f8ae 100644
--- a/drivers/soundwire/bus.c
+++ b/drivers/soundwire/bus.c
@@ -1899,8 +1899,8 @@ int sdw_handle_slave_status(struct sdw_bus *bus,
if (status[i] == SDW_SLAVE_UNATTACHED &&
slave->status != SDW_SLAVE_UNATTACHED) {
- dev_warn(&slave->dev, "Slave %d state check1: UNATTACHED, status was %d\n",
- i, slave->status);
+ dev_dbg(&slave->dev, "Slave %d state check1: UNATTACHED, status was %d\n",
+ i, slave->status);
sdw_modify_slave_status(slave, SDW_SLAVE_UNATTACHED);
/* Ensure driver knows that peripheral unattached */
@@ -1951,8 +1951,8 @@ int sdw_handle_slave_status(struct sdw_bus *bus,
if (slave->status == SDW_SLAVE_UNATTACHED)
break;
- dev_warn(&slave->dev, "Slave %d state check2: UNATTACHED, status was %d\n",
- i, slave->status);
+ dev_dbg(&slave->dev, "Slave %d state check2: UNATTACHED, status was %d\n",
+ i, slave->status);
sdw_modify_slave_status(slave, SDW_SLAVE_UNATTACHED);
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 448/957] soundwire: Intel: test bus.bpt_stream before assigning it
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 447/957] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 449/957] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
` (514 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Trimmer, Bard Liao,
Ranjani Sridharan, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bard Liao <yung-chuan.liao@linux.intel.com>
[ Upstream commit b2c9f1d5a7eb50bcdda607afef1378e552bbb490 ]
We only allow up to 1 bpt stream running on a SoundWire bus.
bus.bpt_stream will be assigned when it is opened and will be set to
NULL when it is closed. We do check bus->bpt_stream_refcount if the
stream type is SDW_STREAM_BPT in sdw_master_rt_alloc(), but at that
moment the bpt stream is allocated and set to bus.bpt_stream. It will
lead to the original bus.bpt_stream be changed to the new and not used
bpt stream. And it will be released and set to NULL when
sdw_slave_bpt_stream_add() return error as it supposed to. Then the
original stream will try to use the NULL bus.bpt_stream.
Fixes: 4c1ce9f37d8a ("soundwire: intel_ace2x: add BPT send_async/wait callbacks")
Reported-by: Simon Trimmer <simont@opensource.cirrus.com>
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Simon Trimmer <simont@opensource.cirrus.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://patch.msgid.link/20260126054045.2504103-1-yung-chuan.liao@linux.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/intel_ace2x.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/soundwire/intel_ace2x.c b/drivers/soundwire/intel_ace2x.c
index 5d08364ad6d14..5b73bbb73be6e 100644
--- a/drivers/soundwire/intel_ace2x.c
+++ b/drivers/soundwire/intel_ace2x.c
@@ -68,6 +68,11 @@ static int intel_ace2x_bpt_open_stream(struct sdw_intel *sdw, struct sdw_slave *
int dir;
int i;
+ if (cdns->bus.bpt_stream) {
+ dev_err(cdns->dev, "%s: BPT stream already exists\n", __func__);
+ return -EAGAIN;
+ }
+
stream = sdw_alloc_stream("BPT", SDW_STREAM_BPT);
if (!stream)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 449/957] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 448/957] soundwire: Intel: test bus.bpt_stream before assigning it Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 450/957] soundwire: cadence: Clear message complete before signaling waiting thread Greg Kroah-Hartman
` (513 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit ab2bf6d4c0a0152907b18d25c1b118ea5ea779df ]
Propagate the return value of of_dma_controller_register() in probe()
instead of ignoring it.
Fixes: a580b8c5429a6 ("dmaengine: mxs-dma: add dma support for i.MX23/28")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260225-mxsdma-module-v3-2-8f798b13baa6@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mxs-dma.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/mxs-dma.c b/drivers/dma/mxs-dma.c
index cfb9962417ef6..53f572b6b6fc6 100644
--- a/drivers/dma/mxs-dma.c
+++ b/drivers/dma/mxs-dma.c
@@ -824,6 +824,7 @@ static int mxs_dma_probe(struct platform_device *pdev)
if (ret) {
dev_err(mxs_dma->dma_device.dev,
"failed to register controller\n");
+ return ret;
}
dev_info(mxs_dma->dma_device.dev, "initialized\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 450/957] soundwire: cadence: Clear message complete before signaling waiting thread
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 449/957] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 451/957] tracing: remove size parameter in __trace_puts() Greg Kroah-Hartman
` (512 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Norman Bintang,
Pierre-Louis Bossart, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit cbfea84f820962c3c5394ff06e7e9344c96bf761 ]
Clear the CDNS_MCP_INT_RX_WL interrupt before signaling completion.
This is to prevent the potential race where:
- The main thread is scheduled immediately the completion is signaled,
and starts a new message
- The RX_WL IRQ for this new message happens before sdw_cdns_irq() has
been re-scheduled.
- When sdw_cdns_irq() is re-scheduled it clears the new RX_WL interrupt.
MAIN THREAD | IRQ THREAD
|
_cdns_xfer_msg() |
{ |
write data to FIFO |
wait_for_completion_timeout() |
<BLOCKED> | <---- RX_WL IRQ
| sdw_cdns_irq()
| {
| signal completion
<== RESCHEDULE <==
Handle message completion |
} |
|
Start new message |
_cdns_xfer_msg() |
{ |
write data to FIFO |
wait_for_completion_timeout() |
<BLOCKED> | <---- RX_WL IRQ
==> RESCHEDULE ==>
| // New RX_WL IRQ is cleared before
| // it has been handled.
| clear CDNS_MCP_INTSTAT
| return IRQ_HANDLED;
| }
Before this change, this error message was sometimes seen on kernels
that have large amounts of debugging enabled:
SCP Msg trf timed out
This error indicates that the completion has not been signalled after
500ms.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 956baa1992f9 ("soundwire: cdns: Add sdw_master_ops and IO transfer support")
Reported-by: Norman Bintang <normanbt@google.com>
Closes: https://issuetracker.google.com/issues/477099834
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
Link: https://patch.msgid.link/20260310113133.1707288-1-rf@opensource.cirrus.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/cadence_master.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
index 21bb491d026b4..d7a0a14ad9626 100644
--- a/drivers/soundwire/cadence_master.c
+++ b/drivers/soundwire/cadence_master.c
@@ -933,6 +933,14 @@ irqreturn_t sdw_cdns_irq(int irq, void *dev_id)
cdns_read_response(cdns);
+ /*
+ * Clear interrupt before signalling the completion to avoid
+ * a race between this thread and the main thread starting
+ * another TX.
+ */
+ cdns_writel(cdns, CDNS_MCP_INTSTAT, CDNS_MCP_INT_RX_WL);
+ int_status &= ~CDNS_MCP_INT_RX_WL;
+
if (defer && defer->msg) {
cdns_fill_msg_resp(cdns, defer->msg,
defer->length, 0);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 451/957] tracing: remove size parameter in __trace_puts()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 450/957] soundwire: cadence: Clear message complete before signaling waiting thread Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 452/957] tracing: move tracing declarations from kernel.h to a dedicated header Greg Kroah-Hartman
` (511 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google), Yury Norov,
Andy Shevchenko, Joel Fernandes, Aaron Tomlin, Andi Shyti,
Christophe Leroy (CS GROUP), Jani Nikula, Petr Pavlu,
Randy Dunlap, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 86e685ff364394b477cd1c476029480a2a1960c5 ]
The __trace_puts() function takes a string pointer and the size of the
string itself. All users currently simply pass in the strlen() of the
string it is also passing in. There's no reason to pass in the size.
Instead have the __trace_puts() function do the strlen() within the
function itself.
This fixes a header recursion issue where using strlen() in the macro
calling __trace_puts() requires adding #include <linux/string.h> in order
to use strlen(). Removing the use of strlen() from the header fixes the
recursion issue.
Link: https://lore.kernel.org/all/aUN8Hm377C5A0ILX@yury/
Link: https://lkml.kernel.org/r/20260116042510.241009-6-ynorov@nvidia.com
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Yury Norov <ynorov@nvidia.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Cc: Aaron Tomlin <atomlin@atomlin.com>
Cc: Andi Shyti <andi.shyti@linux.intel.com>
Cc: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 473e470f16f9 ("tracing: move __printf() attribute on __ftrace_vbprintk()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/kernel.h | 4 ++--
kernel/trace/trace.c | 7 +++----
kernel/trace/trace.h | 2 +-
3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 5b46924fdff52..d5a939b8c3911 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -331,10 +331,10 @@ int __trace_printk(unsigned long ip, const char *fmt, ...);
if (__builtin_constant_p(str)) \
__trace_bputs(_THIS_IP_, trace_printk_fmt); \
else \
- __trace_puts(_THIS_IP_, str, strlen(str)); \
+ __trace_puts(_THIS_IP_, str); \
})
extern int __trace_bputs(unsigned long ip, const char *str);
-extern int __trace_puts(unsigned long ip, const char *str, int size);
+extern int __trace_puts(unsigned long ip, const char *str);
extern void trace_dump_stack(int skip);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 2be9e47d64b08..55c9f51a2fda0 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1180,11 +1180,10 @@ EXPORT_SYMBOL_GPL(__trace_array_puts);
* __trace_puts - write a constant string into the trace buffer.
* @ip: The address of the caller
* @str: The constant string to write
- * @size: The size of the string.
*/
-int __trace_puts(unsigned long ip, const char *str, int size)
+int __trace_puts(unsigned long ip, const char *str)
{
- return __trace_array_puts(printk_trace, ip, str, size);
+ return __trace_array_puts(printk_trace, ip, str, strlen(str));
}
EXPORT_SYMBOL_GPL(__trace_puts);
@@ -1203,7 +1202,7 @@ int __trace_bputs(unsigned long ip, const char *str)
int size = sizeof(struct bputs_entry);
if (!printk_binsafe(tr))
- return __trace_puts(ip, str, strlen(str));
+ return __trace_puts(ip, str);
if (!(tr->trace_flags & TRACE_ITER_PRINTK))
return 0;
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index ec372e0f2e716..62d5a5f224c4a 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -2099,7 +2099,7 @@ extern void tracing_log_err(struct trace_array *tr,
* about performance). The internal_trace_puts() is for such
* a purpose.
*/
-#define internal_trace_puts(str) __trace_puts(_THIS_IP_, str, strlen(str))
+#define internal_trace_puts(str) __trace_puts(_THIS_IP_, str)
#undef FTRACE_ENTRY
#define FTRACE_ENTRY(call, struct_name, id, tstruct, print) \
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 452/957] tracing: move tracing declarations from kernel.h to a dedicated header
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 451/957] tracing: remove size parameter in __trace_puts() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 453/957] tracing: move __printf() attribute on __ftrace_vbprintk() Greg Kroah-Hartman
` (510 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Norov, Steven Rostedt,
Andy Shevchenko, Joel Fernandes, Aaron Tomlin, Andi Shyti,
Christophe Leroy (CS GROUP), Jani Nikula, Petr Pavlu,
Randy Dunlap, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yury Norov <ynorov@nvidia.com>
[ Upstream commit bec261fec6d41318e414c4064f2b67c6db628acd ]
Tracing is a half of the kernel.h in terms of LOCs, although it's a
self-consistent part. It is intended for quick debugging purposes and
isn't used by the normal tracing utilities.
Move it to a separate header. If someone needs to just throw a
trace_printk() in their driver, they will not have to pull all the heavy
tracing machinery.
This is a pure move.
Link: https://lkml.kernel.org/r/20260116042510.241009-7-ynorov@nvidia.com
Signed-off-by: Yury Norov <ynorov@nvidia.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
Cc: Aaron Tomlin <atomlin@atomlin.com>
Cc: Andi Shyti <andi.shyti@linux.intel.com>
Cc: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Petr Pavlu <petr.pavlu@suse.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 473e470f16f9 ("tracing: move __printf() attribute on __ftrace_vbprintk()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/kernel.h | 196 +--------------------------------
include/linux/trace_printk.h | 204 +++++++++++++++++++++++++++++++++++
2 files changed, 205 insertions(+), 195 deletions(-)
create mode 100644 include/linux/trace_printk.h
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index d5a939b8c3911..356a6f1db9dac 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -32,7 +32,7 @@
#include <linux/build_bug.h>
#include <linux/sprintf.h>
#include <linux/static_call_types.h>
-#include <linux/instruction_pointer.h>
+#include <linux/trace_printk.h>
#include <linux/util_macros.h>
#include <linux/wordpart.h>
@@ -192,200 +192,6 @@ enum system_states {
};
extern enum system_states system_state;
-/*
- * General tracing related utility functions - trace_printk(),
- * tracing_on/tracing_off and tracing_start()/tracing_stop
- *
- * Use tracing_on/tracing_off when you want to quickly turn on or off
- * tracing. It simply enables or disables the recording of the trace events.
- * This also corresponds to the user space /sys/kernel/tracing/tracing_on
- * file, which gives a means for the kernel and userspace to interact.
- * Place a tracing_off() in the kernel where you want tracing to end.
- * From user space, examine the trace, and then echo 1 > tracing_on
- * to continue tracing.
- *
- * tracing_stop/tracing_start has slightly more overhead. It is used
- * by things like suspend to ram where disabling the recording of the
- * trace is not enough, but tracing must actually stop because things
- * like calling smp_processor_id() may crash the system.
- *
- * Most likely, you want to use tracing_on/tracing_off.
- */
-
-enum ftrace_dump_mode {
- DUMP_NONE,
- DUMP_ALL,
- DUMP_ORIG,
- DUMP_PARAM,
-};
-
-#ifdef CONFIG_TRACING
-void tracing_on(void);
-void tracing_off(void);
-int tracing_is_on(void);
-void tracing_snapshot(void);
-void tracing_snapshot_alloc(void);
-
-extern void tracing_start(void);
-extern void tracing_stop(void);
-
-static inline __printf(1, 2)
-void ____trace_printk_check_format(const char *fmt, ...)
-{
-}
-#define __trace_printk_check_format(fmt, args...) \
-do { \
- if (0) \
- ____trace_printk_check_format(fmt, ##args); \
-} while (0)
-
-/**
- * trace_printk - printf formatting in the ftrace buffer
- * @fmt: the printf format for printing
- *
- * Note: __trace_printk is an internal function for trace_printk() and
- * the @ip is passed in via the trace_printk() macro.
- *
- * This function allows a kernel developer to debug fast path sections
- * that printk is not appropriate for. By scattering in various
- * printk like tracing in the code, a developer can quickly see
- * where problems are occurring.
- *
- * This is intended as a debugging tool for the developer only.
- * Please refrain from leaving trace_printks scattered around in
- * your code. (Extra memory is used for special buffers that are
- * allocated when trace_printk() is used.)
- *
- * A little optimization trick is done here. If there's only one
- * argument, there's no need to scan the string for printf formats.
- * The trace_puts() will suffice. But how can we take advantage of
- * using trace_puts() when trace_printk() has only one argument?
- * By stringifying the args and checking the size we can tell
- * whether or not there are args. __stringify((__VA_ARGS__)) will
- * turn into "()\0" with a size of 3 when there are no args, anything
- * else will be bigger. All we need to do is define a string to this,
- * and then take its size and compare to 3. If it's bigger, use
- * do_trace_printk() otherwise, optimize it to trace_puts(). Then just
- * let gcc optimize the rest.
- */
-
-#define trace_printk(fmt, ...) \
-do { \
- char _______STR[] = __stringify((__VA_ARGS__)); \
- if (sizeof(_______STR) > 3) \
- do_trace_printk(fmt, ##__VA_ARGS__); \
- else \
- trace_puts(fmt); \
-} while (0)
-
-#define do_trace_printk(fmt, args...) \
-do { \
- static const char *trace_printk_fmt __used \
- __section("__trace_printk_fmt") = \
- __builtin_constant_p(fmt) ? fmt : NULL; \
- \
- __trace_printk_check_format(fmt, ##args); \
- \
- if (__builtin_constant_p(fmt)) \
- __trace_bprintk(_THIS_IP_, trace_printk_fmt, ##args); \
- else \
- __trace_printk(_THIS_IP_, fmt, ##args); \
-} while (0)
-
-extern __printf(2, 3)
-int __trace_bprintk(unsigned long ip, const char *fmt, ...);
-
-extern __printf(2, 3)
-int __trace_printk(unsigned long ip, const char *fmt, ...);
-
-/**
- * trace_puts - write a string into the ftrace buffer
- * @str: the string to record
- *
- * Note: __trace_bputs is an internal function for trace_puts and
- * the @ip is passed in via the trace_puts macro.
- *
- * This is similar to trace_printk() but is made for those really fast
- * paths that a developer wants the least amount of "Heisenbug" effects,
- * where the processing of the print format is still too much.
- *
- * This function allows a kernel developer to debug fast path sections
- * that printk is not appropriate for. By scattering in various
- * printk like tracing in the code, a developer can quickly see
- * where problems are occurring.
- *
- * This is intended as a debugging tool for the developer only.
- * Please refrain from leaving trace_puts scattered around in
- * your code. (Extra memory is used for special buffers that are
- * allocated when trace_puts() is used.)
- *
- * Returns: 0 if nothing was written, positive # if string was.
- * (1 when __trace_bputs is used, strlen(str) when __trace_puts is used)
- */
-
-#define trace_puts(str) ({ \
- static const char *trace_printk_fmt __used \
- __section("__trace_printk_fmt") = \
- __builtin_constant_p(str) ? str : NULL; \
- \
- if (__builtin_constant_p(str)) \
- __trace_bputs(_THIS_IP_, trace_printk_fmt); \
- else \
- __trace_puts(_THIS_IP_, str); \
-})
-extern int __trace_bputs(unsigned long ip, const char *str);
-extern int __trace_puts(unsigned long ip, const char *str);
-
-extern void trace_dump_stack(int skip);
-
-/*
- * The double __builtin_constant_p is because gcc will give us an error
- * if we try to allocate the static variable to fmt if it is not a
- * constant. Even with the outer if statement.
- */
-#define ftrace_vprintk(fmt, vargs) \
-do { \
- if (__builtin_constant_p(fmt)) { \
- static const char *trace_printk_fmt __used \
- __section("__trace_printk_fmt") = \
- __builtin_constant_p(fmt) ? fmt : NULL; \
- \
- __ftrace_vbprintk(_THIS_IP_, trace_printk_fmt, vargs); \
- } else \
- __ftrace_vprintk(_THIS_IP_, fmt, vargs); \
-} while (0)
-
-extern __printf(2, 0) int
-__ftrace_vbprintk(unsigned long ip, const char *fmt, va_list ap);
-
-extern __printf(2, 0) int
-__ftrace_vprintk(unsigned long ip, const char *fmt, va_list ap);
-
-extern void ftrace_dump(enum ftrace_dump_mode oops_dump_mode);
-#else
-static inline void tracing_start(void) { }
-static inline void tracing_stop(void) { }
-static inline void trace_dump_stack(int skip) { }
-
-static inline void tracing_on(void) { }
-static inline void tracing_off(void) { }
-static inline int tracing_is_on(void) { return 0; }
-static inline void tracing_snapshot(void) { }
-static inline void tracing_snapshot_alloc(void) { }
-
-static inline __printf(1, 2)
-int trace_printk(const char *fmt, ...)
-{
- return 0;
-}
-static __printf(1, 0) inline int
-ftrace_vprintk(const char *fmt, va_list ap)
-{
- return 0;
-}
-static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
-#endif /* CONFIG_TRACING */
-
/* Rebuild everything on CONFIG_DYNAMIC_FTRACE */
#ifdef CONFIG_DYNAMIC_FTRACE
# define REBUILD_DUE_TO_DYNAMIC_FTRACE
diff --git a/include/linux/trace_printk.h b/include/linux/trace_printk.h
new file mode 100644
index 0000000000000..bb5874097f24e
--- /dev/null
+++ b/include/linux/trace_printk.h
@@ -0,0 +1,204 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _LINUX_TRACE_PRINTK_H
+#define _LINUX_TRACE_PRINTK_H
+
+#include <linux/compiler_attributes.h>
+#include <linux/instruction_pointer.h>
+#include <linux/stddef.h>
+#include <linux/stringify.h>
+
+/*
+ * General tracing related utility functions - trace_printk(),
+ * tracing_on/tracing_off and tracing_start()/tracing_stop
+ *
+ * Use tracing_on/tracing_off when you want to quickly turn on or off
+ * tracing. It simply enables or disables the recording of the trace events.
+ * This also corresponds to the user space /sys/kernel/tracing/tracing_on
+ * file, which gives a means for the kernel and userspace to interact.
+ * Place a tracing_off() in the kernel where you want tracing to end.
+ * From user space, examine the trace, and then echo 1 > tracing_on
+ * to continue tracing.
+ *
+ * tracing_stop/tracing_start has slightly more overhead. It is used
+ * by things like suspend to ram where disabling the recording of the
+ * trace is not enough, but tracing must actually stop because things
+ * like calling smp_processor_id() may crash the system.
+ *
+ * Most likely, you want to use tracing_on/tracing_off.
+ */
+
+enum ftrace_dump_mode {
+ DUMP_NONE,
+ DUMP_ALL,
+ DUMP_ORIG,
+ DUMP_PARAM,
+};
+
+#ifdef CONFIG_TRACING
+void tracing_on(void);
+void tracing_off(void);
+int tracing_is_on(void);
+void tracing_snapshot(void);
+void tracing_snapshot_alloc(void);
+
+extern void tracing_start(void);
+extern void tracing_stop(void);
+
+static inline __printf(1, 2)
+void ____trace_printk_check_format(const char *fmt, ...)
+{
+}
+#define __trace_printk_check_format(fmt, args...) \
+do { \
+ if (0) \
+ ____trace_printk_check_format(fmt, ##args); \
+} while (0)
+
+/**
+ * trace_printk - printf formatting in the ftrace buffer
+ * @fmt: the printf format for printing
+ *
+ * Note: __trace_printk is an internal function for trace_printk() and
+ * the @ip is passed in via the trace_printk() macro.
+ *
+ * This function allows a kernel developer to debug fast path sections
+ * that printk is not appropriate for. By scattering in various
+ * printk like tracing in the code, a developer can quickly see
+ * where problems are occurring.
+ *
+ * This is intended as a debugging tool for the developer only.
+ * Please refrain from leaving trace_printks scattered around in
+ * your code. (Extra memory is used for special buffers that are
+ * allocated when trace_printk() is used.)
+ *
+ * A little optimization trick is done here. If there's only one
+ * argument, there's no need to scan the string for printf formats.
+ * The trace_puts() will suffice. But how can we take advantage of
+ * using trace_puts() when trace_printk() has only one argument?
+ * By stringifying the args and checking the size we can tell
+ * whether or not there are args. __stringify((__VA_ARGS__)) will
+ * turn into "()\0" with a size of 3 when there are no args, anything
+ * else will be bigger. All we need to do is define a string to this,
+ * and then take its size and compare to 3. If it's bigger, use
+ * do_trace_printk() otherwise, optimize it to trace_puts(). Then just
+ * let gcc optimize the rest.
+ */
+
+#define trace_printk(fmt, ...) \
+do { \
+ char _______STR[] = __stringify((__VA_ARGS__)); \
+ if (sizeof(_______STR) > 3) \
+ do_trace_printk(fmt, ##__VA_ARGS__); \
+ else \
+ trace_puts(fmt); \
+} while (0)
+
+#define do_trace_printk(fmt, args...) \
+do { \
+ static const char *trace_printk_fmt __used \
+ __section("__trace_printk_fmt") = \
+ __builtin_constant_p(fmt) ? fmt : NULL; \
+ \
+ __trace_printk_check_format(fmt, ##args); \
+ \
+ if (__builtin_constant_p(fmt)) \
+ __trace_bprintk(_THIS_IP_, trace_printk_fmt, ##args); \
+ else \
+ __trace_printk(_THIS_IP_, fmt, ##args); \
+} while (0)
+
+extern __printf(2, 3)
+int __trace_bprintk(unsigned long ip, const char *fmt, ...);
+
+extern __printf(2, 3)
+int __trace_printk(unsigned long ip, const char *fmt, ...);
+
+/**
+ * trace_puts - write a string into the ftrace buffer
+ * @str: the string to record
+ *
+ * Note: __trace_bputs is an internal function for trace_puts and
+ * the @ip is passed in via the trace_puts macro.
+ *
+ * This is similar to trace_printk() but is made for those really fast
+ * paths that a developer wants the least amount of "Heisenbug" effects,
+ * where the processing of the print format is still too much.
+ *
+ * This function allows a kernel developer to debug fast path sections
+ * that printk is not appropriate for. By scattering in various
+ * printk like tracing in the code, a developer can quickly see
+ * where problems are occurring.
+ *
+ * This is intended as a debugging tool for the developer only.
+ * Please refrain from leaving trace_puts scattered around in
+ * your code. (Extra memory is used for special buffers that are
+ * allocated when trace_puts() is used.)
+ *
+ * Returns: 0 if nothing was written, positive # if string was.
+ * (1 when __trace_bputs is used, strlen(str) when __trace_puts is used)
+ */
+
+#define trace_puts(str) ({ \
+ static const char *trace_printk_fmt __used \
+ __section("__trace_printk_fmt") = \
+ __builtin_constant_p(str) ? str : NULL; \
+ \
+ if (__builtin_constant_p(str)) \
+ __trace_bputs(_THIS_IP_, trace_printk_fmt); \
+ else \
+ __trace_puts(_THIS_IP_, str); \
+})
+extern int __trace_bputs(unsigned long ip, const char *str);
+extern int __trace_puts(unsigned long ip, const char *str);
+
+extern void trace_dump_stack(int skip);
+
+/*
+ * The double __builtin_constant_p is because gcc will give us an error
+ * if we try to allocate the static variable to fmt if it is not a
+ * constant. Even with the outer if statement.
+ */
+#define ftrace_vprintk(fmt, vargs) \
+do { \
+ if (__builtin_constant_p(fmt)) { \
+ static const char *trace_printk_fmt __used \
+ __section("__trace_printk_fmt") = \
+ __builtin_constant_p(fmt) ? fmt : NULL; \
+ \
+ __ftrace_vbprintk(_THIS_IP_, trace_printk_fmt, vargs); \
+ } else \
+ __ftrace_vprintk(_THIS_IP_, fmt, vargs); \
+} while (0)
+
+extern __printf(2, 0) int
+__ftrace_vbprintk(unsigned long ip, const char *fmt, va_list ap);
+
+extern __printf(2, 0) int
+__ftrace_vprintk(unsigned long ip, const char *fmt, va_list ap);
+
+extern void ftrace_dump(enum ftrace_dump_mode oops_dump_mode);
+#else
+static inline void tracing_start(void) { }
+static inline void tracing_stop(void) { }
+static inline void trace_dump_stack(int skip) { }
+
+static inline void tracing_on(void) { }
+static inline void tracing_off(void) { }
+static inline int tracing_is_on(void) { return 0; }
+static inline void tracing_snapshot(void) { }
+static inline void tracing_snapshot_alloc(void) { }
+
+static inline __printf(1, 2)
+int trace_printk(const char *fmt, ...)
+{
+ return 0;
+}
+static __printf(1, 0) inline int
+ftrace_vprintk(const char *fmt, va_list ap)
+{
+ return 0;
+}
+static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
+#endif /* CONFIG_TRACING */
+
+#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 453/957] tracing: move __printf() attribute on __ftrace_vbprintk()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 452/957] tracing: move tracing declarations from kernel.h to a dedicated header Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 454/957] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
` (509 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Anna Schumaker,
Chuck Lever, Simon Horman, Mathieu Desnoyers, Andrew Morton,
Yury Norov, Randy Dunlap, Jeff Layton, Steven Rostedt (Google),
Arnd Bergmann, Andy Shevchenko, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 473e470f16f98569d59adc11c4a318780fb68fe9 ]
The sunrpc change to use trace_printk() for debugging caused
a new warning for every instance of dprintk() in some configurations,
when -Wformat-security is enabled:
fs/nfs/getroot.c: In function 'nfs_get_root':
fs/nfs/getroot.c:90:17: error: format not a string literal and no format arguments [-Werror=format-security]
90 | nfs_errorf(fc, "NFS: Couldn't getattr on root");
I've been slowly chipping away at those warnings over time with the
intention of enabling them by default in the future. While I could not
figure out why this only happens for this one instance, I see that the
__trace_bprintk() function is always called with a local variable as
the format string, rather than a literal.
Move the __printf(2,3) annotation on this function from the declaration
to the caller. As this is can only be validated for literals, the
attribute on the declaration causes the warnings every time, but
removing it entirely introduces a new warning on the __ftrace_vbprintk()
definition.
The format strings still get checked because the underlying literal keeps
getting passed into __trace_printk() in the "else" branch, which is not
taken but still evaluated for compile-time warnings.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Anna Schumaker <anna.schumaker@oracle.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Simon Horman <horms@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Yury Norov <ynorov@nvidia.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260203164545.3174910-1-arnd@kernel.org
Fixes: ec7d8e68ef0e ("sunrpc: add a Kconfig option to redirect dfprintk() output to trace buffer")
Acked-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/trace_printk.h | 1 -
kernel/trace/trace_printk.c | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/trace_printk.h b/include/linux/trace_printk.h
index bb5874097f24e..2670ec7f42629 100644
--- a/include/linux/trace_printk.h
+++ b/include/linux/trace_printk.h
@@ -107,7 +107,6 @@ do { \
__trace_printk(_THIS_IP_, fmt, ##args); \
} while (0)
-extern __printf(2, 3)
int __trace_bprintk(unsigned long ip, const char *fmt, ...);
extern __printf(2, 3)
diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
index 29f6e95439b67..48c085fcae7aa 100644
--- a/kernel/trace/trace_printk.c
+++ b/kernel/trace/trace_printk.c
@@ -197,6 +197,7 @@ struct notifier_block module_trace_bprintk_format_nb = {
.notifier_call = module_trace_bprintk_format_notify,
};
+__printf(2, 3)
int __trace_bprintk(unsigned long ip, const char *fmt, ...)
{
int ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 454/957] tracing: Rebuild full_name on each hist_field_name() call
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 453/957] tracing: move __printf() attribute on __ftrace_vbprintk() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 455/957] hte: tegra194: remove Kconfig dependency on Tegra194 SoC Greg Kroah-Hartman
` (508 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Zanussi, Pengpeng Hou,
Steven Rostedt (Google), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 5ec1d1e97de134beed3a5b08235a60fc1c51af96 ]
hist_field_name() uses a static MAX_FILTER_STR_VAL buffer for fully
qualified variable-reference names, but it currently appends into that
buffer with strcat() without rebuilding it first. As a result, repeated
calls append a new "system.event.field" name onto the previous one,
which can eventually run past the end of full_name.
Build the name with snprintf() on each call and return NULL if the fully
qualified name does not fit in MAX_FILTER_STR_VAL.
Link: https://patch.msgid.link/20260401112224.85582-1-pengpeng@iscas.ac.cn
Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Tested-by: Tom Zanussi <zanussi@kernel.org>
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 2a0726e1bc97f..cb9e067138683 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1355,12 +1355,14 @@ static const char *hist_field_name(struct hist_field *field,
field->flags & HIST_FIELD_FL_VAR_REF) {
if (field->system) {
static char full_name[MAX_FILTER_STR_VAL];
+ int len;
+
+ len = snprintf(full_name, sizeof(full_name), "%s.%s.%s",
+ field->system, field->event_name,
+ field->name);
+ if (len >= sizeof(full_name))
+ return NULL;
- strcat(full_name, field->system);
- strcat(full_name, ".");
- strcat(full_name, field->event_name);
- strcat(full_name, ".");
- strcat(full_name, field->name);
field_name = full_name;
} else
field_name = field->name;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 455/957] hte: tegra194: remove Kconfig dependency on Tegra194 SoC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 454/957] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 456/957] remoteproc: xlnx: Fix sram property parsing Greg Kroah-Hartman
` (507 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Dipen Patel,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
[ Upstream commit 92dfd92f747698352b256cd9ddd7497bb7ebe9c8 ]
This driver runs also on other Tegra SoCs (e.g. Tegra234).
Replace Kconfig dependency on Tegra194 with more generic dependency on
Tegra, and amend the Kconfig help text to reflect the fact that this
driver works on SoCs other than Tegra194.
Fixes: b003fb5c9df8 ("hte: Add Tegra234 provider")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Acked-by: Dipen Patel <dipenp@nvidia.com>
Signed-off-by: Dipen Patel <dipenp@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hte/Kconfig | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/hte/Kconfig b/drivers/hte/Kconfig
index 641af722b555d..f57bad67deef0 100644
--- a/drivers/hte/Kconfig
+++ b/drivers/hte/Kconfig
@@ -16,13 +16,13 @@ if HTE
config HTE_TEGRA194
tristate "NVIDIA Tegra194 HTE Support"
- depends on (ARCH_TEGRA_194_SOC || COMPILE_TEST)
+ depends on (ARCH_TEGRA || COMPILE_TEST)
depends on GPIOLIB
help
Enable this option for integrated hardware timestamping engine also
known as generic timestamping engine (GTE) support on NVIDIA Tegra194
- systems-on-chip. The driver supports 352 LIC IRQs and 39 AON GPIOs
- lines for timestamping in realtime.
+ and later systems-on-chip. The driver supports 352 LIC IRQs and 39
+ AON GPIOs lines for timestamping in realtime.
config HTE_TEGRA194_TEST
tristate "NVIDIA Tegra194 HTE Test"
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 456/957] remoteproc: xlnx: Fix sram property parsing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 455/957] hte: tegra194: remove Kconfig dependency on Tegra194 SoC Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 457/957] stop_machine: Fix the documentation for a NULL cpus argument Greg Kroah-Hartman
` (506 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Michals, Tanmay Shah,
Mathieu Poirier, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Michals <tcmichals@yahoo.com>
[ Upstream commit d116bccf6f1c199b27c9ebdf07cc3cfe868f919c ]
As per sram bindings, "sram" property can be list of phandles.
When more than one sram phandles are listed, driver can't parse second
phandle's address correctly. Because, phandle index is passed to the API
instead of offset of address from reg property which is always 0 as per
sram.yaml bindings. Fix it by passing 0 to the API instead of sram
phandle index.
Fixes: 77fcdf51b8ca ("remoteproc: xlnx: Add sram support")
Signed-off-by: Tim Michals <tcmichals@yahoo.com>
Signed-off-by: Tanmay Shah <tanmay.shah@amd.com>
Link: https://lore.kernel.org/r/20260204202730.3729984-1-tanmay.shah@amd.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/xlnx_r5_remoteproc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/remoteproc/xlnx_r5_remoteproc.c b/drivers/remoteproc/xlnx_r5_remoteproc.c
index b30f660a1c553..5ef586fd37bca 100644
--- a/drivers/remoteproc/xlnx_r5_remoteproc.c
+++ b/drivers/remoteproc/xlnx_r5_remoteproc.c
@@ -1022,7 +1022,7 @@ static int zynqmp_r5_get_sram_banks(struct zynqmp_r5_core *r5_core)
}
/* Get SRAM device address */
- ret = of_property_read_reg(sram_np, i, &abs_addr, &size);
+ ret = of_property_read_reg(sram_np, 0, &abs_addr, &size);
if (ret) {
dev_err(dev, "failed to get reg property\n");
goto fail_sram_get;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 457/957] stop_machine: Fix the documentation for a NULL cpus argument
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 456/957] remoteproc: xlnx: Fix sram property parsing Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 458/957] remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode() Greg Kroah-Hartman
` (505 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Paul E. McKenney, Sebastian Andrzej Siewior, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit 48f7a50c027dd2abb9e7b8a6ecc8e531d87f2c21 ]
A recent refactoring of the kernel-docs for stop machine changed the
description of the cpus parameter from "NULL = any online cpu"
to "NULL = run on each online CPU".
However the callback is only executed on a single CPU, not all of them.
The old wording was a bit ambiguous and could have been read both ways.
Reword the documentation to be correct again and hopefully also clearer.
Fixes: fc6f89dc7078 ("stop_machine: Improve kernel-doc function-header comments")
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/stop_machine.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/stop_machine.h b/include/linux/stop_machine.h
index 72820503514cc..01011113d2263 100644
--- a/include/linux/stop_machine.h
+++ b/include/linux/stop_machine.h
@@ -99,7 +99,7 @@ static inline void print_stop_info(const char *log_lvl, struct task_struct *task
* stop_machine: freeze the machine on all CPUs and run this function
* @fn: the function to run
* @data: the data ptr to pass to @fn()
- * @cpus: the cpus to run @fn() on (NULL = run on each online CPU)
+ * @cpus: the cpus to run @fn() on (NULL = one unspecified online CPU)
*
* Description: This causes a thread to be scheduled on every CPU, which
* will run with interrupts disabled. Each CPU specified by @cpus will
@@ -133,7 +133,7 @@ int stop_machine(cpu_stop_fn_t fn, void *data, const struct cpumask *cpus);
* stop_machine_cpuslocked: freeze the machine on all CPUs and run this function
* @fn: the function to run
* @data: the data ptr to pass to @fn()
- * @cpus: the cpus to run @fn() on (NULL = run on each online CPU)
+ * @cpus: the cpus to run @fn() on (NULL = one unspecified online CPU)
*
* Same as above. Avoids nested calls to cpus_read_lock().
*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 458/957] remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 457/957] stop_machine: Fix the documentation for a NULL cpus argument Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 459/957] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
` (504 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peng Fan, Chen Ni, Mathieu Poirier,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit a48c6676912fb808d2af1b8344d8656815a3e108 ]
Add error checking for regmap_attach_dev() call in
imx_rproc_mmio_detect_mode() function to ensure proper error
propagation.
Return the value of regmap_attach_dev() if it fails to prevent
proceeding with an incomplete regmap setup.
Suggested-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Fixes: e14168bf3493 ("remoteproc: imx_rproc: Simplify IMX_RPROC_MMIO switch case")
Link: https://lore.kernel.org/r/20260209051407.1467660-1-nichen@iscas.ac.cn
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/imx_rproc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
index 7ef99eac37f1a..8fa81d3779849 100644
--- a/drivers/remoteproc/imx_rproc.c
+++ b/drivers/remoteproc/imx_rproc.c
@@ -899,7 +899,11 @@ static int imx_rproc_mmio_detect_mode(struct rproc *rproc)
}
priv->regmap = regmap;
- regmap_attach_dev(dev, regmap, &config);
+ ret = regmap_attach_dev(dev, regmap, &config);
+ if (ret) {
+ dev_err(dev, "regmap attach failed\n");
+ return ret;
+ }
if (priv->gpr) {
ret = regmap_read(priv->gpr, dcfg->gpr_reg, &val);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 459/957] ima: check return value of crypto_shash_final() in boot aggregate
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 458/957] remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 460/957] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
` (503 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Roberto Sassu,
Mimi Zohar, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <hodgesd@meta.com>
[ Upstream commit 870819434c8dfcc3158033b66e7851b81bb17e21 ]
The return value of crypto_shash_final() is not checked in
ima_calc_boot_aggregate_tfm(). If the hash finalization fails, the
function returns success and a corrupted boot aggregate digest could
be used for IMA measurements.
Capture the return value and propagate any error to the caller.
Fixes: 76bb28f6126f ("ima: use new crypto_shash API instead of old crypto_hash")
Signed-off-by: Daniel Hodges <hodgesd@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 6f5696d999d0d..8ae7821a65c26 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -832,7 +832,7 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
}
}
if (!rc)
- crypto_shash_final(shash, digest);
+ rc = crypto_shash_final(shash, digest);
return rc;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 460/957] HID: asus: make asus_resume adhere to linux kernel coding standards
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 459/957] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 461/957] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
` (502 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 51d33b42b8ae23da92819d28439fdd5636c45186 ]
Linux kernel coding standars requires functions opening brackets to be in
a newline: move the opening bracket of asus_resume in its own line.
Fixes: 546edbd26cff ("HID: hid-asus: reset the backlight brightness level on resume")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 5a068f6fd2ce5..b9dfb38b0df4f 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1095,7 +1095,8 @@ static int asus_start_multitouch(struct hid_device *hdev)
return 0;
}
-static int __maybe_unused asus_resume(struct hid_device *hdev) {
+static int __maybe_unused asus_resume(struct hid_device *hdev)
+{
struct asus_drvdata *drvdata = hid_get_drvdata(hdev);
int ret = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 461/957] HID: asus: do not abort probe when not necessary
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 460/957] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 462/957] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
` (501 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Benato, Jiri Kosina,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 7253091766ded0fd81fe8d8be9b8b835495b06e8 ]
In order to avoid dereferencing a NULL pointer asus_probe is aborted early
and control of some asus devices is transferred over hid-generic after
erroring out even when such NULL dereference cannot happen: only early
abort when the NULL dereference can happen.
Also make the code shorter and more adherent to coding standards
removing square brackets enclosing single-line if-else statements.
Fixes: d3af6ca9a8c3 ("HID: asus: fix UAF via HID_CLAIMED_INPUT validation")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-asus.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index b9dfb38b0df4f..1746e8ea50ddf 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1223,22 +1223,17 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id)
* were freed during registration due to no usages being mapped,
* leaving drvdata->input pointing to freed memory.
*/
- if (!drvdata->input || !(hdev->claimed & HID_CLAIMED_INPUT)) {
- hid_err(hdev, "Asus input not registered\n");
- ret = -ENOMEM;
- goto err_stop_hw;
- }
-
- if (drvdata->tp) {
- drvdata->input->name = "Asus TouchPad";
- } else {
- drvdata->input->name = "Asus Keyboard";
- }
+ if (drvdata->input && (hdev->claimed & HID_CLAIMED_INPUT)) {
+ if (drvdata->tp)
+ drvdata->input->name = "Asus TouchPad";
+ else
+ drvdata->input->name = "Asus Keyboard";
- if (drvdata->tp) {
- ret = asus_start_multitouch(hdev);
- if (ret)
- goto err_stop_hw;
+ if (drvdata->tp) {
+ ret = asus_start_multitouch(hdev);
+ if (ret)
+ goto err_stop_hw;
+ }
}
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 462/957] mtd: physmap_of_gemini: Fix disabled pinctrl state check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 461/957] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 463/957] ima_fs: Correctly create securityfs files for unsupported hash algos Greg Kroah-Hartman
` (500 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Linus Walleij,
Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit b7c0982184b0661f5b1b805f3a56f1bd3757b63e ]
The condition for checking the disabled pinctrl state incorrectly checks
gf->enabled_state instead of gf->disabled_state. This causes misleading
error messages and could lead to incorrect behavior when only one of the
pinctrl states is defined.
Fix the condition to properly check gf->disabled_state.
Fixes: 9d3b5086f6d4 ("mtd: physmap_of_gemini: Handle pin control")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/maps/physmap-gemini.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/maps/physmap-gemini.c b/drivers/mtd/maps/physmap-gemini.c
index 9d3b4bf84a1ad..1c34b4ef77ea3 100644
--- a/drivers/mtd/maps/physmap-gemini.c
+++ b/drivers/mtd/maps/physmap-gemini.c
@@ -181,7 +181,7 @@ int of_flash_probe_gemini(struct platform_device *pdev,
dev_err(dev, "no enabled pin control state\n");
gf->disabled_state = pinctrl_lookup_state(gf->p, "disabled");
- if (IS_ERR(gf->enabled_state)) {
+ if (IS_ERR(gf->disabled_state)) {
dev_err(dev, "no disabled pin control state\n");
} else {
ret = pinctrl_select_state(gf->p, gf->disabled_state);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 463/957] ima_fs: Correctly create securityfs files for unsupported hash algos
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 462/957] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 464/957] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range Greg Kroah-Hartman
` (499 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Safonov, Enrico Bravi,
Silvia Sisinni, Roberto Sassu, Mimi Zohar, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Safonov <dima@arista.com>
[ Upstream commit d7bd8cf0b348d3edae7bee33e74a32b21668b181 ]
ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
HASH_ALGO__LAST if the TPM algorithm is not supported. However there
are places relying on the algorithm to be valid because it is accessed
by hash_algo_name[].
On 6.12.40 I observe the following read out-of-bounds in hash_algo_name:
==================================================================
BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440
Read of size 8 at addr ffffffff83e18138 by task swapper/0/1
CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3
Call Trace:
<TASK>
dump_stack_lvl+0x61/0x90
print_report+0xc4/0x580
? kasan_addr_to_slab+0x26/0x80
? create_securityfs_measurement_lists+0x396/0x440
kasan_report+0xc2/0x100
? create_securityfs_measurement_lists+0x396/0x440
create_securityfs_measurement_lists+0x396/0x440
ima_fs_init+0xa3/0x300
ima_init+0x7d/0xd0
init_ima+0x28/0x100
do_one_initcall+0xa6/0x3e0
kernel_init_freeable+0x455/0x740
kernel_init+0x24/0x1d0
ret_from_fork+0x38/0x80
ret_from_fork_asm+0x11/0x20
</TASK>
The buggy address belongs to the variable:
hash_algo_name+0xb8/0x420
Memory state around the buggy address:
ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
^
ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
==================================================================
Seems like the TPM chip supports sha3_256, which isn't yet in
tpm_algorithms:
tpm tpm0: TPM with unsupported bank algorithm 0x0027
That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0
Library Part 2: Structures", page 51 [1].
See also the related U-Boot algorithms update [2].
Thus solve the problem by creating a file name with "_tpm_alg_<ID>"
postfix if the crypto algorithm isn't initialized.
This is how it looks on the test machine (patch ported to v6.12 release):
# ls -1 /sys/kernel/security/ima/
ascii_runtime_measurements
ascii_runtime_measurements_tpm_alg_27
ascii_runtime_measurements_sha1
ascii_runtime_measurements_sha256
binary_runtime_measurements
binary_runtime_measurements_tpm_alg_27
binary_runtime_measurements_sha1
binary_runtime_measurements_sha256
policy
runtime_measurements_count
violations
[1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf
[2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html
Fixes: 9fa8e7625008 ("ima: add crypto agility support for template-hash algorithm")
Signed-off-by: Dmitry Safonov <dima@arista.com>
Cc: Enrico Bravi <enrico.bravi@polito.it>
Cc: Silvia Sisinni <silvia.sisinni@polito.it>
Cc: Roberto Sassu <roberto.sassu@huawei.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Tested-by: Roberto Sassu <roberto.sassu@huawei.com>
Link: https://github.com/linux-integrity/linux/issues/14
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_fs.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 87045b09f1206..25970867f594e 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -404,16 +404,24 @@ static int __init create_securityfs_measurement_lists(void)
char file_name[NAME_MAX + 1];
struct dentry *dentry;
- sprintf(file_name, "ascii_runtime_measurements_%s",
- hash_algo_name[algo]);
+ if (algo == HASH_ALGO__LAST)
+ sprintf(file_name, "ascii_runtime_measurements_tpm_alg_%x",
+ ima_tpm_chip->allocated_banks[i].alg_id);
+ else
+ sprintf(file_name, "ascii_runtime_measurements_%s",
+ hash_algo_name[algo]);
dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
ima_dir, (void *)(uintptr_t)i,
&ima_ascii_measurements_ops);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
- sprintf(file_name, "binary_runtime_measurements_%s",
- hash_algo_name[algo]);
+ if (algo == HASH_ALGO__LAST)
+ sprintf(file_name, "binary_runtime_measurements_tpm_alg_%x",
+ ima_tpm_chip->allocated_banks[i].alg_id);
+ else
+ sprintf(file_name, "binary_runtime_measurements_%s",
+ hash_algo_name[algo]);
dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
ima_dir, (void *)(uintptr_t)i,
&ima_measurements_ops);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 464/957] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 463/957] ima_fs: Correctly create securityfs files for unsupported hash algos Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 465/957] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
` (498 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Marc Zyngier,
Rob Herring (Arm), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 15cfc8984defc17e5e4de1f58db7b993240fcbda ]
According to the "Arm Generic Interrupt Controller (GIC) Architecture
Specification, v3 and v4", revision H.b[1], there can be only 64
Extended PPI interrupts.
[1] https://developer.arm.com/documentation/ihi0069/hb/
Fixes: 4b049063e0bcbfd3 ("dt-bindings: interrupt-controller: arm,gic-v3: Describe EPPI range support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Brain-farted-by: Marc Zyngier <maz@kernel.org>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://patch.msgid.link/3e49a63c6b2b6ee48e3737adee87781f9c136c5f.1772792753.git.geert+renesas@glider.be
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../devicetree/bindings/interrupt-controller/arm,gic-v3.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
index f3247a47f9eed..71e6016fe3ca0 100644
--- a/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
+++ b/Documentation/devicetree/bindings/interrupt-controller/arm,gic-v3.yaml
@@ -50,7 +50,7 @@ properties:
The 2nd cell contains the interrupt number for the interrupt type.
SPI interrupts are in the range [0-987]. PPI interrupts are in the
range [0-15]. Extended SPI interrupts are in the range [0-1023].
- Extended PPI interrupts are in the range [0-127].
+ Extended PPI interrupts are in the range [0-63].
The 3rd cell is the flags, encoded as follows:
bits[3:0] trigger type and level flags.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 465/957] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 464/957] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 466/957] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
` (497 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haibo Chen, Pratyush Yadav,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit 756564a536ecd8c9d33edd89f0647a91a0b03587 ]
When check read operation, need to setting the op.dummy.nbytes based
on current read operation rather than the nor->read_proto.
Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
index 20ea80450f222..19dc13faf9fd9 100644
--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -2393,7 +2393,7 @@ static int spi_nor_spimem_check_readop(struct spi_nor *nor,
/* convert the dummy cycles to the number of bytes */
op.dummy.nbytes = (read->num_mode_clocks + read->num_wait_states) *
op.dummy.buswidth / 8;
- if (spi_nor_protocol_is_dtr(nor->read_proto))
+ if (spi_nor_protocol_is_dtr(read->proto))
op.dummy.nbytes *= 2;
return spi_nor_spimem_check_op(nor, &op);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 466/957] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 465/957] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 467/957] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
` (496 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Takahiro Kuwano,
Pratyush Yadav, Sasha Levin, Marek Vasut
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit 653f6def567c81f37302f9591ffd54df3e2a11eb ]
SMPT contains config detection info that describes opcode, address, and
dummy cycles to read sector map config. The dummy cycles parameter can
be SMPT_CMD_READ_DUMMY_IS_VARIABLE and in that case nor->read_dummy
(initialized as 0) is used. In Infineon flash chips, Read Any Register
command with variable dummy cycle is defined in SMPT. S25Hx/S28Hx flash
has 0 dummy cycle by default to read volatile regiters and
nor->read_dummy can work. S25FS-S flash has 8 dummy cycles so we need a
hook that can fix dummy cycles with actually used value.
Inroduce smpt_read_dummy() in struct spi_nor_fixups. It is called when
the dummy cycle field in SMPT config detection is 'varialble'.
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # S25FS512S
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 3 +++
drivers/mtd/spi-nor/sfdp.c | 18 ++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index ceff412f7d65a..5ad46d95d09cc 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -409,6 +409,8 @@ struct spi_nor_flash_parameter {
* flash parameters when information provided by the flash_info
* table is incomplete or wrong.
* @post_bfpt: called after the BFPT table has been parsed
+ * @smpt_read_dummy: called during SMPT table is being parsed. Used to fix the
+ * number of dummy cycles in read register ops.
* @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
@@ -426,6 +428,7 @@ struct spi_nor_fixups {
int (*post_bfpt)(struct spi_nor *nor,
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
+ void (*smpt_read_dummy)(const struct spi_nor *nor, u8 *read_dummy);
int (*post_sfdp)(struct spi_nor *nor);
int (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index 21727f9a4ac69..9a47dcaca06ae 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -699,6 +699,17 @@ static u8 spi_nor_smpt_addr_nbytes(const struct spi_nor *nor, const u32 settings
}
}
+static void spi_nor_smpt_read_dummy_fixups(const struct spi_nor *nor,
+ u8 *read_dummy)
+{
+ if (nor->manufacturer && nor->manufacturer->fixups &&
+ nor->manufacturer->fixups->smpt_read_dummy)
+ nor->manufacturer->fixups->smpt_read_dummy(nor, read_dummy);
+
+ if (nor->info->fixups && nor->info->fixups->smpt_read_dummy)
+ nor->info->fixups->smpt_read_dummy(nor, read_dummy);
+}
+
/**
* spi_nor_smpt_read_dummy() - return the configuration detection command read
* latency, in clock cycles.
@@ -711,8 +722,11 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
{
u8 read_dummy = SMPT_CMD_READ_DUMMY(settings);
- if (read_dummy == SMPT_CMD_READ_DUMMY_IS_VARIABLE)
- return nor->read_dummy;
+ if (read_dummy == SMPT_CMD_READ_DUMMY_IS_VARIABLE) {
+ read_dummy = nor->read_dummy;
+ spi_nor_smpt_read_dummy_fixups(nor, &read_dummy);
+ }
+
return read_dummy;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 467/957] mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 466/957] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 468/957] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
` (495 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Tudor Ambarus,
Takahiro Kuwano, Pratyush Yadav, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
[ Upstream commit f74de390557bf2bcc5dca4a357b41c0701d3f76e ]
Certain chips have inconsistent Sector Map Parameter Table (SMPT) data,
which leads to the wrong map ID being identified, causing failures to
detect the correct sector map.
To fix this, introduce smpt_map_id() into the struct spi_nor_fixups.
This function will be called after the initial SMPT-based detection,
allowing chip-specific logic to correct the map ID.
Infineon S25FS512S needs this fixup as it has inconsistency between map
ID definition and configuration register value actually obtained.
Co-developed-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # S25FS512S
Signed-off-by: Takahiro Kuwano <Takahiro.Kuwano@infineon.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Stable-dep-of: 3620d67b4849 ("mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 3 +++
drivers/mtd/spi-nor/sfdp.c | 12 ++++++++++++
2 files changed, 15 insertions(+)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 5ad46d95d09cc..16b382d4f04f2 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -411,6 +411,8 @@ struct spi_nor_flash_parameter {
* @post_bfpt: called after the BFPT table has been parsed
* @smpt_read_dummy: called during SMPT table is being parsed. Used to fix the
* number of dummy cycles in read register ops.
+ * @smpt_map_id: called after map ID in SMPT table has been determined for the
+ * case the map ID is wrong and needs to be fixed.
* @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
@@ -429,6 +431,7 @@ struct spi_nor_fixups {
const struct sfdp_parameter_header *bfpt_header,
const struct sfdp_bfpt *bfpt);
void (*smpt_read_dummy)(const struct spi_nor *nor, u8 *read_dummy);
+ void (*smpt_map_id)(const struct spi_nor *nor, u8 *map_id);
int (*post_sfdp)(struct spi_nor *nor);
int (*late_init)(struct spi_nor *nor);
};
diff --git a/drivers/mtd/spi-nor/sfdp.c b/drivers/mtd/spi-nor/sfdp.c
index 9a47dcaca06ae..a8324c2da0acf 100644
--- a/drivers/mtd/spi-nor/sfdp.c
+++ b/drivers/mtd/spi-nor/sfdp.c
@@ -730,6 +730,16 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
return read_dummy;
}
+static void spi_nor_smpt_map_id_fixups(const struct spi_nor *nor, u8 *map_id)
+{
+ if (nor->manufacturer && nor->manufacturer->fixups &&
+ nor->manufacturer->fixups->smpt_map_id)
+ nor->manufacturer->fixups->smpt_map_id(nor, map_id);
+
+ if (nor->info->fixups && nor->info->fixups->smpt_map_id)
+ nor->info->fixups->smpt_map_id(nor, map_id);
+}
+
/**
* spi_nor_get_map_in_use() - get the configuration map in use
* @nor: pointer to a 'struct spi_nor'
@@ -783,6 +793,8 @@ static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt,
map_id = map_id << 1 | !!(*buf & read_data_mask);
}
+ spi_nor_smpt_map_id_fixups(nor, &map_id);
+
/*
* If command descriptors are provided, they always precede map
* descriptors in the table. There is no need to start the iteration
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 468/957] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 467/957] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 469/957] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
` (494 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Pratyush Yadav,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit 3620d67b48493c6252bbc873dc88dde81641d56b ]
After commit 5273cc6df984 ("mtd: spi-nor: core: Call
spi_nor_post_sfdp_fixups() only when SFDP is defined")
spi_nor_post_sfdp_fixups() isn't called anymore if no SFDP is detected.
Update the documentation accordingly.
Fixes: 5273cc6df984 ("mtd: spi-nor: core: Call spi_nor_post_sfdp_fixups() only when SFDP is defined")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/core.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/core.h b/drivers/mtd/spi-nor/core.h
index 16b382d4f04f2..e838c40a25897 100644
--- a/drivers/mtd/spi-nor/core.h
+++ b/drivers/mtd/spi-nor/core.h
@@ -413,7 +413,7 @@ struct spi_nor_flash_parameter {
* number of dummy cycles in read register ops.
* @smpt_map_id: called after map ID in SMPT table has been determined for the
* case the map ID is wrong and needs to be fixed.
- * @post_sfdp: called after SFDP has been parsed (is also called for SPI NORs
+ * @post_sfdp: called after SFDP has been parsed (is not called for SPI NORs
* that do not support RDSFDP). Typically used to tweak various
* parameters that could not be extracted by other means (i.e.
* when information provided by the SFDP/flash_info tables are
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 469/957] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 468/957] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 470/957] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
` (493 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Michael Walle,
Miquel Raynal, Pratyush Yadav (Google), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit 94645aa41bf9ecb87c2ce78b1c3405bfb6074a37 ]
When the chip does not support top/bottom block protect, the tb_mask
must be set to 0, otherwise SR1 bit5 will be unexpectedly modified.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Fixes: 3dd8012a8eeb ("mtd: spi-nor: add TB (Top/Bottom) protect support")
Reviewed-by: Michael Walle <mwalle@kernel.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/spi-nor/swp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/swp.c b/drivers/mtd/spi-nor/swp.c
index 9b07f83aeac76..e67a81dbb6bf6 100644
--- a/drivers/mtd/spi-nor/swp.c
+++ b/drivers/mtd/spi-nor/swp.c
@@ -28,8 +28,10 @@ static u8 spi_nor_get_sr_tb_mask(struct spi_nor *nor)
{
if (nor->flags & SNOR_F_HAS_SR_TB_BIT6)
return SR_TB_BIT6;
- else
+ else if (nor->flags & SNOR_F_HAS_SR_TB)
return SR_TB_BIT5;
+ else
+ return 0;
}
static u64 spi_nor_get_min_prot_length_sr(struct spi_nor *nor)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 470/957] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 469/957] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 471/957] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
` (492 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Tommaso Merciai,
Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
[ Upstream commit 0c87dea1aab86116211cb37387c404c9e9231c39 ]
ofpart_none can only be reached after the for_each_child_of_node() loop
finishes. for_each_child_of_node() correctly calls of_node_put() for all
device nodes it iterates over as long as we don't break or jump out of
the loop.
Calling of_node_put() inside the ofpart_none path will wrongly decrement
the ref count of the last node in the for_each_child_of_node() loop.
Move the call to of_node_put() under the ofpart_fail label to fix this.
Fixes: ebd5a74db74e ("mtd: ofpart: Check availability of reg property instead of name property")
Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/ofpart_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/ofpart_core.c b/drivers/mtd/parsers/ofpart_core.c
index 09961c6f39496..a5ba78c6723ee 100644
--- a/drivers/mtd/parsers/ofpart_core.c
+++ b/drivers/mtd/parsers/ofpart_core.c
@@ -191,11 +191,11 @@ static int parse_fixed_partitions(struct mtd_info *master,
ofpart_fail:
pr_err("%s: error parsing ofpart partition %pOF (%pOF)\n",
master->name, pp, mtd_node);
+ of_node_put(pp);
ret = -EINVAL;
ofpart_none:
if (dedicated)
of_node_put(ofpart_node);
- of_node_put(pp);
kfree(parts);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 471/957] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 470/957] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 472/957] cxl/pci: Check memdev driver binding status in cxl_reset_done() Greg Kroah-Hartman
` (491 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Tommaso Merciai,
Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
[ Upstream commit e882626c1747653f1f01ea9d12e278e613b11d0f ]
In order to parse sub-partitions, add_mtd_partitions() calls
parse_mtd_partitions() for all previously found partitions.
Each partition will end up being passed to parse_fixed_partitions(), and
its of_node will be treated as the ofpart_node.
Commit 7cce81df7d26 ("mtd: parsers: ofpart: fix OF node refcount leak in
parse_fixed_partitions()") added of_node_put() calls for ofpart_node on
all exit paths.
In the case where the partition passed to parse_fixed_partitions() has a
parent, it is treated as a dedicated partitions node, and of_node_put()
is wrongly called for it, even if of_node_get() was not called
explicitly.
On repeated bind / unbinds of the MTD, the extra of_node_put() ends up
decrementing the refcount down to 0, which should never happen,
resulting in the following error:
OF: ERROR: of_node_release() detected bad of_node_put() on
/soc/spi@80007000/flash@0/partitions/partition@0
Call of_node_get() to balance the call to of_node_put() done for
dedicated partitions nodes.
Fixes: 7cce81df7d26 ("mtd: parsers: ofpart: fix OF node refcount leak in parse_fixed_partitions()")
Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa@renesas.com>
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/parsers/ofpart_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/ofpart_core.c b/drivers/mtd/parsers/ofpart_core.c
index a5ba78c6723ee..321002a1d0cae 100644
--- a/drivers/mtd/parsers/ofpart_core.c
+++ b/drivers/mtd/parsers/ofpart_core.c
@@ -71,7 +71,7 @@ static int parse_fixed_partitions(struct mtd_info *master,
dedicated = false;
}
} else { /* Partition */
- ofpart_node = mtd_node;
+ ofpart_node = of_node_get(mtd_node);
}
of_id = of_match_node(parse_ofpart_match_table, ofpart_node);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 472/957] cxl/pci: Check memdev driver binding status in cxl_reset_done()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 471/957] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 473/957] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
` (490 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Williams, Dave Jiang, Li Ming,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Ming <ming.li@zohomail.com>
[ Upstream commit e8069c66d09309579e53567be8ddfa6ccb2f452a ]
cxl_reset_done() accesses the endpoint of the corresponding CXL memdev
without endpoint validity checking. By default, cxlmd->endpoint is
initialized to -ENXIO, if cxl_reset_done() is triggered after the
corresponding CXL memdev probing failed, this results in access to an
invalid endpoint.
CXL subsystem can always check CXL memdev driver binding status to
confirm its endpoint validity. So adding the CXL memdev driver checking
inside cxl_reset_done() to avoid accessing an invalid endpoint.
Fixes: 934edcd436dc ("cxl: Add post-reset warning if reset results in loss of previously committed HDM decoders")
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Li Ming <ming.li@zohomail.com>
Link: https://patch.msgid.link/20260314-fix_access_endpoint_without_drv_check-v2-4-4c09edf2e1db@zohomail.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/pci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
index bd100ac31672d..c78d7d88744bf 100644
--- a/drivers/cxl/pci.c
+++ b/drivers/cxl/pci.c
@@ -1104,6 +1104,9 @@ static void cxl_reset_done(struct pci_dev *pdev)
* that no longer exists.
*/
guard(device)(&cxlmd->dev);
+ if (!cxlmd->dev.driver)
+ return;
+
if (cxlmd->endpoint &&
cxl_endpoint_decoder_reset_detected(cxlmd->endpoint)) {
dev_crit(dev, "SBR happened without memory regions removal.\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 473/957] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 472/957] cxl/pci: Check memdev driver binding status in cxl_reset_done() Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 474/957] mtd: spinand: Add missing check Greg Kroah-Hartman
` (489 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Richard Genoud,
Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Genoud <richard.genoud@bootlin.com>
[ Upstream commit 848c13996c55fe4ea6bf5acc3ce6c8c5c944b5f6 ]
When dumping the OOB, the bytes at the end where actually copied from
the beginning of the OOB instead of current_offset.
That leads to something like:
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
instead of:
OOB: ff ff ff ff ff ff ff ff ea 19 00 3a 83 db aa 8d
OOB: 99 09 c8 9a 90 36 35 7d aa 15 13 07 3d 97 b2 a4
OOB: a8 bb 19 b3 07 e9 f6 25 52 d7 1a 23 e2 7e 0a e4
OOB: 52 8a 09 d2 1a 86 3d cf b4 99 43 13 d3 90 33 0b
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
OOB: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
(example with BCH16, user data [8,0], no scrambling)
*cur_off (offset from the beginning of the page) was compared to offset
(offset from the beginning of the OOB), and then, the
nand_change_read_column_op() sets the current position to the beginning
of the OOB instead of OOB+offset
Fixes: 15d6f118285f ("mtd: rawnand: sunxi: Stop supporting ECC_HW_SYNDROME mode")
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/sunxi_nand.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c
index f6a8e8ae819d4..75db1713e6177 100644
--- a/drivers/mtd/nand/raw/sunxi_nand.c
+++ b/drivers/mtd/nand/raw/sunxi_nand.c
@@ -886,9 +886,9 @@ static void sunxi_nfc_hw_ecc_read_extra_oob(struct nand_chip *nand,
if (len <= 0)
return;
- if (!cur_off || *cur_off != offset)
- nand_change_read_column_op(nand, mtd->writesize, NULL, 0,
- false);
+ if (!cur_off || *cur_off != (offset + mtd->writesize))
+ nand_change_read_column_op(nand, mtd->writesize + offset,
+ NULL, 0, false);
if (!randomize)
sunxi_nfc_read_buf(nand, oob + offset, len);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 474/957] mtd: spinand: Add missing check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 473/957] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 475/957] mtd: spinand: Decouple write enable and write disable operations Greg Kroah-Hartman
` (488 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Miquel Raynal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit aab8a4c656379a6a1a4ca716f48118680560eaab ]
The update cache variant is mandatory, both read and write versions are
being checked, but not this one. All chip drivers seem to implement this
variant, so there should be no breakage.
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index 697877584a285..33e6b76944ab8 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -1436,6 +1436,9 @@ int spinand_match_and_init(struct spinand_device *spinand,
op = spinand_select_op_variant(spinand,
info->op_variants.update_cache);
+ if (!op)
+ return -ENOTSUPP;
+
spinand->op_templates.update_cache = op;
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 475/957] mtd: spinand: Decouple write enable and write disable operations
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 474/957] mtd: spinand: Add missing check Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 476/957] mtd: spinand: Create an array of operation templates Greg Kroah-Hartman
` (487 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Miquel Raynal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit c0ba929cf7a960c796cc9946b3f79d8405e9b805 ]
In order to introduce templates for all operations and not only for page
helpers (in order to introduce octal DDR support), decouple the WR_EN
and WR_DIS operations into two separate macros.
Adapt the callers accordingly.
There is no functional change.
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/core.c | 2 +-
drivers/mtd/nand/spi/esmt.c | 2 +-
drivers/mtd/nand/spi/micron.c | 2 +-
include/linux/mtd/spinand.h | 10 ++++++++--
4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index 33e6b76944ab8..d3029ce2fe9ae 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -362,7 +362,7 @@ static void spinand_ondie_ecc_save_status(struct nand_device *nand, u8 status)
int spinand_write_enable_op(struct spinand_device *spinand)
{
- struct spi_mem_op op = SPINAND_WR_EN_DIS_1S_0_0_OP(true);
+ struct spi_mem_op op = SPINAND_WR_EN_1S_0_0_OP;
return spi_mem_exec_op(spinand->spimem, &op);
}
diff --git a/drivers/mtd/nand/spi/esmt.c b/drivers/mtd/nand/spi/esmt.c
index 9a9325c0bc497..f880c3b15ceab 100644
--- a/drivers/mtd/nand/spi/esmt.c
+++ b/drivers/mtd/nand/spi/esmt.c
@@ -137,7 +137,7 @@ static int f50l1g41lb_user_otp_info(struct spinand_device *spinand, size_t len,
static int f50l1g41lb_otp_lock(struct spinand_device *spinand, loff_t from,
size_t len)
{
- struct spi_mem_op write_op = SPINAND_WR_EN_DIS_1S_0_0_OP(true);
+ struct spi_mem_op write_op = SPINAND_WR_EN_1S_0_0_OP;
struct spi_mem_op exec_op = SPINAND_PROG_EXEC_1S_1S_0_OP(0);
u8 status;
int ret;
diff --git a/drivers/mtd/nand/spi/micron.c b/drivers/mtd/nand/spi/micron.c
index a49d7cb6a96da..b8130e04e8e79 100644
--- a/drivers/mtd/nand/spi/micron.c
+++ b/drivers/mtd/nand/spi/micron.c
@@ -251,7 +251,7 @@ static int mt29f2g01abagd_user_otp_info(struct spinand_device *spinand,
static int mt29f2g01abagd_otp_lock(struct spinand_device *spinand, loff_t from,
size_t len)
{
- struct spi_mem_op write_op = SPINAND_WR_EN_DIS_1S_0_0_OP(true);
+ struct spi_mem_op write_op = SPINAND_WR_EN_1S_0_0_OP;
struct spi_mem_op exec_op = SPINAND_PROG_EXEC_1S_1S_0_OP(0);
u8 status;
int ret;
diff --git a/include/linux/mtd/spinand.h b/include/linux/mtd/spinand.h
index 1c741145e4971..c74c9ba0cd0a4 100644
--- a/include/linux/mtd/spinand.h
+++ b/include/linux/mtd/spinand.h
@@ -26,8 +26,14 @@
SPI_MEM_OP_NO_DUMMY, \
SPI_MEM_OP_NO_DATA)
-#define SPINAND_WR_EN_DIS_1S_0_0_OP(enable) \
- SPI_MEM_OP(SPI_MEM_OP_CMD((enable) ? 0x06 : 0x04, 1), \
+#define SPINAND_WR_EN_1S_0_0_OP \
+ SPI_MEM_OP(SPI_MEM_OP_CMD(0x06, 1), \
+ SPI_MEM_OP_NO_ADDR, \
+ SPI_MEM_OP_NO_DUMMY, \
+ SPI_MEM_OP_NO_DATA)
+
+#define SPINAND_WR_DIS_1S_0_0_OP \
+ SPI_MEM_OP(SPI_MEM_OP_CMD(0x04, 1), \
SPI_MEM_OP_NO_ADDR, \
SPI_MEM_OP_NO_DUMMY, \
SPI_MEM_OP_NO_DATA)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 476/957] mtd: spinand: Create an array of operation templates
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 475/957] mtd: spinand: Decouple write enable and write disable operations Greg Kroah-Hartman
@ 2026-05-20 16:15 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 477/957] mtd: spinand: winbond: Rename IO_MODE register macro Greg Kroah-Hartman
` (486 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tudor Ambarus, Miquel Raynal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit 408015023294958407925bc50cdd85718d12a335 ]
Currently, the SPI NAND core implementation directly calls macros to get
the various operations in shape. These macros are specific to the bus
interface, currently only supporting the single SDR interface (any
command following the 1S-XX-XX pattern).
Introducing support for other bus interfaces (such as octal DTR) would
mean that every user of these macros should become aware of the current
bus interface and act accordingly, picking up and adapting to the
current configuration. This would add quite a bit of boilerplate, be
repetitive as well as error prone in case we miss one occurrence.
Instead, let's create a table with all SPI NAND memory operations that
are currently supported. We initialize them with the same single SDR _OP
macros as before. This opens the possibility for users of the individual
macros to make use of these templates instead. This way, when we will add
another bus interface, we can just switch to another set of templates
and all users will magically fill in their spi_mem_op structures with
the correct ops.
The existing read, write and update cache variants are also moved in
this template array, which is barely noticeable by callers as we also
add a structure member pointing to it.
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/core.c | 38 ++++++++++++++++++++++--------
drivers/mtd/nand/spi/winbond.c | 4 ++--
include/linux/mtd/spinand.h | 43 +++++++++++++++++++++++++++-------
3 files changed, 64 insertions(+), 21 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index d3029ce2fe9ae..5c1797946a047 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -184,9 +184,9 @@ static int spinand_init_quad_enable(struct spinand_device *spinand)
if (!(spinand->flags & SPINAND_HAS_QE_BIT))
return 0;
- if (spinand->op_templates.read_cache->data.buswidth == 4 ||
- spinand->op_templates.write_cache->data.buswidth == 4 ||
- spinand->op_templates.update_cache->data.buswidth == 4)
+ if (spinand->op_templates->read_cache->data.buswidth == 4 ||
+ spinand->op_templates->write_cache->data.buswidth == 4 ||
+ spinand->op_templates->update_cache->data.buswidth == 4)
enable = true;
return spinand_upd_cfg(spinand, CFG_QUAD_ENABLE,
@@ -1162,7 +1162,7 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
info.offset = plane << fls(nand->memorg.pagesize);
info.length = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
- info.op_tmpl = *spinand->op_templates.update_cache;
+ info.op_tmpl = *spinand->op_templates->update_cache;
desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
spinand->spimem, &info);
if (IS_ERR(desc))
@@ -1170,7 +1170,7 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
spinand->dirmaps[plane].wdesc = desc;
- info.op_tmpl = *spinand->op_templates.read_cache;
+ info.op_tmpl = *spinand->op_templates->read_cache;
desc = spinand_create_rdesc(spinand, &info);
if (IS_ERR(desc))
return PTR_ERR(desc);
@@ -1185,7 +1185,7 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
}
info.length = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
- info.op_tmpl = *spinand->op_templates.update_cache;
+ info.op_tmpl = *spinand->op_templates->update_cache;
info.op_tmpl.data.ecc = true;
desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
spinand->spimem, &info);
@@ -1194,7 +1194,7 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
spinand->dirmaps[plane].wdesc_ecc = desc;
- info.op_tmpl = *spinand->op_templates.read_cache;
+ info.op_tmpl = *spinand->op_templates->read_cache;
info.op_tmpl.data.ecc = true;
desc = spinand_create_rdesc(spinand, &info);
if (IS_ERR(desc))
@@ -1330,6 +1330,22 @@ static void spinand_manufacturer_cleanup(struct spinand_device *spinand)
return spinand->manufacturer->ops->cleanup(spinand);
}
+static void spinand_init_ssdr_templates(struct spinand_device *spinand)
+{
+ struct spinand_mem_ops *tmpl = &spinand->ssdr_op_templates;
+
+ tmpl->reset = (struct spi_mem_op)SPINAND_RESET_1S_0_0_OP;
+ tmpl->readid = (struct spi_mem_op)SPINAND_READID_1S_1S_1S_OP(0, 0, NULL, 0);
+ tmpl->wr_en = (struct spi_mem_op)SPINAND_WR_EN_1S_0_0_OP;
+ tmpl->wr_dis = (struct spi_mem_op)SPINAND_WR_DIS_1S_0_0_OP;
+ tmpl->set_feature = (struct spi_mem_op)SPINAND_SET_FEATURE_1S_1S_1S_OP(0, NULL);
+ tmpl->get_feature = (struct spi_mem_op)SPINAND_GET_FEATURE_1S_1S_1S_OP(0, NULL);
+ tmpl->blk_erase = (struct spi_mem_op)SPINAND_BLK_ERASE_1S_1S_0_OP(0);
+ tmpl->page_read = (struct spi_mem_op)SPINAND_PAGE_READ_1S_1S_0_OP(0);
+ tmpl->prog_exec = (struct spi_mem_op)SPINAND_PROG_EXEC_1S_1S_0_OP(0);
+ spinand->op_templates = &spinand->ssdr_op_templates;
+}
+
static const struct spi_mem_op *
spinand_select_op_variant(struct spinand_device *spinand,
const struct spinand_op_variants *variants)
@@ -1425,21 +1441,21 @@ int spinand_match_and_init(struct spinand_device *spinand,
if (!op)
return -ENOTSUPP;
- spinand->op_templates.read_cache = op;
+ spinand->ssdr_op_templates.read_cache = op;
op = spinand_select_op_variant(spinand,
info->op_variants.write_cache);
if (!op)
return -ENOTSUPP;
- spinand->op_templates.write_cache = op;
+ spinand->ssdr_op_templates.write_cache = op;
op = spinand_select_op_variant(spinand,
info->op_variants.update_cache);
if (!op)
return -ENOTSUPP;
- spinand->op_templates.update_cache = op;
+ spinand->ssdr_op_templates.update_cache = op;
return 0;
}
@@ -1554,6 +1570,8 @@ static int spinand_init(struct spinand_device *spinand)
if (!spinand->scratchbuf)
return -ENOMEM;
+ spinand_init_ssdr_templates(spinand);
+
ret = spinand_detect(spinand);
if (ret)
goto err_free_bufs;
diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c
index af377b917a107..b389c9ee58508 100644
--- a/drivers/mtd/nand/spi/winbond.c
+++ b/drivers/mtd/nand/spi/winbond.c
@@ -291,7 +291,7 @@ static int w25n0xjw_hs_cfg(struct spinand_device *spinand)
u8 sr4;
int ret;
- op = spinand->op_templates.read_cache;
+ op = spinand->op_templates->read_cache;
if (op->cmd.dtr || op->addr.dtr || op->dummy.dtr || op->data.dtr)
hs = false;
else if (op->cmd.buswidth == 1 && op->addr.buswidth == 1 &&
@@ -355,7 +355,7 @@ static int w35n0xjw_vcr_cfg(struct spinand_device *spinand)
u8 io_mode;
int ret;
- op = spinand->op_templates.read_cache;
+ op = spinand->op_templates->read_cache;
single = (op->cmd.buswidth == 1 && op->addr.buswidth == 1 && op->data.buswidth == 1);
dtr = (op->cmd.dtr || op->addr.dtr || op->data.dtr);
diff --git a/include/linux/mtd/spinand.h b/include/linux/mtd/spinand.h
index c74c9ba0cd0a4..3825fe9e759a6 100644
--- a/include/linux/mtd/spinand.h
+++ b/include/linux/mtd/spinand.h
@@ -604,6 +604,36 @@ struct spinand_dirmap {
struct spi_mem_dirmap_desc *rdesc_ecc;
};
+/**
+ * struct spinand_mem_ops - SPI NAND memory operations
+ * @reset: reset op template
+ * @readid: read ID op template
+ * @wr_en: write enable op template
+ * @wr_dis: write disable op template
+ * @set_feature: set feature op template
+ * @get_feature: get feature op template
+ * @blk_erase: blk erase op template
+ * @page_read: page read op template
+ * @prog_exec: prog exec op template
+ * @read_cache: read cache op template
+ * @write_cache: write cache op template
+ * @update_cache: update cache op template
+ */
+struct spinand_mem_ops {
+ struct spi_mem_op reset;
+ struct spi_mem_op readid;
+ struct spi_mem_op wr_en;
+ struct spi_mem_op wr_dis;
+ struct spi_mem_op set_feature;
+ struct spi_mem_op get_feature;
+ struct spi_mem_op blk_erase;
+ struct spi_mem_op page_read;
+ struct spi_mem_op prog_exec;
+ const struct spi_mem_op *read_cache;
+ const struct spi_mem_op *write_cache;
+ const struct spi_mem_op *update_cache;
+};
+
/**
* struct spinand_device - SPI NAND device instance
* @base: NAND device instance
@@ -611,10 +641,8 @@ struct spinand_dirmap {
* @lock: lock used to serialize accesses to the NAND
* @id: NAND ID as returned by READ_ID
* @flags: NAND flags
- * @op_templates: various SPI mem op templates
- * @op_templates.read_cache: read cache op template
- * @op_templates.write_cache: write cache op template
- * @op_templates.update_cache: update cache op template
+ * @ssdr_op_templates: Templates for all single SDR SPI mem operations
+ * @op_templates: Templates for all SPI mem operations
* @select_target: select a specific target/die. Usually called before sending
* a command addressing a page or an eraseblock embedded in
* this die. Only required if your chip exposes several dies
@@ -648,11 +676,8 @@ struct spinand_device {
struct spinand_id id;
u32 flags;
- struct {
- const struct spi_mem_op *read_cache;
- const struct spi_mem_op *write_cache;
- const struct spi_mem_op *update_cache;
- } op_templates;
+ struct spinand_mem_ops ssdr_op_templates;
+ struct spinand_mem_ops *op_templates;
struct spinand_dirmap *dirmaps;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 477/957] mtd: spinand: winbond: Rename IO_MODE register macro
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-05-20 16:15 ` [PATCH 6.18 476/957] mtd: spinand: Create an array of operation templates Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 478/957] mtd: spinand: winbond: Configure the IO mode after the dummy cycles Greg Kroah-Hartman
` (485 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit 57e1015cc9a96372f330195abe32a904ec8d1eab ]
Suffix the macro name with *_REG to align with the rest of the driver.
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/winbond.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c
index b389c9ee58508..2361109101727 100644
--- a/drivers/mtd/nand/spi/winbond.c
+++ b/drivers/mtd/nand/spi/winbond.c
@@ -22,7 +22,7 @@
#define W25N0XJW_SR4 0xD0
#define W25N0XJW_SR4_HS BIT(2)
-#define W35N01JW_VCR_IO_MODE 0x00
+#define W35N01JW_VCR_IO_MODE_REG 0x00
#define W35N01JW_VCR_IO_MODE_SINGLE_SDR 0xFF
#define W35N01JW_VCR_IO_MODE_OCTAL_SDR 0xDF
#define W35N01JW_VCR_IO_MODE_OCTAL_DDR_DS 0xE7
@@ -368,7 +368,7 @@ static int w35n0xjw_vcr_cfg(struct spinand_device *spinand)
else
return -EINVAL;
- ret = w35n0xjw_write_vcr(spinand, W35N01JW_VCR_IO_MODE, io_mode);
+ ret = w35n0xjw_write_vcr(spinand, W35N01JW_VCR_IO_MODE_REG, io_mode);
if (ret)
return ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 478/957] mtd: spinand: winbond: Configure the IO mode after the dummy cycles
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 477/957] mtd: spinand: winbond: Rename IO_MODE register macro Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 479/957] mtd: spinand: Gather all the bus interface steps in one single function Greg Kroah-Hartman
` (484 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit ef1ed296fb9d9246256e1b5b2cf2e86e85606ac3 ]
When we will change the bus interface, the action that actually performs
the transition is the IO mode register write. This means after the IO
mode register write, we should use the new bus interface. But the
->configure_chip() hook itself is not responsible of making this change
official, it is the caller that must act according to the return value.
Reorganize this helper to first configure the dummy cycles before
possibly switching to another bus interface.
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/winbond.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c
index 2361109101727..6cb5dd45e6fb7 100644
--- a/drivers/mtd/nand/spi/winbond.c
+++ b/drivers/mtd/nand/spi/winbond.c
@@ -357,21 +357,6 @@ static int w35n0xjw_vcr_cfg(struct spinand_device *spinand)
op = spinand->op_templates->read_cache;
- single = (op->cmd.buswidth == 1 && op->addr.buswidth == 1 && op->data.buswidth == 1);
- dtr = (op->cmd.dtr || op->addr.dtr || op->data.dtr);
- if (single && !dtr)
- io_mode = W35N01JW_VCR_IO_MODE_SINGLE_SDR;
- else if (!single && !dtr)
- io_mode = W35N01JW_VCR_IO_MODE_OCTAL_SDR;
- else if (!single && dtr)
- io_mode = W35N01JW_VCR_IO_MODE_OCTAL_DDR;
- else
- return -EINVAL;
-
- ret = w35n0xjw_write_vcr(spinand, W35N01JW_VCR_IO_MODE_REG, io_mode);
- if (ret)
- return ret;
-
dummy_cycles = ((op->dummy.nbytes * 8) / op->dummy.buswidth) / (op->dummy.dtr ? 2 : 1);
switch (dummy_cycles) {
case 8:
@@ -388,6 +373,21 @@ static int w35n0xjw_vcr_cfg(struct spinand_device *spinand)
if (ret)
return ret;
+ single = (op->cmd.buswidth == 1 && op->addr.buswidth == 1 && op->data.buswidth == 1);
+ dtr = (op->cmd.dtr && op->addr.dtr && op->data.dtr);
+ if (single && !dtr)
+ io_mode = W35N01JW_VCR_IO_MODE_SINGLE_SDR;
+ else if (!single && !dtr)
+ io_mode = W35N01JW_VCR_IO_MODE_OCTAL_SDR;
+ else if (!single && dtr)
+ io_mode = W35N01JW_VCR_IO_MODE_OCTAL_DDR;
+ else
+ return -EINVAL;
+
+ ret = w35n0xjw_write_vcr(spinand, W35N01JW_VCR_IO_MODE_REG, io_mode);
+ if (ret)
+ return ret;
+
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 479/957] mtd: spinand: Gather all the bus interface steps in one single function
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 478/957] mtd: spinand: winbond: Configure the IO mode after the dummy cycles Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 480/957] mtd: spinand: Add support for setting a bus interface Greg Kroah-Hartman
` (483 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit be0b86c648bf811237cc17e274e9f9488fccb772 ]
Writing the quad enable bit in one helper and doing the chip
configuration in another does not make much sense from a bus interface
setup point of view.
Instead, let's create a broader helper which is going to be in charge of
all the bus configuration steps at once. This will specifically allow to
transition to octal DDR mode, and even fallback to quad (if suppoorted)
or single mode otherwise.
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/core.c | 62 ++++++++++++++++++++++---------------
1 file changed, 37 insertions(+), 25 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index 5c1797946a047..b88f30ed746fc 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -177,18 +177,9 @@ static int spinand_init_cfg_cache(struct spinand_device *spinand)
return 0;
}
-static int spinand_init_quad_enable(struct spinand_device *spinand)
+static int spinand_init_quad_enable(struct spinand_device *spinand,
+ bool enable)
{
- bool enable = false;
-
- if (!(spinand->flags & SPINAND_HAS_QE_BIT))
- return 0;
-
- if (spinand->op_templates->read_cache->data.buswidth == 4 ||
- spinand->op_templates->write_cache->data.buswidth == 4 ||
- spinand->op_templates->update_cache->data.buswidth == 4)
- enable = true;
-
return spinand_upd_cfg(spinand, CFG_QUAD_ENABLE,
enable ? CFG_QUAD_ENABLE : 0);
}
@@ -1314,12 +1305,6 @@ static int spinand_manufacturer_init(struct spinand_device *spinand)
return ret;
}
- if (spinand->configure_chip) {
- ret = spinand->configure_chip(spinand);
- if (ret)
- return ret;
- }
-
return 0;
}
@@ -1496,6 +1481,31 @@ static int spinand_detect(struct spinand_device *spinand)
return 0;
}
+static int spinand_configure_chip(struct spinand_device *spinand)
+{
+ bool quad_enable = false;
+ int ret;
+
+ if (spinand->flags & SPINAND_HAS_QE_BIT) {
+ if (spinand->ssdr_op_templates.read_cache->data.buswidth == 4 ||
+ spinand->ssdr_op_templates.write_cache->data.buswidth == 4 ||
+ spinand->ssdr_op_templates.update_cache->data.buswidth == 4)
+ quad_enable = true;
+ }
+
+ ret = spinand_init_quad_enable(spinand, quad_enable);
+ if (ret)
+ return ret;
+
+ if (spinand->configure_chip) {
+ ret = spinand->configure_chip(spinand);
+ if (ret)
+ return ret;
+ }
+
+ return ret;
+}
+
static int spinand_init_flash(struct spinand_device *spinand)
{
struct device *dev = &spinand->spimem->spi->dev;
@@ -1506,10 +1516,6 @@ static int spinand_init_flash(struct spinand_device *spinand)
if (ret)
return ret;
- ret = spinand_init_quad_enable(spinand);
- if (ret)
- return ret;
-
ret = spinand_upd_cfg(spinand, CFG_OTP_ENABLE, 0);
if (ret)
return ret;
@@ -1522,19 +1528,25 @@ static int spinand_init_flash(struct spinand_device *spinand)
return ret;
}
+ ret = spinand_configure_chip(spinand);
+ if (ret)
+ goto manuf_cleanup;
+
/* After power up, all blocks are locked, so unlock them here. */
for (i = 0; i < nand->memorg.ntargets; i++) {
ret = spinand_select_target(spinand, i);
if (ret)
- break;
+ goto manuf_cleanup;
ret = spinand_lock_block(spinand, BL_ALL_UNLOCKED);
if (ret)
- break;
+ goto manuf_cleanup;
}
- if (ret)
- spinand_manufacturer_cleanup(spinand);
+ return 0;
+
+manuf_cleanup:
+ spinand_manufacturer_cleanup(spinand);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 480/957] mtd: spinand: Add support for setting a bus interface
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 479/957] mtd: spinand: Gather all the bus interface steps in one single function Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 481/957] mtd: spinand: Give the bus interface to the configuration helper Greg Kroah-Hartman
` (482 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit 20387f2fe509eba46ecf758da052786d7b1203fb ]
Create a bus interface enumeration, currently only containing the
one we support: SSDR, for single SDR, so any operation whose command is
sent over a single data line in SDR mode, ie. any operation matching
1S-XX-XX.
The main spinand_device structure gets a new parameter to store this
enumeration, for now unused. Of course it is set to SSDR during the SSDR
templates initialization to further clarify the state we are in at the
moment.
This member is subject to be used to know in which bus configuration we
and be updated by the core when we switch to faster mode(s).
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/core.c | 1 +
include/linux/mtd/spinand.h | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index b88f30ed746fc..9f6682c0af102 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -1329,6 +1329,7 @@ static void spinand_init_ssdr_templates(struct spinand_device *spinand)
tmpl->page_read = (struct spi_mem_op)SPINAND_PAGE_READ_1S_1S_0_OP(0);
tmpl->prog_exec = (struct spi_mem_op)SPINAND_PROG_EXEC_1S_1S_0_OP(0);
spinand->op_templates = &spinand->ssdr_op_templates;
+ spinand->bus_iface = SSDR;
}
static const struct spi_mem_op *
diff --git a/include/linux/mtd/spinand.h b/include/linux/mtd/spinand.h
index 3825fe9e759a6..c991c6c3bdedf 100644
--- a/include/linux/mtd/spinand.h
+++ b/include/linux/mtd/spinand.h
@@ -486,6 +486,14 @@ struct spinand_user_otp {
const struct spinand_user_otp_ops *ops;
};
+/**
+ * enum spinand_bus_interface - SPI NAND bus interface types
+ * @SSDR: Bus configuration supporting all 1S-XX-XX operations, including dual and quad
+ */
+enum spinand_bus_interface {
+ SSDR,
+};
+
/**
* struct spinand_info - Structure used to describe SPI NAND chips
* @model: model name
@@ -643,6 +651,7 @@ struct spinand_mem_ops {
* @flags: NAND flags
* @ssdr_op_templates: Templates for all single SDR SPI mem operations
* @op_templates: Templates for all SPI mem operations
+ * @bus_iface: Current bus interface
* @select_target: select a specific target/die. Usually called before sending
* a command addressing a page or an eraseblock embedded in
* this die. Only required if your chip exposes several dies
@@ -678,6 +687,7 @@ struct spinand_device {
struct spinand_mem_ops ssdr_op_templates;
struct spinand_mem_ops *op_templates;
+ enum spinand_bus_interface bus_iface;
struct spinand_dirmap *dirmaps;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 481/957] mtd: spinand: Give the bus interface to the configuration helper
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 480/957] mtd: spinand: Add support for setting a bus interface Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 482/957] mtd: spinand: winbond: Clarify when to enable the HS bit Greg Kroah-Hartman
` (481 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit 0a331a1851aedd670b95a2d16c6a82496137378d ]
The chip configuration hook is the one responsible to actually switch
the switch between bus interfaces. It is natural to give it the bus
interface we expect with a new parameter. For now the only value we can
give is SSDR, but this is subject to change in the future, so add a bit
of extra logic in the implementations of this callback to make sure
both the core and the chip driver are aligned on the request.
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Stable-dep-of: 25a915fad503 ("mtd: spinand: winbond: Clarify when to enable the HS bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/core.c | 2 +-
drivers/mtd/nand/spi/winbond.c | 28 +++++++++++++++++++++-------
include/linux/mtd/spinand.h | 6 ++++--
3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index 9f6682c0af102..2f656a5e4af89 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -1499,7 +1499,7 @@ static int spinand_configure_chip(struct spinand_device *spinand)
return ret;
if (spinand->configure_chip) {
- ret = spinand->configure_chip(spinand);
+ ret = spinand->configure_chip(spinand, SSDR);
if (ret)
return ret;
}
diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c
index 6cb5dd45e6fb7..0ea5b1c97d33d 100644
--- a/drivers/mtd/nand/spi/winbond.c
+++ b/drivers/mtd/nand/spi/winbond.c
@@ -284,13 +284,17 @@ static int w25n02kv_ecc_get_status(struct spinand_device *spinand,
return -EINVAL;
}
-static int w25n0xjw_hs_cfg(struct spinand_device *spinand)
+static int w25n0xjw_hs_cfg(struct spinand_device *spinand,
+ enum spinand_bus_interface iface)
{
const struct spi_mem_op *op;
bool hs;
u8 sr4;
int ret;
+ if (iface != SSDR)
+ return -EOPNOTSUPP;
+
op = spinand->op_templates->read_cache;
if (op->cmd.dtr || op->addr.dtr || op->dummy.dtr || op->data.dtr)
hs = false;
@@ -347,17 +351,25 @@ static int w35n0xjw_write_vcr(struct spinand_device *spinand, u8 reg, u8 val)
return 0;
}
-static int w35n0xjw_vcr_cfg(struct spinand_device *spinand)
+static int w35n0xjw_vcr_cfg(struct spinand_device *spinand,
+ enum spinand_bus_interface iface)
{
- const struct spi_mem_op *op;
+ const struct spi_mem_op *ref_op;
unsigned int dummy_cycles;
bool dtr, single;
u8 io_mode;
int ret;
- op = spinand->op_templates->read_cache;
+ switch (iface) {
+ case SSDR:
+ ref_op = spinand->ssdr_op_templates.read_cache;
+ break;
+ default:
+ return -EOPNOTSUPP;
+ };
- dummy_cycles = ((op->dummy.nbytes * 8) / op->dummy.buswidth) / (op->dummy.dtr ? 2 : 1);
+ dummy_cycles = ((ref_op->dummy.nbytes * 8) / ref_op->dummy.buswidth) /
+ (ref_op->dummy.dtr ? 2 : 1);
switch (dummy_cycles) {
case 8:
case 12:
@@ -373,8 +385,10 @@ static int w35n0xjw_vcr_cfg(struct spinand_device *spinand)
if (ret)
return ret;
- single = (op->cmd.buswidth == 1 && op->addr.buswidth == 1 && op->data.buswidth == 1);
- dtr = (op->cmd.dtr && op->addr.dtr && op->data.dtr);
+ single = (ref_op->cmd.buswidth == 1 &&
+ ref_op->addr.buswidth == 1 &&
+ ref_op->data.buswidth == 1);
+ dtr = (ref_op->cmd.dtr && ref_op->addr.dtr && ref_op->data.dtr);
if (single && !dtr)
io_mode = W35N01JW_VCR_IO_MODE_SINGLE_SDR;
else if (!single && !dtr)
diff --git a/include/linux/mtd/spinand.h b/include/linux/mtd/spinand.h
index c991c6c3bdedf..07e4d87019c64 100644
--- a/include/linux/mtd/spinand.h
+++ b/include/linux/mtd/spinand.h
@@ -532,7 +532,8 @@ struct spinand_info {
} op_variants;
int (*select_target)(struct spinand_device *spinand,
unsigned int target);
- int (*configure_chip)(struct spinand_device *spinand);
+ int (*configure_chip)(struct spinand_device *spinand,
+ enum spinand_bus_interface iface);
int (*set_cont_read)(struct spinand_device *spinand,
bool enable);
struct spinand_fact_otp fact_otp;
@@ -704,7 +705,8 @@ struct spinand_device {
const struct spinand_manufacturer *manufacturer;
void *priv;
- int (*configure_chip)(struct spinand_device *spinand);
+ int (*configure_chip)(struct spinand_device *spinand,
+ enum spinand_bus_interface iface);
bool cont_read_possible;
int (*set_cont_read)(struct spinand_device *spinand,
bool enable);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 482/957] mtd: spinand: winbond: Clarify when to enable the HS bit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 481/957] mtd: spinand: Give the bus interface to the configuration helper Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 483/957] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
` (480 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit 25a915fad503c2678902075565d47ddc2aa45db9 ]
Above 104MHz when in fast dual or quad I/O reads, the delay between
address and data cycles is too short. It is possible to reach higher
frequencies, up to 166MHz, by adding a few more dummy cycles through the
setting of the HS bit. Improve the condition for enabling this bit, and
also make sure we set it at soon as we go over 104MHz.
Fixes: f1a91175faaa ("mtd: spinand: winbond: Enable high-speed modes on w25n0xjw")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/spi/winbond.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c
index 0ea5b1c97d33d..578924c98b90a 100644
--- a/drivers/mtd/nand/spi/winbond.c
+++ b/drivers/mtd/nand/spi/winbond.c
@@ -295,16 +295,19 @@ static int w25n0xjw_hs_cfg(struct spinand_device *spinand,
if (iface != SSDR)
return -EOPNOTSUPP;
+ /*
+ * SDR dual and quad I/O operations over 104MHz require the HS bit to
+ * enable a few more dummy cycles.
+ */
op = spinand->op_templates->read_cache;
if (op->cmd.dtr || op->addr.dtr || op->dummy.dtr || op->data.dtr)
hs = false;
- else if (op->cmd.buswidth == 1 && op->addr.buswidth == 1 &&
- op->dummy.buswidth == 1 && op->data.buswidth == 1)
+ else if (op->cmd.buswidth != 1 || op->addr.buswidth == 1)
hs = false;
- else if (!op->max_freq)
- hs = true;
- else
+ else if (op->max_freq && op->max_freq <= 104 * HZ_PER_MHZ)
hs = false;
+ else
+ hs = true;
ret = spinand_read_reg_op(spinand, W25N0XJW_SR4, &sr4);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 483/957] HID: usbhid: fix deadlock in hid_post_reset()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 482/957] mtd: spinand: winbond: Clarify when to enable the HS bit Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 484/957] ext4: fix possible null-ptr-deref in mbt_kunit_exit() Greg Kroah-Hartman
` (479 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Jiri Kosina,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 8df2c1b47ee3cd50fd454f75c7a7e2ae8a6adf72 ]
You can build a USB device that includes a HID component
and a storage or UAS component. The components can be reset
only together. That means that hid_pre_reset() and hid_post_reset()
are in the block IO error handling. Hence no memory allocation
used in them may do block IO because the IO can deadlock
on the mutex held while resetting a device and calling the
interface drivers.
Use GFP_NOIO for all allocations in them.
Fixes: dc3c78e434690 ("HID: usbhid: Check HID report descriptor contents after device reset")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 758eb21430cda..df3cc89dfb37f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1552,7 +1552,7 @@ static int hid_post_reset(struct usb_interface *intf)
* configuration descriptors passed, we already know that
* the size of the HID report descriptor has not changed.
*/
- rdesc = kmalloc(hid->dev_rsize, GFP_KERNEL);
+ rdesc = kmalloc(hid->dev_rsize, GFP_NOIO);
if (!rdesc)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 484/957] ext4: fix possible null-ptr-deref in mbt_kunit_exit()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 483/957] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 485/957] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
` (478 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Ritesh Harjani (IBM),
Ojaswin Mujoo, Theodore Tso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 22f53f08d9eb837ce69b1a07641d414aac8d045f ]
There's issue as follows:
# test_new_blocks_simple: failed to initialize: -12
KASAN: null-ptr-deref in range [0x0000000000000638-0x000000000000063f]
Tainted: [E]=UNSIGNED_MODULE, [N]=TEST
RIP: 0010:mbt_kunit_exit+0x5e/0x3e0 [ext4_test]
Call Trace:
<TASK>
kunit_try_run_case_cleanup+0xbc/0x100 [kunit]
kunit_generic_run_threadfn_adapter+0x89/0x100 [kunit]
kthread+0x408/0x540
ret_from_fork+0xa76/0xdf0
ret_from_fork_asm+0x1a/0x30
If mbt_kunit_init() init testcase failed will lead to null-ptr-deref.
So add test if 'sb' is inited success in mbt_kunit_exit().
Fixes: 7c9fa399a369 ("ext4: add first unit test for ext4_mb_new_blocks_simple in mballoc")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20260330133035.287842-6-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc-test.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/mballoc-test.c b/fs/ext4/mballoc-test.c
index 4abb40d4561ce..68aab8e45bc37 100644
--- a/fs/ext4/mballoc-test.c
+++ b/fs/ext4/mballoc-test.c
@@ -362,7 +362,6 @@ static int mbt_kunit_init(struct kunit *test)
return ret;
}
- test->priv = sb;
kunit_activate_static_stub(test,
ext4_read_block_bitmap_nowait,
ext4_read_block_bitmap_nowait_stub);
@@ -383,6 +382,8 @@ static int mbt_kunit_init(struct kunit *test)
return -ENOMEM;
}
+ test->priv = sb;
+
return 0;
}
@@ -390,6 +391,9 @@ static void mbt_kunit_exit(struct kunit *test)
{
struct super_block *sb = (struct super_block *)test->priv;
+ if (!sb)
+ return;
+
mbt_mb_release(sb);
mbt_ctx_release(sb);
mbt_ext4_free_super_block(sb);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 485/957] bpf, arm64: Fix off-by-one in check_imm signed range check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 484/957] ext4: fix possible null-ptr-deref in mbt_kunit_exit() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 486/957] bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize Greg Kroah-Hartman
` (477 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Puranjay Mohan,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 1dd8be4ec722ce54e4cace59f3a4ba658111b3ec ]
check_imm(bits, imm) is used in the arm64 BPF JIT to verify that
a branch displacement (in arm64 instruction units) fits into the
signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding
before it is handed to the encoder. The macro currently tests for
(imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits
values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A
signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check
admits one extra bit of range on each side.
In particular, for check_imm19(), values in [2^18, 2^19) slip past
the check but do not fit into the 19-bit signed imm19 field of
B.cond. aarch64_insn_encode_immediate() then masks the raw value
into the 19-bit field, setting bit 18 (the sign bit) and flipping
a forward branch into a backward one. Same class of issue exists
for check_imm26() and the B/BL encoding. Shift by (bits - 1)
instead of bits so the actual signed N-bit range is enforced.
Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260415121403.639619-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 107eb71b533a0..4b2aacdd43221 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -35,8 +35,8 @@
#define ARENA_VM_START (MAX_BPF_JIT_REG + 5)
#define check_imm(bits, imm) do { \
- if ((((imm) > 0) && ((imm) >> (bits))) || \
- (((imm) < 0) && (~(imm) >> (bits)))) { \
+ if ((((imm) > 0) && ((imm) >> ((bits) - 1))) || \
+ (((imm) < 0) && (~(imm) >> ((bits) - 1)))) { \
pr_info("[%2d] imm=%d(0x%x) out of range\n", \
i, imm, imm); \
return -EINVAL; \
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 486/957] bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 485/957] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 487/957] bpf, riscv: " Greg Kroah-Hartman
` (476 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Puranjay Mohan,
Breno Leitao, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 42f18ae53011826cfd3c84d041817e7f07bc645b ]
bpf_flush_icache() calls flush_icache_range() to clean the data cache
and invalidate the instruction cache for the JITed code region. However,
since commit 1dad391daef1 ("bpf, arm64: use bpf_prog_pack for memory
management"), this flush is redundant.
bpf_jit_binary_pack_finalize() copies the JITed instructions to the ROX
region via bpf_arch_text_copy() -> aarch64_insn_copy() -> __text_poke(),
and __text_poke() already calls flush_icache_range() on the written
range. The subsequent bpf_flush_icache() repeats the same cache
maintenance on an overlapping range, including an unnecessary second
synchronous IPI to all CPUs via kick_all_cpus_sync().
Remove the redundant bpf_flush_icache() call and its now-unused
definition.
Fixes: 1dad391daef1 ("bpf, arm64: use bpf_prog_pack for memory management")
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Acked-by: Breno Leitao <leitao@debian.org>
Link: https://lore.kernel.org/r/20260413191111.3426023-2-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 4b2aacdd43221..873c1b784a872 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -18,7 +18,6 @@
#include <asm/asm-extable.h>
#include <asm/byteorder.h>
-#include <asm/cacheflush.h>
#include <asm/cpufeature.h>
#include <asm/debug-monitors.h>
#include <asm/insn.h>
@@ -1964,11 +1963,6 @@ static int validate_ctx(struct jit_ctx *ctx)
return 0;
}
-static inline void bpf_flush_icache(void *start, void *end)
-{
- flush_icache_range((unsigned long)start, (unsigned long)end);
-}
-
static void priv_stack_init_guard(void __percpu *priv_stack_ptr, int alloc_size)
{
int cpu, underflow_idx = (alloc_size - PRIV_STACK_GUARD_SZ) >> 3;
@@ -2207,12 +2201,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
prog = orig_prog;
goto out_off;
}
- /*
- * The instructions have now been copied to the ROX region from
- * where they will execute. Now the data cache has to be cleaned to
- * the PoU and the I-cache has to be invalidated for the VAs.
- */
- bpf_flush_icache(ro_header, ctx.ro_image + ctx.idx);
} else {
jit_data->ctx = ctx;
jit_data->ro_image = ro_image_ptr;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 487/957] bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 486/957] bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 488/957] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
` (475 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Puranjay Mohan, Pu Lehui,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 46ee1342b887c9387a933397d846ff6c9584322c ]
bpf_flush_icache() calls flush_icache_range() to clean the data cache
and invalidate the instruction cache for the JITed code region. However,
since commit 48a8f78c50bd ("bpf, riscv: use prog pack allocator in the
BPF JIT"), this flush is redundant.
bpf_jit_binary_pack_finalize() copies the JITed instructions to the ROX
region via bpf_arch_text_copy() -> patch_text_nosync(), and
patch_text_nosync() already calls flush_icache_range() on the written
range. The subsequent bpf_flush_icache() repeats the same cache
maintenance on an overlapping range.
Remove the redundant bpf_flush_icache() call and its now-unused
definition.
Fixes: 48a8f78c50bd ("bpf, riscv: use prog pack allocator in the BPF JIT")
Acked-by: Song Liu <song@kernel.org>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Pu Lehui <pulehui@huawei.com>
Tested-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260413191111.3426023-3-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/net/bpf_jit.h | 6 ------
arch/riscv/net/bpf_jit_core.c | 7 -------
2 files changed, 13 deletions(-)
diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h
index 632ced07bca44..da02717902442 100644
--- a/arch/riscv/net/bpf_jit.h
+++ b/arch/riscv/net/bpf_jit.h
@@ -11,7 +11,6 @@
#include <linux/bpf.h>
#include <linux/filter.h>
-#include <asm/cacheflush.h>
/* verify runtime detection extension status */
#define rv_ext_enabled(ext) \
@@ -105,11 +104,6 @@ static inline void bpf_fill_ill_insns(void *area, unsigned int size)
memset(area, 0, size);
}
-static inline void bpf_flush_icache(void *start, void *end)
-{
- flush_icache_range((unsigned long)start, (unsigned long)end);
-}
-
/* Emit a 4-byte riscv instruction. */
static inline void emit(const u32 insn, struct rv_jit_context *ctx)
{
diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
index f6ca5cfa6b2fd..191bf0e66c824 100644
--- a/arch/riscv/net/bpf_jit_core.c
+++ b/arch/riscv/net/bpf_jit_core.c
@@ -183,13 +183,6 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
prog = orig_prog;
goto out_offset;
}
- /*
- * The instructions have now been copied to the ROX region from
- * where they will execute.
- * Write any modified data cache blocks out to memory and
- * invalidate the corresponding blocks in the instruction cache.
- */
- bpf_flush_icache(jit_data->ro_header, ctx->ro_insns + ctx->ninsns);
for (i = 0; i < prog->len; i++)
ctx->offset[i] = ninsns_rvoff(ctx->offset[i]);
bpf_prog_fill_jited_linfo(prog, ctx->offset);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 488/957] bpf, sockmap: Fix af_unix iter deadlock
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 487/957] bpf, riscv: " Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 489/957] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
` (474 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Martin KaFai Lau,
Michal Luczaj, Martin KaFai Lau, Jiayuan Chen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 4d328dd695383224aa750ddee6b4ad40c0f8d205 ]
bpf_iter_unix_seq_show() may deadlock when lock_sock_fast() takes the fast
path and the iter prog attempts to update a sockmap. Which ends up spinning
at sock_map_update_elem()'s bh_lock_sock():
WARNING: possible recursive locking detected
test_progs/1393 is trying to acquire lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: sock_map_update_elem+0xdb/0x1f0
but task is already holding lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_UNIX);
lock(slock-AF_UNIX);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by test_progs/1393:
#0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf_seq_read+0x59/0x10d0
#1: ffff88811ec25fd8 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: bpf_seq_read+0x42c/0x10d0
#2: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
#3: ffffffff85a6a7c0 (rcu_read_lock){....}-{1:3}, at: bpf_iter_run_prog+0x51d/0xb00
Call Trace:
dump_stack_lvl+0x5d/0x80
print_deadlock_bug.cold+0xc0/0xce
__lock_acquire+0x130f/0x2590
lock_acquire+0x14e/0x2b0
_raw_spin_lock+0x30/0x40
sock_map_update_elem+0xdb/0x1f0
bpf_prog_2d0075e5d9b721cd_dump_unix+0x55/0x4f4
bpf_iter_run_prog+0x5b9/0xb00
bpf_iter_unix_seq_show+0x1f7/0x2e0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0x6b/0x3a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-2-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index a09c732748945..cf022252d521c 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3773,15 +3773,14 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
struct bpf_prog *prog;
struct sock *sk = v;
uid_t uid;
- bool slow;
int ret;
if (v == SEQ_START_TOKEN)
return 0;
- slow = lock_sock_fast(sk);
+ lock_sock(sk);
- if (unlikely(sk_unhashed(sk))) {
+ if (unlikely(sock_flag(sk, SOCK_DEAD))) {
ret = SEQ_SKIP;
goto unlock;
}
@@ -3791,7 +3790,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
- unlock_sock_fast(sk, slow);
+ release_sock(sk);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 489/957] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 488/957] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 490/957] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
` (473 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj,
钱一铭, Kuniyuki Iwashima, Martin KaFai Lau,
Martin KaFai Lau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit dca38b7734d2ea00af4818ff3ae836fab33d5d5a ]
unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,
TCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).
sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that
socket is properly set up, which would include having a defined peer. IOW,
there's a window when unix_stream_bpf_update_proto() can be called on
socket which still has unix_peer(sk) == NULL.
CPU0 bpf CPU1 connect
-------- ------------
WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
...
sk_pair = unix_peer(sk)
sock_hold(sk_pair)
sock_hold(newsk)
smp_mb__after_atomic()
unix_peer(sk) = newsk
BUG: kernel NULL pointer dereference, address: 0000000000000080
RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0
Call Trace:
sock_map_link+0x564/0x8b0
sock_map_update_common+0x6e/0x340
sock_map_update_elem_sys+0x17d/0x240
__sys_bpf+0x26db/0x3250
__x64_sys_bpf+0x21/0x30
do_syscall_64+0x6b/0x3a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Initial idea was to move peer assignment _before_ the sk_state update[1],
but that involved an additional memory barrier, and changing the hot path
was rejected.
Then a NULL check during proto update in unix_stream_bpf_update_proto() was
considered[2], but the follow-up discussion[3] focused on the root cause,
i.e. sockmap update taking a wrong lock. Or, more specifically, missing
unix_state_lock()[4].
In the end it was concluded that teaching sockmap about the af_unix locking
would be unnecessarily complex[5].
Complexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT
are allowed to update sockmaps, sock_map_update_elem() taking the unix
lock, as it is currently implemented in unix_state_lock():
spin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken
in a process context, followed by a softirq-context TC BPF program
attempting to take the same spinlock -- deadlock[6].
This way we circled back to the peer check idea[2].
[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/
[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/
[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/
[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/
[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/
Summary of scenarios where af_unix/stream connect() may race a sockmap
update:
1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()
Implemented NULL check is sufficient. Once assigned, socket peer won't
be released until socket fd is released. And that's not an issue because
sock_map_update_elem_sys() bumps fd refcnf.
2. connect() vs BPF program doing update
Update restricted per verifier.c:may_update_sockmap() to
BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER
BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)
BPF_PROG_TYPE_SOCKET_FILTER
BPF_PROG_TYPE_SCHED_CLS
BPF_PROG_TYPE_SCHED_ACT
BPF_PROG_TYPE_XDP
BPF_PROG_TYPE_SK_REUSEPORT
BPF_PROG_TYPE_FLOW_DISSECTOR
BPF_PROG_TYPE_SK_LOOKUP
Plus one more race to consider:
CPU0 bpf CPU1 connect
-------- ------------
WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
sock_hold(newsk)
smp_mb__after_atomic()
unix_peer(sk) = newsk
sk_pair = unix_peer(sk)
if (unlikely(!sk_pair))
return -EINVAL;
CPU1 close
----------
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
sock_put(skpair)
// use after free?
sock_hold(sk_pair)
2.1 BPF program invoking helper function bpf_sock_map_update() ->
BPF_CALL_4(bpf_sock_map_update(), ...)
Helper limited to BPF_PROG_TYPE_SOCK_OPS. Nevertheless, a unix sock
might be accessible via bpf_map_lookup_elem(). Which implies sk
already having psock, which in turn implies sk already having
sk_pair. Since sk_psock_destroy() is queued as RCU work, sk_pair
won't go away while BPF executes the update.
2.2 BPF program invoking helper function bpf_map_update_elem() ->
sock_map_update_elem()
2.2.1 Unix sock accessible to BPF prog only via sockmap lookup in
BPF_PROG_TYPE_SOCKET_FILTER, BPF_PROG_TYPE_SCHED_CLS,
BPF_PROG_TYPE_SCHED_ACT, BPF_PROG_TYPE_XDP,
BPF_PROG_TYPE_SK_REUSEPORT, BPF_PROG_TYPE_FLOW_DISSECTOR,
BPF_PROG_TYPE_SK_LOOKUP.
Pretty much the same as case 2.1.
2.2.2 Unix sock accessible to BPF program directly:
BPF_PROG_TYPE_TRACING, narrowed down to BPF_TRACE_ITER.
Sockmap iterator (sock_map_seq_ops) is safe: unix sock
residing in a sockmap means that the sock already went through
the proto update step.
Unix sock iterator (bpf_iter_unix_seq_ops), on the other hand,
gives access to socks that may still be unconnected. Which
means iterator prog can race sockmap/proto update against
connect().
BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x253/0x4d0
Write of size 4 at addr 0000000000000080 by task test_progs/3140
Call Trace:
dump_stack_lvl+0x5d/0x80
kasan_report+0xe4/0x1c0
kasan_check_range+0x125/0x200
unix_stream_bpf_update_proto+0x253/0x4d0
sock_map_link+0x71c/0xec0
sock_map_update_common+0xbc/0x600
sock_map_update_elem+0x19a/0x1f0
bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217
bpf_iter_run_prog+0x21e/0xae0
bpf_iter_unix_seq_show+0x1e0/0x2a0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
While the introduced NULL check prevents null-ptr-deref in the
BPF program path as well, it is insufficient to guard against
a poorly timed close() leading to a use-after-free. This will
be addressed in a subsequent patch.
Fixes: c63829182c37 ("af_unix: Implement ->psock_update_sk_prot()")
Closes: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
Reported-by: Michal Luczaj <mhal@rbox.co>
Reported-by: 钱一铭 <yimingqian591@gmail.com>
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-4-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/unix_bpf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
index e0d30d6d22acb..57f3124c9d8db 100644
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -185,6 +185,9 @@ int unix_stream_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool r
*/
if (!psock->sk_pair) {
sk_pair = unix_peer(sk);
+ if (unlikely(!sk_pair))
+ return -EINVAL;
+
sock_hold(sk_pair);
psock->sk_pair = sk_pair;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 490/957] bpf, sockmap: Take state lock for af_unix iter
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 489/957] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 491/957] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
` (472 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Michal Luczaj,
Martin KaFai Lau, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 64c2f93fc3254d3bf5de4445fb732ee5c451edb6 ]
When a BPF iterator program updates a sockmap, there is a race condition in
unix_stream_bpf_update_proto() where the `peer` pointer can become stale[1]
during a state transition TCP_ESTABLISHED -> TCP_CLOSE.
CPU0 bpf CPU1 close
-------- ----------
// unix_stream_bpf_update_proto()
sk_pair = unix_peer(sk)
if (unlikely(!sk_pair))
return -EINVAL;
// unix_release_sock()
skpair = unix_peer(sk);
unix_peer(sk) = NULL;
sock_put(skpair)
sock_hold(sk_pair) // UaF
More practically, this fix guarantees that the iterator program is
consistently provided with a unix socket that remains stable during
iterator execution.
[1]:
BUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490
Write of size 4 at addr ffff8881178c9a00 by task test_progs/2231
Call Trace:
dump_stack_lvl+0x5d/0x80
print_report+0x170/0x4f3
kasan_report+0xe4/0x1c0
kasan_check_range+0x125/0x200
unix_stream_bpf_update_proto+0x155/0x490
sock_map_link+0x71c/0xec0
sock_map_update_common+0xbc/0x600
sock_map_update_elem+0x19a/0x1f0
bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217
bpf_iter_run_prog+0x21e/0xae0
bpf_iter_unix_seq_show+0x1e0/0x2a0
bpf_seq_read+0x42c/0x10d0
vfs_read+0x171/0xb20
ksys_read+0xff/0x200
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2236:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x63/0x80
kmem_cache_alloc_noprof+0x1d5/0x680
sk_prot_alloc+0x59/0x210
sk_alloc+0x34/0x470
unix_create1+0x86/0x8a0
unix_stream_connect+0x318/0x15b0
__sys_connect+0xfd/0x130
__x64_sys_connect+0x72/0xd0
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2236:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x47/0x70
kmem_cache_free+0x11c/0x590
__sk_destruct+0x432/0x6e0
unix_release_sock+0x9b3/0xf60
unix_release+0x8a/0xf0
__sock_release+0xb0/0x270
sock_close+0x18/0x20
__fput+0x36e/0xac0
fput_close_sync+0xe5/0x1a0
__x64_sys_close+0x7d/0xd0
do_syscall_64+0xf7/0x5e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-5-2af6fe97918e@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/af_unix.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index cf022252d521c..33ed8ecb556dd 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -3779,6 +3779,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
return 0;
lock_sock(sk);
+ unix_state_lock(sk);
if (unlikely(sock_flag(sk, SOCK_DEAD))) {
ret = SEQ_SKIP;
@@ -3790,6 +3791,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
prog = bpf_iter_get_info(&meta, false);
ret = unix_prog_seq_show(prog, &meta, v, uid);
unlock:
+ unix_state_unlock(sk);
release_sock(sk);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 491/957] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 490/957] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 492/957] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Greg Kroah-Hartman
` (471 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit e5f635edd393aeaa7cad9e42831d397e6e2e1eed ]
Fix an operator precedence issue in convert_bpf_ld_abs() where the
expression offset + ip_align % size evaluates as offset + (ip_align % size)
due to % having higher precedence than +. That latter evaluation does
not make any sense. The intended check is (offset + ip_align) % size == 0
to verify that the packet load offset is properly aligned for direct
access.
With NET_IP_ALIGN == 2, the bug causes the inline fast-path for direct
packet loads to almost never be taken on !CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
platforms. This forces nearly all cBPF BPF_LD_ABS packet loads through
the bpf_skb_load_helper slow path on the affected archs.
Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260416122719.661033-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 7fc01474c3781..ae6d0453cf123 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -508,7 +508,7 @@ static bool convert_bpf_ld_abs(struct sock_filter *fp, struct bpf_insn **insnp)
((unaligned_ok && offset >= 0) ||
(!unaligned_ok && offset >= 0 &&
offset + ip_align >= 0 &&
- offset + ip_align % size == 0))) {
+ (offset + ip_align) % size == 0))) {
bool ldx_off_ok = offset <= S16_MAX;
*insn++ = BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_H);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 492/957] bpf: Fix NULL deref in map_kptr_match_type for scalar regs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 491/957] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 493/957] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
` (470 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hiker Cl, Mykyta Yatsenko,
Paul Chaignon, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mykyta Yatsenko <yatsenko@meta.com>
[ Upstream commit 4d0a375887ab4d49e4da1ff10f9606cab8f7c3ad ]
Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local
kptr") refactored map_kptr_match_type() to branch on btf_is_kernel()
before checking base_type(). A scalar register stored into a kptr
slot has no btf, so the btf_is_kernel(reg->btf) call dereferences
NULL.
Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf
access.
Fixes: ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr")
Reported-by: Hiker Cl <clhiker365@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221372
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260416-kptr_crash-v1-1-5589356584b4@meta.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 153a7c1d32069..ebfa27d4002c5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5843,6 +5843,9 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
int perm_flags;
const char *reg_name = "";
+ if (base_type(reg->type) != PTR_TO_BTF_ID)
+ goto bad_type;
+
if (btf_is_kernel(reg->btf)) {
perm_flags = PTR_MAYBE_NULL | PTR_TRUSTED | MEM_RCU;
@@ -5855,7 +5858,7 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
perm_flags |= MEM_PERCPU;
}
- if (base_type(reg->type) != PTR_TO_BTF_ID || (type_flag(reg->type) & ~perm_flags))
+ if (type_flag(reg->type) & ~perm_flags)
goto bad_type;
/* We need to verify reg->type and reg->btf, before accessing reg->btf */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 493/957] bpf: allow UTF-8 literals in bpf_bprintf_prepare()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 492/957] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 494/957] libbpf: Prevent double close and leak of btf objects Greg Kroah-Hartman
` (469 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihan Ding, Paul Chaignon,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihan Ding <dingyihan@uniontech.com>
[ Upstream commit b960430ea8862ef37ce53c8bf74a8dc79d3f2404 ]
bpf_bprintf_prepare() only needs ASCII parsing for conversion
specifiers. Plain text can safely carry bytes >= 0x80, so allow
UTF-8 literals outside '%' sequences while keeping ASCII control
bytes rejected and format specifiers ASCII-only.
This keeps existing parsing rules for format directives unchanged,
while allowing helpers such as bpf_trace_printk() to emit UTF-8
literal text.
Update test_snprintf_negative() in the same commit so selftests keep
matching the new plain-text vs format-specifier split during bisection.
Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with bstr_printf")
Signed-off-by: Yihan Ding <dingyihan@uniontech.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260416120142.1420646-2-dingyihan@uniontech.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/helpers.c | 17 ++++++++++++++++-
.../testing/selftests/bpf/prog_tests/snprintf.c | 3 ++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 68da6dcfb4bb7..b596452424481 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -848,7 +848,13 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, const u64 *raw_args,
data->buf = buffers->buf;
for (i = 0; i < fmt_size; i++) {
- if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) {
+ unsigned char c = fmt[i];
+
+ /*
+ * Permit bytes >= 0x80 in plain text so UTF-8 literals can pass
+ * through unchanged, while still rejecting ASCII control bytes.
+ */
+ if (isascii(c) && !isprint(c) && !isspace(c)) {
err = -EINVAL;
goto out;
}
@@ -870,6 +876,15 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, const u64 *raw_args,
* always access fmt[i + 1], in the worst case it will be a 0
*/
i++;
+ c = fmt[i];
+ /*
+ * The format parser below only understands ASCII conversion
+ * specifiers and modifiers, so reject non-ASCII after '%'.
+ */
+ if (!isascii(c)) {
+ err = -EINVAL;
+ goto out;
+ }
/* skip optional "[0 +-][num]" width formatting field */
while (fmt[i] == '0' || fmt[i] == '+' || fmt[i] == '-' ||
diff --git a/tools/testing/selftests/bpf/prog_tests/snprintf.c b/tools/testing/selftests/bpf/prog_tests/snprintf.c
index 594441acb7071..4e4a82d54f799 100644
--- a/tools/testing/selftests/bpf/prog_tests/snprintf.c
+++ b/tools/testing/selftests/bpf/prog_tests/snprintf.c
@@ -114,7 +114,8 @@ static void test_snprintf_negative(void)
ASSERT_ERR(load_single_snprintf("%--------"), "invalid specifier 5");
ASSERT_ERR(load_single_snprintf("%lc"), "invalid specifier 6");
ASSERT_ERR(load_single_snprintf("%llc"), "invalid specifier 7");
- ASSERT_ERR(load_single_snprintf("\x80"), "non ascii character");
+ ASSERT_OK(load_single_snprintf("\x80"), "non ascii plain text");
+ ASSERT_ERR(load_single_snprintf("%\x80"), "non ascii in specifier");
ASSERT_ERR(load_single_snprintf("\x1"), "non printable character");
ASSERT_ERR(load_single_snprintf("%p%"), "invalid specifier 8");
ASSERT_ERR(load_single_snprintf("%s%"), "invalid specifier 9");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 494/957] libbpf: Prevent double close and leak of btf objects
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 493/957] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 495/957] bpf: Validate node_id in arena_alloc_pages() Greg Kroah-Hartman
` (468 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Olsa, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
[ Upstream commit 380044c40b1636a72fd8f188b5806be6ae564279 ]
Sashiko found possible double close of btf object fd [1],
which happens when strdup in load_module_btfs fails at which
point the obj->btf_module_cnt is already incremented.
The error path close btf fd and so does later cleanup code in
bpf_object_post_load_cleanup function.
Also libbpf_ensure_mem failure leaves btf object not assigned
and it's leaked.
Replacing the err_out label with break to make the error path
less confusing as suggested by Alan.
Incrementing obj->btf_module_cnt only if there's no failure
and releasing btf object in error path.
Fixes: 91abb4a6d79d ("libbpf: Support attachment of BPF tracing programs to kernel modules")
[1] https://sashiko.dev/#/patchset/20260324081846.2334094-1-jolsa%40kernel.org
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20260416100034.1610852-1-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 9c98c6adb6d05..84b6fb47a2f79 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -5746,11 +5746,12 @@ static int load_module_btfs(struct bpf_object *obj)
info.name = ptr_to_u64(name);
info.name_len = sizeof(name);
+ btf = NULL;
err = bpf_btf_get_info_by_fd(fd, &info, &len);
if (err) {
err = -errno;
pr_warn("failed to get BTF object #%d info: %s\n", id, errstr(err));
- goto err_out;
+ break;
}
/* ignore non-module BTFs */
@@ -5764,15 +5765,15 @@ static int load_module_btfs(struct bpf_object *obj)
if (err) {
pr_warn("failed to load module [%s]'s BTF object #%d: %s\n",
name, id, errstr(err));
- goto err_out;
+ break;
}
err = libbpf_ensure_mem((void **)&obj->btf_modules, &obj->btf_module_cap,
sizeof(*obj->btf_modules), obj->btf_module_cnt + 1);
if (err)
- goto err_out;
+ break;
- mod_btf = &obj->btf_modules[obj->btf_module_cnt++];
+ mod_btf = &obj->btf_modules[obj->btf_module_cnt];
mod_btf->btf = btf;
mod_btf->id = id;
@@ -5780,16 +5781,16 @@ static int load_module_btfs(struct bpf_object *obj)
mod_btf->name = strdup(name);
if (!mod_btf->name) {
err = -ENOMEM;
- goto err_out;
+ break;
}
- continue;
+ obj->btf_module_cnt++;
+ }
-err_out:
+ if (err) {
+ btf__free(btf);
close(fd);
- return err;
}
-
- return 0;
+ return err;
}
static struct bpf_core_cand_list *
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 495/957] bpf: Validate node_id in arena_alloc_pages()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 494/957] libbpf: Prevent double close and leak of btf objects Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 496/957] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
` (467 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Puranjay Mohan, Emil Tsalapatis,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit 2845989f2ebaf7848e4eccf9a779daf3156ea0a5 ]
arena_alloc_pages() accepts a plain int node_id and forwards it through
the entire allocation chain without any bounds checking.
Validate node_id before passing it down the allocation chain in
arena_alloc_pages().
Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417152135.1383754-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/arena.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index c67525847687f..dafa179da0c9c 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -446,6 +446,10 @@ static long arena_alloc_pages(struct bpf_arena *arena, long uaddr, long page_cnt
u32 uaddr32;
int ret, i;
+ if (node_id != NUMA_NO_NODE &&
+ ((unsigned int)node_id >= nr_node_ids || !node_online(node_id)))
+ return 0;
+
if (page_cnt > page_cnt_max)
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 496/957] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 495/957] bpf: Validate node_id in arena_alloc_pages() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 497/957] perf trace: Fix IS_ERR() vs NULL check bug Greg Kroah-Hartman
` (466 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Jonas Rebmann,
Puranjay Mohan, Emil Tsalapatis, Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puranjay Mohan <puranjay@kernel.org>
[ Upstream commit e1d486445af3c392628532229f7ce5f5cf7891b6 ]
The ARM32 BPF JIT does not support BPF-to-BPF function calls
(BPF_PSEUDO_CALL) or callbacks (BPF_PSEUDO_FUNC), but it does
not reject them either.
When a program with subprograms is loaded (e.g. libxdp's XDP
dispatcher uses __noinline__ subprograms, or any program using
callbacks like bpf_loop or bpf_for_each_map_elem), the verifier
invokes bpf_jit_subprogs() which calls bpf_int_jit_compile()
for each subprogram.
For BPF_PSEUDO_CALL, since ARM32 does not reject it, the JIT
silently emits code using the wrong address computation:
func = __bpf_call_base + imm
where imm is a pc-relative subprogram offset, producing a bogus
function pointer.
For BPF_PSEUDO_FUNC, the ldimm64 handler ignores src_reg and
loads the immediate as a normal 64-bit value without error.
In both cases, build_body() reports success and a JIT image is
allocated. ARM32 lacks the jit_data/extra_pass mechanism needed
for the second JIT pass in bpf_jit_subprogs(). On the second
pass, bpf_int_jit_compile() performs a full fresh compilation,
allocating a new JIT binary and overwriting prog->bpf_func. The
first allocation is never freed. bpf_jit_subprogs() then detects
the function pointer changed and aborts with -ENOTSUPP, but the
original JIT binary has already been leaked. Each program
load/unload cycle leaks one JIT binary allocation, as reported
by kmemleak:
unreferenced object 0xbf0a1000 (size 4096):
backtrace:
bpf_jit_binary_alloc+0x64/0xfc
bpf_int_jit_compile+0x14c/0x348
bpf_jit_subprogs+0x4fc/0xa60
Fix this by rejecting both BPF_PSEUDO_CALL in the BPF_CALL
handler and BPF_PSEUDO_FUNC in the BPF_LD_IMM64 handler, falling
through to the existing 'notyet' path. This causes build_body()
to fail before any JIT binary is allocated, so
bpf_int_jit_compile() returns the original program unjitted.
bpf_jit_subprogs() then sees !prog->jited and cleanly falls
back to the interpreter with no leak.
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs")
Reported-by: Jonas Rebmann <jre@pengutronix.de>
Closes: https://lore.kernel.org/bpf/b63e9174-7a3d-4e22-8294-16df07a4af89@pengutronix.de
Tested-by: Jonas Rebmann <jre@pengutronix.de>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417143353.838911-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/net/bpf_jit_32.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index deeb8f292454b..a900aa9738855 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -1852,6 +1852,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
{
u64 val = (u32)imm | (u64)insn[1].imm << 32;
+ if (insn->src_reg == BPF_PSEUDO_FUNC)
+ goto notyet;
+
emit_a32_mov_i64(dst, val, ctx);
return 1;
@@ -2055,6 +2058,9 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
const s8 *r5 = bpf2a32[BPF_REG_5];
const u32 func = (u32)__bpf_call_base + (u32)imm;
+ if (insn->src_reg == BPF_PSEUDO_CALL)
+ goto notyet;
+
emit_a32_mov_r64(true, r0, r1, ctx);
emit_a32_mov_r64(true, r1, r2, ctx);
emit_push_r64(r5, ctx);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 497/957] perf trace: Fix IS_ERR() vs NULL check bug
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 496/957] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 498/957] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
` (465 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wangguangju, Howard Chu, Ian Rogers,
Namhyung Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangguangju <wangguangju@hygon.cn>
[ Upstream commit 96f202eab8133f94479b14a32902c636e9bdf6af ]
The alloc_syscall_stats() function always returns an error pointer
(ERR_PTR) on failure.
So replace NULL check with IS_ERR() check after calling
delete_syscall_stats() function.
Fixes: ef2da619b132c6f74 ("perf trace: Convert syscall_stats to hashmap")
Signed-off-by: wangguangju <wangguangju@hygon.cn>
Reviewed-by: Howard Chu <howardchu95@gmail.com>
Acked-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index c607f39b8c8bb..1f0b9ba3cdc15 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1573,7 +1573,7 @@ static void delete_syscall_stats(struct hashmap *syscall_stats)
struct hashmap_entry *pos;
size_t bkt;
- if (syscall_stats == NULL)
+ if (IS_ERR(syscall_stats))
return;
hashmap__for_each_entry(syscall_stats, pos, bkt)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 498/957] pinctrl: pinctrl-pic32: Fix resource leak
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 497/957] perf trace: Fix IS_ERR() vs NULL check bug Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 499/957] perf trace: Avoid an ERR_PTR in syscall_stats Greg Kroah-Hartman
` (464 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit fe5560688f3ba98364c7de7b4f8dc240ffd1ff75 ]
Fix three possible resource leaks by using the devres version of
clk_prepare_enable(). Also, update error message accordingly.
Detected by Smatch:
drivers/pinctrl/pinctrl-pic32.c:2211 pic32_pinctrl_probe() warn:
'pctl->clk' from clk_prepare_enable() not released on lines: 2208.
drivers/pinctrl/pinctrl-pic32.c:2274 pic32_gpio_probe() warn:
'bank->clk' from clk_prepare_enable() not released on lines: 2264,2272.
Fixes: 2ba384e6c3810 ("pinctrl: pinctrl-pic32: Add PIC32 pin control driver")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-pic32.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-pic32.c b/drivers/pinctrl/pinctrl-pic32.c
index e8b481e87c779..506e95793adf3 100644
--- a/drivers/pinctrl/pinctrl-pic32.c
+++ b/drivers/pinctrl/pinctrl-pic32.c
@@ -2175,16 +2175,10 @@ static int pic32_pinctrl_probe(struct platform_device *pdev)
if (IS_ERR(pctl->reg_base))
return PTR_ERR(pctl->reg_base);
- pctl->clk = devm_clk_get(&pdev->dev, NULL);
+ pctl->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(pctl->clk)) {
ret = PTR_ERR(pctl->clk);
- dev_err(&pdev->dev, "clk get failed\n");
- return ret;
- }
-
- ret = clk_prepare_enable(pctl->clk);
- if (ret) {
- dev_err(&pdev->dev, "clk enable failed\n");
+ dev_err(&pdev->dev, "Failed to get and enable clock\n");
return ret;
}
@@ -2240,16 +2234,10 @@ static int pic32_gpio_probe(struct platform_device *pdev)
if (irq < 0)
return irq;
- bank->clk = devm_clk_get(&pdev->dev, NULL);
+ bank->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(bank->clk)) {
ret = PTR_ERR(bank->clk);
- dev_err(&pdev->dev, "clk get failed\n");
- return ret;
- }
-
- ret = clk_prepare_enable(bank->clk);
- if (ret) {
- dev_err(&pdev->dev, "clk enable failed\n");
+ dev_err(&pdev->dev, "Failed to get and enable clock\n");
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 499/957] perf trace: Avoid an ERR_PTR in syscall_stats
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 498/957] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 500/957] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
` (463 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit d05073adda0f047e9b2115a2932bcb2797eab238 ]
hashmap__new may return an ERR_PTR and previously this would be
assigned to syscall_stats meaning all use of syscall_stats needs to
test for NULL (uninitialized) or an ERR_PTR. Given the only reason
hashmap__new can fail is ENOMEM, just use NULL to indicate the
allocation failure and avoid the code having to test for NULL and
IS_ERR.
Fixes: 96f202eab813 (perf trace: Fix IS_ERR() vs NULL check bug)
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 1f0b9ba3cdc15..96efe1fba8547 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1565,7 +1565,9 @@ static bool syscall_id_equal(long key1, long key2, void *ctx __maybe_unused)
static struct hashmap *alloc_syscall_stats(void)
{
- return hashmap__new(syscall_id_hash, syscall_id_equal, NULL);
+ struct hashmap *result = hashmap__new(syscall_id_hash, syscall_id_equal, NULL);
+
+ return IS_ERR(result) ? NULL : result;
}
static void delete_syscall_stats(struct hashmap *syscall_stats)
@@ -1573,7 +1575,7 @@ static void delete_syscall_stats(struct hashmap *syscall_stats)
struct hashmap_entry *pos;
size_t bkt;
- if (IS_ERR(syscall_stats))
+ if (!syscall_stats)
return;
hashmap__for_each_entry(syscall_stats, pos, bkt)
@@ -1589,7 +1591,7 @@ static struct thread_trace *thread_trace__new(struct trace *trace)
ttrace->files.max = -1;
if (trace->summary) {
ttrace->syscall_stats = alloc_syscall_stats();
- if (IS_ERR(ttrace->syscall_stats))
+ if (!ttrace->syscall_stats)
zfree(&ttrace);
}
}
@@ -4441,7 +4443,7 @@ static int trace__run(struct trace *trace, int argc, const char **argv)
if (trace->summary_mode == SUMMARY__BY_TOTAL && !trace->summary_bpf) {
trace->syscall_stats = alloc_syscall_stats();
- if (IS_ERR(trace->syscall_stats))
+ if (!trace->syscall_stats)
goto out_delete_evlist;
}
@@ -4749,7 +4751,7 @@ static int trace__replay(struct trace *trace)
if (trace->summary_mode == SUMMARY__BY_TOTAL) {
trace->syscall_stats = alloc_syscall_stats();
- if (IS_ERR(trace->syscall_stats))
+ if (!trace->syscall_stats)
goto out;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 500/957] pinctrl: cy8c95x0: remove duplicate error message
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 499/957] perf trace: Avoid an ERR_PTR in syscall_stats Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 501/957] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
` (462 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 970dacb3b9f0fedbbbcfd7dbf1f4f22340b3f359 ]
The pin control core is covered to report any error via message.
The devm_request_threaded_irq() already prints an error message.
Remove the duplicates.
While at it, drop the info message as the same information about
an IRQ in use can be retrieved differently.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 5ad32c3607cf ("pinctrl: cy8c95x0: Avoid returning positive values to user space")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 21 +++++----------------
1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index 5c055d344ac9d..c0f1d964f8397 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1310,6 +1310,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
{
struct gpio_irq_chip *girq = &chip->gpio_chip.irq;
DECLARE_BITMAP(pending_irqs, MAX_LINE);
+ struct device *dev = chip->dev;
int ret;
mutex_init(&chip->irq_lock);
@@ -1336,17 +1337,9 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
girq->handler = handle_simple_irq;
girq->threaded = true;
- ret = devm_request_threaded_irq(chip->dev, irq,
- NULL, cy8c95x0_irq_handler,
- IRQF_ONESHOT | IRQF_SHARED,
- dev_name(chip->dev), chip);
- if (ret) {
- dev_err(chip->dev, "failed to request irq %d\n", irq);
- return ret;
- }
- dev_info(chip->dev, "Registered threaded IRQ\n");
-
- return 0;
+ return devm_request_threaded_irq(dev, irq, NULL, cy8c95x0_irq_handler,
+ IRQF_ONESHOT | IRQF_SHARED,
+ dev_name(chip->dev), chip);
}
static int cy8c95x0_setup_pinctrl(struct cy8c95x0_pinctrl *chip)
@@ -1362,11 +1355,7 @@ static int cy8c95x0_setup_pinctrl(struct cy8c95x0_pinctrl *chip)
pd->owner = THIS_MODULE;
chip->pctldev = devm_pinctrl_register(chip->dev, pd, chip);
- if (IS_ERR(chip->pctldev))
- return dev_err_probe(chip->dev, PTR_ERR(chip->pctldev),
- "can't register controller\n");
-
- return 0;
+ return PTR_ERR_OR_ZERO(chip->pctldev);
}
static int cy8c95x0_detect(struct i2c_client *client,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 501/957] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 500/957] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 502/957] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
` (461 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 014884732095b982412d13d3220c3fe8483b9b3e ]
Unify error messages that might appear during probe phase by
switching to use dev_err_probe().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Stable-dep-of: 5ad32c3607cf ("pinctrl: cy8c95x0: Avoid returning positive values to user space")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index c0f1d964f8397..14d927035bc0f 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1319,10 +1319,8 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
/* Read IRQ status register to clear all pending interrupts */
ret = cy8c95x0_irq_pending(chip, pending_irqs);
- if (ret) {
- dev_err(chip->dev, "failed to clear irq status register\n");
- return ret;
- }
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to clear irq status register\n");
/* Mask all interrupts */
bitmap_fill(chip->irq_mask, MAX_LINE);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 502/957] pinctrl: cy8c95x0: Avoid returning positive values to user space
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 501/957] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 503/957] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
` (460 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Andy Shevchenko, Linus Walleij, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 5ad32c3607cf241a1a2680cabd64cbcd757227aa ]
When probe fails due to unclear interrupt status register, it returns
a positive number instead of the proper error code. Fix this accordingly.
Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202602271847.vVWkqLBD-lkp@intel.com/
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-cy8c95x0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
index 14d927035bc0f..54b117f32f0ea 100644
--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
+++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
@@ -1320,7 +1320,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
/* Read IRQ status register to clear all pending interrupts */
ret = cy8c95x0_irq_pending(chip, pending_irqs);
if (ret)
- return dev_err_probe(dev, ret, "failed to clear irq status register\n");
+ return dev_err_probe(dev, -EBUSY, "failed to clear irq status register\n");
/* Mask all interrupts */
bitmap_fill(chip->irq_mask, MAX_LINE);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 503/957] perf branch: Avoid incrementing NULL
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 502/957] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 504/957] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
` (459 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit c969a9d7bbf46f983c4a48566b3b2f7340b02296 ]
If the entry is NULL the value is meaningless so early return NULL to
avoid an increment of NULL. This was happening in calls from
has_stitched_lbr when running the "perf record LBR tests". The return
value isn't used in that case, so returning NULL as no effect.
Fixes: 42bbabed09ce ("perf tools: Add hw_idx in struct branch_stack")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/branch.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/util/branch.h b/tools/perf/util/branch.h
index 7429530fa7749..a1d4736497c40 100644
--- a/tools/perf/util/branch.h
+++ b/tools/perf/util/branch.h
@@ -66,6 +66,9 @@ static inline struct branch_entry *perf_sample__branch_entries(struct perf_sampl
{
u64 *entry = (u64 *)sample->branch_stack;
+ if (entry == NULL)
+ return NULL;
+
entry++;
if (sample->no_hw_idx)
return (struct branch_entry *)entry;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 504/957] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 503/957] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 505/957] pinctrl: pinconf-generic: Fully validate pinmux property Greg Kroah-Hartman
` (458 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Mike Leach, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Leach <mike.leach@arm.com>
[ Upstream commit 6c478e7b3eba3f387a2d6c749e3e3ee0f8ad1c53 ]
Building perf with CORESIGHT=1 and the optional CSTRACE_RAW=1 enables
additional debug printing of raw trace data when using command:-
perf report --dump.
This raw trace prints the CoreSight formatted trace frames, which may be
used to investigate suspected issues with trace quality / corruption /
decode.
These frames are not present in ETE + TRBE trace.
This fix removes the unnecessary call to print these frames.
This fix also rationalises implementation - original code had helper
function that unnecessarily repeated initialisation calls that had
already been made.
Due to an addtional fault with the OpenCSD library, this call when ETE/TRBE
are being decoded will cause a segfault in perf. This fix also prevents
that problem for perf using older (<= 1.8.0 version) OpenCSD libraries.
Fixes: 68ffe3902898 ("perf tools: Add decoder mechanic to support dumping trace data")
Reported-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Mike Leach <mike.leach@arm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../perf/util/cs-etm-decoder/cs-etm-decoder.c | 51 +++++--------------
1 file changed, 13 insertions(+), 38 deletions(-)
diff --git a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
index b85a8837bddcd..43ac711a4e2ae 100644
--- a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
+++ b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
@@ -237,46 +237,24 @@ cs_etm_decoder__init_def_logger_printing(struct cs_etm_decoder_params *d_params,
(void *)decoder,
cs_etm_decoder__print_str_cb);
if (ret != 0)
- ret = -1;
-
- return 0;
-}
+ return -1;
#ifdef CS_LOG_RAW_FRAMES
-static void
-cs_etm_decoder__init_raw_frame_logging(struct cs_etm_decoder_params *d_params,
- struct cs_etm_decoder *decoder)
-{
- /* Only log these during a --dump operation */
- if (d_params->operation == CS_ETM_OPERATION_PRINT) {
- /* set up a library default logger to process the
- * raw frame printer we add later
- */
- ocsd_def_errlog_init(OCSD_ERR_SEV_ERROR, 1);
-
- /* no stdout / err / file output */
- ocsd_def_errlog_config_output(C_API_MSGLOGOUT_FLG_NONE, NULL);
-
- /* set the string CB for the default logger,
- * passes strings to perf print logger.
- */
- ocsd_def_errlog_set_strprint_cb(decoder->dcd_tree,
- (void *)decoder,
- cs_etm_decoder__print_str_cb);
-
+ /*
+ * Only log raw frames if --dump operation and hardware is actually
+ * generating formatted CoreSight trace frames
+ */
+ if ((d_params->operation == CS_ETM_OPERATION_PRINT) &&
+ (d_params->formatted == true)) {
/* use the built in library printer for the raw frames */
- ocsd_dt_set_raw_frame_printer(decoder->dcd_tree,
- CS_RAW_DEBUG_FLAGS);
+ ret = ocsd_dt_set_raw_frame_printer(decoder->dcd_tree,
+ CS_RAW_DEBUG_FLAGS);
+ if (ret != 0)
+ return -1;
}
-}
-#else
-static void
-cs_etm_decoder__init_raw_frame_logging(
- struct cs_etm_decoder_params *d_params __maybe_unused,
- struct cs_etm_decoder *decoder __maybe_unused)
-{
-}
#endif
+ return 0;
+}
static ocsd_datapath_resp_t
cs_etm_decoder__do_soft_timestamp(struct cs_etm_queue *etmq,
@@ -760,9 +738,6 @@ cs_etm_decoder__new(int decoders, struct cs_etm_decoder_params *d_params,
if (ret != 0)
goto err_free_decoder;
- /* init raw frame logging if required */
- cs_etm_decoder__init_raw_frame_logging(d_params, decoder);
-
for (i = 0; i < decoders; i++) {
ret = cs_etm_decoder__create_etm_decoder(d_params,
&t_params[i],
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 505/957] pinctrl: pinconf-generic: Fully validate pinmux property
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 504/957] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 506/957] pinctrl: realtek: Fix function signature for config argument Greg Kroah-Hartman
` (457 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit c98324ea7849b6e5baa1774f71709b375a2c2f9e ]
The pinconf_generic_parse_dt_pinmux() assumes that the 'pinmux' property
is not empty when present. This might be not true. With that, the allocator
will give a special value in return and not NULL which lead to the crash
when trying to access that (invalid) memory. Fix that by fully validating
'pinmux' value, including its length.
Fixes: 7112c05fff83 ("pinctrl: pinconf-generic: Add API for pinmux propertity in DTS file")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinconf-generic.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c
index cad29abe4050a..8f6a83fdc3844 100644
--- a/drivers/pinctrl/pinconf-generic.c
+++ b/drivers/pinctrl/pinconf-generic.c
@@ -261,12 +261,17 @@ int pinconf_generic_parse_dt_pinmux(struct device_node *np, struct device *dev,
return -ENOENT;
}
+ npins_t = prop->length / sizeof(u32);
+ if (npins_t == 0) {
+ dev_info(dev, "pinmux property doesn't have entries\n");
+ return -ENODATA;
+ }
+
if (!pid || !pmux || !npins) {
dev_err(dev, "parameters error\n");
return -EINVAL;
}
- npins_t = prop->length / sizeof(u32);
pid_t = devm_kcalloc(dev, npins_t, sizeof(*pid_t), GFP_KERNEL);
pmux_t = devm_kcalloc(dev, npins_t, sizeof(*pmux_t), GFP_KERNEL);
if (!pid_t || !pmux_t) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 506/957] pinctrl: realtek: Fix function signature for config argument
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 505/957] pinctrl: pinconf-generic: Fully validate pinmux property Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 507/957] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
` (456 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu-Chun Lin, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu-Chun Lin <eleanor.lin@realtek.com>
[ Upstream commit 1f5451844786ed203605528dca9e5d84ed378160 ]
The argument originates from pinconf_to_config_argument(), which returns a
u32. Therefore, the arg parameter should be an unsigned int instead of enum
pin_config_param.
Fixes: e99ce78030db ("pinctrl: realtek: Add common pinctrl driver for Realtek DHC RTD SoCs")
Signed-off-by: Yu-Chun Lin <eleanor.lin@realtek.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/realtek/pinctrl-rtd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/realtek/pinctrl-rtd.c b/drivers/pinctrl/realtek/pinctrl-rtd.c
index 2440604863327..4c876d1f6ad59 100644
--- a/drivers/pinctrl/realtek/pinctrl-rtd.c
+++ b/drivers/pinctrl/realtek/pinctrl-rtd.c
@@ -279,7 +279,7 @@ static const struct rtd_pin_sconfig_desc *rtd_pinctrl_find_sconfig(struct rtd_pi
static int rtd_pconf_parse_conf(struct rtd_pinctrl *data,
unsigned int pinnr,
enum pin_config_param param,
- enum pin_config_param arg)
+ unsigned int arg)
{
const struct rtd_pin_config_desc *config_desc;
const struct rtd_pin_sconfig_desc *sconfig_desc;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 507/957] pinctrl: abx500: Fix type of argument variable
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 506/957] pinctrl: realtek: Fix function signature for config argument Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 508/957] pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers Greg Kroah-Hartman
` (455 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu-Chun Lin, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu-Chun Lin <eleanor15x@gmail.com>
[ Upstream commit 34006f77890d050e6d80cbee365b5d703c1140b4 ]
The argument variable is assigned the return value of
pinconf_to_config_argument(), which returns a u32. Change its type from
enum pin_config_param to unsigned int to correctly store the configuration
argument.
Fixes: 03b054e9696c ("pinctrl: Pass all configs to driver on pin_config_set()")
Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/nomadik/pinctrl-abx500.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/nomadik/pinctrl-abx500.c b/drivers/pinctrl/nomadik/pinctrl-abx500.c
index fc7ebeda8440e..858fbaebcf8e5 100644
--- a/drivers/pinctrl/nomadik/pinctrl-abx500.c
+++ b/drivers/pinctrl/nomadik/pinctrl-abx500.c
@@ -852,7 +852,7 @@ static int abx500_pin_config_set(struct pinctrl_dev *pctldev,
int ret = -EINVAL;
int i;
enum pin_config_param param;
- enum pin_config_param argument;
+ unsigned int argument;
for (i = 0; i < num_configs; i++) {
param = pinconf_to_config_param(configs[i]);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 508/957] pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 507/957] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 509/957] perf lock: Fix option value type in parse_max_stack Greg Kroah-Hartman
` (454 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Geert Uytterhoeven,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit d9a60e367919752a1d398ebeba667f1e200fae1e ]
The rzg2l_pinctrl_pm_setup_regs() handles save/restore of
{IOLH,IEN,PUPD,SMT} registers during s2ram, but only for ports where all
pins share the same pincfg. Extend the code to also support ports with
variable pincfg per pin, so that {IOLH,IEN,PUPD,SMT} registers are
correctly saved and restored for all pins.
Fixes: 254203f9a94c ("pinctrl: renesas: rzg2l: Add suspend/resume support")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260326162459.101414-1-biju.das.jz@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
index c2711b2de374d..ca360185740a8 100644
--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
@@ -2997,6 +2997,13 @@ static void rzg2l_pinctrl_pm_setup_regs(struct rzg2l_pinctrl *pctrl, bool suspen
off = RZG2L_PIN_CFG_TO_PORT_OFFSET(cfg);
pincnt = hweight8(FIELD_GET(PIN_CFG_PIN_MAP_MASK, cfg));
+ if (cfg & RZG2L_VARIABLE_CFG) {
+ unsigned int pin = port * RZG2L_PINS_PER_PORT;
+
+ for (unsigned int i = 0; i < RZG2L_PINS_PER_PORT; i++)
+ cfg |= *(u64 *)pctrl->desc.pins[pin + i].drv_data;
+ }
+
caps = FIELD_GET(PIN_CFG_MASK, cfg);
has_iolh = !!(caps & (PIN_CFG_IOLH_A | PIN_CFG_IOLH_B | PIN_CFG_IOLH_C));
has_ien = !!(caps & PIN_CFG_IEN);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 509/957] perf lock: Fix option value type in parse_max_stack
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 508/957] pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 510/957] perf stat: Fix opt->value type for parse_cache_level Greg Kroah-Hartman
` (453 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit cfaade34b52aa1ec553044255702c4b31b57c005 ]
The value is a void* and the address of an int, max_stack_depth, is
set up in the perf lock options. The parse_max_stack function treats
the int* as a long*, make this more correct by declaring the value to
be an int*.
Fixes: 0a277b622670 ("perf lock contention: Check --max-stack option")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-lock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c
index e8962c985d34a..5585aeb97684d 100644
--- a/tools/perf/builtin-lock.c
+++ b/tools/perf/builtin-lock.c
@@ -2250,7 +2250,7 @@ static int parse_map_entry(const struct option *opt, const char *str,
static int parse_max_stack(const struct option *opt, const char *str,
int unset __maybe_unused)
{
- unsigned long *len = (unsigned long *)opt->value;
+ int *len = opt->value;
long val;
char *endptr;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 510/957] perf stat: Fix opt->value type for parse_cache_level
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 509/957] perf lock: Fix option value type in parse_max_stack Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 511/957] memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name() Greg Kroah-Hartman
` (452 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 44311ae84ad9177fb311aee856027861c22f17b2 ]
Commit f5803651b4a4 ("perf stat: Choose the most disaggregate command
line option") changed aggregation option handling for `perf stat` but
not `perf stat report` leading to parse_cache_level being passed a
struct in the `perf stat` case but erroneously an aggr_mode enum value
for `perf stat report`. Change the `perf stat report` aggregation
handling to use the same opt_aggr_mode as `perf stat`. Also, just pass
the boolean for consistency with other boolean argument handling.
Fixes: f5803651b4a4 ("perf stat: Choose the most disaggregate command line option")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-stat.c | 43 +++++++++++++++++++++------------------
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
index b6533dcf5465b..9eb0876633c05 100644
--- a/tools/perf/builtin-stat.c
+++ b/tools/perf/builtin-stat.c
@@ -153,7 +153,7 @@ struct opt_aggr_mode {
};
/* Turn command line option into most generic aggregation mode setting. */
-static enum aggr_mode opt_aggr_mode_to_aggr_mode(struct opt_aggr_mode *opt_mode)
+static enum aggr_mode opt_aggr_mode_to_aggr_mode(const struct opt_aggr_mode *opt_mode)
{
enum aggr_mode mode = AGGR_GLOBAL;
@@ -1161,8 +1161,8 @@ static int parse_cache_level(const struct option *opt,
int unset __maybe_unused)
{
int level;
- struct opt_aggr_mode *opt_aggr_mode = (struct opt_aggr_mode *)opt->value;
- u32 *aggr_level = (u32 *)opt->data;
+ bool *per_cache = opt->value;
+ u32 *aggr_level = opt->data;
/*
* If no string is specified, aggregate based on the topology of
@@ -1200,7 +1200,7 @@ static int parse_cache_level(const struct option *opt,
return -EINVAL;
}
out:
- opt_aggr_mode->cache = true;
+ *per_cache = true;
*aggr_level = level;
return 0;
}
@@ -2262,24 +2262,23 @@ static struct perf_stat perf_stat = {
static int __cmd_report(int argc, const char **argv)
{
struct perf_session *session;
+ struct opt_aggr_mode opt_mode = {};
const struct option options[] = {
OPT_STRING('i', "input", &input_name, "file", "input file name"),
- OPT_SET_UINT(0, "per-socket", &perf_stat.aggr_mode,
- "aggregate counts per processor socket", AGGR_SOCKET),
- OPT_SET_UINT(0, "per-die", &perf_stat.aggr_mode,
- "aggregate counts per processor die", AGGR_DIE),
- OPT_SET_UINT(0, "per-cluster", &perf_stat.aggr_mode,
- "aggregate counts perf processor cluster", AGGR_CLUSTER),
- OPT_CALLBACK_OPTARG(0, "per-cache", &perf_stat.aggr_mode, &perf_stat.aggr_level,
- "cache level",
- "aggregate count at this cache level (Default: LLC)",
+ OPT_BOOLEAN(0, "per-thread", &opt_mode.thread, "aggregate counts per thread"),
+ OPT_BOOLEAN(0, "per-socket", &opt_mode.socket,
+ "aggregate counts per processor socket"),
+ OPT_BOOLEAN(0, "per-die", &opt_mode.die, "aggregate counts per processor die"),
+ OPT_BOOLEAN(0, "per-cluster", &opt_mode.cluster,
+ "aggregate counts per processor cluster"),
+ OPT_CALLBACK_OPTARG(0, "per-cache", &opt_mode.cache, &perf_stat.aggr_level,
+ "cache level", "aggregate count at this cache level (Default: LLC)",
parse_cache_level),
- OPT_SET_UINT(0, "per-core", &perf_stat.aggr_mode,
- "aggregate counts per physical processor core", AGGR_CORE),
- OPT_SET_UINT(0, "per-node", &perf_stat.aggr_mode,
- "aggregate counts per numa node", AGGR_NODE),
- OPT_SET_UINT('A', "no-aggr", &perf_stat.aggr_mode,
- "disable CPU count aggregation", AGGR_NONE),
+ OPT_BOOLEAN(0, "per-core", &opt_mode.core,
+ "aggregate counts per physical processor core"),
+ OPT_BOOLEAN(0, "per-node", &opt_mode.node, "aggregate counts per numa node"),
+ OPT_BOOLEAN('A', "no-aggr", &opt_mode.no_aggr,
+ "disable aggregation across CPUs or PMUs"),
OPT_END()
};
struct stat st;
@@ -2287,6 +2286,10 @@ static int __cmd_report(int argc, const char **argv)
argc = parse_options(argc, argv, options, stat_report_usage, 0);
+ perf_stat.aggr_mode = opt_aggr_mode_to_aggr_mode(&opt_mode);
+ if (perf_stat.aggr_mode == AGGR_GLOBAL)
+ perf_stat.aggr_mode = AGGR_UNSET; /* No option found so leave unset. */
+
if (!input_name || !strlen(input_name)) {
if (!fstat(STDIN_FILENO, &st) && S_ISFIFO(st.st_mode))
input_name = "-";
@@ -2462,7 +2465,7 @@ int cmd_stat(int argc, const char **argv)
OPT_BOOLEAN(0, "per-die", &opt_mode.die, "aggregate counts per processor die"),
OPT_BOOLEAN(0, "per-cluster", &opt_mode.cluster,
"aggregate counts per processor cluster"),
- OPT_CALLBACK_OPTARG(0, "per-cache", &opt_mode, &stat_config.aggr_level,
+ OPT_CALLBACK_OPTARG(0, "per-cache", &opt_mode.cache, &stat_config.aggr_level,
"cache level", "aggregate count at this cache level (Default: LLC)",
parse_cache_level),
OPT_BOOLEAN(0, "per-core", &opt_mode.core,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 511/957] memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 510/957] perf stat: Fix opt->value type for parse_cache_level Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 512/957] perf tools: Fix module symbol resolution for non-zero .text sh_addr Greg Kroah-Hartman
` (451 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
[ Upstream commit c12c3e1507809ad1fc0448f51c933f52e17d13cd ]
free_reserved_area() expects end parameter to point to the first address
after the area, but reserve_mem_release_by_name() passes it the last
address inside the area.
Remove subtraction of one in calculation of the area end.
Fixes: 74e2498ccf7b ("mm/memblock: Add reserved memory release function")
Link: https://patch.msgid.link/20260323074836.3653702-2-rppt@kernel.org
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/memblock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/memblock.c b/mm/memblock.c
index f0f2dc66e9a20..757258d68425a 100644
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -2433,7 +2433,7 @@ int reserve_mem_release_by_name(const char *name)
return 0;
start = phys_to_virt(map->start);
- end = start + map->size - 1;
+ end = start + map->size;
snprintf(buf, sizeof(buf), "reserve_mem:%s", name);
free_reserved_area(start, end, 0, buf);
map->size = 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 512/957] perf tools: Fix module symbol resolution for non-zero .text sh_addr
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 511/957] memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 513/957] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
` (450 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Ian Rogers,
Thomas Richter, Namhyung Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 9a82bfde4775b7a87cd1a7e791f46f83ae442848 ]
When perf resolves symbols from kernel module ELF files (ET_REL),
it converts symbol addresses to file offsets so that sample IPs
can be matched to the correct symbol. The conversion adjusts each
symbol's st_value:
sym->st_value -= shdr->sh_addr - shdr->sh_offset;
For vmlinux (ET_EXEC), st_value is a virtual address and sh_addr
is the section's virtual base, so subtracting sh_addr and adding
sh_offset correctly yields a file offset.
For kernel modules (ET_REL), st_value is a section-relative
offset. The module loader ignores sh_addr entirely and places
symbols at module_base + st_value. Converting to file offset
requires only adding sh_offset; subtracting sh_addr introduces an
error equal to sh_addr bytes.
When .text has sh_addr == 0 -- the historical norm for simple
modules -- both formulas produce the same result and the bug is
latent. As modules gain more metadata sections before .text (.note,
.static_call.text, etc.), the linker assigns .text a non-zero
sh_addr, exposing the defect. For example, nfsd.ko on this kernel
has sh_addr=0xa80, kvm-intel.ko has sh_addr=0x1e90.
The effect is that all .text symbols in affected modules
shift by sh_addr bytes relative to sample IPs, causing perf
report to attribute samples to incorrect, nearby symbols. This
was observed as 13% of LLC-load-miss samples misattributed
to nfsd_file_get_dio_attrs when the actual hot function was
nfsd_cache_lookup, approximately 0xa80 bytes away in the symbol
table.
Use the existing dso__rel() flag (already set for ET_REL modules)
to select the correct adjustment: add sh_offset for ET_REL,
subtract (sh_addr - sh_offset) for ET_EXEC/ET_DYN.
Fixes: 0131c4ec794a ("perf tools: Make it possible to read object code from kernel modules")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Tested-by: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol-elf.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index 9d62386464680..9602cc51dcc65 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -1353,8 +1353,12 @@ static int dso__process_kernel_symbol(struct dso *dso, struct map *map,
char dso_name[PATH_MAX];
/* Adjust symbol to map to file offset */
- if (adjust_kernel_syms)
- sym->st_value -= shdr->sh_addr - shdr->sh_offset;
+ if (adjust_kernel_syms) {
+ if (dso__rel(dso))
+ sym->st_value += shdr->sh_offset;
+ else
+ sym->st_value -= shdr->sh_addr - shdr->sh_offset;
+ }
if (strcmp(section_name, (dso__short_name(curr_dso) + dso__short_name_len(dso))) == 0)
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 513/957] perf expr: Return -EINVAL for syntax error in expr__find_ids()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 512/957] perf tools: Fix module symbol resolution for non-zero .text sh_addr Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 514/957] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure Greg Kroah-Hartman
` (449 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 3a61fd866ef9aaa1d3158b460f852b74a2df07f4 ]
expr__find_ids() propagates the parser return value directly. For syntax
errors, the parser can return a positive value, but callers treat it as
success, e.g., for below case on Arm64 platform:
metric expr 100 * (STALL_SLOT_BACKEND / (CPU_CYCLES * #slots) - BR_MIS_PRED * 3 / CPU_CYCLES) for backend_bound
parsing metric: 100 * (STALL_SLOT_BACKEND / (CPU_CYCLES * #slots) - BR_MIS_PRED * 3 / CPU_CYCLES)
Failure to read '#slots' literal: #slots = nan
syntax error
Convert positive parser returns in expr__find_ids() to -EINVAL, as a
result, the error value will be respected by callers.
Before:
perf stat -C 5
Failure to read '#slots'Failure to read '#slots'Failure to read '#slots'Failure to read '#slots'Segmentation fault
After:
perf stat -C 5
Failure to read '#slots'Cannot find metric or group `Default'
Fixes: ded80bda8bc9 ("perf expr: Migrate expr ids table to a hashmap")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/expr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/expr.c b/tools/perf/util/expr.c
index 7fda0ff89c168..0893c88a4ef83 100644
--- a/tools/perf/util/expr.c
+++ b/tools/perf/util/expr.c
@@ -376,7 +376,8 @@ int expr__find_ids(const char *expr, const char *one,
if (one)
expr__del_id(ctx, one);
- return ret;
+ /* A positive value means syntax error, convert to -EINVAL */
+ return ret > 0 ? -EINVAL : ret;
}
double expr_id_data__value(const struct expr_id_data *data)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 514/957] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 513/957] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 515/957] ipmi: ssif_bmc: fix message desynchronization after truncated response Greg Kroah-Hartman
` (448 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Corey Minyard,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
[ Upstream commit ea641be7a4faee4351f9c5ed6b188e1bbf5586a6 ]
copy_to_user() returns the number of bytes that could not be copied,
with a non-zero value indicating a partial or complete failure. The
current code only checks for negative return values and treats all
non-negative results as success.
Treating any positive return value from copy_to_user() as
an error and returning -EFAULT.
Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Message-ID: <20260403090603.3988423-2-zhangjian.3032@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ssif_bmc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index 7a52e3ea49ed8..6cc5c210799ca 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -163,6 +163,8 @@ static ssize_t ssif_bmc_read(struct file *file, char __user *buf, size_t count,
spin_unlock_irqrestore(&ssif_bmc->lock, flags);
ret = copy_to_user(buf, &msg, count);
+ if (ret > 0)
+ ret = -EFAULT;
}
return (ret < 0) ? ret : count;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 515/957] ipmi: ssif_bmc: fix message desynchronization after truncated response
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 514/957] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 516/957] ipmi: ssif_bmc: change log level to dbg in irq callback Greg Kroah-Hartman
` (447 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Corey Minyard,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
[ Upstream commit 1d38e849adb6851ee280aa1a1d687b2181549a66 ]
A truncated response, caused by host power-off, or other conditions,
can lead to message desynchronization.
Raw trace data (STOP loss scenario, add state transition comment):
1. T-1: Read response phase (SSIF_RES_SENDING)
8271.955342 WR_RCV [03] <- Read polling cmd
8271.955348 RD_REQ [04] <== SSIF_RES_SENDING <- start sending response
8271.955436 RD_PRO [b4]
8271.955527 RD_PRO [00]
8271.955618 RD_PRO [c1]
8271.955707 RD_PRO [00]
8271.955814 RD_PRO [ad] <== SSIF_RES_SENDING <- last byte
<- !! STOP lost (truncated response)
2. T: New Write request arrives, BMC still in SSIF_RES_SENDING
8271.967973 WR_REQ [] <== SSIF_RES_SENDING >> SSIF_ABORTING <- log: unexpected WR_REQ in RES_SENDING
8271.968447 WR_RCV [02] <== SSIF_ABORTING <- do nothing
8271.968452 WR_RCV [02] <== SSIF_ABORTING <- do nothing
8271.968454 WR_RCV [18] <== SSIF_ABORTING <- do nothing
8271.968456 WR_RCV [01] <== SSIF_ABORTING <- do nothing
8271.968458 WR_RCV [66] <== SSIF_ABORTING <- do nothing
8271.978714 STOP [] <== SSIF_ABORTING >> SSIF_READY <- log: unexpected SLAVE STOP in state=SSIF_ABORTING
3. T+1: Next Read polling, treated as a fresh transaction
8271.979125 WR_REQ [] <== SSIF_READY >> SSIF_START
8271.979326 WR_RCV [03] <== SSIF_START >> SSIF_SMBUS_CMD <- smbus_cmd=0x03
8271.979331 RD_REQ [04] <== SSIF_RES_SENDING <- sending response
8271.979427 RD_PRO [b4] <- !! this is T's stale response -> desynchronization
When in SSIF_ABORTING state, a newly arrived command should still be
handled to avoid dropping the request or causing message
desynchronization.
Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Message-ID: <20260403090603.3988423-3-zhangjian.3032@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ssif_bmc.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index 6cc5c210799ca..ca185793cf978 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -458,6 +458,15 @@ static bool supported_write_cmd(u8 cmd)
return false;
}
+static bool supported_write_start_cmd(u8 cmd)
+{
+ if (cmd == SSIF_IPMI_SINGLEPART_WRITE ||
+ cmd == SSIF_IPMI_MULTIPART_WRITE_START)
+ return true;
+
+ return false;
+}
+
/* Process the IPMI response that will be read by master */
static void handle_read_processed(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
{
@@ -709,6 +718,11 @@ static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state = SSIF_ABORTING;
else
ssif_bmc->state = SSIF_REQ_RECVING;
+ } else if (ssif_bmc->state == SSIF_ABORTING) {
+ if (supported_write_start_cmd(*val)) {
+ ssif_bmc->state = SSIF_SMBUS_CMD;
+ ssif_bmc->aborting = false;
+ }
}
/* This is response sending state */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 516/957] ipmi: ssif_bmc: change log level to dbg in irq callback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 515/957] ipmi: ssif_bmc: fix message desynchronization after truncated response Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 517/957] perf cgroup: Update metric leader in evlist__expand_cgroup Greg Kroah-Hartman
` (446 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jian Zhang, Corey Minyard,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Zhang <zhangjian.3032@bytedance.com>
[ Upstream commit c9c99b7b7051eb7121b3224bfce181fb023b0269 ]
Long-running tests indicate that this logging can occasionally disrupt
timing and lead to request/response corruption.
Irq handler need to be executed as fast as possible,
most I2C slave IRQ implementations are byte-level, logging here
can significantly affect transfer behavior and timing. It is recommended
to use dev_dbg() for these messages.
Fixes: dd2bc5cc9e25 ("ipmi: ssif_bmc: Add SSIF BMC driver")
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
Message-ID: <20260403090603.3988423-4-zhangjian.3032@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ssif_bmc.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/char/ipmi/ssif_bmc.c b/drivers/char/ipmi/ssif_bmc.c
index ca185793cf978..a45e80d13e10e 100644
--- a/drivers/char/ipmi/ssif_bmc.c
+++ b/drivers/char/ipmi/ssif_bmc.c
@@ -569,7 +569,7 @@ static void process_request_part(struct ssif_bmc_ctx *ssif_bmc)
len = ssif_bmc->request.len + part->length;
/* Do the bound check here, not allow the request len exceed 254 bytes */
if (len > IPMI_SSIF_PAYLOAD_MAX) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: Request exceeded 254 bytes, aborting");
/* Request too long, aborting */
ssif_bmc->aborting = true;
@@ -615,7 +615,7 @@ static void on_read_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_REQ_RECVING ||
ssif_bmc->state == SSIF_RES_SENDING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected READ REQUESTED in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -624,7 +624,7 @@ static void on_read_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
} else if (ssif_bmc->state == SSIF_SMBUS_CMD) {
if (!supported_read_cmd(ssif_bmc->part_buf.smbus_cmd)) {
- dev_warn(&ssif_bmc->client->dev, "Warn: Unknown SMBus read command=0x%x",
+ dev_dbg(&ssif_bmc->client->dev, "Warn: Unknown SMBus read command=0x%x",
ssif_bmc->part_buf.smbus_cmd);
ssif_bmc->aborting = true;
}
@@ -659,7 +659,7 @@ static void on_read_processed_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_REQ_RECVING ||
ssif_bmc->state == SSIF_SMBUS_CMD) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected READ PROCESSED in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -684,7 +684,7 @@ static void on_write_requested_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
} else if (ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_REQ_RECVING ||
ssif_bmc->state == SSIF_RES_SENDING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected WRITE REQUEST in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -699,7 +699,7 @@ static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
{
if (ssif_bmc->state == SSIF_READY ||
ssif_bmc->state == SSIF_RES_SENDING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected WRITE RECEIVED in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_ABORTING;
@@ -709,7 +709,7 @@ static void on_write_received_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
} else if (ssif_bmc->state == SSIF_SMBUS_CMD) {
if (!supported_write_cmd(ssif_bmc->part_buf.smbus_cmd)) {
- dev_warn(&ssif_bmc->client->dev, "Warn: Unknown SMBus write command=0x%x",
+ dev_dbg(&ssif_bmc->client->dev, "Warn: Unknown SMBus write command=0x%x",
ssif_bmc->part_buf.smbus_cmd);
ssif_bmc->aborting = true;
}
@@ -738,7 +738,7 @@ static void on_stop_event(struct ssif_bmc_ctx *ssif_bmc, u8 *val)
ssif_bmc->state == SSIF_START ||
ssif_bmc->state == SSIF_SMBUS_CMD ||
ssif_bmc->state == SSIF_ABORTING) {
- dev_warn(&ssif_bmc->client->dev,
+ dev_dbg(&ssif_bmc->client->dev,
"Warn: %s unexpected SLAVE STOP in state=%s\n",
__func__, state_to_string(ssif_bmc->state));
ssif_bmc->state = SSIF_READY;
@@ -805,7 +805,7 @@ static int ssif_bmc_cb(struct i2c_client *client, enum i2c_slave_event event, u8
break;
default:
- dev_warn(&ssif_bmc->client->dev, "Warn: Unknown i2c slave event\n");
+ dev_dbg(&ssif_bmc->client->dev, "Warn: Unknown i2c slave event\n");
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 517/957] perf cgroup: Update metric leader in evlist__expand_cgroup
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 516/957] ipmi: ssif_bmc: change log level to dbg in irq callback Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 518/957] pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description Greg Kroah-Hartman
` (445 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Sun Jian, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit c9ef786c0970991578397043f1c819229e2b7197 ]
When the evlist is expanded the metric leader wasn't being updated. As
the original evsel is deleted this creates a use-after-free in
stat-shadow's prepare_metric. This was detected running the "perf stat
--bpf-counters --for-each-cgroup test" with sanitizers.
The change itself puts the copied evsel into the priv field (known
unused because of evsel__clone use) and then in a second pass over the
list updates the copied values using the priv pointer.
Fixes: d1c5a0e86a4e ("perf stat: Add --for-each-cgroup option")
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Sun Jian <sun.jian.kdev@gmail.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/cgroup.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/tools/perf/util/cgroup.c b/tools/perf/util/cgroup.c
index 25e2769b5e74f..0038d2ac647c4 100644
--- a/tools/perf/util/cgroup.c
+++ b/tools/perf/util/cgroup.c
@@ -416,7 +416,6 @@ static bool has_pattern_string(const char *str)
int evlist__expand_cgroup(struct evlist *evlist, const char *str, bool open_cgroup)
{
struct evlist *orig_list, *tmp_list;
- struct evsel *pos, *evsel, *leader;
struct rblist orig_metric_events;
struct cgroup *cgrp = NULL;
struct cgroup_name *cn;
@@ -451,6 +450,7 @@ int evlist__expand_cgroup(struct evlist *evlist, const char *str, bool open_cgro
goto out_err;
list_for_each_entry(cn, &cgroup_list, list) {
+ struct evsel *pos;
char *name;
if (!cn->used)
@@ -466,21 +466,37 @@ int evlist__expand_cgroup(struct evlist *evlist, const char *str, bool open_cgro
if (cgrp == NULL)
continue;
- leader = NULL;
+ /* copy the list and set to the new cgroup. */
evlist__for_each_entry(orig_list, pos) {
- evsel = evsel__clone(/*dest=*/NULL, pos);
+ struct evsel *evsel = evsel__clone(/*dest=*/NULL, pos);
+
if (evsel == NULL)
goto out_err;
+ /* stash the copy during the copying. */
+ pos->priv = evsel;
cgroup__put(evsel->cgrp);
evsel->cgrp = cgroup__get(cgrp);
- if (evsel__is_group_leader(pos))
- leader = evsel;
- evsel__set_leader(evsel, leader);
-
evlist__add(tmp_list, evsel);
}
+ /* update leader information using stashed pointer to copy. */
+ evlist__for_each_entry(orig_list, pos) {
+ struct evsel *evsel = pos->priv;
+
+ if (evsel__leader(pos))
+ evsel__set_leader(evsel, evsel__leader(pos)->priv);
+
+ if (pos->metric_leader)
+ evsel->metric_leader = pos->metric_leader->priv;
+
+ if (pos->first_wildcard_match)
+ evsel->first_wildcard_match = pos->first_wildcard_match->priv;
+ }
+ /* the stashed copy is no longer used. */
+ evlist__for_each_entry(orig_list, pos)
+ pos->priv = NULL;
+
/* cgroup__new() has a refcount, release it here */
cgroup__put(cgrp);
nr_cgroups++;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 518/957] pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 517/957] perf cgroup: Update metric leader in evlist__expand_cgroup Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 519/957] pinctrl: sophgo: pinctrl-sg2044: " Greg Kroah-Hartman
` (444 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Chen Wang,
Linus Walleij, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Inochi Amaoto <inochiama@gmail.com>
[ Upstream commit ca1c2ddff00480c213903a1479b56203536e92de ]
Fix the SoC model in module description string, it should be
sg2042 instead of sg2002.
Fixes: 1e67465d3b74 ("pinctrl: sophgo: add support for SG2042 SoC")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Chen Wang <unicorn_wang@outlook.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/sophgo/pinctrl-sg2042.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/sophgo/pinctrl-sg2042.c b/drivers/pinctrl/sophgo/pinctrl-sg2042.c
index 185305ac897d9..8dba12e122a45 100644
--- a/drivers/pinctrl/sophgo/pinctrl-sg2042.c
+++ b/drivers/pinctrl/sophgo/pinctrl-sg2042.c
@@ -651,5 +651,5 @@ static struct platform_driver sg2042_pinctrl_driver = {
};
module_platform_driver(sg2042_pinctrl_driver);
-MODULE_DESCRIPTION("Pinctrl driver for the SG2002 series SoC");
+MODULE_DESCRIPTION("Pinctrl driver for the SG2042 series SoC");
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 519/957] pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 518/957] pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 520/957] perf maps: Fix fixup_overlap_and_insert that can break sorted by name order Greg Kroah-Hartman
` (443 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Chen Wang,
Linus Walleij, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Inochi Amaoto <inochiama@gmail.com>
[ Upstream commit 7648112358a4207916d3e38bfee49f85552fe95f ]
Fix the SoC model in module description string, it should be
sg2044 instead of sg2002.
Fixes: 614a54cb5ac3 ("pinctrl: sophgo: add support for SG2044 SoC")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Chen Wang <unicorn_wang@outlook.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/sophgo/pinctrl-sg2044.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/sophgo/pinctrl-sg2044.c b/drivers/pinctrl/sophgo/pinctrl-sg2044.c
index b0c46d8954ca1..cf0b674c038f0 100644
--- a/drivers/pinctrl/sophgo/pinctrl-sg2044.c
+++ b/drivers/pinctrl/sophgo/pinctrl-sg2044.c
@@ -714,5 +714,5 @@ static struct platform_driver sg2044_pinctrl_driver = {
};
module_platform_driver(sg2044_pinctrl_driver);
-MODULE_DESCRIPTION("Pinctrl driver for the SG2002 series SoC");
+MODULE_DESCRIPTION("Pinctrl driver for the SG2044 series SoC");
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 520/957] perf maps: Fix fixup_overlap_and_insert that can break sorted by name order
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 519/957] pinctrl: sophgo: pinctrl-sg2044: " Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 521/957] perf maps: Fix copy_from " Greg Kroah-Hartman
` (442 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit c4f3ff3289380437d26177e8f2fe4b7507816ee3 ]
When an entry in the address array is replaced, the corresponding name
entry is replaced. The entries names may sort differently and so it is
important that the sorted by name property be cleared on the maps.
Fixes: 0d11fab32714 ("perf maps: Fixup maps_by_name when modifying maps_by_address")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/maps.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index c51ec159ac769..ff82d1d937b2f 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -924,6 +924,7 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
if (maps_by_name) {
map__put(maps_by_name[ni]);
maps_by_name[ni] = map__get(new);
+ maps__set_maps_by_name_sorted(maps, false);
}
err = __maps__insert_sorted(maps, i + 1, after, NULL);
@@ -949,6 +950,7 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new)
if (maps_by_name) {
map__put(maps_by_name[ni]);
maps_by_name[ni] = map__get(new);
+ maps__set_maps_by_name_sorted(maps, false);
}
check_invariants(maps);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 521/957] perf maps: Fix copy_from that can break sorted by name order
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 520/957] perf maps: Fix fixup_overlap_and_insert that can break sorted by name order Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 522/957] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
` (441 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit f552b132e4d5248715828e7e5c2bf7889bf05b2e ]
When an parent is copied into a child the name array is populated in
address not name order. Make sure the name array isn't flagged as sorted.
Fixes: 659ad3492b91 ("perf maps: Switch from rbtree to lazily sorted array for addresses")
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/maps.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index ff82d1d937b2f..23aa8a95d0454 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -1032,16 +1032,9 @@ int maps__copy_from(struct maps *dest, struct maps *parent)
map__put(new);
}
maps__set_maps_by_address_sorted(dest, maps__maps_by_address_sorted(parent));
- if (!err) {
- RC_CHK_ACCESS(dest)->last_search_by_name_idx =
- RC_CHK_ACCESS(parent)->last_search_by_name_idx;
- maps__set_maps_by_name_sorted(dest,
- dest_maps_by_name &&
- maps__maps_by_name_sorted(parent));
- } else {
- RC_CHK_ACCESS(dest)->last_search_by_name_idx = 0;
- maps__set_maps_by_name_sorted(dest, false);
- }
+ RC_CHK_ACCESS(dest)->last_search_by_name_idx = 0;
+ /* Values were copied into the name array in address order. */
+ maps__set_maps_by_name_sorted(dest, false);
} else {
/* Unexpected copying to a maps containing entries. */
for (unsigned int i = 0; !err && i < n; i++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 522/957] perf util: Kill die() prototype, dead for a long time
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 521/957] perf maps: Fix copy_from " Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 523/957] i3c: master: dw-i3c: Fix missing reset assertion in remove() callback Greg Kroah-Hartman
` (440 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Arnaldo Carvalho de Melo,
Namhyung Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit e5cce1b9c82fbd48e2f1f7a25a9fad8ee228176f ]
In fef2a735167a827a ("perf tools: Kill die()") the die() function was
removed, but not the prototype in util.h, now when building with
LIBPERL=1, during a 'make -C tools/perf build-test' routine test, it is
failing as perl likes die() calls and then this clashes with this
remnant, remove it.
Fixes: fef2a735167a827a ("perf tools: Kill die()")
Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/util.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h
index 3423778e39a56..523550e7d7ed1 100644
--- a/tools/perf/util/util.h
+++ b/tools/perf/util/util.h
@@ -29,7 +29,6 @@ extern bool perf_guest;
/* General helper functions */
void usage(const char *err) __noreturn;
-void die(const char *err, ...) __noreturn __printf(1, 2);
struct dirent;
struct strlist;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 523/957] i3c: master: dw-i3c: Fix missing reset assertion in remove() callback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 522/957] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 524/957] i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers() Greg Kroah-Hartman
` (439 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Zabel, Felix Gu, Frank Li,
Alexandre Belloni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit bef1eef667186cedb0bc6d152464acb3c97d5f72 ]
The reset line acquired during probe is currently left deasserted when
the driver is unbound.
Switch to devm_reset_control_get_optional_exclusive_deasserted() to
ensure the reset is automatically re-asserted by the devres core when
the driver is removed.
Fixes: 62fe9d06f570 ("i3c: dw: Add power management support")
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260320-dw-i3c-v3-1-477040c2e3f5@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/dw-i3c-master.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
index 825eb2d20e9eb..c6cfcacb18106 100644
--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -1554,13 +1554,11 @@ int dw_i3c_common_probe(struct dw_i3c_master *master,
if (IS_ERR(master->pclk))
return PTR_ERR(master->pclk);
- master->core_rst = devm_reset_control_get_optional_exclusive(&pdev->dev,
- "core_rst");
+ master->core_rst = devm_reset_control_get_optional_exclusive_deasserted(&pdev->dev,
+ "core_rst");
if (IS_ERR(master->core_rst))
return PTR_ERR(master->core_rst);
- reset_control_deassert(master->core_rst);
-
spin_lock_init(&master->xferqueue.lock);
INIT_LIST_HEAD(&master->xferqueue.list);
@@ -1572,7 +1570,7 @@ int dw_i3c_common_probe(struct dw_i3c_master *master,
dw_i3c_master_irq_handler, 0,
dev_name(&pdev->dev), master);
if (ret)
- goto err_assert_rst;
+ return ret;
platform_set_drvdata(pdev, master);
@@ -1610,9 +1608,6 @@ int dw_i3c_common_probe(struct dw_i3c_master *master,
pm_runtime_set_suspended(&pdev->dev);
pm_runtime_dont_use_autosuspend(&pdev->dev);
-err_assert_rst:
- reset_control_assert(master->core_rst);
-
return ret;
}
EXPORT_SYMBOL_GPL(dw_i3c_common_probe);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 524/957] i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 523/957] i3c: master: dw-i3c: Fix missing reset assertion in remove() callback Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 525/957] i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() Greg Kroah-Hartman
` (438 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tommaso Merciai, Frank Li, Felix Gu,
Alexandre Belloni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit d7665c3b4f575251e449e2656879392346ca612b ]
The xfer structure allocated by renesas_i3c_alloc_xfer() was never freed
in the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup
attribute to automatically free the memory when the variable goes out of
scope.
Fixes: d028219a9f14 ("i3c: master: Add basic driver for the Renesas I3C controller")
Tested-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Reviewed-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260406-renesas-v3-1-4b724d7708f4@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/renesas-i3c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i3c/master/renesas-i3c.c b/drivers/i3c/master/renesas-i3c.c
index 275f7b9242886..5b1bf5a0266cc 100644
--- a/drivers/i3c/master/renesas-i3c.c
+++ b/drivers/i3c/master/renesas-i3c.c
@@ -8,6 +8,7 @@
#include <linux/bitfield.h>
#include <linux/bitops.h>
+#include <linux/cleanup.h>
#include <linux/clk.h>
#include <linux/completion.h>
#include <linux/err.h>
@@ -800,13 +801,12 @@ static int renesas_i3c_priv_xfers(struct i3c_dev_desc *dev, struct i3c_priv_xfer
struct i3c_master_controller *m = i3c_dev_get_master(dev);
struct renesas_i3c *i3c = to_renesas_i3c(m);
struct renesas_i3c_i2c_dev_data *data = i3c_dev_get_master_data(dev);
- struct renesas_i3c_xfer *xfer;
int i;
/* Enable I3C bus. */
renesas_i3c_bus_enable(m, true);
- xfer = renesas_i3c_alloc_xfer(i3c, 1);
+ struct renesas_i3c_xfer *xfer __free(kfree) = renesas_i3c_alloc_xfer(i3c, 1);
if (!xfer)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 525/957] i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 524/957] i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 526/957] i3c: master: Fix error codes at send_ccc_cmd Greg Kroah-Hartman
` (437 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li,
Alexandre Belloni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 256cc1f1305a8e5dcadf8ca208d04a3acadd26f1 ]
The dw_i3c_master_i3c_xfers() function allocates memory for the xfer
structure using dw_i3c_master_alloc_xfer(). If pm_runtime_resume_and_get()
fails, the function returns without freeing the allocated xfer, resulting
in a memory leak.
Since dw_i3c_master_free_xfer() is a thin wrapper around kfree(), use
the __free(kfree) cleanup attribute to handle the free automatically on
all exit paths.
Fixes: 62fe9d06f570 ("i3c: dw: Add power management support")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260404-dw-i3c-2-v3-1-8f7d146549c1@gmail.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/dw-i3c-master.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
index c6cfcacb18106..585f320119741 100644
--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -6,6 +6,7 @@
*/
#include <linux/bitops.h>
+#include <linux/cleanup.h>
#include <linux/clk.h>
#include <linux/completion.h>
#include <linux/err.h>
@@ -905,7 +906,6 @@ static int dw_i3c_master_priv_xfers(struct i3c_dev_desc *dev,
struct i3c_master_controller *m = i3c_dev_get_master(dev);
struct dw_i3c_master *master = to_dw_i3c_master(m);
unsigned int nrxwords = 0, ntxwords = 0;
- struct dw_i3c_xfer *xfer;
int i, ret = 0;
if (!i3c_nxfers)
@@ -925,7 +925,7 @@ static int dw_i3c_master_priv_xfers(struct i3c_dev_desc *dev,
nrxwords > master->caps.datafifodepth)
return -EOPNOTSUPP;
- xfer = dw_i3c_master_alloc_xfer(master, i3c_nxfers);
+ struct dw_i3c_xfer *xfer __free(kfree) = dw_i3c_master_alloc_xfer(master, i3c_nxfers);
if (!xfer)
return -ENOMEM;
@@ -976,7 +976,6 @@ static int dw_i3c_master_priv_xfers(struct i3c_dev_desc *dev,
}
ret = xfer->ret;
- dw_i3c_master_free_xfer(xfer);
pm_runtime_put_autosuspend(master->dev);
return ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 526/957] i3c: master: Fix error codes at send_ccc_cmd
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 525/957] i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 527/957] i3c: master: adi: Fix error propagation for CCCs Greg Kroah-Hartman
` (436 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Adrian Hunter,
Jorge Marques, Alexandre Belloni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Marques <jorge.marques@analog.com>
[ Upstream commit ef8b5229348f0719aca557c4ca5530630ae4d134 ]
i3c_master_send_ccc_cmd_locked() would propagate cmd->err (positive,
Mx codes) to the ret variable, cascading down multiple methods until
reaching methods that explicitly stated they would return 0 on success
or negative error code. For example, the call chain:
i3c_device_enable_ibi <- i3c_dev_enable_ibi_locked <-
master->ops.enable_ibi <- i3c_master_enec_locked <-
i3c_master_enec_disec_locked <- i3c_master_send_ccc_cmd_locked
Fix this by returning the ret value, callers can still read the cmd->err
value if ret is negative.
All corner cases where the Mx codes do need to be handled individually,
are resolved in previous commits. Those corner cases are all scenarios
when I3C_ERROR_M2 is expected and acceptable.
The prerequisite patches for the fix are:
i3c: master: Move rstdaa error suppression
i3c: master: Move entdaa error suppression
i3c: master: Move bus_init error suppression
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-iio/aYXvT5FW0hXQwhm_@stanley.mountain/
Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Jorge Marques <jorge.marques@analog.com>
Link: https://patch.msgid.link/20260323-ad4062-positive-error-fix-v3-4-30bdc68004be@analog.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 32 +++++++++++++-------------------
1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 425e36b36009b..4ecbabcec48b4 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -826,11 +826,17 @@ static void i3c_ccc_cmd_init(struct i3c_ccc_cmd *cmd, bool rnw, u8 id,
cmd->err = I3C_ERROR_UNKNOWN;
}
+/**
+ * i3c_master_send_ccc_cmd_locked() - send a CCC (Common Command Codes)
+ * @master: master used to send frames on the bus
+ * @cmd: command to send
+ *
+ * Return: 0 in case of success, or a negative error code otherwise.
+ * I3C Mx error codes are stored in cmd->err.
+ */
static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
struct i3c_ccc_cmd *cmd)
{
- int ret;
-
if (!cmd || !master)
return -EINVAL;
@@ -848,15 +854,7 @@ static int i3c_master_send_ccc_cmd_locked(struct i3c_master_controller *master,
!master->ops->supports_ccc_cmd(master, cmd))
return -EOPNOTSUPP;
- ret = master->ops->send_ccc_cmd(master, cmd);
- if (ret) {
- if (cmd->err != I3C_ERROR_UNKNOWN)
- return cmd->err;
-
- return ret;
- }
-
- return 0;
+ return master->ops->send_ccc_cmd(master, cmd);
}
static struct i2c_dev_desc *
@@ -960,8 +958,7 @@ static int i3c_master_rstdaa_locked(struct i3c_master_controller *master,
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_entdaa_locked(struct i3c_master_controller *master)
{
@@ -1013,8 +1010,7 @@ static int i3c_master_enec_disec_locked(struct i3c_master_controller *master,
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_disec_locked(struct i3c_master_controller *master, u8 addr,
u8 evts)
@@ -1034,8 +1030,7 @@ EXPORT_SYMBOL_GPL(i3c_master_disec_locked);
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_enec_locked(struct i3c_master_controller *master, u8 addr,
u8 evts)
@@ -1060,8 +1055,7 @@ EXPORT_SYMBOL_GPL(i3c_master_enec_locked);
*
* This function must be called with the bus lock held in write mode.
*
- * Return: 0 in case of success, a positive I3C error code if the error is
- * one of the official Mx error codes, and a negative error code otherwise.
+ * Return: 0 in case of success, or a negative error code otherwise.
*/
int i3c_master_defslvs_locked(struct i3c_master_controller *master)
{
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 527/957] i3c: master: adi: Fix error propagation for CCCs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 526/957] i3c: master: Fix error codes at send_ccc_cmd Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 528/957] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
` (435 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Frank Li,
Jorge Marques, Alexandre Belloni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Marques <jorge.marques@analog.com>
[ Upstream commit 0b73da96b6eb6b9354654f96a9d423ab22cb222d ]
adi_i3c_master_send_ccc_cmd() always returned 0, ignoring the transfer
result populated in the completion path. As a consequence, CCC command
errors were silently dropped, including the default -ETIMEDOUT and
later overwritten by adi_i3c_master_end_xfer_locked().
Fix this by returning xfer->ret so that callers correctly receive any
transfer error codes.
Fixes: a79ac2cdc91d ("i3c: master: Add driver for Analog Devices I3C Controller IP")
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Jorge Marques <jorge.marques@analog.com>
Link: https://patch.msgid.link/20260323-ad4062-positive-error-fix-v3-5-30bdc68004be@analog.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/adi-i3c-master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i3c/master/adi-i3c-master.c b/drivers/i3c/master/adi-i3c-master.c
index 82ac0b3d057ab..d329faf4b3f96 100644
--- a/drivers/i3c/master/adi-i3c-master.c
+++ b/drivers/i3c/master/adi-i3c-master.c
@@ -362,7 +362,7 @@ static int adi_i3c_master_send_ccc_cmd(struct i3c_master_controller *m,
cmd->err = adi_i3c_cmd_get_err(&xfer->cmds[0]);
- return 0;
+ return xfer->ret;
}
static int adi_i3c_master_priv_xfers(struct i3c_dev_desc *dev,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 528/957] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 527/957] i3c: master: adi: Fix error propagation for CCCs Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 529/957] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
` (434 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Billy Tsai, Frank Li,
Alexandre Belloni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Billy Tsai <billy_tsai@aspeedtech.com>
[ Upstream commit d35a6db887eeae7c57b719521e39d64f929c6dc3 ]
In DMA mode, the IBI status descriptor encodes the payload using
CHUNKS (number of chunks) and DATA_LENGTH (valid bytes in the last
chunk). All preceding chunks are implicitly full-sized.
The current code accumulates full chunk sizes for non-final status
descriptors, but for the final status descriptor it only adds
DATA_LENGTH. This ignores the contribution of the preceding full
chunks described by the same final status entry.
As a result, the computed IBI payload length is truncated whenever
the final status spans multiple chunks. For example, with a chunk
size of 4 bytes, CHUNKS=2 and DATA_LENGTH=1 should result in a total
payload size of 5 bytes, but the current code reports only 1 byte.
Fix the calculation by adding the size of (CHUNKS - 1) full chunks
plus DATA_LENGTH for the last chunk.
Fixes: 9ad9a52cce28 ("i3c/master: introduce the mipi-i3c-hci driver")
Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260407-i3c-hci-dma-v2-1-a583187b9d22@aspeedtech.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index fe8894f6fe607..42ee94767be3d 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -683,7 +683,10 @@ static void hci_dma_process_ibi(struct i3c_hci *hci, struct hci_rh_data *rh)
if (!(ibi_status & IBI_LAST_STATUS)) {
ibi_size += chunks * rh->ibi_chunk_sz;
} else {
- ibi_size += FIELD_GET(IBI_DATA_LENGTH, ibi_status);
+ if (chunks) {
+ ibi_size += (chunks - 1) * rh->ibi_chunk_sz;
+ ibi_size += FIELD_GET(IBI_DATA_LENGTH, ibi_status);
+ }
last_ptr = ptr;
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 529/957] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 528/957] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 530/957] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
` (433 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Linus Walleij,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 797cc011ae02bda26f93d25a4442d7a1a77d84df ]
The devm_gpiod_get_optional() function may return an ERR_PTR in case of
genuine GPIO acquisition errors, not just NULL which indicates the
legitimate absence of an optional GPIO.
Add an IS_ERR() check after the call in sky81452_bl_parse_dt(). On
error, return the error code to ensure proper failure handling rather
than proceeding with invalid pointers.
Fixes: e1915eec54a6 ("backlight: sky81452: Convert to GPIO descriptors")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Link: https://patch.msgid.link/20260203021625.578678-1-nichen@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/sky81452-backlight.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c
index 2749231f03854..b2679b24de14b 100644
--- a/drivers/video/backlight/sky81452-backlight.c
+++ b/drivers/video/backlight/sky81452-backlight.c
@@ -202,6 +202,9 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt(
pdata->dpwm_mode = of_property_read_bool(np, "skyworks,dpwm-mode");
pdata->phase_shift = of_property_read_bool(np, "skyworks,phase-shift");
pdata->gpiod_enable = devm_gpiod_get_optional(dev, NULL, GPIOD_OUT_HIGH);
+ if (IS_ERR(pdata->gpiod_enable))
+ return dev_err_cast_probe(dev, pdata->gpiod_enable,
+ "failed to get gpio\n");
ret = of_property_count_u32_elems(np, "led-sources");
if (ret < 0) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 530/957] platform/surface: surfacepro3_button: Drop wakeup source on remove
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 529/957] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 531/957] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
` (432 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Ilpo Järvinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 1410a228ab2d36fe2b383415a632ae12048d4f3a ]
The wakeup source added by device_init_wakeup() in surface_button_add()
needs to be dropped during driver removal, so update the driver to do
that.
Fixes: 19351f340765 ("platform/x86: surfacepro3: Support for wakeup from suspend-to-idle")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/4368848.1IzOArtZ34@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/surface/surfacepro3_button.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/platform/surface/surfacepro3_button.c b/drivers/platform/surface/surfacepro3_button.c
index 2755601f979cd..7c7622f8f8716 100644
--- a/drivers/platform/surface/surfacepro3_button.c
+++ b/drivers/platform/surface/surfacepro3_button.c
@@ -243,6 +243,7 @@ static void surface_button_remove(struct acpi_device *device)
{
struct surface_button *button = acpi_driver_data(device);
+ device_init_wakeup(&device->dev, false);
input_unregister_device(button->input);
kfree(button);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 531/957] leds: lgm-sso: Remove duplicate assignments for priv->mmap
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 530/957] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 532/957] usb: typec: Fix error pointer dereference Greg Kroah-Hartman
` (431 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Ni, Lee Jones, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
[ Upstream commit 7186d0330c3f3e86de577687a82f4ebd96dcb5ac ]
Remove duplicate assignment of priv->mmap in intel_sso_led_probe().
Fixes: fba8a6f2263b ("leds: lgm-sso: Fix clock handling")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Link: https://patch.msgid.link/20260226033048.3715915-1-nichen@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/blink/leds-lgm-sso.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/leds/blink/leds-lgm-sso.c b/drivers/leds/blink/leds-lgm-sso.c
index 8923d2df47049..3d9ef9a54805c 100644
--- a/drivers/leds/blink/leds-lgm-sso.c
+++ b/drivers/leds/blink/leds-lgm-sso.c
@@ -808,8 +808,6 @@ static int intel_sso_led_probe(struct platform_device *pdev)
priv->fpid_clkrate = clk_get_rate(priv->clocks[1].clk);
- priv->mmap = syscon_node_to_regmap(dev->of_node);
-
priv->mmap = syscon_node_to_regmap(dev->of_node);
if (IS_ERR(priv->mmap)) {
dev_err(dev, "Failed to map iomem!\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 532/957] usb: typec: Fix error pointer dereference
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 531/957] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 533/957] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
` (430 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ethan Tidmore, Heikki Krogerus,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Tidmore <ethantidmore06@gmail.com>
[ Upstream commit f2529d08fcb429ea01bb87c326342f41483f8b2f ]
The variable tps->partner is checked for an error pointer and then if it
is, it sends an error message but does not return and then immediately
dereferenced a few lines below:
tps->partner = typec_register_partner(tps->port, &desc);
if (IS_ERR(tps->partner))
dev_warn(tps->dev, "%s: failed to register partnet\n", __func__);
if (desc.identity) {
typec_partner_set_identity(tps->partner);
cd321x->cur_partner_identity = st.partner_identity;
}
Add early return and fix spelling mistake in error message.
Detected by Smatch:
drivers/usb/typec/tipd/core.c:827 cd321x_update_work() error:
'tps->partner' dereferencing possible ERR_PTR()
Fixes: 82432bbfb9e83 ("usb: typec: tipd: Handle mode transitions for CD321x")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260218214621.38154-1-ethantidmore06@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/tipd/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
index 2b1049c9a6f3c..01c657bc84e68 100644
--- a/drivers/usb/typec/tipd/core.c
+++ b/drivers/usb/typec/tipd/core.c
@@ -814,8 +814,10 @@ static void cd321x_update_work(struct work_struct *work)
desc.identity = &st.partner_identity;
tps->partner = typec_register_partner(tps->port, &desc);
- if (IS_ERR(tps->partner))
- dev_warn(tps->dev, "%s: failed to register partnet\n", __func__);
+ if (IS_ERR(tps->partner)) {
+ dev_warn(tps->dev, "%s: failed to register partner\n", __func__);
+ return;
+ }
if (desc.identity) {
typec_partner_set_identity(tps->partner);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 533/957] tty: hvc_iucv: fix off-by-one in number of supported devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 532/957] usb: typec: Fix error pointer dereference Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 534/957] usb: typec: ps883x: Fix Oops at unbind Greg Kroah-Hartman
` (429 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit f2a880e802ad12d1e38039d1334fb1475d0f5241 ]
MAX_HVC_IUCV_LINES == HVC_ALLOC_TTY_ADAPTERS == 8.
This is the number of entries in:
static struct hvc_iucv_private *hvc_iucv_table[MAX_HVC_IUCV_LINES];
Sometimes hvc_iucv_table[] is limited by:
(a) if (num > hvc_iucv_devices) // for error detection
or
(b) for (i = 0; i < hvc_iucv_devices; i++) // in 2 places
(so these 2 don't agree; second one appears to be correct to me.)
hvc_iucv_devices can be 0..8. This is a counter.
(c) if (hvc_iucv_devices > MAX_HVC_IUCV_LINES)
If hvc_iucv_devices == 8, (a) allows the code to access hvc_iucv_table[8].
Oops.
Fixes: 44a01d5ba8a4 ("[S390] s390/hvc_console: z/VM IUCV hypervisor console support")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260130072939.1535869-1-rdunlap@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/hvc/hvc_iucv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/hvc/hvc_iucv.c b/drivers/tty/hvc/hvc_iucv.c
index 4ca7472c38e01..612e13b6f22bc 100644
--- a/drivers/tty/hvc/hvc_iucv.c
+++ b/drivers/tty/hvc/hvc_iucv.c
@@ -131,7 +131,7 @@ static struct iucv_handler hvc_iucv_handler = {
*/
static struct hvc_iucv_private *hvc_iucv_get_private(uint32_t num)
{
- if (num > hvc_iucv_devices)
+ if (num >= hvc_iucv_devices)
return NULL;
return hvc_iucv_table[num];
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 534/957] usb: typec: ps883x: Fix Oops at unbind
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 533/957] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 535/957] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
` (428 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mostafa Saleh, Konrad Dybcio,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mostafa Saleh <smostafa@google.com>
[ Upstream commit 381133848a033c2086cf9cafb226f425bd0414ff ]
When trying to unbind a device in order to bind to it vfio-platform as:
echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind
I get the following Oops:
[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[ 436.487762] Mem abort info:
[ 436.490716] ESR = 0x0000000096000004
[ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits
[ 436.500071] SET = 0, FnV = 0
[ 436.503250] EA = 0, S1PTW = 0
[ 436.506505] FSC = 0x04: level 0 translation fault
[ 436.511533] Data abort info:
[ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000
[ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
[ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP
[ 436.550374] Modules linked in:
[ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT
[ 436.564440] Tainted: [W]=WARN
[ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025
[ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 436.581841] pc : ps883x_retimer_remove+0x14/0x94
[ 436.586605] lr : i2c_device_remove+0x28/0x84
[ 436.591017] sp : ffff8000847137c0
That's because the ps883x_retimer_remove() retrieves the driver data
from i2c_get_clientdata() which was never set at probe. So, add
i2c_set_clientdata() at the end of the probe.
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Fixes: 257a087c8b52 ("usb: typec: Add support for Parade PS8830 Type-C Retimer")
Link: https://patch.msgid.link/20260313155534.1916773-1-smostafa@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/mux/ps883x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/typec/mux/ps883x.c b/drivers/usb/typec/mux/ps883x.c
index ad59babf7ccec..f1f65d4e5729b 100644
--- a/drivers/usb/typec/mux/ps883x.c
+++ b/drivers/usb/typec/mux/ps883x.c
@@ -411,6 +411,7 @@ static int ps883x_retimer_probe(struct i2c_client *client)
goto err_switch_unregister;
}
+ i2c_set_clientdata(client, retimer);
return 0;
err_switch_unregister:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 535/957] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 534/957] usb: typec: ps883x: Fix Oops at unbind Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 536/957] platform/x86: barco-p50-gpio: normalize return value of gpio_get Greg Kroah-Hartman
` (427 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Ilpo Järvinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 8baeff2c1d33dad8572216c6ad3a7425852507d4 ]
An ACPI notify handler is leaked if device_create_file() returns an
error in acpi_pcc_hotkey_add().
Also, it is pointless to call pcc_unregister_optd_notifier() in
acpi_pcc_hotkey_remove() if pcc->platform is NULL and it is better
to arrange the cleanup code in that function in the same order as
the rollback code in acpi_pcc_hotkey_add().
Address the above by placing the pcc_register_optd_notifier() call in
acpi_pcc_hotkey_add() after the device_create_file() return value
check and placing the pcc_unregister_optd_notifier() call in
acpi_pcc_hotkey_remove() right before the device_remove_file() call.
Fixes: d5a81d8e864b ("platform/x86: panasonic-laptop: Add support for optical driver power in Y and W series")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2411055.ElGaqSPkdT@rafael.j.wysocki
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/panasonic-laptop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
index 937f1a5b78edf..848ebf46a59b1 100644
--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -1093,9 +1093,10 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
}
result = device_create_file(&pcc->platform->dev,
&dev_attr_cdpower);
- pcc_register_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
if (result)
goto out_platform;
+
+ pcc_register_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
} else {
pcc->platform = NULL;
}
@@ -1129,10 +1130,10 @@ static void acpi_pcc_hotkey_remove(struct acpi_device *device)
i8042_remove_filter(panasonic_i8042_filter);
if (pcc->platform) {
+ pcc_unregister_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
device_remove_file(&pcc->platform->dev, &dev_attr_cdpower);
platform_device_unregister(pcc->platform);
}
- pcc_unregister_optd_notifier(pcc, "\\_SB.PCI0.EHCI.ERHB.OPTD");
sysfs_remove_group(&device->dev.kobj, &pcc_attr_group);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 536/957] platform/x86: barco-p50-gpio: normalize return value of gpio_get
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 535/957] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
@ 2026-05-20 16:16 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 537/957] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
` (426 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Dmitry Torokhov,
Bartosz Golaszewski, Ilpo Järvinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[ Upstream commit 1c9d30d37aaffe3454d70b89a77f8aaecda257bf ]
The GPIO get callback is expected to return 0 or 1 (or a negative error
code). Ensure that the value returned by p50_gpio_get() is normalized
to the [0, 1] range.
Fixes: 86ef402d805d606a ("gpiolib: sanitize the return value of gpio_chip::get()")
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260318-barco-p50-gpio-set-v2-1-c0a4a6416163@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/barco-p50-gpio.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/barco-p50-gpio.c b/drivers/platform/x86/barco-p50-gpio.c
index 6f13e81f98fbb..360ffd8505d6c 100644
--- a/drivers/platform/x86/barco-p50-gpio.c
+++ b/drivers/platform/x86/barco-p50-gpio.c
@@ -275,8 +275,11 @@ static int p50_gpio_get(struct gpio_chip *gc, unsigned int offset)
mutex_lock(&p50->lock);
ret = p50_send_mbox_cmd(p50, P50_MBOX_CMD_READ_GPIO, gpio_params[offset], 0);
- if (ret == 0)
+ if (ret == 0) {
ret = p50_read_mbox_reg(p50, P50_MBOX_REG_DATA);
+ if (ret >= 0)
+ ret = !!ret;
+ }
mutex_unlock(&p50->lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 537/957] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (535 preceding siblings ...)
2026-05-20 16:16 ` [PATCH 6.18 536/957] platform/x86: barco-p50-gpio: normalize return value of gpio_get Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 538/957] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
` (425 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Lee Jones, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit a5a65a7fb2f7796bbe492cd6be59c92cb64377d1 ]
The memory allocated for cell.name using kmemdup() is not freed when
mfd_add_devices() fails. Fix that by using devm_kmemdup().
Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20260120102622.66921-1-nihaal@cse.iitm.ac.in
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mc13xxx-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
index 920797b806ced..786eab3b2d03c 100644
--- a/drivers/mfd/mc13xxx-core.c
+++ b/drivers/mfd/mc13xxx-core.c
@@ -377,7 +377,7 @@ static int mc13xxx_add_subdevice_pdata(struct mc13xxx *mc13xxx,
if (snprintf(buf, sizeof(buf), format, name) > sizeof(buf))
return -E2BIG;
- cell.name = kmemdup(buf, strlen(buf) + 1, GFP_KERNEL);
+ cell.name = devm_kmemdup(mc13xxx->dev, buf, strlen(buf) + 1, GFP_KERNEL);
if (!cell.name)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 538/957] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (536 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 537/957] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 539/957] NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg Greg Kroah-Hartman
` (424 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna Schumaker, Jeff Layton,
Andy Shevchenko, Chuck Lever, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit f83c8dda456ce4863f346aa26d88efa276eda35d ]
Clang compiler is not happy about set but unused variable
(when dprintk() is no-op):
.../blocklayout/blocklayout.c:384:9: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
Remove a leftover from the previous cleanup.
Fixes: 3a6fd1f004fc ("pnfs/blocklayout: remove read-modify-write handling in bl_write_pagelist")
Acked-by: Anna Schumaker <anna.schumkaer@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/blocklayout.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
index 0e4c67373e4f9..83e4a32b30182 100644
--- a/fs/nfs/blocklayout/blocklayout.c
+++ b/fs/nfs/blocklayout/blocklayout.c
@@ -381,14 +381,13 @@ bl_write_pagelist(struct nfs_pgio_header *header, int sync)
sector_t isect, extent_length = 0;
struct parallel_io *par = NULL;
loff_t offset = header->args.offset;
- size_t count = header->args.count;
struct page **pages = header->args.pages;
int pg_index = header->args.pgbase >> PAGE_SHIFT;
unsigned int pg_len;
struct blk_plug plug;
int i;
- dprintk("%s enter, %zu@%lld\n", __func__, count, offset);
+ dprintk("%s enter, %u@%lld\n", __func__, header->args.count, offset);
/* At this point, header->page_aray is a (sequential) list of nfs_pages.
* We want to write each, and if there is an error set pnfs_error
@@ -429,7 +428,6 @@ bl_write_pagelist(struct nfs_pgio_header *header, int sync)
}
offset += pg_len;
- count -= pg_len;
isect += (pg_len >> SECTOR_SHIFT);
extent_length -= (pg_len >> SECTOR_SHIFT);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 539/957] NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (537 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 538/957] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 540/957] platform/x86: asus-wmi: adjust screenpad power/brightness handling Greg Kroah-Hartman
` (423 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dai Ngo, Jeff Layton, Chuck Lever,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
[ Upstream commit b48f44f36e6607b2f818560f19deb86b4a9c717b ]
In nfsd4_add_rdaccess_to_wrdeleg, if fp->fi_fds[O_RDONLY] is already
set by another thread, __nfs4_file_get_access should not be called
to increment the nfs4_file access count since that was already done
by the thread that added READ access to the file. The extra fi_access
count in nfs4_file can prevent the corresponding nfsd_file from being
freed.
When stopping nfs-server service, these extra access counts trigger a
BUG in kmem_cache_destroy() that shows nfsd_file object remaining on
__kmem_cache_shutdown.
This problem can be reproduced by running the Git project's test
suite over NFS.
Fixes: 8072e34e1387 ("nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()")
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index c5dba49c90356..adc33830438bb 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6255,12 +6255,12 @@ nfsd4_add_rdaccess_to_wrdeleg(struct svc_rqst *rqstp, struct nfsd4_open *open,
return (false);
fp = stp->st_stid.sc_file;
spin_lock(&fp->fi_lock);
- __nfs4_file_get_access(fp, NFS4_SHARE_ACCESS_READ);
if (!fp->fi_fds[O_RDONLY]) {
+ __nfs4_file_get_access(fp, NFS4_SHARE_ACCESS_READ);
fp->fi_fds[O_RDONLY] = nf;
+ fp->fi_rdeleg_file = nfsd_file_get(fp->fi_fds[O_RDONLY]);
nf = NULL;
}
- fp->fi_rdeleg_file = nfsd_file_get(fp->fi_fds[O_RDONLY]);
spin_unlock(&fp->fi_lock);
if (nf)
nfsd_file_put(nf);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 540/957] platform/x86: asus-wmi: adjust screenpad power/brightness handling
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (538 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 539/957] NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 541/957] platform/x86: asus-wmi: fix screenpad brightness range Greg Kroah-Hartman
` (422 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Benato, Luke Jones,
Ilpo Järvinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 130d29c5627cd50e786e926ad7ef66322c5a0c09 ]
Fix illogical screen off control by hardcoding 0 and 1 depending on the
requested brightness and also do not rely on the last screenpad power
state to issue screen brightness commands.
Fixes: 2c97d3e55b70 ("platform/x86: asus-wmi: add support for ASUS screenpad")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Luke Jones <luke@ljones.dev>
Link: https://patch.msgid.link/20260302174431.349816-2-denis.benato@linux.dev
Link: https://patch.msgid.link/20260326231154.856729-2-ethantidmore06@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/asus-wmi.c | 34 +++++++++++++--------------------
1 file changed, 13 insertions(+), 21 deletions(-)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index 8e3300f5c2943..e6fe6ed6a63da 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -4154,32 +4154,24 @@ static int read_screenpad_brightness(struct backlight_device *bd)
static int update_screenpad_bl_status(struct backlight_device *bd)
{
- struct asus_wmi *asus = bl_get_data(bd);
- int power, err = 0;
- u32 ctrl_param;
+ u32 ctrl_param = bd->props.brightness;
+ int err = 0;
- power = read_screenpad_backlight_power(asus);
- if (power < 0)
- return power;
+ if (bd->props.power) {
+ err = asus_wmi_set_devstate(ASUS_WMI_DEVID_SCREENPAD_POWER, 1, NULL);
+ if (err < 0)
+ return err;
- if (bd->props.power != power) {
- if (power != BACKLIGHT_POWER_ON) {
- /* Only brightness > 0 can power it back on */
- ctrl_param = asus->driver->screenpad_brightness - ASUS_SCREENPAD_BRIGHT_MIN;
- err = asus_wmi_set_devstate(ASUS_WMI_DEVID_SCREENPAD_LIGHT,
- ctrl_param, NULL);
- } else {
- err = asus_wmi_set_devstate(ASUS_WMI_DEVID_SCREENPAD_POWER, 0, NULL);
- }
- } else if (power == BACKLIGHT_POWER_ON) {
- /* Only set brightness if powered on or we get invalid/unsync state */
- ctrl_param = bd->props.brightness + ASUS_SCREENPAD_BRIGHT_MIN;
err = asus_wmi_set_devstate(ASUS_WMI_DEVID_SCREENPAD_LIGHT, ctrl_param, NULL);
+ if (err < 0)
+ return err;
}
- /* Ensure brightness is stored to turn back on with */
- if (err == 0)
- asus->driver->screenpad_brightness = bd->props.brightness + ASUS_SCREENPAD_BRIGHT_MIN;
+ if (!bd->props.power) {
+ err = asus_wmi_set_devstate(ASUS_WMI_DEVID_SCREENPAD_POWER, 0, NULL);
+ if (err < 0)
+ return err;
+ }
return err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 541/957] platform/x86: asus-wmi: fix screenpad brightness range
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (539 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 540/957] platform/x86: asus-wmi: adjust screenpad power/brightness handling Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 542/957] tty: serial: ip22zilog: Fix section mispatch warning Greg Kroah-Hartman
` (421 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Benato, Luke Jones,
Ilpo Järvinen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Benato <denis.benato@linux.dev>
[ Upstream commit 8d95d1f4aa5c76202b0833a70998769384612488 ]
Fix screenpad brightness range being too limited without reason:
testing this patch on a Zenbook Duo showed the hardware minimum not being
too low, therefore allow the user to configure the entire range, and
expose to userspace the hardware brightness range and value.
Fixes: 2c97d3e55b70 ("platform/x86: asus-wmi: add support for ASUS screenpad")
Signed-off-by: Denis Benato <denis.benato@linux.dev>
Signed-off-by: Luke Jones <luke@ljones.dev>
Link: https://patch.msgid.link/20260302174431.349816-3-denis.benato@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/asus-wmi.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index e6fe6ed6a63da..9026744d72267 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -127,7 +127,6 @@ module_param(fnlock_default, bool, 0444);
#define NVIDIA_TEMP_MIN 75
#define NVIDIA_TEMP_MAX 87
-#define ASUS_SCREENPAD_BRIGHT_MIN 20
#define ASUS_SCREENPAD_BRIGHT_MAX 255
#define ASUS_SCREENPAD_BRIGHT_DEFAULT 60
@@ -4143,13 +4142,13 @@ static int read_screenpad_brightness(struct backlight_device *bd)
return err;
/* The device brightness can only be read if powered, so return stored */
if (err == BACKLIGHT_POWER_OFF)
- return asus->driver->screenpad_brightness - ASUS_SCREENPAD_BRIGHT_MIN;
+ return bd->props.brightness;
err = asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_SCREENPAD_LIGHT, &retval);
if (err < 0)
return err;
- return (retval & ASUS_WMI_DSTS_BRIGHTNESS_MASK) - ASUS_SCREENPAD_BRIGHT_MIN;
+ return retval & ASUS_WMI_DSTS_BRIGHTNESS_MASK;
}
static int update_screenpad_bl_status(struct backlight_device *bd)
@@ -4189,22 +4188,19 @@ static int asus_screenpad_init(struct asus_wmi *asus)
int err, power;
int brightness = 0;
- power = read_screenpad_backlight_power(asus);
+ power = asus_wmi_get_devstate_simple(asus, ASUS_WMI_DEVID_SCREENPAD_POWER);
if (power < 0)
return power;
- if (power != BACKLIGHT_POWER_OFF) {
+ if (power) {
err = asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_SCREENPAD_LIGHT, &brightness);
if (err < 0)
return err;
}
- /* default to an acceptable min brightness on boot if too low */
- if (brightness < ASUS_SCREENPAD_BRIGHT_MIN)
- brightness = ASUS_SCREENPAD_BRIGHT_DEFAULT;
memset(&props, 0, sizeof(struct backlight_properties));
props.type = BACKLIGHT_RAW; /* ensure this bd is last to be picked */
- props.max_brightness = ASUS_SCREENPAD_BRIGHT_MAX - ASUS_SCREENPAD_BRIGHT_MIN;
+ props.max_brightness = ASUS_SCREENPAD_BRIGHT_MAX;
bd = backlight_device_register("asus_screenpad",
&asus->platform_device->dev, asus,
&asus_screenpad_bl_ops, &props);
@@ -4215,7 +4211,7 @@ static int asus_screenpad_init(struct asus_wmi *asus)
asus->screenpad_backlight_device = bd;
asus->driver->screenpad_brightness = brightness;
- bd->props.brightness = brightness - ASUS_SCREENPAD_BRIGHT_MIN;
+ bd->props.brightness = brightness;
bd->props.power = power;
backlight_update_status(bd);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 542/957] tty: serial: ip22zilog: Fix section mispatch warning
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (540 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 541/957] platform/x86: asus-wmi: fix screenpad brightness range Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 543/957] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
` (420 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Thomas Bogendoerfer, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bogendoerfer <tbogendoerfer@suse.de>
[ Upstream commit a1a81aef99e853dec84241d701fbf587d713eb5b ]
ip22zilog_prepare() is now called by driver probe routine, so it
shouldn't be in the __init section any longer.
Fixes: 3fc36ae6abd2 ("tty: serial: ip22zilog: Use platform device for probing")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604020945.c9jAvCPs-lkp@intel.com/
Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Link: https://patch.msgid.link/20260402102154.136620-1-tbogendoerfer@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/ip22zilog.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/serial/ip22zilog.c b/drivers/tty/serial/ip22zilog.c
index 6e19c6713849a..a12101dc05546 100644
--- a/drivers/tty/serial/ip22zilog.c
+++ b/drivers/tty/serial/ip22zilog.c
@@ -1025,7 +1025,7 @@ static struct uart_driver ip22zilog_reg = {
#endif
};
-static void __init ip22zilog_prepare(struct uart_ip22zilog_port *up)
+static void ip22zilog_prepare(struct uart_ip22zilog_port *up)
{
unsigned char sysrq_on = IS_ENABLED(CONFIG_SERIAL_IP22_ZILOG_CONSOLE);
int brg;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 543/957] fs/ntfs3: terminate the cached volume label after UTF-8 conversion
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (541 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 542/957] tty: serial: ip22zilog: Fix section mispatch warning Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 544/957] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
` (419 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Konstantin Komarov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit a6cd43fe9b083fa23fe1595666d5738856cb261a ]
ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s()
and stores the result in sbi->volume.label. The converted label is later
exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only
returns the number of bytes written and does not add a trailing NUL.
If the converted label fills the entire fixed buffer,
ntfs3_label_show() can read past the end of sbi->volume.label while
looking for a terminator.
Terminate the cached label explicitly after a successful conversion and
clamp the exact-full case to the last byte of the buffer.
Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index e6c0908e27c29..9a2e3d0efd998 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1277,8 +1277,13 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
le32_to_cpu(attr->res.data_size) >> 1,
UTF16_LITTLE_ENDIAN, sbi->volume.label,
sizeof(sbi->volume.label));
- if (err < 0)
+ if (err < 0) {
sbi->volume.label[0] = 0;
+ } else if (err >= sizeof(sbi->volume.label)) {
+ sbi->volume.label[sizeof(sbi->volume.label) - 1] = 0;
+ } else {
+ sbi->volume.label[err] = 0;
+ }
} else {
/* Should we break mounting here? */
//err = -EINVAL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 544/957] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (542 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 543/957] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 545/957] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
` (418 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ilpo Järvinen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit f8fd138c2363c0e2d3235c32bfb4fb5c6474e4ae ]
Ensure the temp value has been properly parsed from the user-provided
buffer and initialized to be used in later operations. While at it,
prefer a convenient kstrtoul() helper.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: ad6ce87e5bd4 ("[PATCH] dell_rbu: changes in packet update mechanism")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20260403134240.604837-1-pchelkin@ispras.ru
[ij: add include]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/dell/dell_rbu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c
index 403df9bd9522b..69d7c0a931a7c 100644
--- a/drivers/platform/x86/dell/dell_rbu.c
+++ b/drivers/platform/x86/dell/dell_rbu.c
@@ -30,6 +30,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/init.h>
+#include <linux/kstrtox.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/string.h>
@@ -619,9 +620,12 @@ static ssize_t packet_size_write(struct file *filp, struct kobject *kobj,
char *buffer, loff_t pos, size_t count)
{
unsigned long temp;
+
+ if (kstrtoul(buffer, 10, &temp))
+ return -EINVAL;
+
spin_lock(&rbu_data.lock);
packet_empty_list();
- sscanf(buffer, "%lu", &temp);
if (temp < 0xffffffff)
rbu_data.packetsize = temp;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 545/957] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 544/957] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 546/957] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
` (417 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Ilpo Järvinen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 3c34471c26abc52a37f5ad90949e2e4b8027eb14 ]
populate_enum_data() aggregates firmware-provided value-modifier
and possible-value strings into fixed 512-byte struct members.
The current code bounds each individual source string but then
appends every string and separator with raw strcat() and no
remaining-space check.
Switch the aggregation loops to a bounded append helper and
reject enumeration packages whose combined strings do not fit
in the destination buffers.
Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260408084501.1-dell-wmi-sysman-v2-pengpeng@iscas.ac.cn
[ij: add include]
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../dell/dell-wmi-sysman/enum-attributes.c | 34 +++++++++++++++----
1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
index fc2f58b4cbc6e..7e44ba3015627 100644
--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
@@ -6,10 +6,32 @@
* Copyright (c) 2020 Dell Inc.
*/
+#include <linux/bug.h>
+
#include "dell-wmi-sysman.h"
get_instance_id(enumeration);
+static int append_enum_string(char *dest, const char *src)
+{
+ size_t dest_len = strlen(dest);
+ ssize_t copied;
+
+ if (WARN_ON_ONCE(dest_len >= MAX_BUFF))
+ return -EINVAL;
+
+ copied = strscpy(dest + dest_len, src, MAX_BUFF - dest_len);
+ if (copied < 0)
+ return -EINVAL;
+
+ dest_len += copied;
+ copied = strscpy(dest + dest_len, ";", MAX_BUFF - dest_len);
+ if (copied < 0)
+ return -EINVAL;
+
+ return 0;
+}
+
static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf)
{
int instance_id = get_enumeration_instance_id(kobj);
@@ -176,9 +198,9 @@ int populate_enum_data(union acpi_object *enumeration_obj, int instance_id,
return -EINVAL;
if (check_property_type(enumeration, next_obj, ACPI_TYPE_STRING))
return -EINVAL;
- strcat(wmi_priv.enumeration_data[instance_id].dell_value_modifier,
- enumeration_obj[next_obj++].string.pointer);
- strcat(wmi_priv.enumeration_data[instance_id].dell_value_modifier, ";");
+ if (append_enum_string(wmi_priv.enumeration_data[instance_id].dell_value_modifier,
+ enumeration_obj[next_obj++].string.pointer))
+ return -EINVAL;
}
if (next_obj >= enum_property_count)
@@ -193,9 +215,9 @@ int populate_enum_data(union acpi_object *enumeration_obj, int instance_id,
return -EINVAL;
if (check_property_type(enumeration, next_obj, ACPI_TYPE_STRING))
return -EINVAL;
- strcat(wmi_priv.enumeration_data[instance_id].possible_values,
- enumeration_obj[next_obj++].string.pointer);
- strcat(wmi_priv.enumeration_data[instance_id].possible_values, ";");
+ if (append_enum_string(wmi_priv.enumeration_data[instance_id].possible_values,
+ enumeration_obj[next_obj++].string.pointer))
+ return -EINVAL;
}
return sysfs_create_group(attr_name_kobj, &enumeration_attr_group);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 546/957] RDMA/core: Prefer NLA_NUL_STRING
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 545/957] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 547/957] dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur Greg Kroah-Hartman
` (416 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Jason Gunthorpe,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 6ed3d14fc45d3da6025e7fe4a6a09066856698e2 ]
These attributes are evaluated as c-string (passed to strcmp), but
NLA_STRING doesn't check for the presence of a \0 terminator.
Either this needs to switch to nla_strcmp() and needs to adjust printf fmt
specifier to not use plain %s, or this needs to use NLA_NUL_STRING.
As the code has been this way for long time, it seems to me that userspace
does include the terminating nul, even tough its not enforced so far, and
thus NLA_NUL_STRING use is the simpler solution.
Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
Link: https://patch.msgid.link/r/20260330122742.13315-1-fw@strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/iwpm_msg.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/core/iwpm_msg.c b/drivers/infiniband/core/iwpm_msg.c
index 3c9a9869212bb..feb09008eb9ca 100644
--- a/drivers/infiniband/core/iwpm_msg.c
+++ b/drivers/infiniband/core/iwpm_msg.c
@@ -365,9 +365,9 @@ int iwpm_remove_mapping(struct sockaddr_storage *local_addr, u8 nl_client)
/* netlink attribute policy for the received response to register pid request */
static const struct nla_policy resp_reg_policy[IWPM_NLA_RREG_PID_MAX] = {
[IWPM_NLA_RREG_PID_SEQ] = { .type = NLA_U32 },
- [IWPM_NLA_RREG_IBDEV_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_RREG_IBDEV_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_DEVNAME_SIZE - 1 },
- [IWPM_NLA_RREG_ULIB_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_RREG_ULIB_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_ULIBNAME_SIZE - 1 },
[IWPM_NLA_RREG_ULIB_VER] = { .type = NLA_U16 },
[IWPM_NLA_RREG_PID_ERR] = { .type = NLA_U16 }
@@ -677,7 +677,7 @@ int iwpm_remote_info_cb(struct sk_buff *skb, struct netlink_callback *cb)
/* netlink attribute policy for the received request for mapping info */
static const struct nla_policy resp_mapinfo_policy[IWPM_NLA_MAPINFO_REQ_MAX] = {
- [IWPM_NLA_MAPINFO_ULIB_NAME] = { .type = NLA_STRING,
+ [IWPM_NLA_MAPINFO_ULIB_NAME] = { .type = NLA_NUL_STRING,
.len = IWPM_ULIBNAME_SIZE - 1 },
[IWPM_NLA_MAPINFO_ULIB_VER] = { .type = NLA_U16 }
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 547/957] dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 546/957] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 548/957] clk: qcom: gcc-glymur: Add video axi clock resets for glymur Greg Kroah-Hartman
` (415 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taniya Das, Krzysztof Kozlowski,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taniya Das <taniya.das@oss.qualcomm.com>
[ Upstream commit 7c3260327fc874b7c89d7bb230cd569d2e78aff7 ]
The global clock controller video axi reset clocks are required by
the video SW driver to assert and deassert the clock resets.
Signed-off-by: Taniya Das <taniya.das@oss.qualcomm.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260202-glymur_videocc-v2-1-8f7d8b4d8edd@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 1c8ce43e1e07 ("clk: qcom: gcc-glymur: Add video axi clock resets for glymur")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,glymur-gcc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/dt-bindings/clock/qcom,glymur-gcc.h b/include/dt-bindings/clock/qcom,glymur-gcc.h
index 10c12b8c51c34..6907653c79927 100644
--- a/include/dt-bindings/clock/qcom,glymur-gcc.h
+++ b/include/dt-bindings/clock/qcom,glymur-gcc.h
@@ -574,5 +574,6 @@
#define GCC_VIDEO_AXI0_CLK_ARES 89
#define GCC_VIDEO_AXI1_CLK_ARES 90
#define GCC_VIDEO_BCR 91
+#define GCC_VIDEO_AXI0C_CLK_ARES 92
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 548/957] clk: qcom: gcc-glymur: Add video axi clock resets for glymur
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 547/957] dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 549/957] clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
` (414 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taniya Das, Dmitry Baryshkov,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taniya Das <taniya.das@oss.qualcomm.com>
[ Upstream commit 1c8ce43e1e07ecc531fb517f95620ed85e998608 ]
The global clock controller video axi reset clocks are required by
the video SW driver to assert and deassert the clock resets during
their power down sequence. Hence add these clock resets.
Fixes: efe504300a17 ("clk: qcom: gcc: Add support for Global Clock Controller")
Signed-off-by: Taniya Das <taniya.das@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260202-glymur_videocc-v2-3-8f7d8b4d8edd@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-glymur.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/qcom/gcc-glymur.c b/drivers/clk/qcom/gcc-glymur.c
index 17e860307fa10..eff3248d483ad 100644
--- a/drivers/clk/qcom/gcc-glymur.c
+++ b/drivers/clk/qcom/gcc-glymur.c
@@ -8508,6 +8508,7 @@ static const struct qcom_reset_map gcc_glymur_resets[] = {
[GCC_VIDEO_AXI0_CLK_ARES] = { 0x3201c, 2 },
[GCC_VIDEO_AXI1_CLK_ARES] = { 0x32044, 2 },
[GCC_VIDEO_BCR] = { 0x32000 },
+ [GCC_VIDEO_AXI0C_CLK_ARES] = { 0x32030, 2 },
};
static const struct clk_rcg_dfs_data gcc_dfs_clocks[] = {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 549/957] clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 548/957] clk: qcom: gcc-glymur: Add video axi clock resets for glymur Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 550/957] clk: qcom: dispcc-sm8450: " Greg Kroah-Hartman
` (413 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abel Vesa,
Konrad Dybcio, Taniya Das, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit e7c8eb1646db5d967d77ee67793dd95a2c5ff451 ]
The clk_dp_ops are supposed to be used for DP-related clocks with a
proper MND divier. Use shared RCG2 ops for dptx1_aux_clk_src, the same
as all other DPTX AUX clocks in this driver.
Fixes: b4d15211c408 ("clk: qcom: dispcc-glymur: Add support for Display Clock Controller")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260112-dp-aux-clks-v1-1-456b0c11b069@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-glymur.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-glymur.c b/drivers/clk/qcom/dispcc-glymur.c
index 5203fa6383f6a..f352165bf56fc 100644
--- a/drivers/clk/qcom/dispcc-glymur.c
+++ b/drivers/clk/qcom/dispcc-glymur.c
@@ -417,7 +417,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_dp_ops,
+ .ops = &clk_rcg2_shared_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 550/957] clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 549/957] clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 551/957] clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock Greg Kroah-Hartman
` (412 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abel Vesa,
Konrad Dybcio, Taniya Das, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 141af1be817c42c7f1e1605348d4b1983d319bea ]
The clk_dp_ops are supposed to be used for DP-related clocks with a
proper MND divier. Use standard RCG2 ops for dptx1_aux_clk_src, the same
as all other DPTX AUX clocks in this driver.
Fixes: 16fb89f92ec4 ("clk: qcom: Add support for Display Clock Controller on SM8450")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260112-dp-aux-clks-v1-2-456b0c11b069@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8450.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm8450.c b/drivers/clk/qcom/dispcc-sm8450.c
index 9ce9fd28e55b2..2e91332dd92ab 100644
--- a/drivers/clk/qcom/dispcc-sm8450.c
+++ b/drivers/clk/qcom/dispcc-sm8450.c
@@ -409,7 +409,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_dp_ops,
+ .ops = &clk_rcg2_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 551/957] clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 550/957] clk: qcom: dispcc-sm8450: " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 552/957] scsi: sg: Fix sysctl sg-big-buff register during sg_init() Greg Kroah-Hartman
` (411 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andre Przywara, Jernej Skrabec,
Chen-Yu Tsai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wens@kernel.org>
[ Upstream commit fb20ccf70cf695f178d7c32e2d33b376560df0ff ]
When the PRCM clk driver was added, somehow the r-spi module clock
was skipped over.
Add it so that r-spi can actually work.
Fixes: 8cea339cfb81 ("clk: sunxi-ng: add support for the A523/T527 PRCM CCU")
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://patch.msgid.link/20260217093004.3239051-1-wens@kernel.org
Signed-off-by: Chen-Yu Tsai <wens@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
index 0339c4af0fe5b..db0e36d8838e7 100644
--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
+++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c
@@ -83,9 +83,22 @@ static SUNXI_CCU_MUX_DATA_WITH_GATE(r_pwmctrl_clk, "r-pwmctrl",
static SUNXI_CCU_GATE_HW(bus_r_pwmctrl_clk, "bus-r-pwmctrl",
&r_apb0_clk.common.hw, 0x13c, BIT(0), 0);
-/* SPI clock is /M/N (same as new MMC?) */
+static const struct clk_parent_data r_spi_parents[] = {
+ { .fw_name = "hosc" },
+ { .fw_name = "pll-periph" },
+ { .name = "pll-periph0-300M" },
+ { .name = "pll-periph1-300M" },
+ { .name = "pll-audio" },
+};
+static SUNXI_CCU_DUALDIV_MUX_GATE(r_spi_clk, "r-spi", r_spi_parents, 0x150,
+ 0, 5, /* M */
+ 8, 5, /* P */
+ 24, 3, /* mux */
+ BIT(31), /* gate */
+ 0);
static SUNXI_CCU_GATE_HW(bus_r_spi_clk, "bus-r-spi",
&r_ahb_clk.common.hw, 0x15c, BIT(0), 0);
+
static SUNXI_CCU_GATE_HW(bus_r_spinlock_clk, "bus-r-spinlock",
&r_ahb_clk.common.hw, 0x16c, BIT(0), 0);
static SUNXI_CCU_GATE_HW(bus_r_msgbox_clk, "bus-r-msgbox",
@@ -138,6 +151,7 @@ static struct ccu_common *sun55i_a523_r_ccu_clks[] = {
&bus_r_twd_clk.common,
&r_pwmctrl_clk.common,
&bus_r_pwmctrl_clk.common,
+ &r_spi_clk.common,
&bus_r_spi_clk.common,
&bus_r_spinlock_clk.common,
&bus_r_msgbox_clk.common,
@@ -169,6 +183,7 @@ static struct clk_hw_onecell_data sun55i_a523_r_hw_clks = {
[CLK_BUS_R_TWD] = &bus_r_twd_clk.common.hw,
[CLK_R_PWMCTRL] = &r_pwmctrl_clk.common.hw,
[CLK_BUS_R_PWMCTRL] = &bus_r_pwmctrl_clk.common.hw,
+ [CLK_R_SPI] = &r_spi_clk.common.hw,
[CLK_BUS_R_SPI] = &bus_r_spi_clk.common.hw,
[CLK_BUS_R_SPINLOCK] = &bus_r_spinlock_clk.common.hw,
[CLK_BUS_R_MSGBOX] = &bus_r_msgbox_clk.common.hw,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 552/957] scsi: sg: Fix sysctl sg-big-buff register during sg_init()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 551/957] clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 553/957] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
` (410 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Erkun, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
[ Upstream commit 3033c471aaf675254efaa0da431e95d91a104b41 ]
Commit 26d1c80fd61e ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c") made
a mistake. sysctl sg-big-buff was not created because the call to
register_sg_sysctls() was placed on the wrong code path.
Fixes: 26d1c80fd61e ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260127062044.3034148-2-yangerkun@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 57fba34832ad1..c93cc9323f563 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1689,13 +1689,13 @@ init_sg(void)
sg_sysfs_valid = 1;
rc = scsi_register_interface(&sg_interface);
if (0 == rc) {
+ register_sg_sysctls();
#ifdef CONFIG_SCSI_PROC_FS
sg_proc_init();
#endif /* CONFIG_SCSI_PROC_FS */
return 0;
}
class_unregister(&sg_sysfs_class);
- register_sg_sysctls();
err_out:
unregister_chrdev_region(MKDEV(SCSI_GENERIC_MAJOR, 0), SG_MAX_DEVS);
return rc;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 553/957] scsi: sg: Resolve soft lockup issue when opening /dev/sgX
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 552/957] scsi: sg: Fix sysctl sg-big-buff register during sg_init() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 554/957] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers Greg Kroah-Hartman
` (409 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Erkun, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
[ Upstream commit d06a310b45e153872033dd0cf19d5a2279121099 ]
The parameter def_reserved_size defines the default buffer size reserved
for each Sg_fd and should be restricted to a range between 0 and 1,048,576
(see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html). Although the
function sg_proc_write_dressz enforces this limit, it is possible to bypass
it by directly modifying the module parameter as shown below, which then
causes a soft lockup:
echo -1 > /sys/module/sg/parameters/def_reserved_size
exec 4<> /dev/sg0
watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
Modules loaded:
CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134,
PREEMPT disabled
Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version
1.16.1-2.fc37 dated 04/01/2014
...
Call Trace:
sg_build_reserve+0x5c/0xa0
sg_add_sfp+0x168/0x270
sg_open+0x16e/0x340
chrdev_open+0xbe/0x230
do_dentry_open+0x175/0x480
vfs_open+0x34/0xf0
do_open+0x265/0x3d0
path_openat+0x110/0x290
do_filp_open+0xc3/0x170
do_sys_openat2+0x71/0xe0
__x64_sys_openat+0x6d/0xa0
do_syscall_64+0x62/0x310
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The fix is to use module_param_cb to validate and reject invalid values
assigned to def_reserved_size.
Fixes: 6460e75a104d ("[SCSI] sg: fixes for large page_size")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260127062044.3034148-3-yangerkun@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index c93cc9323f563..21c3962ee1cb5 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1621,10 +1621,35 @@ sg_remove_device(struct device *cl_dev)
}
module_param_named(scatter_elem_sz, scatter_elem_sz, int, S_IRUGO | S_IWUSR);
-module_param_named(def_reserved_size, def_reserved_size, int,
- S_IRUGO | S_IWUSR);
module_param_named(allow_dio, sg_allow_dio, int, S_IRUGO | S_IWUSR);
+static int def_reserved_size_set(const char *val, const struct kernel_param *kp)
+{
+ int size, ret;
+
+ if (!val)
+ return -EINVAL;
+
+ ret = kstrtoint(val, 0, &size);
+ if (ret)
+ return ret;
+
+ /* limit to 1 MB */
+ if (size < 0 || size > 1048576)
+ return -ERANGE;
+
+ def_reserved_size = size;
+ return 0;
+}
+
+static const struct kernel_param_ops def_reserved_size_ops = {
+ .set = def_reserved_size_set,
+ .get = param_get_int,
+};
+
+module_param_cb(def_reserved_size, &def_reserved_size_ops, &def_reserved_size,
+ S_IRUGO | S_IWUSR);
+
MODULE_AUTHOR("Douglas Gilbert");
MODULE_DESCRIPTION("SCSI generic (sg) driver");
MODULE_LICENSE("GPL");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 554/957] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 553/957] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 555/957] clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting Greg Kroah-Hartman
` (408 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, White Lewis, Pengyu Luo,
Dmitry Baryshkov, Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: White Lewis <liu224806@gmail.com>
[ Upstream commit 0b151a6307205eb867250985a910a88787cbf12e ]
The four byte_div_clk_src dividers (disp{0,1}_cc_mdss_byte{0,1}_div_clk_src)
had CLK_SET_RATE_PARENT set. When the DSI driver calls clk_set_rate() on
byte_intf_clk, the rate-change propagates through the divider up to the
parent PLL (byte_clk_src), halving the byte clock rate.
A simiar issue had been also encountered on SM8750.
b8501febdc51 ("clk: qcom: dispcc-sm8750: Drop incorrect CLK_SET_RATE_PARENT on byte intf parent").
Likewise, remove CLK_SET_RATE_PARENT from all four byte divider clocks
so that clk_set_rate() on the divider adjusts only the divider ratio,
leaving the parent PLL untouched.
Fixes: 4a66e76fdb6d ("clk: qcom: Add SC8280XP display clock controller")
Signed-off-by: White Lewis <liu224806@gmail.com>
[pengyu: reword]
Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260303115550.9279-1-mitltlatltl@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sc8280xp.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/clk/qcom/dispcc-sc8280xp.c b/drivers/clk/qcom/dispcc-sc8280xp.c
index 5903a759d4af4..e91dfed0f37e9 100644
--- a/drivers/clk/qcom/dispcc-sc8280xp.c
+++ b/drivers/clk/qcom/dispcc-sc8280xp.c
@@ -1160,7 +1160,6 @@ static struct clk_regmap_div disp0_cc_mdss_byte0_div_clk_src = {
&disp0_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -1175,7 +1174,6 @@ static struct clk_regmap_div disp1_cc_mdss_byte0_div_clk_src = {
&disp1_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -1190,7 +1188,6 @@ static struct clk_regmap_div disp0_cc_mdss_byte1_div_clk_src = {
&disp0_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -1205,7 +1202,6 @@ static struct clk_regmap_div disp1_cc_mdss_byte1_div_clk_src = {
&disp1_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 555/957] clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 554/957] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 556/957] clk: qcom: dispcc-milos: " Greg Kroah-Hartman
` (407 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 98ea9eda030587601db56425efcd32263d853591 ]
The clock tree for byte_clk_src is as follows:
┌──────byte0_clk_src─────┐
│ │
byte0_clk byte0_div_clk_src
│
byte0_intf_clk
If both of its direct children have CLK_SET_RATE_PARENT with different
requests, byte0_clk_src (and its parent) will be reconfigured. In this
case, byte0_intf should strictly follow the rate of byte0_clk (with
some adjustments based on PHY mode).
Remove CLK_SET_RATE_PARENT from byte0_div_clk_src to avoid this issue.
Fixes: b4d15211c408 ("clk: qcom: dispcc-glymur: Add support for Display Clock Controller")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260304-topic-dsi_byte_fixup-v1-1-b79b29f83176@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-glymur.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/clk/qcom/dispcc-glymur.c b/drivers/clk/qcom/dispcc-glymur.c
index f352165bf56fc..bef74f58405ba 100644
--- a/drivers/clk/qcom/dispcc-glymur.c
+++ b/drivers/clk/qcom/dispcc-glymur.c
@@ -747,7 +747,6 @@ static struct clk_regmap_div disp_cc_mdss_byte0_div_clk_src = {
&disp_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -762,7 +761,6 @@ static struct clk_regmap_div disp_cc_mdss_byte1_div_clk_src = {
&disp_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 556/957] clk: qcom: dispcc-milos: Fix DSI byte clock rate setting
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 555/957] clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 557/957] clk: qcom: dispcc-sm4450: " Greg Kroah-Hartman
` (406 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit dd5b76257b4048151006620c9895e2f5f0d997eb ]
The clock tree for byte_clk_src is as follows:
┌──────byte0_clk_src─────┐
│ │
byte0_clk byte0_div_clk_src
│
byte0_intf_clk
If both of its direct children have CLK_SET_RATE_PARENT with different
requests, byte0_clk_src (and its parent) will be reconfigured. In this
case, byte0_intf should strictly follow the rate of byte0_clk (with
some adjustments based on PHY mode).
Remove CLK_SET_RATE_PARENT from byte0_div_clk_src to avoid this issue.
Fixes: f40b5217dce1 ("clk: qcom: Add Display Clock controller (DISPCC) driver for Milos")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260304-topic-dsi_byte_fixup-v1-3-b79b29f83176@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-milos.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-milos.c b/drivers/clk/qcom/dispcc-milos.c
index 95b6dd89d9ae3..339cb1c63ba77 100644
--- a/drivers/clk/qcom/dispcc-milos.c
+++ b/drivers/clk/qcom/dispcc-milos.c
@@ -394,7 +394,6 @@ static struct clk_regmap_div disp_cc_mdss_byte0_div_clk_src = {
&disp_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 557/957] clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 556/957] clk: qcom: dispcc-milos: " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 558/957] clk: qcom: dispcc[01]-sa8775p: " Greg Kroah-Hartman
` (405 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 7bc48fcdf9e77bf68ef04af015d50df2a9acac00 ]
The clock tree for byte_clk_src is as follows:
┌──────byte0_clk_src─────┐
│ │
byte0_clk byte0_div_clk_src
│
byte0_intf_clk
If both of its direct children have CLK_SET_RATE_PARENT with different
requests, byte0_clk_src (and its parent) will be reconfigured. In this
case, byte0_intf should strictly follow the rate of byte0_clk (with
some adjustments based on PHY mode).
Remove CLK_SET_RATE_PARENT from byte0_div_clk_src to avoid this issue.
Fixes: 76f05f1ec766 ("clk: qcom: Add DISPCC driver support for SM4450")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260304-topic-dsi_byte_fixup-v1-4-b79b29f83176@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm4450.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm4450.c b/drivers/clk/qcom/dispcc-sm4450.c
index e8752d01c8e62..2fdacc26df698 100644
--- a/drivers/clk/qcom/dispcc-sm4450.c
+++ b/drivers/clk/qcom/dispcc-sm4450.c
@@ -335,7 +335,6 @@ static struct clk_regmap_div disp_cc_mdss_byte0_div_clk_src = {
&disp_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 558/957] clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 557/957] clk: qcom: dispcc-sm4450: " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 559/957] clk: renesas: r9a09g057: Add clock and reset entries for RTC Greg Kroah-Hartman
` (404 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit 2851b6c6a42e22c243aa4cd606a49e2b9acfb6d6 ]
The clock tree for byte_clk_src is as follows:
┌──────byte0_clk_src─────┐
│ │
byte0_clk byte0_div_clk_src
│
byte0_intf_clk
If both of its direct children have CLK_SET_RATE_PARENT with different
requests, byte0_clk_src (and its parent) will be reconfigured. In this
case, byte0_intf should strictly follow the rate of byte0_clk (with
some adjustments based on PHY mode).
Remove CLK_SET_RATE_PARENT from byte0_div_clk_src to avoid this issue.
Fixes: e700bfd2f976 ("clk: qcom: Add support for Display clock Controllers on SA8775P")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260304-topic-dsi_byte_fixup-v1-5-b79b29f83176@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc0-sa8775p.c | 2 --
drivers/clk/qcom/dispcc1-sa8775p.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/drivers/clk/qcom/dispcc0-sa8775p.c b/drivers/clk/qcom/dispcc0-sa8775p.c
index aeda9cf4bfee8..b248fa9705873 100644
--- a/drivers/clk/qcom/dispcc0-sa8775p.c
+++ b/drivers/clk/qcom/dispcc0-sa8775p.c
@@ -591,7 +591,6 @@ static struct clk_regmap_div mdss_0_disp_cc_mdss_byte0_div_clk_src = {
&mdss_0_disp_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -606,7 +605,6 @@ static struct clk_regmap_div mdss_0_disp_cc_mdss_byte1_div_clk_src = {
&mdss_0_disp_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
diff --git a/drivers/clk/qcom/dispcc1-sa8775p.c b/drivers/clk/qcom/dispcc1-sa8775p.c
index cd55d1c119024..9882edbb79f9e 100644
--- a/drivers/clk/qcom/dispcc1-sa8775p.c
+++ b/drivers/clk/qcom/dispcc1-sa8775p.c
@@ -591,7 +591,6 @@ static struct clk_regmap_div mdss_1_disp_cc_mdss_byte0_div_clk_src = {
&mdss_1_disp_cc_mdss_byte0_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
@@ -606,7 +605,6 @@ static struct clk_regmap_div mdss_1_disp_cc_mdss_byte1_div_clk_src = {
&mdss_1_disp_cc_mdss_byte1_clk_src.clkr.hw,
},
.num_parents = 1,
- .flags = CLK_SET_RATE_PARENT,
.ops = &clk_regmap_div_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 559/957] clk: renesas: r9a09g057: Add clock and reset entries for RTC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 558/957] clk: qcom: dispcc[01]-sa8775p: " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 560/957] clk: renesas: r9a09g057: Add entries for RSCIs Greg Kroah-Hartman
` (403 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Geert Uytterhoeven,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
[ Upstream commit 7a03ef9f8223434f19e19a37acc32dcb581ab475 ]
Add module clock and reset entries for the RTC module on the Renesas RZ/V2H
(R9A09G057) SoC.
Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251021080705.18116-2-ovidiu.panait.rb@renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: 1b4f047dc401 ("clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a09g057-cpg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/clk/renesas/r9a09g057-cpg.c b/drivers/clk/renesas/r9a09g057-cpg.c
index 6389c4b6a5231..4e47fea3f8946 100644
--- a/drivers/clk/renesas/r9a09g057-cpg.c
+++ b/drivers/clk/renesas/r9a09g057-cpg.c
@@ -239,6 +239,8 @@ static const struct rzv2h_mod_clk r9a09g057_mod_clks[] __initconst = {
BUS_MSTOP(5, BIT(13))),
DEF_MOD("wdt_3_clk_loco", CLK_QEXTAL, 5, 2, 2, 18,
BUS_MSTOP(5, BIT(13))),
+ DEF_MOD("rtc_0_clk_rtc", CLK_PLLCM33_DIV16, 5, 3, 2, 19,
+ BUS_MSTOP(3, BIT(11) | BIT(12))),
DEF_MOD("rspi_0_pclk", CLK_PLLCLN_DIV8, 5, 4, 2, 20,
BUS_MSTOP(11, BIT(0))),
DEF_MOD("rspi_0_pclk_sfr", CLK_PLLCLN_DIV8, 5, 5, 2, 21,
@@ -401,6 +403,8 @@ static const struct rzv2h_reset r9a09g057_resets[] __initconst = {
DEF_RST(7, 6, 3, 7), /* WDT_1_RESET */
DEF_RST(7, 7, 3, 8), /* WDT_2_RESET */
DEF_RST(7, 8, 3, 9), /* WDT_3_RESET */
+ DEF_RST(7, 9, 3, 10), /* RTC_0_RST_RTC */
+ DEF_RST(7, 10, 3, 11), /* RTC_0_RST_RTC_V */
DEF_RST(7, 11, 3, 12), /* RSPI_0_PRESETN */
DEF_RST(7, 12, 3, 13), /* RSPI_0_TRESETN */
DEF_RST(7, 13, 3, 14), /* RSPI_1_PRESETN */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 560/957] clk: renesas: r9a09g057: Add entries for RSCIs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 559/957] clk: renesas: r9a09g057: Add clock and reset entries for RTC Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 561/957] clk: renesas: r9a09g057: Fix ordering of module clocks array Greg Kroah-Hartman
` (402 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Geert Uytterhoeven,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
[ Upstream commit 2efea3b35cc916f04f06b89f2e2557dbd9c48109 ]
Add clock and reset entries for the RSCI IPs.
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251203094147.6429-3-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: 1b4f047dc401 ("clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a09g057-cpg.c | 126 ++++++++++++++++++++++++++++
1 file changed, 126 insertions(+)
diff --git a/drivers/clk/renesas/r9a09g057-cpg.c b/drivers/clk/renesas/r9a09g057-cpg.c
index 4e47fea3f8946..ac3d309365b45 100644
--- a/drivers/clk/renesas/r9a09g057-cpg.c
+++ b/drivers/clk/renesas/r9a09g057-cpg.c
@@ -44,6 +44,9 @@ enum clk_ids {
CLK_PLLCLN_DIV2,
CLK_PLLCLN_DIV8,
CLK_PLLCLN_DIV16,
+ CLK_PLLCLN_DIV64,
+ CLK_PLLCLN_DIV256,
+ CLK_PLLCLN_DIV1024,
CLK_PLLDTY_ACPU,
CLK_PLLDTY_ACPU_DIV2,
CLK_PLLDTY_ACPU_DIV4,
@@ -144,6 +147,9 @@ static const struct cpg_core_clk r9a09g057_core_clks[] __initconst = {
DEF_FIXED(".pllcln_div2", CLK_PLLCLN_DIV2, CLK_PLLCLN, 1, 2),
DEF_FIXED(".pllcln_div8", CLK_PLLCLN_DIV8, CLK_PLLCLN, 1, 8),
DEF_FIXED(".pllcln_div16", CLK_PLLCLN_DIV16, CLK_PLLCLN, 1, 16),
+ DEF_FIXED(".pllcln_div64", CLK_PLLCLN_DIV64, CLK_PLLCLN, 1, 64),
+ DEF_FIXED(".pllcln_div256", CLK_PLLCLN_DIV256, CLK_PLLCLN, 1, 256),
+ DEF_FIXED(".pllcln_div1024", CLK_PLLCLN_DIV1024, CLK_PLLCLN, 1, 1024),
DEF_DDIV(".plldty_acpu", CLK_PLLDTY_ACPU, CLK_PLLDTY, CDDIV0_DIVCTL2, dtable_2_64),
DEF_FIXED(".plldty_acpu_div2", CLK_PLLDTY_ACPU_DIV2, CLK_PLLDTY_ACPU, 1, 2),
@@ -239,6 +245,106 @@ static const struct rzv2h_mod_clk r9a09g057_mod_clks[] __initconst = {
BUS_MSTOP(5, BIT(13))),
DEF_MOD("wdt_3_clk_loco", CLK_QEXTAL, 5, 2, 2, 18,
BUS_MSTOP(5, BIT(13))),
+ DEF_MOD("rsci0_pclk", CLK_PLLCLN_DIV16, 5, 13, 2, 29,
+ BUS_MSTOP(11, BIT(3))),
+ DEF_MOD("rsci0_tclk", CLK_PLLCLN_DIV16, 5, 14, 2, 30,
+ BUS_MSTOP(11, BIT(3))),
+ DEF_MOD("rsci0_ps_ps3_n", CLK_PLLCLN_DIV1024, 5, 15, 2, 31,
+ BUS_MSTOP(11, BIT(3))),
+ DEF_MOD("rsci0_ps_ps2_n", CLK_PLLCLN_DIV256, 6, 0, 3, 0,
+ BUS_MSTOP(11, BIT(3))),
+ DEF_MOD("rsci0_ps_ps1_n", CLK_PLLCLN_DIV64, 6, 1, 3, 1,
+ BUS_MSTOP(11, BIT(3))),
+ DEF_MOD("rsci1_pclk", CLK_PLLCLN_DIV16, 6, 2, 3, 2,
+ BUS_MSTOP(11, BIT(4))),
+ DEF_MOD("rsci1_tclk", CLK_PLLCLN_DIV16, 6, 3, 3, 3,
+ BUS_MSTOP(11, BIT(4))),
+ DEF_MOD("rsci1_ps_ps3_n", CLK_PLLCLN_DIV1024, 6, 4, 3, 4,
+ BUS_MSTOP(11, BIT(4))),
+ DEF_MOD("rsci1_ps_ps2_n", CLK_PLLCLN_DIV256, 6, 5, 3, 5,
+ BUS_MSTOP(11, BIT(4))),
+ DEF_MOD("rsci1_ps_ps1_n", CLK_PLLCLN_DIV64, 6, 6, 3, 6,
+ BUS_MSTOP(11, BIT(4))),
+ DEF_MOD("rsci2_pclk", CLK_PLLCLN_DIV16, 6, 7, 3, 7,
+ BUS_MSTOP(11, BIT(5))),
+ DEF_MOD("rsci2_tclk", CLK_PLLCLN_DIV16, 6, 8, 3, 8,
+ BUS_MSTOP(11, BIT(5))),
+ DEF_MOD("rsci2_ps_ps3_n", CLK_PLLCLN_DIV1024, 6, 9, 3, 9,
+ BUS_MSTOP(11, BIT(5))),
+ DEF_MOD("rsci2_ps_ps2_n", CLK_PLLCLN_DIV256, 6, 10, 3, 10,
+ BUS_MSTOP(11, BIT(5))),
+ DEF_MOD("rsci2_ps_ps1_n", CLK_PLLCLN_DIV64, 6, 11, 3, 11,
+ BUS_MSTOP(11, BIT(5))),
+ DEF_MOD("rsci3_pclk", CLK_PLLCLN_DIV16, 6, 12, 3, 12,
+ BUS_MSTOP(11, BIT(6))),
+ DEF_MOD("rsci3_tclk", CLK_PLLCLN_DIV16, 6, 13, 3, 13,
+ BUS_MSTOP(11, BIT(6))),
+ DEF_MOD("rsci3_ps_ps3_n", CLK_PLLCLN_DIV1024, 6, 14, 3, 14,
+ BUS_MSTOP(11, BIT(6))),
+ DEF_MOD("rsci3_ps_ps2_n", CLK_PLLCLN_DIV256, 6, 15, 3, 15,
+ BUS_MSTOP(11, BIT(6))),
+ DEF_MOD("rsci3_ps_ps1_n", CLK_PLLCLN_DIV64, 7, 0, 3, 16,
+ BUS_MSTOP(11, BIT(6))),
+ DEF_MOD("rsci4_pclk", CLK_PLLCLN_DIV16, 7, 1, 3, 17,
+ BUS_MSTOP(11, BIT(7))),
+ DEF_MOD("rsci4_tclk", CLK_PLLCLN_DIV16, 7, 2, 3, 18,
+ BUS_MSTOP(11, BIT(7))),
+ DEF_MOD("rsci4_ps_ps3_n", CLK_PLLCLN_DIV1024, 7, 3, 3, 19,
+ BUS_MSTOP(11, BIT(7))),
+ DEF_MOD("rsci4_ps_ps2_n", CLK_PLLCLN_DIV256, 7, 4, 3, 20,
+ BUS_MSTOP(11, BIT(7))),
+ DEF_MOD("rsci4_ps_ps1_n", CLK_PLLCLN_DIV64, 7, 5, 3, 21,
+ BUS_MSTOP(11, BIT(7))),
+ DEF_MOD("rsci5_pclk", CLK_PLLCLN_DIV16, 7, 6, 3, 22,
+ BUS_MSTOP(11, BIT(8))),
+ DEF_MOD("rsci5_tclk", CLK_PLLCLN_DIV16, 7, 7, 3, 23,
+ BUS_MSTOP(11, BIT(8))),
+ DEF_MOD("rsci5_ps_ps3_n", CLK_PLLCLN_DIV1024, 7, 8, 3, 24,
+ BUS_MSTOP(11, BIT(8))),
+ DEF_MOD("rsci5_ps_ps2_n", CLK_PLLCLN_DIV256, 7, 9, 3, 25,
+ BUS_MSTOP(11, BIT(8))),
+ DEF_MOD("rsci5_ps_ps1_n", CLK_PLLCLN_DIV64, 7, 10, 3, 26,
+ BUS_MSTOP(11, BIT(8))),
+ DEF_MOD("rsci6_pclk", CLK_PLLCLN_DIV16, 7, 11, 3, 27,
+ BUS_MSTOP(11, BIT(9))),
+ DEF_MOD("rsci6_tclk", CLK_PLLCLN_DIV16, 7, 12, 3, 28,
+ BUS_MSTOP(11, BIT(9))),
+ DEF_MOD("rsci6_ps_ps3_n", CLK_PLLCLN_DIV1024, 7, 13, 3, 29,
+ BUS_MSTOP(11, BIT(9))),
+ DEF_MOD("rsci6_ps_ps2_n", CLK_PLLCLN_DIV256, 7, 14, 3, 30,
+ BUS_MSTOP(11, BIT(9))),
+ DEF_MOD("rsci6_ps_ps1_n", CLK_PLLCLN_DIV64, 7, 15, 3, 31,
+ BUS_MSTOP(11, BIT(9))),
+ DEF_MOD("rsci7_pclk", CLK_PLLCLN_DIV16, 8, 0, 4, 0,
+ BUS_MSTOP(11, BIT(10))),
+ DEF_MOD("rsci7_tclk", CLK_PLLCLN_DIV16, 8, 1, 4, 1,
+ BUS_MSTOP(11, BIT(10))),
+ DEF_MOD("rsci7_ps_ps3_n", CLK_PLLCLN_DIV1024, 8, 2, 4, 2,
+ BUS_MSTOP(11, BIT(10))),
+ DEF_MOD("rsci7_ps_ps2_n", CLK_PLLCLN_DIV256, 8, 3, 4, 3,
+ BUS_MSTOP(11, BIT(10))),
+ DEF_MOD("rsci7_ps_ps1_n", CLK_PLLCLN_DIV64, 8, 4, 4, 4,
+ BUS_MSTOP(11, BIT(10))),
+ DEF_MOD("rsci8_pclk", CLK_PLLCLN_DIV16, 8, 5, 4, 5,
+ BUS_MSTOP(11, BIT(11))),
+ DEF_MOD("rsci8_tclk", CLK_PLLCLN_DIV16, 8, 6, 4, 6,
+ BUS_MSTOP(11, BIT(11))),
+ DEF_MOD("rsci8_ps_ps3_n", CLK_PLLCLN_DIV1024, 8, 7, 4, 7,
+ BUS_MSTOP(11, BIT(11))),
+ DEF_MOD("rsci8_ps_ps2_n", CLK_PLLCLN_DIV256, 8, 8, 4, 8,
+ BUS_MSTOP(11, BIT(11))),
+ DEF_MOD("rsci8_ps_ps1_n", CLK_PLLCLN_DIV64, 8, 9, 4, 9,
+ BUS_MSTOP(11, BIT(11))),
+ DEF_MOD("rsci9_pclk", CLK_PLLCLN_DIV16, 8, 10, 4, 10,
+ BUS_MSTOP(11, BIT(12))),
+ DEF_MOD("rsci9_tclk", CLK_PLLCLN_DIV16, 8, 11, 4, 11,
+ BUS_MSTOP(11, BIT(12))),
+ DEF_MOD("rsci9_ps_ps3_n", CLK_PLLCLN_DIV1024, 8, 12, 4, 12,
+ BUS_MSTOP(11, BIT(12))),
+ DEF_MOD("rsci9_ps_ps2_n", CLK_PLLCLN_DIV256, 8, 13, 4, 13,
+ BUS_MSTOP(11, BIT(12))),
+ DEF_MOD("rsci9_ps_ps1_n", CLK_PLLCLN_DIV64, 8, 14, 4, 14,
+ BUS_MSTOP(11, BIT(12))),
DEF_MOD("rtc_0_clk_rtc", CLK_PLLCM33_DIV16, 5, 3, 2, 19,
BUS_MSTOP(3, BIT(11) | BIT(12))),
DEF_MOD("rspi_0_pclk", CLK_PLLCLN_DIV8, 5, 4, 2, 20,
@@ -403,6 +509,26 @@ static const struct rzv2h_reset r9a09g057_resets[] __initconst = {
DEF_RST(7, 6, 3, 7), /* WDT_1_RESET */
DEF_RST(7, 7, 3, 8), /* WDT_2_RESET */
DEF_RST(7, 8, 3, 9), /* WDT_3_RESET */
+ DEF_RST(8, 1, 3, 18), /* RSCI0_PRESETN */
+ DEF_RST(8, 2, 3, 19), /* RSCI0_TRESETN */
+ DEF_RST(8, 3, 3, 20), /* RSCI1_PRESETN */
+ DEF_RST(8, 4, 3, 21), /* RSCI1_TRESETN */
+ DEF_RST(8, 5, 3, 22), /* RSCI2_PRESETN */
+ DEF_RST(8, 6, 3, 23), /* RSCI2_TRESETN */
+ DEF_RST(8, 7, 3, 24), /* RSCI3_PRESETN */
+ DEF_RST(8, 8, 3, 25), /* RSCI3_TRESETN */
+ DEF_RST(8, 9, 3, 26), /* RSCI4_PRESETN */
+ DEF_RST(8, 10, 3, 27), /* RSCI4_TRESETN */
+ DEF_RST(8, 11, 3, 28), /* RSCI5_PRESETN */
+ DEF_RST(8, 12, 3, 29), /* RSCI5_TRESETN */
+ DEF_RST(8, 13, 3, 30), /* RSCI6_PRESETN */
+ DEF_RST(8, 14, 3, 31), /* RSCI6_TRESETN */
+ DEF_RST(8, 15, 4, 0), /* RSCI7_PRESETN */
+ DEF_RST(9, 0, 4, 1), /* RSCI7_TRESETN */
+ DEF_RST(9, 1, 4, 2), /* RSCI8_PRESETN */
+ DEF_RST(9, 2, 4, 3), /* RSCI8_TRESETN */
+ DEF_RST(9, 3, 4, 4), /* RSCI9_PRESETN */
+ DEF_RST(9, 4, 4, 5), /* RSCI9_TRESETN */
DEF_RST(7, 9, 3, 10), /* RTC_0_RST_RTC */
DEF_RST(7, 10, 3, 11), /* RTC_0_RST_RTC_V */
DEF_RST(7, 11, 3, 12), /* RSPI_0_PRESETN */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 561/957] clk: renesas: r9a09g057: Fix ordering of module clocks array
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (559 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 560/957] clk: renesas: r9a09g057: Add entries for RSCIs Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 562/957] clk: renesas: r9a09g057: Remove entries for WDT{0,2,3} Greg Kroah-Hartman
` (401 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Geert Uytterhoeven,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
[ Upstream commit 79cac2b8dc1d9f63fbf6c6793e423052118cc51a ]
The r9a09g057_mod_clks array is sorted by CPG_CLKON register number and
bit position. Move the RTC and RSPI module clock entries to their
correct position to restore the array sort order.
Fixes: 2efea3b35cc9 ("clk: renesas: r9a09g057: Add entries for RSCIs")
Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260125190314.26729-1-ovidiu.panait.rb@renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: 1b4f047dc401 ("clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a09g057-cpg.c | 40 ++++++++++++++---------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/drivers/clk/renesas/r9a09g057-cpg.c b/drivers/clk/renesas/r9a09g057-cpg.c
index ac3d309365b45..647e394727f6b 100644
--- a/drivers/clk/renesas/r9a09g057-cpg.c
+++ b/drivers/clk/renesas/r9a09g057-cpg.c
@@ -245,6 +245,26 @@ static const struct rzv2h_mod_clk r9a09g057_mod_clks[] __initconst = {
BUS_MSTOP(5, BIT(13))),
DEF_MOD("wdt_3_clk_loco", CLK_QEXTAL, 5, 2, 2, 18,
BUS_MSTOP(5, BIT(13))),
+ DEF_MOD("rtc_0_clk_rtc", CLK_PLLCM33_DIV16, 5, 3, 2, 19,
+ BUS_MSTOP(3, BIT(11) | BIT(12))),
+ DEF_MOD("rspi_0_pclk", CLK_PLLCLN_DIV8, 5, 4, 2, 20,
+ BUS_MSTOP(11, BIT(0))),
+ DEF_MOD("rspi_0_pclk_sfr", CLK_PLLCLN_DIV8, 5, 5, 2, 21,
+ BUS_MSTOP(11, BIT(0))),
+ DEF_MOD("rspi_0_tclk", CLK_PLLCLN_DIV8, 5, 6, 2, 22,
+ BUS_MSTOP(11, BIT(0))),
+ DEF_MOD("rspi_1_pclk", CLK_PLLCLN_DIV8, 5, 7, 2, 23,
+ BUS_MSTOP(11, BIT(1))),
+ DEF_MOD("rspi_1_pclk_sfr", CLK_PLLCLN_DIV8, 5, 8, 2, 24,
+ BUS_MSTOP(11, BIT(1))),
+ DEF_MOD("rspi_1_tclk", CLK_PLLCLN_DIV8, 5, 9, 2, 25,
+ BUS_MSTOP(11, BIT(1))),
+ DEF_MOD("rspi_2_pclk", CLK_PLLCLN_DIV8, 5, 10, 2, 26,
+ BUS_MSTOP(11, BIT(2))),
+ DEF_MOD("rspi_2_pclk_sfr", CLK_PLLCLN_DIV8, 5, 11, 2, 27,
+ BUS_MSTOP(11, BIT(2))),
+ DEF_MOD("rspi_2_tclk", CLK_PLLCLN_DIV8, 5, 12, 2, 28,
+ BUS_MSTOP(11, BIT(2))),
DEF_MOD("rsci0_pclk", CLK_PLLCLN_DIV16, 5, 13, 2, 29,
BUS_MSTOP(11, BIT(3))),
DEF_MOD("rsci0_tclk", CLK_PLLCLN_DIV16, 5, 14, 2, 30,
@@ -345,26 +365,6 @@ static const struct rzv2h_mod_clk r9a09g057_mod_clks[] __initconst = {
BUS_MSTOP(11, BIT(12))),
DEF_MOD("rsci9_ps_ps1_n", CLK_PLLCLN_DIV64, 8, 14, 4, 14,
BUS_MSTOP(11, BIT(12))),
- DEF_MOD("rtc_0_clk_rtc", CLK_PLLCM33_DIV16, 5, 3, 2, 19,
- BUS_MSTOP(3, BIT(11) | BIT(12))),
- DEF_MOD("rspi_0_pclk", CLK_PLLCLN_DIV8, 5, 4, 2, 20,
- BUS_MSTOP(11, BIT(0))),
- DEF_MOD("rspi_0_pclk_sfr", CLK_PLLCLN_DIV8, 5, 5, 2, 21,
- BUS_MSTOP(11, BIT(0))),
- DEF_MOD("rspi_0_tclk", CLK_PLLCLN_DIV8, 5, 6, 2, 22,
- BUS_MSTOP(11, BIT(0))),
- DEF_MOD("rspi_1_pclk", CLK_PLLCLN_DIV8, 5, 7, 2, 23,
- BUS_MSTOP(11, BIT(1))),
- DEF_MOD("rspi_1_pclk_sfr", CLK_PLLCLN_DIV8, 5, 8, 2, 24,
- BUS_MSTOP(11, BIT(1))),
- DEF_MOD("rspi_1_tclk", CLK_PLLCLN_DIV8, 5, 9, 2, 25,
- BUS_MSTOP(11, BIT(1))),
- DEF_MOD("rspi_2_pclk", CLK_PLLCLN_DIV8, 5, 10, 2, 26,
- BUS_MSTOP(11, BIT(2))),
- DEF_MOD("rspi_2_pclk_sfr", CLK_PLLCLN_DIV8, 5, 11, 2, 27,
- BUS_MSTOP(11, BIT(2))),
- DEF_MOD("rspi_2_tclk", CLK_PLLCLN_DIV8, 5, 12, 2, 28,
- BUS_MSTOP(11, BIT(2))),
DEF_MOD("scif_0_clk_pck", CLK_PLLCM33_DIV16, 8, 15, 4, 15,
BUS_MSTOP(3, BIT(14))),
DEF_MOD("i3c_0_pclkrw", CLK_PLLCLN_DIV16, 9, 0, 4, 16,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 562/957] clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (560 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 561/957] clk: renesas: r9a09g057: Fix ordering of module clocks array Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 563/957] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
` (400 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabrizio Castro, Geert Uytterhoeven,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
[ Upstream commit 1b4f047dc4010d51821694cc4ed73b52b3040a5c ]
The HW user manual for the Renesas RZ/V2H(P) SoC specifies
that only the WDT1 IP is supposed to be used by Linux,
while the WDT{0,2,3} IPs are supposed to be used by the CM33
and CR8 cores.
Remove the clock and reset entries for WDT{0,2,3} to prevent
interfering with the CM33 and CR8 cores.
This change is harmless as only WDT1 is used by Linux, there
are no users for the WDT{0,2,3} cores.
Fixes: 3aeccbe08171 ("clk: renesas: r9a09g057: Add clock and reset entries for GTM/RIIC/SDHI/WDT")
Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260203124247.7320-4-fabrizio.castro.jz@renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a09g057-cpg.c | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/drivers/clk/renesas/r9a09g057-cpg.c b/drivers/clk/renesas/r9a09g057-cpg.c
index 647e394727f6b..5d799dd9fbfc1 100644
--- a/drivers/clk/renesas/r9a09g057-cpg.c
+++ b/drivers/clk/renesas/r9a09g057-cpg.c
@@ -229,22 +229,10 @@ static const struct rzv2h_mod_clk r9a09g057_mod_clks[] __initconst = {
BUS_MSTOP(11, BIT(15))),
DEF_MOD("gtm_7_pclk", CLK_PLLCLN_DIV16, 4, 10, 2, 10,
BUS_MSTOP(12, BIT(0))),
- DEF_MOD("wdt_0_clkp", CLK_PLLCM33_DIV16, 4, 11, 2, 11,
- BUS_MSTOP(3, BIT(10))),
- DEF_MOD("wdt_0_clk_loco", CLK_QEXTAL, 4, 12, 2, 12,
- BUS_MSTOP(3, BIT(10))),
DEF_MOD("wdt_1_clkp", CLK_PLLCLN_DIV16, 4, 13, 2, 13,
BUS_MSTOP(1, BIT(0))),
DEF_MOD("wdt_1_clk_loco", CLK_QEXTAL, 4, 14, 2, 14,
BUS_MSTOP(1, BIT(0))),
- DEF_MOD("wdt_2_clkp", CLK_PLLCLN_DIV16, 4, 15, 2, 15,
- BUS_MSTOP(5, BIT(12))),
- DEF_MOD("wdt_2_clk_loco", CLK_QEXTAL, 5, 0, 2, 16,
- BUS_MSTOP(5, BIT(12))),
- DEF_MOD("wdt_3_clkp", CLK_PLLCLN_DIV16, 5, 1, 2, 17,
- BUS_MSTOP(5, BIT(13))),
- DEF_MOD("wdt_3_clk_loco", CLK_QEXTAL, 5, 2, 2, 18,
- BUS_MSTOP(5, BIT(13))),
DEF_MOD("rtc_0_clk_rtc", CLK_PLLCM33_DIV16, 5, 3, 2, 19,
BUS_MSTOP(3, BIT(11) | BIT(12))),
DEF_MOD("rspi_0_pclk", CLK_PLLCLN_DIV8, 5, 4, 2, 20,
@@ -505,10 +493,7 @@ static const struct rzv2h_reset r9a09g057_resets[] __initconst = {
DEF_RST(7, 2, 3, 3), /* GTM_5_PRESETZ */
DEF_RST(7, 3, 3, 4), /* GTM_6_PRESETZ */
DEF_RST(7, 4, 3, 5), /* GTM_7_PRESETZ */
- DEF_RST(7, 5, 3, 6), /* WDT_0_RESET */
DEF_RST(7, 6, 3, 7), /* WDT_1_RESET */
- DEF_RST(7, 7, 3, 8), /* WDT_2_RESET */
- DEF_RST(7, 8, 3, 9), /* WDT_3_RESET */
DEF_RST(8, 1, 3, 18), /* RSCI0_PRESETN */
DEF_RST(8, 2, 3, 19), /* RSCI0_TRESETN */
DEF_RST(8, 3, 3, 20), /* RSCI1_PRESETN */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 563/957] scsi: target: core: Fix integer overflow in UNMAP bounds check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (561 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 562/957] clk: renesas: r9a09g057: Remove entries for WDT{0,2,3} Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 564/957] scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item Greg Kroah-Hartman
` (399 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 2bf2d65f76697820dbc4227d13866293576dd90a ]
sbc_execute_unmap() checks LBA + range does not exceed the device capacity,
but does not guard against LBA + range wrapping around on 64-bit overflow.
Add an overflow check matching the pattern already used for WRITE_SAME in
the same file.
Fixes: 86d7182985d2 ("target: Add sbc_execute_unmap() helper")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_sbc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index fe8beb7dbab12..4c828a3ac18c7 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1136,7 +1136,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
goto err;
}
- if (lba + range > dev->transport->get_blocks(dev) + 1) {
+ if (lba + range < lba ||
+ lba + range > dev->transport->get_blocks(dev) + 1) {
ret = TCM_ADDRESS_OUT_OF_RANGE;
goto err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 564/957] scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (562 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 563/957] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 565/957] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
` (398 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Krzysztof Kozlowski,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit bdce3a69c578090dd5e3c77bcdaaca10c3a41e34 ]
Add the mphy reset property to the devicetree bindings for the Rockchip
RK3576 UFS host controller. The mphy reset signal is used to reset the
physical adapter. Resetting other components while leaving the mphy unreset
may occasionally prevent the UFS controller from successfully linking up
with the device.
This addresses an intermittent hardware bug where the UFS link fails to
establish under specific timing conditions with certain chips. While
difficult to reproduce initially, this issue was consistently observed in
downstream testing and requires explicit mphy reset control for full
stability.
Although this change increases the maxItems for resets and adds a new entry
(which technically alters the binding ABI), it does not break compatibility
for existing Linux systems. The driver uses
devm_reset_control_array_get_exclusive() to manage resets, allowing it to
function correctly with both older Device Trees (without the mphy entry)
and newer ones.
Fixes: d90e92023771 ("scsi: ufs: dt-bindings: Document Rockchip UFS host controller")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/1773368467-109650-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../devicetree/bindings/ufs/rockchip,rk3576-ufshc.yaml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Documentation/devicetree/bindings/ufs/rockchip,rk3576-ufshc.yaml b/Documentation/devicetree/bindings/ufs/rockchip,rk3576-ufshc.yaml
index c7d17cf4dc42b..e738153a309c8 100644
--- a/Documentation/devicetree/bindings/ufs/rockchip,rk3576-ufshc.yaml
+++ b/Documentation/devicetree/bindings/ufs/rockchip,rk3576-ufshc.yaml
@@ -41,7 +41,7 @@ properties:
maxItems: 1
resets:
- maxItems: 4
+ maxItems: 5
reset-names:
items:
@@ -49,6 +49,7 @@ properties:
- const: sys
- const: ufs
- const: grf
+ - const: mphy
reset-gpios:
maxItems: 1
@@ -98,8 +99,8 @@ examples:
interrupts = <GIC_SPI 361 IRQ_TYPE_LEVEL_HIGH>;
power-domains = <&power RK3576_PD_USB>;
resets = <&cru SRST_A_UFS_BIU>, <&cru SRST_A_UFS_SYS>, <&cru SRST_A_UFS>,
- <&cru SRST_P_UFS_GRF>;
- reset-names = "biu", "sys", "ufs", "grf";
+ <&cru SRST_P_UFS_GRF>, <&cru SRST_MPHY_INIT>;
+ reset-names = "biu", "sys", "ufs", "grf", "mphy";
reset-gpios = <&gpio4 RK_PD0 GPIO_ACTIVE_LOW>;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 565/957] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (563 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 564/957] scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 566/957] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
` (397 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Krzysztof Kozlowski,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 76404ffbf07f28a5ec04748e18fce3dac2e78ef6 ]
There are 5 more GDSCs that we were ignoring and not putting to sleep,
which are listed in downstream DTS. Add them.
Signed-off-by: Val Packett <val@packett.cool>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-2-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 3565741eb985 ("clk: qcom: gcc-sc8180x: Add missing GDSCs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/include/dt-bindings/clock/qcom,gcc-sc8180x.h b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
index b9d8438a15ffb..9ed7b794aacc4 100644
--- a/include/dt-bindings/clock/qcom,gcc-sc8180x.h
+++ b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
@@ -322,5 +322,10 @@
#define USB30_MP_GDSC 8
#define USB30_PRIM_GDSC 9
#define USB30_SEC_GDSC 10
+#define HLOS1_VOTE_MMNOC_MMU_TBU_HF0_GDSC 11
+#define HLOS1_VOTE_MMNOC_MMU_TBU_HF1_GDSC 12
+#define HLOS1_VOTE_MMNOC_MMU_TBU_SF_GDSC 13
+#define HLOS1_VOTE_TURING_MMU_TBU0_GDSC 14
+#define HLOS1_VOTE_TURING_MMU_TBU1_GDSC 15
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 566/957] clk: qcom: gcc-sc8180x: Add missing GDSCs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (564 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 565/957] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 567/957] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
` (396 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Val Packett, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 3565741eb985a8a7cc6656eb33496195468cb99e ]
There are 5 more GDSCs that we were ignoring and not putting to sleep,
which are listed in downstream DTS. Add them.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312112321.370983-3-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 50 ++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index 31e788e22ab4a..55dabf6259b29 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4266,6 +4266,51 @@ static struct gdsc usb30_mp_gdsc = {
.flags = POLL_CFG_GDSCR,
};
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc = {
+ .gdscr = 0x7d050,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc = {
+ .gdscr = 0x7d058,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_mmnoc_mmu_tbu_sf_gdsc = {
+ .gdscr = 0x7d054,
+ .pd = {
+ .name = "hlos1_vote_mmnoc_mmu_tbu_sf_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_turing_mmu_tbu0_gdsc = {
+ .gdscr = 0x7d05c,
+ .pd = {
+ .name = "hlos1_vote_turing_mmu_tbu0_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
+static struct gdsc hlos1_vote_turing_mmu_tbu1_gdsc = {
+ .gdscr = 0x7d060,
+ .pd = {
+ .name = "hlos1_vote_turing_mmu_tbu1_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+ .flags = VOTABLE,
+};
+
static struct clk_regmap *gcc_sc8180x_clocks[] = {
[GCC_AGGRE_NOC_PCIE_TBU_CLK] = &gcc_aggre_noc_pcie_tbu_clk.clkr,
[GCC_AGGRE_UFS_CARD_AXI_CLK] = &gcc_aggre_ufs_card_axi_clk.clkr,
@@ -4595,6 +4640,11 @@ static struct gdsc *gcc_sc8180x_gdscs[] = {
[USB30_MP_GDSC] = &usb30_mp_gdsc,
[USB30_PRIM_GDSC] = &usb30_prim_gdsc,
[USB30_SEC_GDSC] = &usb30_sec_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_HF0_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_HF1_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_hf1_gdsc,
+ [HLOS1_VOTE_MMNOC_MMU_TBU_SF_GDSC] = &hlos1_vote_mmnoc_mmu_tbu_sf_gdsc,
+ [HLOS1_VOTE_TURING_MMU_TBU0_GDSC] = &hlos1_vote_turing_mmu_tbu0_gdsc,
+ [HLOS1_VOTE_TURING_MMU_TBU1_GDSC] = &hlos1_vote_turing_mmu_tbu1_gdsc,
};
static const struct regmap_config gcc_sc8180x_regmap_config = {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 567/957] clk: qcom: gcc-sc8180x: Use retention for USB power domains
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (565 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 566/957] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 568/957] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
` (395 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Val Packett, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 25bc96f26cd6c19dde13a0b9859183e531d6fbfc ]
The USB subsystem does not expect to lose its state on suspend:
xhci-hcd xhci-hcd.0.auto: xHC error in resume, USBSTS 0x401, Reinit
usb usb1: root hub lost power or was reset
(The reinitialization usually succeeds, but it does slow down resume.)
To maintain state during suspend, the relevant GDSCs need to stay in
retention mode, like they do on other similar SoCs. Change the mode to
PWRSTS_RET_ON to fix.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Link: https://lore.kernel.org/r/20260312112321.370983-4-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index 55dabf6259b29..b116a9c0b2d94 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4172,7 +4172,7 @@ static struct gdsc usb30_sec_gdsc = {
.pd = {
.name = "usb30_sec_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4190,7 +4190,7 @@ static struct gdsc usb30_prim_gdsc = {
.pd = {
.name = "usb30_prim_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4262,7 +4262,7 @@ static struct gdsc usb30_mp_gdsc = {
.pd = {
.name = "usb30_mp_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 568/957] clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (566 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 567/957] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 569/957] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
` (394 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Val Packett,
Konrad Dybcio, Manivannan Sadhasivam, Bjorn Andersson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit ccb92c78b42edd26225b4d5920847dfee3e1b093 ]
As the PCIe host controller driver does not yet support dealing with the
loss of state during suspend, use retention for relevant GDSCs.
This fixes the link not surviving upon resume:
nvme 0002:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
nvme nvme0: controller is down; will reset: CSTS=0xffffffff, PCI_STATUS read failed (134)
nvme 0002:01:00.0: Unable to change power state from D3cold to D0, device inaccessible
nvme nvme0: Disabling device after reset failure: -19
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://lore.kernel.org/r/20260312112321.370983-5-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index b116a9c0b2d94..4095a1f54a099 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -4199,7 +4199,7 @@ static struct gdsc pcie_0_gdsc = {
.pd = {
.name = "pcie_0_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4226,7 +4226,7 @@ static struct gdsc pcie_1_gdsc = {
.pd = {
.name = "pcie_1_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4235,7 +4235,7 @@ static struct gdsc pcie_2_gdsc = {
.pd = {
.name = "pcie_2_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
@@ -4253,7 +4253,7 @@ static struct gdsc pcie_3_gdsc = {
.pd = {
.name = "pcie_3_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
.flags = POLL_CFG_GDSCR,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 569/957] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (567 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 568/957] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 570/957] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
` (393 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit 8c522da70f0c2e5148c4c13ccb1c64cca57a6fdb ]
mdss_gdsc can get stuck on boot due to RCGs being left on from last boot.
As a fix, commit 01a0a6cc8cfd ("clk: qcom: Park shared RCGs upon
registration") introduced a callback to ensure the RCG is off upon init.
However, the fix depends on all shared RCGs being marked as such in code.
For SM8150/SC8180X/SM8250 the MDSS vsync clock was using regular ops,
unlike the same clock in the SC7180 code. This was causing display to
frequently fail to initialize after rebooting on the Surface Pro X.
Fix by using shared ops for this clock.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-8-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
index 8f433e1e70283..cdfdb2cfb02b2 100644
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -632,7 +632,7 @@ static struct clk_rcg2 disp_cc_mdss_vsync_clk_src = {
.parent_data = disp_cc_parent_data_1,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_1),
.flags = CLK_SET_RATE_PARENT,
- .ops = &clk_rcg2_ops,
+ .ops = &clk_rcg2_shared_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 570/957] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (568 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 569/957] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 571/957] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
` (392 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
[ Upstream commit acf7a91d0b0e9e3ef374944021de62062125b7e4 ]
Add CLK_OPS_PARENT_ENABLE to MDSS pixel clock sources to ensure parent
clocks are enabled during clock operations, preventing potential
stability issues during display configuration.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Signed-off-by: Val Packett <val@packett.cool>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260312112321.370983-9-val@packett.cool
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
index cdfdb2cfb02b2..e59cdadd56479 100644
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -578,7 +578,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk0_clk_src = {
.name = "disp_cc_mdss_pclk0_clk_src",
.parent_data = disp_cc_parent_data_6,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
@@ -592,7 +592,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk1_clk_src = {
.name = "disp_cc_mdss_pclk1_clk_src",
.parent_data = disp_cc_parent_data_6,
.num_parents = ARRAY_SIZE(disp_cc_parent_data_6),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 571/957] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (569 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 570/957] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 572/957] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
` (391 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li, Peng Fan,
Abel Vesa, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 4b84d496c804b470124cd3a08e928df6801d8eae ]
The function pll6_bypassed() calls of_parse_phandle_with_args()
but never calls of_node_put() to release the reference, causing
a memory leak.
Fix this by adding proper cleanup calls on all exit paths.
Fixes: 3cc48976e9763 ("clk: imx6q: handle ENET PLL bypass")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260203-clk-imx6q-v3-1-6cd2696bb371@gmail.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx6q.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
index bf4c1d9c99287..ba696cf34fe3b 100644
--- a/drivers/clk/imx/clk-imx6q.c
+++ b/drivers/clk/imx/clk-imx6q.c
@@ -238,8 +238,11 @@ static bool pll6_bypassed(struct device_node *node)
return false;
if (clkspec.np == node &&
- clkspec.args[0] == IMX6QDL_PLL6_BYPASS)
+ clkspec.args[0] == IMX6QDL_PLL6_BYPASS) {
+ of_node_put(clkspec.np);
break;
+ }
+ of_node_put(clkspec.np);
}
/* PLL6 bypass is not part of the assigned clock list */
@@ -249,6 +252,9 @@ static bool pll6_bypassed(struct device_node *node)
ret = of_parse_phandle_with_args(node, "assigned-clock-parents",
"#clock-cells", index, &clkspec);
+ if (!ret)
+ of_node_put(clkspec.np);
+
if (clkspec.args[0] != IMX6QDL_CLK_PLL6)
return true;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 572/957] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (570 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 571/957] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 573/957] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
` (390 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Gu, Frank Li, Peng Fan,
Abel Vesa, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 9faf207208951460f3f7eefbc112246c8d28ff1b ]
The function of_assigned_ldb_sels() calls of_parse_phandle_with_args()
but never calls of_node_put() to release the reference, causing a memory
leak.
Fix this by adding proper cleanup calls on all exit paths.
Fixes: 5d283b083800 ("clk: imx6: Fix procedure to switch the parent of LDB_DI_CLK")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260203-clk-imx6q-v3-2-6cd2696bb371@gmail.com
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx6q.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
index ba696cf34fe3b..048e2ddba490b 100644
--- a/drivers/clk/imx/clk-imx6q.c
+++ b/drivers/clk/imx/clk-imx6q.c
@@ -188,9 +188,11 @@ static void of_assigned_ldb_sels(struct device_node *node,
}
if (clkspec.np != node || clkspec.args[0] >= IMX6QDL_CLK_END) {
pr_err("ccm: parent clock %d not in ccm\n", index);
+ of_node_put(clkspec.np);
return;
}
parent = clkspec.args[0];
+ of_node_put(clkspec.np);
rc = of_parse_phandle_with_args(node, "assigned-clocks",
"#clock-cells", index, &clkspec);
@@ -198,9 +200,11 @@ static void of_assigned_ldb_sels(struct device_node *node,
return;
if (clkspec.np != node || clkspec.args[0] >= IMX6QDL_CLK_END) {
pr_err("ccm: child clock %d not in ccm\n", index);
+ of_node_put(clkspec.np);
return;
}
child = clkspec.args[0];
+ of_node_put(clkspec.np);
if (child != IMX6QDL_CLK_LDB_DI0_SEL &&
child != IMX6QDL_CLK_LDB_DI1_SEL)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 573/957] clk: imx8mq: Correct the CSI PHY sels
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (571 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 572/957] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 574/957] x86/um/vdso: Drop VDSO64-y from Makefile Greg Kroah-Hartman
` (389 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Krzyszkowiak, Peng Fan,
Abel Vesa, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
[ Upstream commit d16f57caa78776e6e8a88b96cb2597797b376138 ]
According to i.MX 8M Quad Reference Manual (Section 5.1.2 Table 5-1)
MIPI_CSI1_PHY_REF_CLK_ROOT and MIPI_CSI2_PHY_REF_CLK_ROOT have
SYSTEM_PLL2_DIV3 available as their second source, which corresponds
to sys2_pll_333m rather than sys2_pll_125m.
Fixes: b80522040cd3 ("clk: imx: Add clock driver for i.MX8MQ CCM")
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260128-imx8mq-csi-clk-v1-1-ac028ed26e8c@puri.sm
Signed-off-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx8mq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c
index f70ed231b92d6..cedc8a02aa1f0 100644
--- a/drivers/clk/imx/clk-imx8mq.c
+++ b/drivers/clk/imx/clk-imx8mq.c
@@ -237,7 +237,7 @@ static const char * const imx8mq_dsi_esc_sels[] = {"osc_25m", "sys2_pll_100m", "
static const char * const imx8mq_csi1_core_sels[] = {"osc_25m", "sys1_pll_266m", "sys2_pll_250m", "sys1_pll_800m",
"sys2_pll_1000m", "sys3_pll_out", "audio_pll2_out", "video_pll1_out", };
-static const char * const imx8mq_csi1_phy_sels[] = {"osc_25m", "sys2_pll_125m", "sys2_pll_100m", "sys1_pll_800m",
+static const char * const imx8mq_csi1_phy_sels[] = {"osc_25m", "sys2_pll_333m", "sys2_pll_100m", "sys1_pll_800m",
"sys2_pll_1000m", "clk_ext2", "audio_pll2_out", "video_pll1_out", };
static const char * const imx8mq_csi1_esc_sels[] = {"osc_25m", "sys2_pll_100m", "sys1_pll_80m", "sys1_pll_800m",
@@ -246,7 +246,7 @@ static const char * const imx8mq_csi1_esc_sels[] = {"osc_25m", "sys2_pll_100m",
static const char * const imx8mq_csi2_core_sels[] = {"osc_25m", "sys1_pll_266m", "sys2_pll_250m", "sys1_pll_800m",
"sys2_pll_1000m", "sys3_pll_out", "audio_pll2_out", "video_pll1_out", };
-static const char * const imx8mq_csi2_phy_sels[] = {"osc_25m", "sys2_pll_125m", "sys2_pll_100m", "sys1_pll_800m",
+static const char * const imx8mq_csi2_phy_sels[] = {"osc_25m", "sys2_pll_333m", "sys2_pll_100m", "sys1_pll_800m",
"sys2_pll_1000m", "clk_ext2", "audio_pll2_out", "video_pll1_out", };
static const char * const imx8mq_csi2_esc_sels[] = {"osc_25m", "sys2_pll_100m", "sys1_pll_80m", "sys1_pll_800m",
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 574/957] x86/um/vdso: Drop VDSO64-y from Makefile
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (572 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 573/957] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 575/957] x86/um: fix vDSO installation Greg Kroah-Hartman
` (388 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Johannes Berg,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 3c9b904f9033fb250db72d258bbdec791dc89405 ]
This symbol is unnecessary, remove it.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://patch.msgid.link/20251013-uml-vdso-cleanup-v1-4-a079c7adcc69@weissschuh.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: d1895c15fc7d ("x86/um: fix vDSO installation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/um/vdso/Makefile | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/arch/x86/um/vdso/Makefile b/arch/x86/um/vdso/Makefile
index 7478d11dacb71..8a7c8b37cb6eb 100644
--- a/arch/x86/um/vdso/Makefile
+++ b/arch/x86/um/vdso/Makefile
@@ -3,16 +3,13 @@
# Building vDSO images for x86.
#
-VDSO64-y := y
-
-vdso-install-$(VDSO64-y) += vdso.so
-
+vdso-install-y += vdso.so
# files to link into the vdso
vobjs-y := vdso-note.o um_vdso.o
# files to link into kernel
-obj-$(VDSO64-y) += vdso.o vma.o
+obj-y += vdso.o vma.o
vobjs := $(foreach F,$(vobjs-y),$(obj)/$F)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 575/957] x86/um: fix vDSO installation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (573 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 574/957] x86/um/vdso: Drop VDSO64-y from Makefile Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 576/957] clk: qoriq: avoid format string warning Greg Kroah-Hartman
` (387 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Johannes Berg,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit d1895c15fc7d90a615bc8c455feb02acaf08ef1e ]
The generic vDSO installation logic used by 'make vdso_install' requires
that $(vdso-install-y) is defined by the top-level architecture Makefile
and that it contains a path relative to the root of the tree.
For UML neither of these is satisfied.
Move the definition of $(vdso-install-y) to a place which is included by
the arch/um/Makefile and use the full relative path.
Fixes: f1c2bb8b9964 ("um: implement a x86_64 vDSO")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://patch.msgid.link/20260318-um-vdso-install-v1-1-26a4ca5c4210@weissschuh.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/Makefile.um | 2 ++
arch/x86/um/vdso/Makefile | 2 --
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/Makefile.um b/arch/x86/Makefile.um
index c86cbd9cbba38..19c13afa474e9 100644
--- a/arch/x86/Makefile.um
+++ b/arch/x86/Makefile.um
@@ -60,4 +60,6 @@ ELF_FORMAT := elf64-x86-64
LINK-$(CONFIG_LD_SCRIPT_DYN_RPATH) += -Wl,-rpath,/lib64
LINK-y += -m64
+vdso-install-y += arch/x86/um/vdso/vdso.so.dbg
+
endif
diff --git a/arch/x86/um/vdso/Makefile b/arch/x86/um/vdso/Makefile
index 8a7c8b37cb6eb..7664cbedbe30f 100644
--- a/arch/x86/um/vdso/Makefile
+++ b/arch/x86/um/vdso/Makefile
@@ -3,8 +3,6 @@
# Building vDSO images for x86.
#
-vdso-install-y += vdso.so
-
# files to link into the vdso
vobjs-y := vdso-note.o um_vdso.o
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 576/957] clk: qoriq: avoid format string warning
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (574 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 575/957] x86/um: fix vDSO installation Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 577/957] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
` (386 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Kees Cook,
Stephen Boyd, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 096abbb6682ee031a0f5ce9f4c71ead9fa63d31e ]
clang-22 warns about the use of non-variadic format arguments passed into
snprintf():
drivers/clk/clk-qoriq.c:925:39: error: diagnostic behavior may be improved by adding the
'format(printf, 7, 8)' attribute to the declaration of 'create_mux_common' [-Werror,-Wmissing-format-attribute]
910 | static struct clk * __init create_mux_common(struct clockgen *cg,
| __attribute__((format(printf, 7, 8)))
911 | struct mux_hwclock *hwc,
912 | const struct clk_ops *ops,
913 | unsigned long min_rate,
914 | unsigned long max_rate,
915 | unsigned long pct80_rate,
916 | const char *fmt, int idx)
917 | {
918 | struct clk_init_data init = {};
919 | struct clk *clk;
920 | const struct clockgen_pll_div *div;
921 | const char *parent_names[NUM_MUX_PARENTS];
922 | char name[32];
923 | int i, j;
924 |
925 | snprintf(name, sizeof(name), fmt, idx);
| ^
drivers/clk/clk-qoriq.c:910:28: note: 'create_mux_common' declared here
910 | static struct clk * __init create_mux_common(struct clockgen *cg,
Rework this to pass the 'int idx' as a varargs argument, allowing the
format string to be verified at the caller location.
Fixes: 0dfc86b3173f ("clk: qoriq: Move chip-specific knowledge into driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-qoriq.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/clk/clk-qoriq.c b/drivers/clk/clk-qoriq.c
index a560edeb4b55a..03f9381e26fb7 100644
--- a/drivers/clk/clk-qoriq.c
+++ b/drivers/clk/clk-qoriq.c
@@ -907,13 +907,11 @@ static const struct clockgen_pll_div *get_pll_div(struct clockgen *cg,
return &cg->pll[pll].div[div];
}
-static struct clk * __init create_mux_common(struct clockgen *cg,
- struct mux_hwclock *hwc,
- const struct clk_ops *ops,
- unsigned long min_rate,
- unsigned long max_rate,
- unsigned long pct80_rate,
- const char *fmt, int idx)
+static struct clk * __init __printf(7, 8)
+create_mux_common(struct clockgen *cg, struct mux_hwclock *hwc,
+ const struct clk_ops *ops, unsigned long min_rate,
+ unsigned long max_rate, unsigned long pct80_rate,
+ const char *fmt, ...)
{
struct clk_init_data init = {};
struct clk *clk;
@@ -921,8 +919,11 @@ static struct clk * __init create_mux_common(struct clockgen *cg,
const char *parent_names[NUM_MUX_PARENTS];
char name[32];
int i, j;
+ va_list args;
- snprintf(name, sizeof(name), fmt, idx);
+ va_start(args, fmt);
+ vsnprintf(name, sizeof(name), fmt, args);
+ va_end(args);
for (i = 0, j = 0; i < NUM_MUX_PARENTS; i++) {
unsigned long rate;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 577/957] clk: xgene: Fix mapping leak in xgene_pllclk_init()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (575 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 576/957] clk: qoriq: avoid format string warning Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 578/957] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
` (385 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Brian Masney,
Stephen Boyd, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit f520a492e07bc6718e26cfb7543ab4cadd8bb0e2 ]
If xgene_register_clk_pll() fails, the mapped register block is never
unmapped.
Fixes: 308964caeebc45eb ("clk: Add APM X-Gene SoC clock driver")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-xgene.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/clk-xgene.c b/drivers/clk/clk-xgene.c
index 92e39f3237c2f..7dc247eb880fb 100644
--- a/drivers/clk/clk-xgene.c
+++ b/drivers/clk/clk-xgene.c
@@ -188,6 +188,8 @@ static void xgene_pllclk_init(struct device_node *np, enum xgene_pll_type pll_ty
of_clk_add_provider(np, of_clk_src_simple_get, clk);
clk_register_clkdev(clk, clk_name, NULL);
pr_debug("Add %s clock PLL\n", clk_name);
+ } else {
+ iounmap(reg);
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 578/957] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (576 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 577/957] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 579/957] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
` (384 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Taniya Das,
Krzysztof Kozlowski, Bjorn Andersson, Sasha Levin, Val Packett
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit fc6e29d42872680dca017f2e5169eefe971f8d89 ]
The MDSS resets have so far been left undescribed. Fix that.
Fixes: 75616da71291 ("dt-bindings: clock: Introduce QCOM sc7180 display clock bindings")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Tested-by: Val Packett <val@packett.cool> # sc7180-ecs-liva-qc710
Link: https://lore.kernel.org/r/20260120-topic-7180_dispcc_bcr-v1-1-0b1b442156c3@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: b0bc6011c549 ("clk: qcom: dispcc-sc7180: Add missing MDSS resets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,dispcc-sc7180.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/dt-bindings/clock/qcom,dispcc-sc7180.h b/include/dt-bindings/clock/qcom,dispcc-sc7180.h
index b9b51617a335d..0705103060748 100644
--- a/include/dt-bindings/clock/qcom,dispcc-sc7180.h
+++ b/include/dt-bindings/clock/qcom,dispcc-sc7180.h
@@ -6,6 +6,7 @@
#ifndef _DT_BINDINGS_CLK_QCOM_DISP_CC_SC7180_H
#define _DT_BINDINGS_CLK_QCOM_DISP_CC_SC7180_H
+/* Clocks */
#define DISP_CC_PLL0 0
#define DISP_CC_PLL0_OUT_EVEN 1
#define DISP_CC_MDSS_AHB_CLK 2
@@ -40,7 +41,11 @@
#define DISP_CC_MDSS_VSYNC_CLK_SRC 31
#define DISP_CC_XO_CLK 32
-/* DISP_CC GDSCR */
+/* Resets */
+#define DISP_CC_MDSS_CORE_BCR 0
+#define DISP_CC_MDSS_RSCC_BCR 1
+
+/* GDSCs */
#define MDSS_GDSC 0
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 579/957] clk: qcom: dispcc-sc7180: Add missing MDSS resets
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (577 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 578/957] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 580/957] clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc() Greg Kroah-Hartman
` (383 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Taniya Das, Bjorn Andersson, Sasha Levin, Val Packett
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
[ Upstream commit b0bc6011c5499bdfddd0390262bfa13dce1eff74 ]
The MDSS resets have so far been left undescribed. Fix that.
Fixes: dd3d06622138 ("clk: qcom: Add display clock controller driver for SC7180")
Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Tested-by: Val Packett <val@packett.cool> # sc7180-ecs-liva-qc710
Link: https://lore.kernel.org/r/20260120-topic-7180_dispcc_bcr-v1-2-0b1b442156c3@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sc7180.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/clk/qcom/dispcc-sc7180.c b/drivers/clk/qcom/dispcc-sc7180.c
index ab1a8d419863d..d7e37fbbe87ed 100644
--- a/drivers/clk/qcom/dispcc-sc7180.c
+++ b/drivers/clk/qcom/dispcc-sc7180.c
@@ -17,6 +17,7 @@
#include "clk-regmap-divider.h"
#include "common.h"
#include "gdsc.h"
+#include "reset.h"
enum {
P_BI_TCXO,
@@ -636,6 +637,11 @@ static struct gdsc mdss_gdsc = {
.flags = HW_CTRL,
};
+static const struct qcom_reset_map disp_cc_sc7180_resets[] = {
+ [DISP_CC_MDSS_CORE_BCR] = { 0x2000 },
+ [DISP_CC_MDSS_RSCC_BCR] = { 0x4000 },
+};
+
static struct gdsc *disp_cc_sc7180_gdscs[] = {
[MDSS_GDSC] = &mdss_gdsc,
};
@@ -687,6 +693,8 @@ static const struct qcom_cc_desc disp_cc_sc7180_desc = {
.config = &disp_cc_sc7180_regmap_config,
.clks = disp_cc_sc7180_clocks,
.num_clks = ARRAY_SIZE(disp_cc_sc7180_clocks),
+ .resets = disp_cc_sc7180_resets,
+ .num_resets = ARRAY_SIZE(disp_cc_sc7180_resets),
.gdscs = disp_cc_sc7180_gdscs,
.num_gdscs = ARRAY_SIZE(disp_cc_sc7180_gdscs),
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 580/957] clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (578 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 579/957] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 581/957] f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page() Greg Kroah-Hartman
` (382 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuwei Wu, Yixun Lan, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuwei Wu <shuwei.wu@mailbox.org>
[ Upstream commit 54e97360b44bed6b4399dd3be3d65f392df940fa ]
Fix inverted condition that skips frequency change trigger,
causing kernel panics during cpufreq scaling.
Fixes: 1b72c59db0ad ("clk: spacemit: Add clock support for SpacemiT K1 SoC")
Signed-off-by: Shuwei Wu <shuwei.wu@mailbox.org>
Reviewed-by: Yixun Lan <dlan@kernel.org>
Link: https://lore.kernel.org/r/20260305-k1-clk-fix-v1-1-abca85d6e266@mailbox.org
Signed-off-by: Yixun Lan <dlan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/spacemit/ccu_mix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/spacemit/ccu_mix.c b/drivers/clk/spacemit/ccu_mix.c
index 67f8b12b4f5b7..9a3fc9ea1ce56 100644
--- a/drivers/clk/spacemit/ccu_mix.c
+++ b/drivers/clk/spacemit/ccu_mix.c
@@ -69,7 +69,7 @@ static int ccu_mix_trigger_fc(struct clk_hw *hw)
struct ccu_common *common = hw_to_ccu_common(hw);
unsigned int val;
- if (common->reg_fc)
+ if (!common->reg_fc)
return 0;
ccu_update(common, fc, common->mask_fc, common->mask_fc);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 581/957] f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (579 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 580/957] clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 582/957] f2fs: avoid reading already updated pages during GC Greg Kroah-Hartman
` (381 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit e0b89d00ea9f846da42fc92f200c96254d0e2fef ]
Let's use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page() in
ra_data_block() and move_data_block(), then remove f2fs_pagecache_get_page()
since it has no user.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 570e2ccc7cb3 ("f2fs: avoid reading already updated pages during GC")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/f2fs.h | 10 ----------
fs/f2fs/gc.c | 23 +++++++++++++----------
2 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 939bd1fb57070..c0747dd2ce511 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -2996,16 +2996,6 @@ static inline struct folio *f2fs_filemap_get_folio(
return __filemap_get_folio(mapping, index, fgp_flags, gfp_mask);
}
-static inline struct page *f2fs_pagecache_get_page(
- struct address_space *mapping, pgoff_t index,
- fgf_t fgp_flags, gfp_t gfp_mask)
-{
- if (time_to_inject(F2FS_M_SB(mapping), FAULT_PAGE_GET))
- return NULL;
-
- return pagecache_get_page(mapping, index, fgp_flags, gfp_mask);
-}
-
static inline void f2fs_folio_put(struct folio *folio, bool unlock)
{
if (IS_ERR_OR_NULL(folio))
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 9d2f4f22fd396..5647e76c6bdb0 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1211,7 +1211,7 @@ static int ra_data_block(struct inode *inode, pgoff_t index)
struct address_space *mapping = f2fs_is_cow_file(inode) ?
F2FS_I(inode)->atomic_inode->i_mapping : inode->i_mapping;
struct dnode_of_data dn;
- struct folio *folio;
+ struct folio *folio, *efolio;
struct f2fs_io_info fio = {
.sbi = sbi,
.ino = inode->i_ino,
@@ -1266,14 +1266,15 @@ static int ra_data_block(struct inode *inode, pgoff_t index)
f2fs_wait_on_block_writeback(inode, dn.data_blkaddr);
- fio.encrypted_page = f2fs_pagecache_get_page(META_MAPPING(sbi),
- dn.data_blkaddr,
+ efolio = f2fs_filemap_get_folio(META_MAPPING(sbi), dn.data_blkaddr,
FGP_LOCK | FGP_CREAT, GFP_NOFS);
- if (!fio.encrypted_page) {
- err = -ENOMEM;
+ if (IS_ERR(efolio)) {
+ err = PTR_ERR(efolio);
goto put_folio;
}
+ fio.encrypted_page = &efolio->page;
+
err = f2fs_submit_page_bio(&fio);
if (err)
goto put_encrypted_page;
@@ -1313,7 +1314,7 @@ static int move_data_block(struct inode *inode, block_t bidx,
struct dnode_of_data dn;
struct f2fs_summary sum;
struct node_info ni;
- struct folio *folio, *mfolio;
+ struct folio *folio, *mfolio, *efolio;
block_t newaddr;
int err = 0;
bool lfs_mode = f2fs_lfs_mode(fio.sbi);
@@ -1407,14 +1408,16 @@ static int move_data_block(struct inode *inode, block_t bidx,
goto up_out;
}
- fio.encrypted_page = f2fs_pagecache_get_page(META_MAPPING(fio.sbi),
- newaddr, FGP_LOCK | FGP_CREAT, GFP_NOFS);
- if (!fio.encrypted_page) {
- err = -ENOMEM;
+ efolio = f2fs_filemap_get_folio(META_MAPPING(fio.sbi), newaddr,
+ FGP_LOCK | FGP_CREAT, GFP_NOFS);
+ if (IS_ERR(efolio)) {
+ err = PTR_ERR(efolio);
f2fs_folio_put(mfolio, true);
goto recover_block;
}
+ fio.encrypted_page = &efolio->page;
+
/* write target block */
f2fs_wait_on_page_writeback(fio.encrypted_page, DATA, true, true);
memcpy(page_address(fio.encrypted_page),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 582/957] f2fs: avoid reading already updated pages during GC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (580 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 581/957] f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 583/957] clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains Greg Kroah-Hartman
` (380 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianan Huang, Sheng Yong, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianan Huang <huangjianan@xiaomi.com>
[ Upstream commit 570e2ccc7cb35fe720106964e65060602d3d2ac4 ]
We found the following issue during fuzz testing:
page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9
memcg:f8ffff800e269c00
aops:f2fs_meta_aops ino:2
flags: 0x52880000000080a9(locked|waiters|uptodate|lru|private|zone=1|kasantag=0x4a)
raw: 52880000000080a9 fffffffec6e17588 fffffffec0ccc088 a7ffff8067063618
raw: 000000000018b2dc 0000000000000009 00000003ffffffff f8ffff800e269c00
page dumped because: VM_BUG_ON_FOLIO(folio_test_uptodate(folio))
page_owner tracks the page as allocated
post_alloc_hook+0x58c/0x5ec
prep_new_page+0x34/0x284
get_page_from_freelist+0x2dcc/0x2e8c
__alloc_pages_noprof+0x280/0x76c
__folio_alloc_noprof+0x18/0xac
__filemap_get_folio+0x6bc/0xdc4
pagecache_get_page+0x3c/0x104
do_garbage_collect+0x5c78/0x77a4
f2fs_gc+0xd74/0x25f0
gc_thread_func+0xb28/0x2930
kthread+0x464/0x5d8
ret_from_fork+0x10/0x20
------------[ cut here ]------------
kernel BUG at mm/filemap.c:1563!
folio_end_read+0x140/0x168
f2fs_finish_read_bio+0x5c4/0xb80
f2fs_read_end_io+0x64c/0x708
bio_endio+0x85c/0x8c0
blk_update_request+0x690/0x127c
scsi_end_request+0x9c/0xb8c
scsi_io_completion+0xf0/0x250
scsi_finish_command+0x430/0x45c
scsi_complete+0x178/0x6d4
blk_mq_complete_request+0xcc/0x104
scsi_done_internal+0x214/0x454
scsi_done+0x24/0x34
which is similar to the problem reported by syzbot:
https://syzkaller.appspot.com/bug?extid=3686758660f980b402dc
This case is consistent with the description in commit 9bf1a3f
("f2fs: avoid GC causing encrypted file corrupted"):
Page 1 is moved from blkaddr A to blkaddr B by move_data_block, and after
being written it is marked as uptodate. Then, Page 1 is moved from blkaddr
B to blkaddr C, VM_BUG_ON_FOLIO was triggered in the endio initiated by
ra_data_block.
There is no need to read Page 1 again from blkaddr B, since it has already
been updated. Therefore, avoid initiating I/O in this case.
Fixes: 6aa58d8ad20a ("f2fs: readahead encrypted block during GC")
Signed-off-by: Jianan Huang <huangjianan@xiaomi.com>
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/gc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 5647e76c6bdb0..3d9f326ae840a 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1222,7 +1222,7 @@ static int ra_data_block(struct inode *inode, pgoff_t index)
.encrypted_page = NULL,
.in_list = 0,
};
- int err;
+ int err = 0;
folio = f2fs_grab_cache_folio(mapping, index, true);
if (IS_ERR(folio))
@@ -1275,6 +1275,9 @@ static int ra_data_block(struct inode *inode, pgoff_t index)
fio.encrypted_page = &efolio->page;
+ if (folio_test_uptodate(efolio))
+ goto put_encrypted_page;
+
err = f2fs_submit_page_bio(&fio);
if (err)
goto put_encrypted_page;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 583/957] clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (581 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 582/957] f2fs: avoid reading already updated pages during GC Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 584/957] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
` (379 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Dmitry Baryshkov,
Bryan ODonoghue, Bjorn Andersson, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit 16ba98dace9e7cfe25ad8a314e34befacd91f86f ]
Some pm subdomains may be left in added to a parent domain state, if
gdsc_add_subdomain_list() function fails in the middle and bails from
a GDSC power domain controller registration out.
Fixes: b489235b4dc0 ("clk: qcom: Support attaching GDSCs to multiple parents")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Bryan O'Donoghue <bod@kernel.org>
Link: https://lore.kernel.org/r/20260328012619.832770-1-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gdsc.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c
index 7deabf8400cf6..95aa071202455 100644
--- a/drivers/clk/qcom/gdsc.c
+++ b/drivers/clk/qcom/gdsc.c
@@ -518,10 +518,20 @@ static int gdsc_add_subdomain_list(struct dev_pm_domain_list *pd_list,
ret = pm_genpd_add_subdomain(genpd, subdomain);
if (ret)
- return ret;
+ goto remove_added_subdomains;
}
return 0;
+
+remove_added_subdomains:
+ for (i--; i >= 0; i--) {
+ struct device *dev = pd_list->pd_devs[i];
+ struct generic_pm_domain *genpd = pd_to_genpd(dev->pm_domain);
+
+ pm_genpd_remove_subdomain(genpd, subdomain);
+ }
+
+ return ret;
}
static void gdsc_remove_subdomain_list(struct dev_pm_domain_list *pd_list,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 584/957] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (582 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 583/957] clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 585/957] f2fs: expand scalability of f2fs mount option Greg Kroah-Hartman
` (378 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Petr Mladek,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 36776b7f8a8955b4e75b5d490a75fee0c7a2a7ef ]
print_hex_dump_bytes() claims to be a simple wrapper around
print_hex_dump(), but it actally calls print_hex_dump_debug(), which
means no output is printed if (dynamic) DEBUG is disabled.
Update the documentation to match the implementation.
Fixes: 091cb0994edd20d6 ("lib/hexdump: make print_hex_dump_bytes() a nop on !DEBUG builds")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/3d5c3069fd9102ecaf81d044b750cd613eb72a08.1774970392.git.geert+renesas@glider.be
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/printk.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux/printk.h b/include/linux/printk.h
index 9a8eaed5f8778..a98d64b45bc93 100644
--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -816,7 +816,8 @@ static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
#endif
/**
- * print_hex_dump_bytes - shorthand form of print_hex_dump() with default params
+ * print_hex_dump_bytes - shorthand form of print_hex_dump_debug() with default
+ * params
* @prefix_str: string to prefix each line with;
* caller supplies trailing spaces for alignment if desired
* @prefix_type: controls whether prefix of an offset, address, or none
@@ -824,7 +825,7 @@ static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
* @buf: data blob to dump
* @len: number of bytes in the @buf
*
- * Calls print_hex_dump(), with log level of KERN_DEBUG,
+ * Calls print_hex_dump_debug(), with log level of KERN_DEBUG,
* rowsize of 16, groupsize of 1, and ASCII output included.
*/
#define print_hex_dump_bytes(prefix_str, prefix_type, buf, len) \
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 585/957] f2fs: expand scalability of f2fs mount option
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (583 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 584/957] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 586/957] f2fs: fix to preserve previous reserve_{blocks,node} value when remount Greg Kroah-Hartman
` (377 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 1627a303bca692edc6552630aa2f878c8a726a01 ]
opt field in structure f2fs_mount_info and opt_mask field in structure
f2fs_fs_context is 32-bits variable, now we're running out of available
bits in them, let's expand them to 64-bits for better scalability.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 01968164d947 ("f2fs: fix to preserve previous reserve_{blocks,node} value when remount")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/f2fs.h | 85 ++++++++++++++++++++++++++-----------------------
fs/f2fs/super.c | 36 ++++++++++-----------
2 files changed, 63 insertions(+), 58 deletions(-)
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index c0747dd2ce511..b3731ba46f571 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -96,47 +96,52 @@ extern const char *f2fs_fault_name[FAULT_MAX];
/*
* For mount options
*/
-#define F2FS_MOUNT_DISABLE_ROLL_FORWARD 0x00000001
-#define F2FS_MOUNT_DISCARD 0x00000002
-#define F2FS_MOUNT_NOHEAP 0x00000004
-#define F2FS_MOUNT_XATTR_USER 0x00000008
-#define F2FS_MOUNT_POSIX_ACL 0x00000010
-#define F2FS_MOUNT_DISABLE_EXT_IDENTIFY 0x00000020
-#define F2FS_MOUNT_INLINE_XATTR 0x00000040
-#define F2FS_MOUNT_INLINE_DATA 0x00000080
-#define F2FS_MOUNT_INLINE_DENTRY 0x00000100
-#define F2FS_MOUNT_FLUSH_MERGE 0x00000200
-#define F2FS_MOUNT_NOBARRIER 0x00000400
-#define F2FS_MOUNT_FASTBOOT 0x00000800
-#define F2FS_MOUNT_READ_EXTENT_CACHE 0x00001000
-#define F2FS_MOUNT_DATA_FLUSH 0x00002000
-#define F2FS_MOUNT_FAULT_INJECTION 0x00004000
-#define F2FS_MOUNT_USRQUOTA 0x00008000
-#define F2FS_MOUNT_GRPQUOTA 0x00010000
-#define F2FS_MOUNT_PRJQUOTA 0x00020000
-#define F2FS_MOUNT_QUOTA 0x00040000
-#define F2FS_MOUNT_INLINE_XATTR_SIZE 0x00080000
-#define F2FS_MOUNT_RESERVE_ROOT 0x00100000
-#define F2FS_MOUNT_DISABLE_CHECKPOINT 0x00200000
-#define F2FS_MOUNT_NORECOVERY 0x00400000
-#define F2FS_MOUNT_ATGC 0x00800000
-#define F2FS_MOUNT_MERGE_CHECKPOINT 0x01000000
-#define F2FS_MOUNT_GC_MERGE 0x02000000
-#define F2FS_MOUNT_COMPRESS_CACHE 0x04000000
-#define F2FS_MOUNT_AGE_EXTENT_CACHE 0x08000000
-#define F2FS_MOUNT_NAT_BITS 0x10000000
-#define F2FS_MOUNT_INLINECRYPT 0x20000000
-/*
- * Some f2fs environments expect to be able to pass the "lazytime" option
- * string rather than using the MS_LAZYTIME flag, so this must remain.
- */
-#define F2FS_MOUNT_LAZYTIME 0x40000000
-#define F2FS_MOUNT_RESERVE_NODE 0x80000000
+enum f2fs_mount_opt {
+ F2FS_MOUNT_DISABLE_ROLL_FORWARD,
+ F2FS_MOUNT_DISCARD,
+ F2FS_MOUNT_NOHEAP,
+ F2FS_MOUNT_XATTR_USER,
+ F2FS_MOUNT_POSIX_ACL,
+ F2FS_MOUNT_DISABLE_EXT_IDENTIFY,
+ F2FS_MOUNT_INLINE_XATTR,
+ F2FS_MOUNT_INLINE_DATA,
+ F2FS_MOUNT_INLINE_DENTRY,
+ F2FS_MOUNT_FLUSH_MERGE,
+ F2FS_MOUNT_NOBARRIER,
+ F2FS_MOUNT_FASTBOOT,
+ F2FS_MOUNT_READ_EXTENT_CACHE,
+ F2FS_MOUNT_DATA_FLUSH,
+ F2FS_MOUNT_FAULT_INJECTION,
+ F2FS_MOUNT_USRQUOTA,
+ F2FS_MOUNT_GRPQUOTA,
+ F2FS_MOUNT_PRJQUOTA,
+ F2FS_MOUNT_QUOTA,
+ F2FS_MOUNT_INLINE_XATTR_SIZE,
+ F2FS_MOUNT_RESERVE_ROOT,
+ F2FS_MOUNT_DISABLE_CHECKPOINT,
+ F2FS_MOUNT_NORECOVERY,
+ F2FS_MOUNT_ATGC,
+ F2FS_MOUNT_MERGE_CHECKPOINT,
+ F2FS_MOUNT_GC_MERGE,
+ F2FS_MOUNT_COMPRESS_CACHE,
+ F2FS_MOUNT_AGE_EXTENT_CACHE,
+ F2FS_MOUNT_NAT_BITS,
+ F2FS_MOUNT_INLINECRYPT,
+ /*
+ * Some f2fs environments expect to be able to pass the "lazytime" option
+ * string rather than using the MS_LAZYTIME flag, so this must remain.
+ */
+ F2FS_MOUNT_LAZYTIME,
+ F2FS_MOUNT_RESERVE_NODE,
+};
#define F2FS_OPTION(sbi) ((sbi)->mount_opt)
-#define clear_opt(sbi, option) (F2FS_OPTION(sbi).opt &= ~F2FS_MOUNT_##option)
-#define set_opt(sbi, option) (F2FS_OPTION(sbi).opt |= F2FS_MOUNT_##option)
-#define test_opt(sbi, option) (F2FS_OPTION(sbi).opt & F2FS_MOUNT_##option)
+#define clear_opt(sbi, option) \
+ (F2FS_OPTION(sbi).opt &= ~BIT(F2FS_MOUNT_##option))
+#define set_opt(sbi, option) \
+ (F2FS_OPTION(sbi).opt |= BIT(F2FS_MOUNT_##option))
+#define test_opt(sbi, option) \
+ (F2FS_OPTION(sbi).opt & BIT(F2FS_MOUNT_##option))
#define ver_after(a, b) (typecheck(unsigned long long, a) && \
typecheck(unsigned long long, b) && \
@@ -183,7 +188,7 @@ struct f2fs_rwsem {
};
struct f2fs_mount_info {
- unsigned int opt;
+ unsigned long long opt;
block_t root_reserved_blocks; /* root reserved blocks */
block_t root_reserved_nodes; /* root reserved nodes */
kuid_t s_resuid; /* reserved blocks for uid */
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 96325bbc70386..8790d9d4348a1 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -352,7 +352,7 @@ static match_table_t f2fs_checkpoint_tokens = {
struct f2fs_fs_context {
struct f2fs_mount_info info;
- unsigned int opt_mask; /* Bits changed */
+ unsigned long long opt_mask; /* Bits changed */
unsigned int spec_mask;
unsigned short qname_mask;
};
@@ -360,23 +360,23 @@ struct f2fs_fs_context {
#define F2FS_CTX_INFO(ctx) ((ctx)->info)
static inline void ctx_set_opt(struct f2fs_fs_context *ctx,
- unsigned int flag)
+ enum f2fs_mount_opt flag)
{
- ctx->info.opt |= flag;
- ctx->opt_mask |= flag;
+ ctx->info.opt |= BIT(flag);
+ ctx->opt_mask |= BIT(flag);
}
static inline void ctx_clear_opt(struct f2fs_fs_context *ctx,
- unsigned int flag)
+ enum f2fs_mount_opt flag)
{
- ctx->info.opt &= ~flag;
- ctx->opt_mask |= flag;
+ ctx->info.opt &= ~BIT(flag);
+ ctx->opt_mask |= BIT(flag);
}
static inline bool ctx_test_opt(struct f2fs_fs_context *ctx,
- unsigned int flag)
+ enum f2fs_mount_opt flag)
{
- return ctx->info.opt & flag;
+ return ctx->info.opt & BIT(flag);
}
void f2fs_printk(struct f2fs_sb_info *sbi, bool limit_rate,
@@ -1371,7 +1371,7 @@ static int f2fs_check_compression(struct fs_context *fc,
ctx_test_opt(ctx, F2FS_MOUNT_COMPRESS_CACHE))
f2fs_info(sbi, "Image doesn't support compression");
clear_compression_spec(ctx);
- ctx->opt_mask &= ~F2FS_MOUNT_COMPRESS_CACHE;
+ ctx->opt_mask &= ~BIT(F2FS_MOUNT_COMPRESS_CACHE);
return 0;
}
if (ctx->spec_mask & F2FS_SPEC_compress_extension) {
@@ -1439,42 +1439,42 @@ static int f2fs_check_opt_consistency(struct fs_context *fc,
return -EINVAL;
if (f2fs_hw_should_discard(sbi) &&
- (ctx->opt_mask & F2FS_MOUNT_DISCARD) &&
+ (ctx->opt_mask & BIT(F2FS_MOUNT_DISCARD)) &&
!ctx_test_opt(ctx, F2FS_MOUNT_DISCARD)) {
f2fs_warn(sbi, "discard is required for zoned block devices");
return -EINVAL;
}
if (!f2fs_hw_support_discard(sbi) &&
- (ctx->opt_mask & F2FS_MOUNT_DISCARD) &&
+ (ctx->opt_mask & BIT(F2FS_MOUNT_DISCARD)) &&
ctx_test_opt(ctx, F2FS_MOUNT_DISCARD)) {
f2fs_warn(sbi, "device does not support discard");
ctx_clear_opt(ctx, F2FS_MOUNT_DISCARD);
- ctx->opt_mask &= ~F2FS_MOUNT_DISCARD;
+ ctx->opt_mask &= ~BIT(F2FS_MOUNT_DISCARD);
}
if (f2fs_sb_has_device_alias(sbi) &&
- (ctx->opt_mask & F2FS_MOUNT_READ_EXTENT_CACHE) &&
+ (ctx->opt_mask & BIT(F2FS_MOUNT_READ_EXTENT_CACHE)) &&
!ctx_test_opt(ctx, F2FS_MOUNT_READ_EXTENT_CACHE)) {
f2fs_err(sbi, "device aliasing requires extent cache");
return -EINVAL;
}
if (test_opt(sbi, RESERVE_ROOT) &&
- (ctx->opt_mask & F2FS_MOUNT_RESERVE_ROOT) &&
+ (ctx->opt_mask & BIT(F2FS_MOUNT_RESERVE_ROOT)) &&
ctx_test_opt(ctx, F2FS_MOUNT_RESERVE_ROOT)) {
f2fs_info(sbi, "Preserve previous reserve_root=%u",
F2FS_OPTION(sbi).root_reserved_blocks);
ctx_clear_opt(ctx, F2FS_MOUNT_RESERVE_ROOT);
- ctx->opt_mask &= ~F2FS_MOUNT_RESERVE_ROOT;
+ ctx->opt_mask &= ~BIT(F2FS_MOUNT_RESERVE_ROOT);
}
if (test_opt(sbi, RESERVE_NODE) &&
- (ctx->opt_mask & F2FS_MOUNT_RESERVE_NODE) &&
+ (ctx->opt_mask & BIT(F2FS_MOUNT_RESERVE_NODE)) &&
ctx_test_opt(ctx, F2FS_MOUNT_RESERVE_NODE)) {
f2fs_info(sbi, "Preserve previous reserve_node=%u",
F2FS_OPTION(sbi).root_reserved_nodes);
ctx_clear_opt(ctx, F2FS_MOUNT_RESERVE_NODE);
- ctx->opt_mask &= ~F2FS_MOUNT_RESERVE_NODE;
+ ctx->opt_mask &= ~BIT(F2FS_MOUNT_RESERVE_NODE);
}
err = f2fs_check_test_dummy_encryption(fc, sb);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 586/957] f2fs: fix to preserve previous reserve_{blocks,node} value when remount
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (584 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 585/957] f2fs: expand scalability of f2fs mount option Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 587/957] clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON Greg Kroah-Hartman
` (376 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiguo Niu, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiguo Niu <zhiguo.niu@unisoc.com>
[ Upstream commit 01968164d94762db2f703647c5acfa28613844f1 ]
The following steps will change previous value of reserve_{blocks,node},
this dones not match the original intention.
1.mount -t f2fs -o reserve_root=8192 imgfile test_mount/
F2FS-fs (loop56): Mounted with checkpoint version = 1b69f8c7
mount info:
/dev/block/loop56 on /data/test_mount type f2fs (xxx,reserve_root=8192,reserve_node=0,resuid=0,resgid=0,xxx)
2.mount -t f2fs -o remount,reserve_root=4096 /data/test_mount
F2FS-fs (loop56): Preserve previous reserve_root=8192
check mount info: reserve_root change to 4096
/dev/block/loop56 on /data/test_mount type f2fs (xxx,reserve_root=4096,reserve_node=0,resuid=0,resgid=0,xxx)
Prior to commit d18535132523 ("f2fs: separate the options parsing and options checking"),
the value of reserve_{blocks,node} was only set during the first mount, along with
the corresponding mount option F2FS_MOUNT_RESERVE_{ROOT,NODE} . If the mount option
F2FS_MOUNT_RESERVE_{ROOT,NODE} was found to have been set during the mount/remount,
the previously value of reserve_{blocks,node} would also be preserved, as shown in
the code below.
if (test_opt(sbi, RESERVE_ROOT)) {
f2fs_info(sbi, "Preserve previous reserve_root=%u",
F2FS_OPTION(sbi).root_reserved_blocks);
} else {
F2FS_OPTION(sbi).root_reserved_blocks = arg;
set_opt(sbi, RESERVE_ROOT);
}
But commit d18535132523 ("f2fs: separate the options parsing and options checking")
only preserved the previous mount option; it did not preserve the previous value of
reserve_{blocks,node}. Since value of reserve_{blocks,node} value is assigned
or not depends on ctx->spec_mask, ctx->spec_mask should be alos handled in
f2fs_check_opt_consistency.
This patch will clear the corresponding ctx->spec_mask bits in f2fs_check_opt_consistency
to preserve the previously values of reserve_{blocks,node} if it already have a value.
Fixes: d18535132523 ("f2fs: separate the options parsing and options checking")
Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/super.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 8790d9d4348a1..7e04ae8f32f0e 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1467,6 +1467,7 @@ static int f2fs_check_opt_consistency(struct fs_context *fc,
F2FS_OPTION(sbi).root_reserved_blocks);
ctx_clear_opt(ctx, F2FS_MOUNT_RESERVE_ROOT);
ctx->opt_mask &= ~BIT(F2FS_MOUNT_RESERVE_ROOT);
+ ctx->spec_mask &= ~F2FS_SPEC_reserve_root;
}
if (test_opt(sbi, RESERVE_NODE) &&
(ctx->opt_mask & BIT(F2FS_MOUNT_RESERVE_NODE)) &&
@@ -1475,6 +1476,7 @@ static int f2fs_check_opt_consistency(struct fs_context *fc,
F2FS_OPTION(sbi).root_reserved_nodes);
ctx_clear_opt(ctx, F2FS_MOUNT_RESERVE_NODE);
ctx->opt_mask &= ~BIT(F2FS_MOUNT_RESERVE_NODE);
+ ctx->spec_mask &= ~F2FS_SPEC_reserve_node;
}
err = f2fs_check_test_dummy_encryption(fc, sb);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 587/957] clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (585 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 586/957] f2fs: fix to preserve previous reserve_{blocks,node} value when remount Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 588/957] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
` (375 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Dmitry Baryshkov,
Jagadeesh Kona, Taniya Das, Abel Vesa, Bjorn Andersson,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jagadeesh Kona <jagadeesh.kona@oss.qualcomm.com>
[ Upstream commit 05566ebcc0cd170bd4f50c907ee3ed8e106251e3 ]
In Hamoa, SMMU invalidation requires the GCC_AGGRE_USB_NOC_AXI_CLK
to be on for the USB QTB to be functional. This is currently
explicitly enabled by the DWC3 glue driver, so an invalidation
happening while the USB controller is suspended will fault.
Solve this by voting for the GCC MMU USB QTB clock.
Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Jagadeesh Kona <jagadeesh.kona@oss.qualcomm.com>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260327-hamoa-usb-qtb-clk-always-on-v2-1-7d8a406e650f@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-x1e80100.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c
index ef8d2df188d3b..104b1bf6a5010 100644
--- a/drivers/clk/qcom/gcc-x1e80100.c
+++ b/drivers/clk/qcom/gcc-x1e80100.c
@@ -6751,6 +6751,7 @@ static int gcc_x1e80100_probe(struct platform_device *pdev)
qcom_branch_set_clk_en(regmap, 0x32004); /* GCC_VIDEO_AHB_CLK */
qcom_branch_set_clk_en(regmap, 0x32030); /* GCC_VIDEO_XO_CLK */
qcom_branch_set_clk_en(regmap, 0x71004); /* GCC_GPU_CFG_AHB_CLK */
+ qcom_branch_set_clk_en(regmap, 0x7d01c); /* GCC_HLOS1_VOTE_AGGRE_NOC_MMU_USB_QTB_CLK */
/* Clear GDSC_SLEEP_ENA_VOTE to stop votes being auto-removed in sleep. */
regmap_write(regmap, 0x52224, 0x0);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 588/957] clk: visconti: pll: initialize clk_init_data to zero
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (586 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 587/957] clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 589/957] f2fs: allow empty mount string for Opt_usr|grp|projjquota Greg Kroah-Hartman
` (374 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Benoît Monin,
Nobuhiro Iwamatsu, Stephen Boyd, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 1603cbb64173a0e9fa7500f2a686f4aa011c58b9 ]
Sashiko reported the following:
> The struct clk_init_data init is declared on the stack without being
> fully zero-initialized. While fields like name, flags, parent_names,
> num_parents, and ops are explicitly assigned, the parent_data and
> parent_hws fields are left containing stack garbage.
clk_core_populate_parent_map() currently prefers the parent names over
the parent data and hws, so this isn't a problem at the moment. If that
ordering ever changed in the future, then this could lead to some
unexpected crashes. Let's just go ahead and make sure that the struct
clk_init_data is initialized to zero as a good practice.
Fixes: b4cbe606dc367 ("clk: visconti: Add support common clock driver and reset driver")
Link: https://sashiko.dev/#/patchset/20260326042317.122536-1-rosenp%40gmail.com
Signed-off-by: Brian Masney <bmasney@redhat.com>
Reviewed-by: Benoît Monin <benoit.monin@bootlin.com>
Reviewed-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.x90@mail.toshiba>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/visconti/pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/visconti/pll.c b/drivers/clk/visconti/pll.c
index 681721d850320..9d088239a1b2c 100644
--- a/drivers/clk/visconti/pll.c
+++ b/drivers/clk/visconti/pll.c
@@ -249,7 +249,7 @@ static struct clk_hw *visconti_register_pll(struct visconti_pll_provider *ctx,
const struct visconti_pll_rate_table *rate_table,
spinlock_t *lock)
{
- struct clk_init_data init;
+ struct clk_init_data init = {};
struct visconti_pll *pll;
struct clk_hw *pll_hw_clk;
size_t len;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 589/957] f2fs: allow empty mount string for Opt_usr|grp|projjquota
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (587 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 588/957] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 590/957] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
` (373 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daeho Jeong, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
[ Upstream commit 2a3db1e02ce08c14af04da70bb99e8a0a31eb9e8 ]
The fsparam_string_empty() gives an error when mounting without string, since
its type is set to fsparam_flag in VFS. So, let's allow the flag as well.
This addresses xfstests/f2fs/015 and f2fs/021.
Fixes: d18535132523 ("f2fs: separate the options parsing and options checking")
Reviewed-by: Daeho Jeong <daehojeong@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/super.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 7e04ae8f32f0e..cb8e8a587ba9e 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -285,9 +285,12 @@ static const struct fs_parameter_spec f2fs_param_specs[] = {
fsparam_flag("usrquota", Opt_usrquota),
fsparam_flag("grpquota", Opt_grpquota),
fsparam_flag("prjquota", Opt_prjquota),
- fsparam_string_empty("usrjquota", Opt_usrjquota),
- fsparam_string_empty("grpjquota", Opt_grpjquota),
- fsparam_string_empty("prjjquota", Opt_prjjquota),
+ fsparam_string("usrjquota", Opt_usrjquota),
+ fsparam_flag("usrjquota", Opt_usrjquota),
+ fsparam_string("grpjquota", Opt_grpjquota),
+ fsparam_flag("grpjquota", Opt_grpjquota),
+ fsparam_string("prjjquota", Opt_prjjquota),
+ fsparam_flag("prjjquota", Opt_prjjquota),
fsparam_flag("nat_bits", Opt_nat_bits),
fsparam_enum("jqfmt", Opt_jqfmt, f2fs_param_jqfmt),
fsparam_enum("alloc_mode", Opt_alloc, f2fs_param_alloc_mode),
@@ -931,26 +934,26 @@ static int f2fs_parse_param(struct fs_context *fc, struct fs_parameter *param)
ctx_set_opt(ctx, F2FS_MOUNT_PRJQUOTA);
break;
case Opt_usrjquota:
- if (!*param->string)
- ret = f2fs_unnote_qf_name(fc, USRQUOTA);
- else
+ if (param->type == fs_value_is_string && *param->string)
ret = f2fs_note_qf_name(fc, USRQUOTA, param);
+ else
+ ret = f2fs_unnote_qf_name(fc, USRQUOTA);
if (ret)
return ret;
break;
case Opt_grpjquota:
- if (!*param->string)
- ret = f2fs_unnote_qf_name(fc, GRPQUOTA);
- else
+ if (param->type == fs_value_is_string && *param->string)
ret = f2fs_note_qf_name(fc, GRPQUOTA, param);
+ else
+ ret = f2fs_unnote_qf_name(fc, GRPQUOTA);
if (ret)
return ret;
break;
case Opt_prjjquota:
- if (!*param->string)
- ret = f2fs_unnote_qf_name(fc, PRJQUOTA);
- else
+ if (param->type == fs_value_is_string && *param->string)
ret = f2fs_note_qf_name(fc, PRJQUOTA, param);
+ else
+ ret = f2fs_unnote_qf_name(fc, PRJQUOTA);
if (ret)
return ret;
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 590/957] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (588 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 589/957] f2fs: allow empty mount string for Opt_usr|grp|projjquota Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 591/957] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
` (372 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongpeng Yang, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
[ Upstream commit 5909bedbed38c558bee7cb6758ceedf9bc3a9194 ]
In f2fs_sbi_show(), the extension_list, extension_count and
hot_ext_count are read without holding sbi->sb_lock. If a concurrent
sysfs store modifies the extension list via f2fs_update_extension_list(),
the show path may read inconsistent count and array contents, potentially
leading to out-of-bounds access or displaying stale data.
Fix this by holding sb_lock around the entire extension list read
and format operation.
Fixes: b6a06cbbb5f7 ("f2fs: support hot file extension")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/sysfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index a75c3ef300bd2..1f5982a0a6326 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -377,10 +377,12 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
if (!strcmp(a->attr.name, "extension_list")) {
__u8 (*extlist)[F2FS_EXTENSION_LEN] =
sbi->raw_super->extension_list;
- int cold_count = le32_to_cpu(sbi->raw_super->extension_count);
- int hot_count = sbi->raw_super->hot_ext_count;
+ int cold_count, hot_count;
int len = 0, i;
+ f2fs_down_read(&sbi->sb_lock);
+ cold_count = le32_to_cpu(sbi->raw_super->extension_count);
+ hot_count = sbi->raw_super->hot_ext_count;
len += sysfs_emit_at(buf, len, "cold file extension:\n");
for (i = 0; i < cold_count; i++)
len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
@@ -388,6 +390,7 @@ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
len += sysfs_emit_at(buf, len, "hot file extension:\n");
for (i = cold_count; i < cold_count + hot_count; i++)
len += sysfs_emit_at(buf, len, "%s\n", extlist[i]);
+ f2fs_up_read(&sbi->sb_lock);
return len;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 591/957] drm/i915/wm: Verify the correct plane DDB entry
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (589 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 590/957] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 592/957] virt: arm-cca-guest: fix error check for RSI_INCOMPLETE Greg Kroah-Hartman
` (371 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Vinod Govindapillai, Tvrtko Ursulin, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit a97c88a176b6b8d116f4d3f508f3bd02bc77b462 ]
Actually verify the DDB entry for the plane we're looking
at instead of always verifying the cursor DDB.
Fixes: 7d4561722c3b ("drm/i915: Tweak plane ddb allocation tracking")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patch.msgid.link/20260324134843.2364-5-ville.syrjala@linux.intel.com
Reviewed-by: Vinod Govindapillai <vinod.govindapillai@intel.com>
(cherry picked from commit f002f7c7439de18117a31ca84dc87a59719c3dd6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/skl_watermark.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/skl_watermark.c b/drivers/gpu/drm/i915/display/skl_watermark.c
index d74cbb43ae6fb..a5862998bf144 100644
--- a/drivers/gpu/drm/i915/display/skl_watermark.c
+++ b/drivers/gpu/drm/i915/display/skl_watermark.c
@@ -3935,8 +3935,8 @@ void intel_wm_state_verify(struct intel_atomic_state *state,
}
/* DDB */
- hw_ddb_entry = &hw->ddb[PLANE_CURSOR];
- sw_ddb_entry = &new_crtc_state->wm.skl.plane_ddb[PLANE_CURSOR];
+ hw_ddb_entry = &hw->ddb[plane->id];
+ sw_ddb_entry = &new_crtc_state->wm.skl.plane_ddb[plane->id];
if (!skl_ddb_entry_equal(hw_ddb_entry, sw_ddb_entry)) {
drm_err(display->drm,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 592/957] virt: arm-cca-guest: fix error check for RSI_INCOMPLETE
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (590 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 591/957] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 593/957] crypto: eip93 - fix hmac setkey algo selection Greg Kroah-Hartman
` (370 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sami Mujawar, Jagdish Gediya,
Steven Price, Gavin Shan, Suzuki K Poulose, Yeoreum Yun,
Catalin Marinas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sami Mujawar <sami.mujawar@arm.com>
[ Upstream commit e534e9d13d0b7bdbb2cccdace7b96b769a10540e ]
The RSI interface can return RSI_INCOMPLETE when a report spans
multiple granules. This is an expected condition and should not be
treated as a fatal error.
Currently, arm_cca_report_new() checks for `info.result != RSI_SUCCESS`
and bails out, which incorrectly flags RSI_INCOMPLETE as a failure.
Fix the check to only break out on results other than RSI_SUCCESS or
RSI_INCOMPLETE.
This ensures partial reports are handled correctly and avoids spurious
-ENXIO errors when generating attestation reports.
Fixes: 7999edc484ca ("virt: arm-cca-guest: TSM_REPORT support for realms")
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Reported-by: Jagdish Gediya <Jagdish.Gediya@arm.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/virt/coco/arm-cca-guest/arm-cca-guest.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/virt/coco/arm-cca-guest/arm-cca-guest.c b/drivers/virt/coco/arm-cca-guest/arm-cca-guest.c
index 0c9ea24a200c9..66d00b6ceb789 100644
--- a/drivers/virt/coco/arm-cca-guest/arm-cca-guest.c
+++ b/drivers/virt/coco/arm-cca-guest/arm-cca-guest.c
@@ -157,7 +157,8 @@ static int arm_cca_report_new(struct tsm_report *report, void *data)
} while (info.result == RSI_INCOMPLETE &&
info.offset < RSI_GRANULE_SIZE);
- if (info.result != RSI_SUCCESS) {
+ /* Break out in case of failure */
+ if (info.result != RSI_SUCCESS && info.result != RSI_INCOMPLETE) {
ret = -ENXIO;
token_size = 0;
goto exit_free_granule_page;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 593/957] crypto: eip93 - fix hmac setkey algo selection
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (591 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 592/957] virt: arm-cca-guest: fix error check for RSI_INCOMPLETE Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 594/957] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
` (369 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksander Jan Bajkowski,
Kenneth Kasilag, Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksander Jan Bajkowski <olek2@wp.pl>
[ Upstream commit 3ba3b02f897b14e34977e1886d95ffe64d907204 ]
eip93_hmac_setkey() allocates a temporary ahash transform for
computing HMAC ipad/opad key material. The allocation uses the
driver-specific cra_driver_name (e.g. "sha256-eip93") but passes
CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms.
Since the EIP93 hash algorithms are the only ones registered
under those driver names and they are inherently async, the
lookup is self-contradictory and always fails with -ENOENT.
When called from the AEAD setkey path, this failure leaves the
SA record partially initialized with zeroed digest fields. A
subsequent crypto operation then dereferences a NULL pointer in
the request context, resulting in a kernel panic:
```
pc : eip93_aead_handle_result+0xc8c/0x1240 [crypto_hw_eip93]
lr : eip93_aead_handle_result+0xbec/0x1240 [crypto_hw_eip93]
sp : ffffffc082feb820
x29: ffffffc082feb820 x28: ffffff8011043980 x27: 0000000000000000
x26: 0000000000000000 x25: ffffffc078da0bc8 x24: 0000000091043980
x23: ffffff8004d59e50 x22: ffffff8004d59410 x21: ffffff8004d593c0
x20: ffffff8004d593c0 x19: ffffff8004d4f300 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000007fda7aa498
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: fffffffff8127a80 x9 : 0000000000000000
x8 : ffffff8004d4f380 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000008 x3 : 0000000000000009
x2 : 0000000000000008 x1 : 0000000028000003 x0 : ffffff8004d388c0
Code: 910142b6 f94012e0 f9002aa0 f90006d3 (f9400740)
```
The reported symbol eip93_aead_handle_result+0xc8c is a
resolution artifact from static functions being merged under
the nearest exported symbol. Decoding the faulting sequence:
```
910142b6 ADD X22, X21, #0x50
f94012e0 LDR X0, [X23, #0x20]
f9002aa0 STR X0, [X21, #0x50]
f90006d3 STR X19, [X22, #0x8]
f9400740 LDR X0, [X26, #0x8]
```
The faulting LDR at [X26, #0x8] is loading ctx->flags
(offset 8 in eip93_hash_ctx), where ctx has been resolved
to NULL from a partially initialized or unreachable
transform context following the failed setkey.
Fix this by dropping the CRYPTO_ALG_ASYNC mask from the
crypto_alloc_ahash() call. The code already handles async
completion correctly via crypto_wait_req(), so there is no
requirement to restrict the lookup to synchronous algorithms.
Note that hashing a single 64-byte block through the hardware
is likely slower than doing it in software due to the DMA
round-trip overhead, but offloading it may still spare CPU
cycles on the slower embedded cores where this IP is found.
Fixes: 9739f5f93b78 ("crypto: eip93 - Add Inside Secure SafeXcel EIP-93 crypto engine support")
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
[Detailed investigation report of this bug]
Signed-off-by: Kenneth Kasilag <kenneth@kasilag.me>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/inside-secure/eip93/eip93-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/inside-secure/eip93/eip93-common.c b/drivers/crypto/inside-secure/eip93/eip93-common.c
index 66153aa2493f2..43a2df542583b 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-common.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-common.c
@@ -731,7 +731,7 @@ int eip93_hmac_setkey(u32 ctx_flags, const u8 *key, unsigned int keylen,
return -EINVAL;
}
- ahash_tfm = crypto_alloc_ahash(alg_name, 0, CRYPTO_ALG_ASYNC);
+ ahash_tfm = crypto_alloc_ahash(alg_name, 0, 0);
if (IS_ERR(ahash_tfm))
return PTR_ERR(ahash_tfm);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 594/957] crypto: sa2ul - Fix AEAD fallback algorithm names
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (592 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 593/957] crypto: eip93 - fix hmac setkey algo selection Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 595/957] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
` (368 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, T Pratham, Manorit Chawdhry,
Herbert Xu, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: T Pratham <t-pratham@ti.com>
[ Upstream commit 8451ab6ad686ffdcdf9ddadaa446a79ab48e5590 ]
For authenc AEAD algorithms, sa2ul is trying to register very specific
-ce version as a fallback. This causes registration failure on SoCs
which do not have ARMv8-CE enabled/available. Change the fallback
algorithm from the specific driver name to generic algorithm name so
that the kernel can allocate any available fallback.
Fixes: d2c8ac187fc92 ("crypto: sa2ul - Add AEAD algorithm support")
Signed-off-by: T Pratham <t-pratham@ti.com>
Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/sa2ul.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
index fdc0b24860691..52fe4baeff934 100644
--- a/drivers/crypto/sa2ul.c
+++ b/drivers/crypto/sa2ul.c
@@ -1744,13 +1744,13 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash,
static int sa_cra_init_aead_sha1(struct crypto_aead *tfm)
{
return sa_cra_init_aead(tfm, "sha1",
- "authenc(hmac(sha1-ce),cbc(aes-ce))");
+ "authenc(hmac(sha1),cbc(aes))");
}
static int sa_cra_init_aead_sha256(struct crypto_aead *tfm)
{
return sa_cra_init_aead(tfm, "sha256",
- "authenc(hmac(sha256-ce),cbc(aes-ce))");
+ "authenc(hmac(sha256),cbc(aes))");
}
static void sa_exit_tfm_aead(struct crypto_aead *tfm)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 595/957] crypto: ccp - copy IV using skcipher ivsize
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (593 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 594/957] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 596/957] erofs: unify lcn as u64 for 32-bit platforms Greg Kroah-Hartman
` (367 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moses, Tom Lendacky, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moses <p@1g4.org>
[ Upstream commit a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4 ]
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV
buffer while RFC3686 skciphers expose an 8-byte IV, so the restore
overruns the provided buffer.
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
Fixes: 2b789435d7f3 ("crypto: ccp - CCP AES crypto API support")
Signed-off-by: Paul Moses <p@1g4.org>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccp/ccp-crypto-aes.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/ccp/ccp-crypto-aes.c b/drivers/crypto/ccp/ccp-crypto-aes.c
index 685d42ec7adea..b5be3af8b2fe5 100644
--- a/drivers/crypto/ccp/ccp-crypto-aes.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes.c
@@ -30,8 +30,11 @@ static int ccp_aes_complete(struct crypto_async_request *async_req, int ret)
if (ret)
return ret;
- if (ctx->u.aes.mode != CCP_AES_MODE_ECB)
- memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE);
+ if (ctx->u.aes.mode != CCP_AES_MODE_ECB) {
+ size_t ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(req));
+
+ memcpy(req->iv, rctx->iv, ivsize);
+ }
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 596/957] erofs: unify lcn as u64 for 32-bit platforms
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (594 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 595/957] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
@ 2026-05-20 16:17 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 597/957] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
` (366 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gao Xiang, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit 2d8c7edcb661812249469f4a5b62e9339118846f ]
As sashiko reported [1], `lcn` was typed as `unsigned long` (or
`unsigned int` sometimes), which is only 32 bits wide on 32-bit
platforms, which causes `(lcn << lclusterbits)` to be truncated
at 4 GiB.
In order to consolidate the logic, just use `u64` consistently
around the codebase.
[1] https://sashiko.dev/r/20260420034612.1899973-1-hsiangkao%40linux.alibaba.com
Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/zmap.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index 30775502b56da..abf7ddc64c63b 100644
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -10,7 +10,7 @@
struct z_erofs_maprecorder {
struct inode *inode;
struct erofs_map_blocks *map;
- unsigned long lcn;
+ u64 lcn;
/* compression extent information gathered */
u8 type, headtype;
u16 clusterofs;
@@ -20,8 +20,7 @@ struct z_erofs_maprecorder {
bool partialref, in_mbox;
};
-static int z_erofs_load_full_lcluster(struct z_erofs_maprecorder *m,
- unsigned long lcn)
+static int z_erofs_load_full_lcluster(struct z_erofs_maprecorder *m, u64 lcn)
{
struct inode *const inode = m->inode;
struct erofs_inode *const vi = EROFS_I(inode);
@@ -94,7 +93,7 @@ static int get_compacted_la_distance(unsigned int lobits,
}
static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m,
- unsigned long lcn, bool lookahead)
+ u64 lcn, bool lookahead)
{
struct inode *const inode = m->inode;
struct erofs_inode *const vi = EROFS_I(inode);
@@ -234,7 +233,7 @@ static int z_erofs_load_compact_lcluster(struct z_erofs_maprecorder *m,
}
static int z_erofs_load_lcluster_from_disk(struct z_erofs_maprecorder *m,
- unsigned int lcn, bool lookahead)
+ u64 lcn, bool lookahead)
{
struct erofs_inode *vi = EROFS_I(m->inode);
int err;
@@ -249,7 +248,7 @@ static int z_erofs_load_lcluster_from_disk(struct z_erofs_maprecorder *m,
return err;
if (m->type >= Z_EROFS_LCLUSTER_TYPE_MAX) {
- erofs_err(m->inode->i_sb, "unknown type %u @ lcn %u of nid %llu",
+ erofs_err(m->inode->i_sb, "unknown type %u @ lcn %llu of nid %llu",
m->type, lcn, EROFS_I(m->inode)->nid);
DBG_BUGON(1);
return -EOPNOTSUPP;
@@ -269,7 +268,7 @@ static int z_erofs_extent_lookback(struct z_erofs_maprecorder *m,
const unsigned int lclusterbits = vi->z_lclusterbits;
while (m->lcn >= lookback_distance) {
- unsigned long lcn = m->lcn - lookback_distance;
+ u64 lcn = m->lcn - lookback_distance;
int err;
if (!lookback_distance)
@@ -286,7 +285,7 @@ static int z_erofs_extent_lookback(struct z_erofs_maprecorder *m,
m->map->m_la = (lcn << lclusterbits) | m->clusterofs;
return 0;
}
- erofs_err(sb, "bogus lookback distance %u @ lcn %lu of nid %llu",
+ erofs_err(sb, "bogus lookback distance %u @ lcn %llu of nid %llu",
lookback_distance, m->lcn, vi->nid);
DBG_BUGON(1);
return -EFSCORRUPTED;
@@ -300,7 +299,7 @@ static int z_erofs_get_extent_compressedlen(struct z_erofs_maprecorder *m,
struct erofs_inode *vi = EROFS_I(inode);
bool bigpcl1 = vi->z_advise & Z_EROFS_ADVISE_BIG_PCLUSTER_1;
bool bigpcl2 = vi->z_advise & Z_EROFS_ADVISE_BIG_PCLUSTER_2;
- unsigned long lcn = m->lcn + 1;
+ u64 lcn = m->lcn + 1;
int err;
DBG_BUGON(m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD);
@@ -331,7 +330,7 @@ static int z_erofs_get_extent_compressedlen(struct z_erofs_maprecorder *m,
m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD);
if (m->type == Z_EROFS_LCLUSTER_TYPE_NONHEAD && m->delta[0] != 1) {
- erofs_err(sb, "bogus CBLKCNT @ lcn %lu of nid %llu", lcn, vi->nid);
+ erofs_err(sb, "bogus CBLKCNT @ lcn %llu of nid %llu", lcn, vi->nid);
DBG_BUGON(1);
return -EFSCORRUPTED;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 597/957] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (595 preceding siblings ...)
2026-05-20 16:17 ` [PATCH 6.18 596/957] erofs: unify lcn as u64 for 32-bit platforms Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 598/957] arm64: dts: imx8mp-debix-som-a: " Greg Kroah-Hartman
` (365 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Peng Fan, Frank Li,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 3b778178997aee24537b521a8cb60970bc1ce01c ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there is interrupt storm for i.MX8MP DEBIX Model A. Per schematic, there
is no on board PULL-UP resistors for GPIO1_IO03, so need to set PAD
PUE and PU together to make pull up work properly.
Fixes: c86d350aae68e ("arm64: dts: Add device tree for the Debix Model A Board")
Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Closes: https://lore.kernel.org/all/20260323105858.GA2185714@killaraus.ideasonboard.com/
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts b/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts
index af02af9e5334d..740cac4cb31d9 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-debix-model-a.dts
@@ -440,7 +440,7 @@ MX8MP_IOMUXC_SAI5_RXC__I2C6_SDA 0x400001c3
pinctrl_pmic: pmicirqgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 598/957] arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (596 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 597/957] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 599/957] arm64: dts: imx8mp-navqp: " Greg Kroah-Hartman
` (364 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Kieran Bingham,
Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 2ea7872048a179b0ea8dadc67771961df3f0fc4a ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there is interrupt storm for i.MX8MP DEBIX SOM A. Need to set PAD
PUE and PU together to make pull up work properly.
Fixes: 21baf0b47f81b ("arm64: dts: freescale: Add DEBIX SOM A and SOM A I/O Board support")
Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Closes: https://lore.kernel.org/all/20260323105858.GA2185714@killaraus.ideasonboard.com/
Reported-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Closes: https://lore.kernel.org/imx/20260324194353.GB2352505@killaraus.ideasonboard.com/T/#m9a07fdc75496369a7d76d52c5e34ed140dcabfe3
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts | 2 +-
arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts
index d241db3743a9c..ed89d2ccb6ce2 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a-bmb-08.dts
@@ -452,7 +452,7 @@ MX8MP_IOMUXC_SAI1_RXD1__GPIO4_IO03 0x140
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi
index 91094c2277443..b31e8fe95ca74 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-debix-som-a.dtsi
@@ -241,7 +241,7 @@ MX8MP_IOMUXC_I2C4_SDA__I2C4_SDA 0x400001c3
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 599/957] arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (597 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 598/957] arm64: dts: imx8mp-debix-som-a: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 600/957] arm64: dts: imx8mp-icore-mx8mp: " Greg Kroah-Hartman
` (363 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 741d6ac1a2a2e0f3e2cae5eef3516cdd75119e83 ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there will be interrupt storm for i.MX8MP NAVQP. Per schematic, there
is no on board PULL-UP resistors for GPIO1_IO03, so need to set PAD
PUE and PU together to make pull up work properly.
Fixes: 682729a9d506d ("arm64: dts: freescale: Add device tree for Emcraft Systems NavQ+ Kit")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-navqp.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-navqp.dts b/arch/arm64/boot/dts/freescale/imx8mp-navqp.dts
index 4a4f7c1adc23f..9dedb9f11145e 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-navqp.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-navqp.dts
@@ -356,7 +356,7 @@ MX8MP_IOMUXC_I2C4_SDA__I2C4_SDA 0x400001c3
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 600/957] arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (598 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 599/957] arm64: dts: imx8mp-navqp: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 601/957] arm64: dts: imx8mp-edm-g: " Greg Kroah-Hartman
` (362 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit ea8c90f5c7ceeb6657a8fe564aa7b190dce298a6 ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: eefe06b295087 ("arm64: dts: imx8mp: Add Engicam i.Core MX8M Plus SoM")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
index a6319824ea2eb..69558ffefa9a6 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-icore-mx8mp.dtsi
@@ -132,7 +132,7 @@ MX8MP_IOMUXC_I2C1_SDA__I2C1_SDA 0x400001c3
pinctrl_pmic: pmicgrp {
fsl,pins = <
- MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x41
+ MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 601/957] arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (599 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 600/957] arm64: dts: imx8mp-icore-mx8mp: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 602/957] arm64: dts: imx8mp-aristainetos3a-som-v1: " Greg Kroah-Hartman
` (361 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit c46c5a54443440ce0f71de9f4df9dd860f5c2afd ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: 95e882c021c8b ("arm64: dts: imx8mp: Add TechNexion EDM-G-IMX8M-PLUS SOM on WB-EDM-G carrier board")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-edm-g.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-edm-g.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-edm-g.dtsi
index 3f1e0837f349f..91b87a7248dd1 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-edm-g.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-edm-g.dtsi
@@ -563,7 +563,7 @@ MX8MP_IOMUXC_GPIO1_IO01__GPIO1_IO01 0x41 /* PCIE RST */
pinctrl_pmic: pmicirqgrp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 602/957] arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (600 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 601/957] arm64: dts: imx8mp-edm-g: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 603/957] arm64: dts: imx8mp-nitrogen-som: " Greg Kroah-Hartman
` (360 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit e6d2d8e49ca34bb39126a69128794d08ffd7c83e ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: eead8f3536d5c ("arm64: dts: imx8mp: add aristainetos3 board support")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-aristainetos3a-som-v1.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-aristainetos3a-som-v1.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-aristainetos3a-som-v1.dtsi
index f654d866e58c0..e7666e54310be 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-aristainetos3a-som-v1.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-aristainetos3a-som-v1.dtsi
@@ -903,7 +903,7 @@ MX8MP_IOMUXC_SAI1_MCLK__GPIO4_IO20 0x41
pinctrl_pmic: aristainetos3-pmic-grp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 603/957] arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (601 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 602/957] arm64: dts: imx8mp-aristainetos3a-som-v1: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 604/957] arm64: dts: imx8mp-sr-som: " Greg Kroah-Hartman
` (359 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 16611eda2c7584a1a7d6f80511d825e5108f026c ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: ab4d874c9f44e ("arm64: dts: imx8mp: Add device tree for Nitrogen8M Plus ENC Carrier Board")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-nitrogen-som.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-nitrogen-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-nitrogen-som.dtsi
index f658309612eff..8465b36d440ae 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-nitrogen-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-nitrogen-som.dtsi
@@ -296,7 +296,7 @@ MX8MP_IOMUXC_I2C4_SDA__I2C4_SDA 0x400001c3
pinctrl_pmic: pmicirqgrp {
fsl,pins = <
- MX8MP_IOMUXC_NAND_ALE__GPIO3_IO00 0x41
+ MX8MP_IOMUXC_NAND_ALE__GPIO3_IO00 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 604/957] arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (602 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 603/957] arm64: dts: imx8mp-nitrogen-som: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 605/957] arm64: dts: imx8mp-ultra-mach-sbc: " Greg Kroah-Hartman
` (358 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peng Fan, Josua Mayer, Frank Li,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 695a476275cfb9c798a696aeaa43967701d5c78a ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: a009c0c66ecb4 ("arm64: dts: add description for solidrun imx8mp som and cubox-m")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Josua Mayer <josua@solid-run.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-sr-som.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-sr-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-sr-som.dtsi
index 4e6629f940bfa..82a3ed80235a8 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-sr-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-sr-som.dtsi
@@ -174,7 +174,7 @@ pmic: pmic@25 {
pinctrl-0 = <&pmic_pins>;
pinctrl-names = "default";
interrupt-parent = <&gpio1>;
- interrupts = <3 GPIO_ACTIVE_LOW>;
+ interrupts = <3 IRQ_TYPE_LEVEL_LOW>;
nxp,i2c-lt-enable;
regulators {
@@ -417,7 +417,7 @@ MX8MP_IOMUXC_SAI1_RXD1__GPIO4_IO03 0x160
pmic_pins: pinctrl-pmic-grp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x41
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 605/957] arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (603 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 604/957] arm64: dts: imx8mp-sr-som: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 606/957] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
` (357 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit daaf41ee72fb5fad936e7051a015cccae9b33937 ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: d1c1400bd3b8b ("arm64: dts: imx8mp: Add initial support for Ultratronik imx8mp-ultra-mach-sbc board")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-ultra-mach-sbc.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-ultra-mach-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-ultra-mach-sbc.dts
index 9ecec1a418781..3e6f9c88cc200 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-ultra-mach-sbc.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-ultra-mach-sbc.dts
@@ -275,7 +275,7 @@ pmic@25 {
reg = <0x25>;
pinctrl-0 = <&pinctrl_pmic>;
interrupt-parent = <&gpio1>;
- interrupts = <3 GPIO_ACTIVE_LOW>;
+ interrupts = <3 IRQ_TYPE_LEVEL_LOW>;
/*
* i.MX 8M Plus Data Sheet for Consumer Products
@@ -739,7 +739,7 @@ MX8MP_IOMUXC_GPIO1_IO07__GPIO1_IO07 0x40 /* NFC_INT */
pinctrl_pmic: pmic-grp {
fsl,pins = <
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x40 /* #PMIC_INT */
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0 /* #PMIC_INT */
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 606/957] arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (604 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 605/957] arm64: dts: imx8mp-ultra-mach-sbc: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 607/957] arm64: dts: imx8mp-data-modul-edm-sbc: " Greg Kroah-Hartman
` (356 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit f9ed5afc988da3e22543725e35be6addbb0497bc ]
PMIC_nINT is low level triggered, but the current PAD settings is
PE=0,PUE=0,FSEL_1_FAST_SLEW_RATE=1,SION=1. So PAD needs to be configured
as PULL UP with PULL Enable, no need SION. Correct it.
Fixes: 8d6712695bc8e ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
index f8303b7e2bd22..0a6a60670f762 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
@@ -989,7 +989,7 @@ MX8MP_IOMUXC_SAI5_RXC__GPIO3_IO20 0x22
pinctrl_pmic: dhcom-pmic-grp {
fsl,pins = <
/* PMIC_nINT */
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x40000090
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 607/957] arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (605 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 606/957] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 608/957] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
` (355 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 8ff145577e93f312ff398cb950ee3bd44835f5be ]
PMIC_nINT is low level triggered, but the current PAD settings is
PE=0,PUE=0,FSEL_1_FAST_SLEW_RATE=1,SION=1. So PAD needs to be configured
as PULL UP with PULL Enable, no need SION. Correct it.
Fixes: 562d222f23f0f ("arm64: dts: imx8mp: Add support for Data Modul i.MX8M Plus eDM SBC")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
index 16078ff60ef08..fa13662ca3667 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
@@ -900,7 +900,7 @@ MX8MP_IOMUXC_SAI3_RXFS__AUDIOMIX_PDM_BIT_STREAM00 0x0
pinctrl_pmic: pmic-grp {
fsl,pins = <
/* PMIC_nINT */
- MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x40000090
+ MX8MP_IOMUXC_GPIO1_IO03__GPIO1_IO03 0x1c0
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 608/957] PCMCIA: Fix garbled log messages for KERN_CONT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (606 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 607/957] arm64: dts: imx8mp-data-modul-edm-sbc: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 609/957] reset: amlogic: t7: Fix null reset ops Greg Kroah-Hartman
` (354 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Dominik Brodowski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit bfeaa6814bd3f9a1f6d525b3b35a03b9a0368961 ]
For years the PCMCIA info messages are messed up by superfluous
newlines. While f2e6cf76751d ("pcmcia: Convert dev_printk to
dev_<level>") converted the code to pr_cont(), dev_info enforces a \n
via vprintk_store setting LOG_NEWLINE, breaking subsequent pr_cont.
Fix by logging the device name manually to allow pr_cont to work for
more readable and not \n distorted logs.
Fixes: f2e6cf76751d ("pcmcia: Convert dev_printk to dev_<level>")
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pcmcia/rsrc_nonstatic.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
index da494fe451baf..efc439c748862 100644
--- a/drivers/pcmcia/rsrc_nonstatic.c
+++ b/drivers/pcmcia/rsrc_nonstatic.c
@@ -188,7 +188,7 @@ static void do_io_probe(struct pcmcia_socket *s, unsigned int base,
int any;
u_char *b, hole, most;
- dev_info(&s->dev, "cs: IO port probe %#x-%#x:", base, base+num-1);
+ pr_info("%s: cs: IO port probe %#x-%#x:", dev_name(&s->dev), base, base+num-1);
/* First, what does a floating port look like? */
b = kzalloc(256, GFP_KERNEL);
@@ -410,8 +410,8 @@ static int do_mem_probe(struct pcmcia_socket *s, u_long base, u_long num,
struct socket_data *s_data = s->resource_data;
u_long i, j, bad, fail, step;
- dev_info(&s->dev, "cs: memory probe 0x%06lx-0x%06lx:",
- base, base+num-1);
+ pr_info("%s: cs: memory probe 0x%06lx-0x%06lx:",
+ dev_name(&s->dev), base, base+num-1);
bad = fail = 0;
step = (num < 0x20000) ? 0x2000 : ((num>>4) & ~0x1fff);
/* don't allow too large steps */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 609/957] reset: amlogic: t7: Fix null reset ops
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (607 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 608/957] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 610/957] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
` (353 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ronald Claveau, Philipp Zabel,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ronald Claveau <linux-kernel-dev@aliel.fr>
[ Upstream commit 9797524ef2b69c6b187b55bd844eb72a8c1cbd99 ]
Fix missing reset ops causing kernel null pointer dereference.
This SOC's reset is currently not used yet.
Signed-off-by: Ronald Claveau <linux-kernel-dev@aliel.fr>
Fixes: fb4c31587adf ("reset: amlogic: add auxiliary reset driver support")
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/reset/amlogic/reset-meson.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/reset/amlogic/reset-meson.c b/drivers/reset/amlogic/reset-meson.c
index 84610365a823c..c303e8590dd68 100644
--- a/drivers/reset/amlogic/reset-meson.c
+++ b/drivers/reset/amlogic/reset-meson.c
@@ -42,6 +42,7 @@ static const struct meson_reset_param meson_s4_param = {
};
static const struct meson_reset_param t7_param = {
+ .reset_ops = &meson_reset_ops,
.reset_num = 224,
.reset_offset = 0x0,
.level_offset = 0x40,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 610/957] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (608 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 609/957] reset: amlogic: t7: Fix null reset ops Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 611/957] arm64: dts: imx8mn-tqma8mqnl: " Greg Kroah-Hartman
` (352 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 721dec3ee9ff5231d13a412ff87df63b966d137b ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
While at here, also correct interrupt type as IRQ_TYPE_LEVEL_LOW.
Fixes: cbd3ef64eb9d1 ("arm64: dts: Add support for Emtop SoM & Baseboard")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi
index 67d22d3768aa8..507d1824d99d9 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-emtop-som.dtsi
@@ -60,7 +60,7 @@ pmic@25 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_pmic>;
interrupt-parent = <&gpio1>;
- interrupts = <3 IRQ_TYPE_EDGE_RISING>;
+ interrupts = <3 IRQ_TYPE_LEVEL_LOW>;
regulators {
buck1: BUCK1 {
@@ -194,7 +194,7 @@ MX8MM_IOMUXC_I2C1_SDA_I2C1_SDA 0x400001c3
pinctrl_pmic: emtop-pmic-grp {
fsl,pins = <
- MX8MM_IOMUXC_GPIO1_IO03_GPIO1_IO3 0x41
+ MX8MM_IOMUXC_GPIO1_IO03_GPIO1_IO3 0x141
>;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 611/957] arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (609 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 610/957] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 612/957] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
` (351 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 0fb37990774113afd943eaa91323679388584b6d ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: 3e56e354db6d3 ("arm64: dts: freescale: add initial device tree for TQMa8MQNL with i.MX8MN")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
index e2ccebf6ee13f..5e2c6d6e94550 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-tqma8mqnl.dtsi
@@ -298,7 +298,7 @@ pinctrl_i2c1_gpio: i2c1gpiogrp {
};
pinctrl_pmic: pmicgrp {
- fsl,pins = <MX8MN_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x84>;
+ fsl,pins = <MX8MN_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x1c4>;
};
pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 612/957] arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (610 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 611/957] arm64: dts: imx8mn-tqma8mqnl: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 613/957] arm64: dts: marvell: armada-37xx: use usb2-phy in USB3 controllers phy-names Greg Kroah-Hartman
` (350 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Frank Li, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 42a9f5a16328ed78a88e0498556965b6c6ec515c ]
With commit 5d0efaf47ee90 ("regulator: pca9450: Correct interrupt type"),
there might be interrupt storm for this board. Need to set PAD PUE and PU
together to make pull up work properly.
Fixes: dfcd1b6f7620e ("arm64: dts: freescale: add initial device tree for TQMa8MQML with i.MX8MM")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
index b82e9790ea205..a0e8b158c4edf 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-tqma8mqml.dtsi
@@ -291,7 +291,7 @@ pinctrl_i2c1_gpio: i2c1gpiogrp {
};
pinctrl_pmic: pmicgrp {
- fsl,pins = <MX8MM_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x94>;
+ fsl,pins = <MX8MM_IOMUXC_GPIO1_IO08_GPIO1_IO8 0x1d4>;
};
pinctrl_reg_usdhc2_vmmc: regusdhc2vmmcgrp {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 613/957] arm64: dts: marvell: armada-37xx: use usb2-phy in USB3 controllers phy-names
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (611 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 612/957] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 614/957] pwm: stm32: Fix rounding issue for requests with inverted polarity Greg Kroah-Hartman
` (349 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Gregory CLEMENT,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit 0fef19844624f8bc07651b4d26088d8940affba3 ]
Instead of the generic 'usb2-phy' name, the Armada 37xx device trees
are using a custom 'usb2-utmi-otg-phy' name for the USB2 PHY in the USB3
controller node. Since commit 53a2d95df836 ("usb: core: add phy notify
connect and disconnect"), this triggers a bug [1] in the USB core which
causes double use of the USB3 PHY.
Change the PHY name to 'usb2-phy' in the SoC and in the uDPU specific
dtsi files in order to avoid triggering the bug and also to keep the
names in line with the ones used by other platforms.
Link: https://lore.kernel.org/r/20260330-usb-avoid-usb3-phy-double-use-v1-1-d2113aecb535@gmail.com # [1]
Fixes: 53a2d95df836 ("usb: core: add phy notify connect and disconnect")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 2 +-
arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
index cd856c0aba71e..12deacb741ccb 100644
--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
@@ -161,7 +161,7 @@ ð1 {
&usb3 {
status = "okay";
phys = <&usb2_utmi_otg_phy>;
- phy-names = "usb2-utmi-otg-phy";
+ phy-names = "usb2-phy";
};
&uart0 {
diff --git a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
index c612317043ea7..a66157cb439b4 100644
--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
@@ -373,7 +373,7 @@ usb3: usb@58000 {
interrupts = <GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>;
clocks = <&sb_periph_clk 12>;
phys = <&comphy0 0>, <&usb2_utmi_otg_phy>;
- phy-names = "usb3-phy", "usb2-utmi-otg-phy";
+ phy-names = "usb3-phy", "usb2-phy";
status = "disabled";
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 614/957] pwm: stm32: Fix rounding issue for requests with inverted polarity
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (612 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 613/957] arm64: dts: marvell: armada-37xx: use usb2-phy in USB3 controllers phy-names Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 615/957] net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir Greg Kroah-Hartman
` (348 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Uwe Kleine-König, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 5d087c485b6ecf200a9ebb2a032bf8571d330250 ]
The calculation of the number of pwm clk ticks from a time length in
nanoseconds involves a division and thus some rounding. That might
result in
duty_ticks + offset_ticks < period_ticks
despite
duty_length_ns + duty_offset_ns >= period_length_ns
. The stm32 PWM cannot configure offset_ticks freely, it can only select
0 or period_length_ns - duty_length_ns---that is the classic normal and
inverted polarity. The decision to select the hardware polarity must be
done using the ticks values and not the nanoseconds times to adhere to
the rounding rules by the pwm core.
With the pwm clk running at 208900 kHz on my test machine
(stm32mp135f-dk), a test case that was handled wrong is:
# pwmround -P 9999962 -O 24970 -D 9974992
period_length = 9999962
duty_length = 9974840
duty_offset = 25123
With this change applied the rounding is done correctly:
# pwmround -P 9999962 -O 24970 -D 9974992
period_length = 9999962
duty_length = 9974840
duty_offset = 0
Fixes: deaba9cff809 ("pwm: stm32: Implementation of the waveform callbacks")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/c5e7767cee821b5f6e00f95bd14a5e13015646fb.1776264104.git.u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-stm32.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
index 2594fb771b04a..935257a890b06 100644
--- a/drivers/pwm/pwm-stm32.c
+++ b/drivers/pwm/pwm-stm32.c
@@ -68,7 +68,7 @@ static int stm32_pwm_round_waveform_tohw(struct pwm_chip *chip,
struct stm32_pwm *priv = to_stm32_pwm_dev(chip);
unsigned int ch = pwm->hwpwm;
unsigned long rate;
- u64 ccr, duty;
+ u64 duty_ticks, offset_ticks;
int ret;
if (wf->period_length_ns == 0) {
@@ -164,23 +164,25 @@ static int stm32_pwm_round_waveform_tohw(struct pwm_chip *chip,
wfhw->arr = min_t(u64, arr, priv->max_arr) - 1;
}
- duty = mul_u64_u64_div_u64(wf->duty_length_ns, rate,
- (u64)NSEC_PER_SEC * (wfhw->psc + 1));
- duty = min_t(u64, duty, wfhw->arr + 1);
+ duty_ticks = mul_u64_u64_div_u64(wf->duty_length_ns, rate,
+ (u64)NSEC_PER_SEC * (wfhw->psc + 1));
+ duty_ticks = min_t(u64, duty_ticks, wfhw->arr + 1);
- if (wf->duty_length_ns && wf->duty_offset_ns &&
- wf->duty_length_ns + wf->duty_offset_ns >= wf->period_length_ns) {
+ offset_ticks = mul_u64_u64_div_u64(wf->duty_offset_ns, rate,
+ (u64)NSEC_PER_SEC * (wfhw->psc + 1));
+ offset_ticks = min_t(u64, offset_ticks, wfhw->arr + 1);
+
+ if (duty_ticks && offset_ticks &&
+ duty_ticks + offset_ticks >= wfhw->arr + 1) {
wfhw->ccer |= TIM_CCER_CCxP(ch + 1);
if (priv->have_complementary_output)
wfhw->ccer |= TIM_CCER_CCxNP(ch + 1);
- ccr = wfhw->arr + 1 - duty;
+ wfhw->ccr = wfhw->arr + 1 - duty_ticks;
} else {
- ccr = duty;
+ wfhw->ccr = duty_ticks;
}
- wfhw->ccr = min_t(u64, ccr, wfhw->arr + 1);
-
out:
dev_dbg(&chip->dev, "pwm#%u: %lld/%lld [+%lld] @%lu -> CCER: %08x, PSC: %08x, ARR: %08x, CCR: %08x\n",
pwm->hwpwm, wf->duty_length_ns, wf->period_length_ns, wf->duty_offset_ns,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 615/957] net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (613 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 614/957] pwm: stm32: Fix rounding issue for requests with inverted polarity Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 616/957] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF Greg Kroah-Hartman
` (347 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Simon Horman, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit 4510d140524ca7d6e772db962e013f26f09a63b1 ]
In tcf_blockcast_redir(), when iterating block ports to redirect
packets to multiple devices, the mac_header_xmit flag is queried
from the wrong device. The loop sends to dev_prev but queries
dev_is_mac_header_xmit(dev) — which is the NEXT device in the
iteration, not the one being sent to.
This causes tcf_mirred_to_dev() to make incorrect decisions about
whether to push or pull the MAC header. When the block contains
mixed device types (e.g., an ethernet veth and a tunnel device),
intermediate devices get the wrong mac_header_xmit flag, leading to
skb header corruption. In the worst case, skb_push_rcsum with an
incorrect mac_len can exhaust headroom and panic.
The last device in the loop is handled correctly (line 365-366 uses
dev_is_mac_header_xmit(dev_prev)), confirming this is a copy-paste
oversight for the intermediate devices.
Fix by using dev_prev instead of dev for the mac_header_xmit query,
consistent with the device actually being sent to.
Fixes: 42f39036cda8 ("net/sched: act_mirred: Allow mirred to block")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260413084927.71353-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_mirred.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 5f01f567c934d..18d9378a9c113 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -370,7 +370,7 @@ static int tcf_blockcast_redir(struct sk_buff *skb, struct tcf_mirred *m,
goto assign_prev;
tcf_mirred_to_dev(skb, m, dev_prev,
- dev_is_mac_header_xmit(dev),
+ dev_is_mac_header_xmit(dev_prev),
mirred_eaction, retval);
assign_prev:
dev_prev = dev;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 616/957] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (614 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 615/957] net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 617/957] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
` (346 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Vadim Fedorenko,
Eric Dumazet, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit fa92a77b0ed4d5f11a71665a232ac5a54a4b055d ]
macvlan_get_size() does not account for IFLA_MACVLAN_BC_CUTOFF, but
macvlan_fill_info() conditionally includes it when port->bc_cutoff != 1.
This causes nla_put_s32() to fail with -EMSGSIZE when the netlink skb
runs out of space, triggering a WARN_ON in rtnetlink and preventing the
interface from being dumped.
The bug can be reproduced with:
ip link add macvlan0 link eth0 type macvlan mode bridge
ip link set macvlan0 type macvlan bc_cutoff 0
ip -d link show macvlan0 # fails with -EMSGSIZE
The bc_cutoff feature was added in commit 954d1fa1ac93 ("macvlan: Add
netlink attribute for broadcast cutoff"), which added the nla_put_s32()
call in macvlan_fill_info() but missed adding the corresponding
nla_total_size(4) in macvlan_get_size(). A follow-up commit
55cef78c244d ("macvlan: add forgotten nla_policy for
IFLA_MACVLAN_BC_CUTOFF") fixed the missing nla_policy entry but still
did not fix the size calculation.
Fixes: 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260413085349.73977-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macvlan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index e9d288a05e39e..35dcaa985cfdc 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1682,6 +1682,7 @@ static size_t macvlan_get_size(const struct net_device *dev)
+ macvlan_get_size_mac(vlan) /* IFLA_MACVLAN_MACADDR */
+ nla_total_size(4) /* IFLA_MACVLAN_BC_QUEUE_LEN */
+ nla_total_size(4) /* IFLA_MACVLAN_BC_QUEUE_LEN_USED */
+ + nla_total_size(4) /* IFLA_MACVLAN_BC_CUTOFF */
);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 617/957] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (615 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 616/957] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 618/957] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
` (345 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu,
Toke Høiland-Jørgensen, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit f9e40664706927d7ae22a448a3383e23c38a4c0b ]
cake_update_flowkeys() is supposed to update the flow dissector keys
with the NAT-translated addresses and ports from conntrack, so that
CAKE's per-flow fairness correctly identifies post-NAT flows as
belonging to the same connection.
For the source port, this works correctly:
keys->ports.src = port;
But for the destination port, the assignment is reversed:
port = keys->ports.dst;
This means the NAT destination port is never updated in the flow keys.
As a result, when multiple connections are NATed to the same destination,
CAKE treats them as separate flows because the original (pre-NAT)
destination ports differ. This breaks CAKE's NAT-aware flow isolation
when using the "nat" mode.
The bug was introduced in commit b0c19ed6088a ("sch_cake: Take advantage
of skb->hash where appropriate") which refactored the original direct
assignment into a compare-and-conditionally-update pattern, but wrote
the destination port update backwards.
Fix by reversing the assignment direction to match the source port
pattern.
Fixes: b0c19ed6088a ("sch_cake: Take advantage of skb->hash where appropriate")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20260413110041.44704-1-phx0fer@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index d325a90cde9ee..1a2023cd55109 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -606,7 +606,7 @@ static bool cake_update_flowkeys(struct flow_keys *keys,
}
port = rev ? tuple.src.u.all : tuple.dst.u.all;
if (port != keys->ports.dst) {
- port = keys->ports.dst;
+ keys->ports.dst = port;
upd = true;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 618/957] nexthop: fix IPv6 route referencing IPv4 nexthop
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (616 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 617/957] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 619/957] net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup() Greg Kroah-Hartman
` (344 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, David Ahern,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 29c95185ba32b621fbc3800fb86e7dc3edf5c2be ]
syzbot reported a panic [1] [2].
When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
of all groups containing this nexthop is not updated. This is because
nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
but the reverse direction (AF_INET6 to AF_INET) is missed.
This allows a stale has_v4=false to bypass fib6_check_nexthop, causing
IPv6 routes to be attached to groups that effectively contain only AF_INET
members. Subsequent route lookups then call nexthop_fib6_nh() which
returns NULL for the AF_INET member, leading to a NULL pointer
dereference.
Fix by calling nh_group_v4_update whenever the family changes, not just
AF_INET to AF_INET6.
Reproducer:
# AF_INET6 blackhole
ip -6 nexthop add id 1 blackhole
# group with has_v4=false
ip nexthop add id 100 group 1
# replace with AF_INET (no -6), has_v4 stays false
ip nexthop replace id 1 blackhole
# pass stale has_v4 check
ip -6 route add 2001:db8::/64 nhid 100
# panic
ping -6 2001:db8::1
[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0
[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
Fixes: 7bf4796dd099 ("nexthops: add support for replace")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260413114522.147784-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/nexthop.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index c958b8edfe540..5a95b64b61c59 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2469,10 +2469,10 @@ static int replace_nexthop_single(struct net *net, struct nexthop *old,
goto err_notify;
}
- /* When replacing an IPv4 nexthop with an IPv6 nexthop, potentially
+ /* When replacing a nexthop with one of a different family, potentially
* update IPv4 indication in all the groups using the nexthop.
*/
- if (oldi->family == AF_INET && newi->family == AF_INET6) {
+ if (oldi->family != newi->family) {
list_for_each_entry(nhge, &old->grp_list, nh_list) {
struct nexthop *nhp = nhge->nh_parent;
struct nh_group *nhg;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 619/957] net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (617 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 618/957] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 620/957] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
` (343 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit f3206328bb52c2787197d80d7cbd687946047d5f ]
In order to properly enable flowtable hw offloading, poll
REG_PPE_FLOW_CFG register in airoha_ppe_offload_setup routine and
wait for NPU PPE configuration triggered by ppe_init callback to complete
before running airoha_ppe_hw_init().
Fixes: 00a7678310fe3 ("net: airoha: Introduce flowtable offload support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260414-airoha-wait-for-npu-config-offload-setup-v2-1-5a9bf6d43aee@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_ppe.c | 28 ++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 81a7056e3510a..e9994c794c703 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -1321,6 +1321,29 @@ static struct airoha_npu *airoha_ppe_npu_get(struct airoha_eth *eth)
return npu;
}
+static int airoha_ppe_wait_for_npu_init(struct airoha_eth *eth)
+{
+ int err;
+ u32 val;
+
+ /* PPE_FLOW_CFG default register value is 0. Since we reset FE
+ * during the device probe we can just check the configured value
+ * is not 0 here.
+ */
+ err = read_poll_timeout(airoha_fe_rr, val, val, USEC_PER_MSEC,
+ 100 * USEC_PER_MSEC, false, eth,
+ REG_PPE_PPE_FLOW_CFG(0));
+ if (err)
+ return err;
+
+ if (airoha_ppe_is_enabled(eth, 1))
+ err = read_poll_timeout(airoha_fe_rr, val, val, USEC_PER_MSEC,
+ 100 * USEC_PER_MSEC, false, eth,
+ REG_PPE_PPE_FLOW_CFG(1));
+
+ return err;
+}
+
static int airoha_ppe_offload_setup(struct airoha_eth *eth)
{
struct airoha_npu *npu = airoha_ppe_npu_get(eth);
@@ -1334,6 +1357,11 @@ static int airoha_ppe_offload_setup(struct airoha_eth *eth)
if (err)
goto error_npu_put;
+ /* Wait for NPU PPE configuration to complete */
+ err = airoha_ppe_wait_for_npu_init(eth);
+ if (err)
+ goto error_npu_put;
+
ppe_num_stats_entries = airoha_ppe_get_total_num_stats_entries(ppe);
if (ppe_num_stats_entries > 0) {
err = npu->ops.ppe_init_stats(npu, ppe->foe_stats_dma,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 620/957] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (618 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 619/957] net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 621/957] net: dsa: cpu_dp->orig_ethtool_ops might be NULL Greg Kroah-Hartman
` (342 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junxi Qian, Vinicius Costa Gomes,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit 105425b1969c5affe532713cfac1c0b320d7ac2b ]
In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.
Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.
The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.
Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
Reported-by: Junxi Qian <qjx1298677004@gmail.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 39b735386996e..91b85360f8091 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -971,11 +971,12 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
}
if (should_change_schedules(admin, oper, end_time)) {
- /* Set things so the next time this runs, the new
- * schedule runs.
- */
- end_time = sched_base_time(admin);
switch_schedules(q, &admin, &oper);
+ /* After changing schedules, the next entry is the first one
+ * in the new schedule, with a pre-calculated end_time.
+ */
+ next = list_first_entry(&oper->entries, struct sched_entry, list);
+ end_time = next->end_time;
}
next->end_time = end_time;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 621/957] net: dsa: cpu_dp->orig_ethtool_ops might be NULL
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (619 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 620/957] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 622/957] net: dsa: use kernel data types for ethtool ops on conduit Greg Kroah-Hartman
` (341 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit eba81b0a6de39e2466d37e410003642282b4e546 ]
In theory this would have been seen by now, but it seems that all
drivers used as DSA conduit interfaces thus far have had ethtool_ops
set, and it's hard to even find modern Ethernet drivers (and not VF
ones) which don't use ethtool.
Here is the unfiltered list of drivers which register any sort of
net_device but don't set its ethtool_ops pointer. I don't think any of
them 'risks' being used as a DSA conduit, maybe except for moxart,
rnpbge and icssm, I'm not sure.
- drivers/net/can/dev/dev.c
- drivers/net/wwan/qcom_bam_dmux.c
- drivers/net/wwan/t7xx/t7xx_netdev.c
- drivers/net/arcnet/arcnet.c
- drivers/net/hamradio/
- drivers/net/slip/slip.c
- drivers/net/ethernet/ezchip/nps_enet.c
- drivers/net/ethernet/moxa/moxart_ether.c
- drivers/net/ethernet/wangxun/txgbevf/txgbevf_main.c
- drivers/net/ethernet/wangxun/ngbevf/ngbevf_main.c
- drivers/net/ethernet/huawei/hinic3/hinic3_main.c
- drivers/net/ethernet/i825xx/
- drivers/net/ethernet/ti/icssm/icssm_prueth.c
- drivers/net/ethernet/seeq/
- drivers/net/ethernet/litex/litex_liteeth.c
- drivers/net/ethernet/sunplus/spl2sw_driver.c
- drivers/net/ethernet/mucse/rnpgbe/rnpgbe_main.c
- drivers/net/ipa/
- drivers/net/wireless/microchip/wilc1000/
- drivers/net/wireless/mediatek/mt76/dma.c
- drivers/net/wireless/ath/ath12k/
- drivers/net/wireless/ath/ath11k/
- drivers/net/wireless/ath/ath6kl/
- drivers/net/wireless/ath/ath10k/
- drivers/net/wireless/intel/iwlwifi/pcie/gen1_2/trans.c
- drivers/net/wireless/virtual/mac80211_hwsim.c
- drivers/net/wireless/quantenna/qtnfmac/pcie/pcie.c
- drivers/net/wireless/realtek/rtw89/core.c
- drivers/net/wireless/realtek/rtw88/pci.c
- drivers/net/caif/
- drivers/net/plip/
- drivers/net/wan/
- drivers/net/mctp/
- drivers/net/ppp/
- drivers/net/thunderbolt/
Nonetheless, it's good for the framework not to make such assumptions,
and not panic when coming across such kind of host device in the future.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251122112311.138784-2-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0f99e0c3e19b ("net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/conduit.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/dsa/conduit.c b/net/dsa/conduit.c
index 4ae255cfb23f8..f80795b3d0460 100644
--- a/net/dsa/conduit.c
+++ b/net/dsa/conduit.c
@@ -26,7 +26,7 @@ static int dsa_conduit_get_regs_len(struct net_device *dev)
int ret = 0;
int len;
- if (ops->get_regs_len) {
+ if (ops && ops->get_regs_len) {
netdev_lock_ops(dev);
len = ops->get_regs_len(dev);
netdev_unlock_ops(dev);
@@ -59,7 +59,7 @@ static void dsa_conduit_get_regs(struct net_device *dev,
int port = cpu_dp->index;
int len;
- if (ops->get_regs_len && ops->get_regs) {
+ if (ops && ops->get_regs_len && ops->get_regs) {
netdev_lock_ops(dev);
len = ops->get_regs_len(dev);
if (len < 0) {
@@ -97,7 +97,7 @@ static void dsa_conduit_get_ethtool_stats(struct net_device *dev,
int port = cpu_dp->index;
int count = 0;
- if (ops->get_sset_count && ops->get_ethtool_stats) {
+ if (ops && ops->get_sset_count && ops->get_ethtool_stats) {
netdev_lock_ops(dev);
count = ops->get_sset_count(dev, ETH_SS_STATS);
ops->get_ethtool_stats(dev, stats, data);
@@ -118,11 +118,11 @@ static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev,
int port = cpu_dp->index;
int count = 0;
- if (dev->phydev && !ops->get_ethtool_phy_stats) {
+ if (dev->phydev && (!ops || !ops->get_ethtool_phy_stats)) {
count = phy_ethtool_get_sset_count(dev->phydev);
if (count >= 0)
phy_ethtool_get_stats(dev->phydev, stats, data);
- } else if (ops->get_sset_count && ops->get_ethtool_phy_stats) {
+ } else if (ops && ops->get_sset_count && ops->get_ethtool_phy_stats) {
netdev_lock_ops(dev);
count = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
ops->get_ethtool_phy_stats(dev, stats, data);
@@ -145,9 +145,9 @@ static int dsa_conduit_get_sset_count(struct net_device *dev, int sset)
netdev_lock_ops(dev);
if (sset == ETH_SS_PHY_STATS && dev->phydev &&
- !ops->get_ethtool_phy_stats)
+ (!ops || !ops->get_ethtool_phy_stats))
count = phy_ethtool_get_sset_count(dev->phydev);
- else if (ops->get_sset_count)
+ else if (ops && ops->get_sset_count)
count = ops->get_sset_count(dev, sset);
netdev_unlock_ops(dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 622/957] net: dsa: use kernel data types for ethtool ops on conduit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (620 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 621/957] net: dsa: cpu_dp->orig_ethtool_ops might be NULL Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 623/957] net: dsa: append ethtool counters of all hidden ports to conduit Greg Kroah-Hartman
` (340 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 8afabd27fe46ebf991b4aea20b74e08196c15c0c ]
Suppress some checkpatch 'CHECK' messages about u8 being preferable over
uint8_t, etc. No functional change.
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251122112311.138784-3-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0f99e0c3e19b ("net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/conduit.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/net/dsa/conduit.c b/net/dsa/conduit.c
index f80795b3d0460..c210e31296558 100644
--- a/net/dsa/conduit.c
+++ b/net/dsa/conduit.c
@@ -89,7 +89,7 @@ static void dsa_conduit_get_regs(struct net_device *dev,
static void dsa_conduit_get_ethtool_stats(struct net_device *dev,
struct ethtool_stats *stats,
- uint64_t *data)
+ u64 *data)
{
struct dsa_port *cpu_dp = dev->dsa_ptr;
const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
@@ -110,7 +110,7 @@ static void dsa_conduit_get_ethtool_stats(struct net_device *dev,
static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev,
struct ethtool_stats *stats,
- uint64_t *data)
+ u64 *data)
{
struct dsa_port *cpu_dp = dev->dsa_ptr;
const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
@@ -160,8 +160,8 @@ static int dsa_conduit_get_sset_count(struct net_device *dev, int sset)
return count;
}
-static void dsa_conduit_get_strings(struct net_device *dev, uint32_t stringset,
- uint8_t *data)
+static void dsa_conduit_get_strings(struct net_device *dev, u32 stringset,
+ u8 *data)
{
struct dsa_port *cpu_dp = dev->dsa_ptr;
const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
@@ -169,8 +169,7 @@ static void dsa_conduit_get_strings(struct net_device *dev, uint32_t stringset,
int port = cpu_dp->index;
int len = ETH_GSTRING_LEN;
int mcount = 0, count, i;
- uint8_t pfx[4];
- uint8_t *ndata;
+ u8 pfx[4], *ndata;
snprintf(pfx, sizeof(pfx), "p%.2d", port);
/* We do not want to be NULL-terminated, since this is a prefix */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 623/957] net: dsa: append ethtool counters of all hidden ports to conduit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (621 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 622/957] net: dsa: use kernel data types for ethtool ops on conduit Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 624/957] net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops Greg Kroah-Hartman
` (339 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit f647ed2ca78ec4efcc436915b441da9de0974926 ]
Currently there is no way to see packet counters on cascade ports, and
no clarity on how the API for that would look like.
Because it's something that is currently needed, just extend the hack
where ethtool -S on the conduit interface dumps CPU port counters, and
also use it to dump counters of cascade ports.
Note that the "pXX_" naming convention changes to "sXX_pYY", to
distinguish between ports having the same index but belonging to
different switches. This has a slight chance of causing regressions to
existing tooling:
- grepping for "p04_counter_name" still works, but might return more
than one string now
- grepping for " p04_counter_name" no longer works
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251122112311.138784-4-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0f99e0c3e19b ("net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/conduit.c | 126 ++++++++++++++++++++++++++++++++++------------
1 file changed, 93 insertions(+), 33 deletions(-)
diff --git a/net/dsa/conduit.c b/net/dsa/conduit.c
index c210e31296558..a1b044467bd6f 100644
--- a/net/dsa/conduit.c
+++ b/net/dsa/conduit.c
@@ -87,25 +87,51 @@ static void dsa_conduit_get_regs(struct net_device *dev,
}
}
+static ssize_t dsa_conduit_append_port_stats(struct dsa_switch *ds, int port,
+ u64 *data, size_t start)
+{
+ int count;
+
+ if (!ds->ops->get_sset_count)
+ return 0;
+
+ count = ds->ops->get_sset_count(ds, port, ETH_SS_STATS);
+ if (count < 0)
+ return count;
+
+ if (ds->ops->get_ethtool_stats)
+ ds->ops->get_ethtool_stats(ds, port, data + start);
+
+ return count;
+}
+
static void dsa_conduit_get_ethtool_stats(struct net_device *dev,
struct ethtool_stats *stats,
u64 *data)
{
- struct dsa_port *cpu_dp = dev->dsa_ptr;
+ struct dsa_port *dp, *cpu_dp = dev->dsa_ptr;
const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
- struct dsa_switch *ds = cpu_dp->ds;
- int port = cpu_dp->index;
- int count = 0;
+ struct dsa_switch_tree *dst = cpu_dp->dst;
+ int count, mcount = 0;
if (ops && ops->get_sset_count && ops->get_ethtool_stats) {
netdev_lock_ops(dev);
- count = ops->get_sset_count(dev, ETH_SS_STATS);
+ mcount = ops->get_sset_count(dev, ETH_SS_STATS);
ops->get_ethtool_stats(dev, stats, data);
netdev_unlock_ops(dev);
}
- if (ds->ops->get_ethtool_stats)
- ds->ops->get_ethtool_stats(ds, port, data + count);
+ list_for_each_entry(dp, &dst->ports, list) {
+ if (!dsa_port_is_dsa(dp) && !dsa_port_is_cpu(dp))
+ continue;
+
+ count = dsa_conduit_append_port_stats(dp->ds, dp->index,
+ data, mcount);
+ if (count < 0)
+ return;
+
+ mcount += count;
+ }
}
static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev,
@@ -136,11 +162,18 @@ static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev,
ds->ops->get_ethtool_phy_stats(ds, port, data + count);
}
+static void dsa_conduit_append_port_sset_count(struct dsa_switch *ds, int port,
+ int sset, int *count)
+{
+ if (ds->ops->get_sset_count)
+ *count += ds->ops->get_sset_count(ds, port, sset);
+}
+
static int dsa_conduit_get_sset_count(struct net_device *dev, int sset)
{
- struct dsa_port *cpu_dp = dev->dsa_ptr;
+ struct dsa_port *dp, *cpu_dp = dev->dsa_ptr;
const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
- struct dsa_switch *ds = cpu_dp->ds;
+ struct dsa_switch_tree *dst = cpu_dp->dst;
int count = 0;
netdev_lock_ops(dev);
@@ -154,26 +187,57 @@ static int dsa_conduit_get_sset_count(struct net_device *dev, int sset)
if (count < 0)
count = 0;
- if (ds->ops->get_sset_count)
- count += ds->ops->get_sset_count(ds, cpu_dp->index, sset);
+ list_for_each_entry(dp, &dst->ports, list) {
+ if (!dsa_port_is_dsa(dp) && !dsa_port_is_cpu(dp))
+ continue;
+
+ dsa_conduit_append_port_sset_count(dp->ds, dp->index, sset,
+ &count);
+ }
return count;
}
-static void dsa_conduit_get_strings(struct net_device *dev, u32 stringset,
- u8 *data)
+static ssize_t dsa_conduit_append_port_strings(struct dsa_switch *ds, int port,
+ u32 stringset, u8 *data,
+ size_t start)
{
- struct dsa_port *cpu_dp = dev->dsa_ptr;
- const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
- struct dsa_switch *ds = cpu_dp->ds;
- int port = cpu_dp->index;
int len = ETH_GSTRING_LEN;
- int mcount = 0, count, i;
- u8 pfx[4], *ndata;
+ u8 pfx[8], *ndata;
+ int count, i;
+
+ if (!ds->ops->get_strings)
+ return 0;
- snprintf(pfx, sizeof(pfx), "p%.2d", port);
+ snprintf(pfx, sizeof(pfx), "s%.2d_p%.2d", ds->index, port);
/* We do not want to be NULL-terminated, since this is a prefix */
pfx[sizeof(pfx) - 1] = '_';
+ ndata = data + start * len;
+ /* This function copies ETH_GSTRINGS_LEN bytes, we will mangle
+ * the output after to prepend our CPU port prefix we
+ * constructed earlier
+ */
+ ds->ops->get_strings(ds, port, stringset, ndata);
+ count = ds->ops->get_sset_count(ds, port, stringset);
+ if (count < 0)
+ return count;
+
+ for (i = 0; i < count; i++) {
+ memmove(ndata + (i * len + sizeof(pfx)),
+ ndata + i * len, len - sizeof(pfx));
+ memcpy(ndata + i * len, pfx, sizeof(pfx));
+ }
+
+ return count;
+}
+
+static void dsa_conduit_get_strings(struct net_device *dev, u32 stringset,
+ u8 *data)
+{
+ struct dsa_port *dp, *cpu_dp = dev->dsa_ptr;
+ const struct ethtool_ops *ops = cpu_dp->orig_ethtool_ops;
+ struct dsa_switch_tree *dst = cpu_dp->dst;
+ int count, mcount = 0;
netdev_lock_ops(dev);
if (stringset == ETH_SS_PHY_STATS && dev->phydev &&
@@ -191,21 +255,17 @@ static void dsa_conduit_get_strings(struct net_device *dev, u32 stringset,
}
netdev_unlock_ops(dev);
- if (ds->ops->get_strings) {
- ndata = data + mcount * len;
- /* This function copies ETH_GSTRINGS_LEN bytes, we will mangle
- * the output after to prepend our CPU port prefix we
- * constructed earlier
- */
- ds->ops->get_strings(ds, port, stringset, ndata);
- count = ds->ops->get_sset_count(ds, port, stringset);
+ list_for_each_entry(dp, &dst->ports, list) {
+ if (!dsa_port_is_dsa(dp) && !dsa_port_is_cpu(dp))
+ continue;
+
+ count = dsa_conduit_append_port_strings(dp->ds, dp->index,
+ stringset, data,
+ mcount);
if (count < 0)
return;
- for (i = 0; i < count; i++) {
- memmove(ndata + (i * len + sizeof(pfx)),
- ndata + i * len, len - sizeof(pfx));
- memcpy(ndata + i * len, pfx, sizeof(pfx));
- }
+
+ mcount += count;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 624/957] net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (622 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 623/957] net: dsa: append ethtool counters of all hidden ports to conduit Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 625/957] net: enetc: correct the command BD ring consumer index Greg Kroah-Hartman
` (338 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanislav Fomichev,
Maxime Chevallier, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fomichev <sdf.kernel@gmail.com>
[ Upstream commit 0f99e0c3e19badaf3fdced0d3feba623e59eed41 ]
DSA replaces the conduit (master) device's ethtool_ops with its own
wrappers that aggregate stats from both the conduit and DSA switch
ports. Taking the lock again inside the DSA wrappers causes a deadlock.
Stumbled upon this when booting qemu with fbnic and CONFIG_NET_DSA_LOOP=y
(which looks like some kind of testing device that auto-populates the ports
of eth0). `ethtool -i` is enough to deadlock. This means we have basically zero
coverage for DSA stuff with real ops locked devs.
Remove the redundant netdev_lock_ops()/netdev_unlock_ops() calls from
the DSA conduit ethtool wrappers.
Fixes: 2bcf4772e45a ("net: ethtool: try to protect all callback with netdev instance lock")
Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260414231035.1917035-1-sdf@fomichev.me
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/conduit.c | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/net/dsa/conduit.c b/net/dsa/conduit.c
index a1b044467bd6f..8398d72d7e4d3 100644
--- a/net/dsa/conduit.c
+++ b/net/dsa/conduit.c
@@ -27,9 +27,7 @@ static int dsa_conduit_get_regs_len(struct net_device *dev)
int len;
if (ops && ops->get_regs_len) {
- netdev_lock_ops(dev);
len = ops->get_regs_len(dev);
- netdev_unlock_ops(dev);
if (len < 0)
return len;
ret += len;
@@ -60,15 +58,11 @@ static void dsa_conduit_get_regs(struct net_device *dev,
int len;
if (ops && ops->get_regs_len && ops->get_regs) {
- netdev_lock_ops(dev);
len = ops->get_regs_len(dev);
- if (len < 0) {
- netdev_unlock_ops(dev);
+ if (len < 0)
return;
- }
regs->len = len;
ops->get_regs(dev, regs, data);
- netdev_unlock_ops(dev);
data += regs->len;
}
@@ -115,10 +109,8 @@ static void dsa_conduit_get_ethtool_stats(struct net_device *dev,
int count, mcount = 0;
if (ops && ops->get_sset_count && ops->get_ethtool_stats) {
- netdev_lock_ops(dev);
mcount = ops->get_sset_count(dev, ETH_SS_STATS);
ops->get_ethtool_stats(dev, stats, data);
- netdev_unlock_ops(dev);
}
list_for_each_entry(dp, &dst->ports, list) {
@@ -149,10 +141,8 @@ static void dsa_conduit_get_ethtool_phy_stats(struct net_device *dev,
if (count >= 0)
phy_ethtool_get_stats(dev->phydev, stats, data);
} else if (ops && ops->get_sset_count && ops->get_ethtool_phy_stats) {
- netdev_lock_ops(dev);
count = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
ops->get_ethtool_phy_stats(dev, stats, data);
- netdev_unlock_ops(dev);
}
if (count < 0)
@@ -176,13 +166,11 @@ static int dsa_conduit_get_sset_count(struct net_device *dev, int sset)
struct dsa_switch_tree *dst = cpu_dp->dst;
int count = 0;
- netdev_lock_ops(dev);
if (sset == ETH_SS_PHY_STATS && dev->phydev &&
(!ops || !ops->get_ethtool_phy_stats))
count = phy_ethtool_get_sset_count(dev->phydev);
else if (ops && ops->get_sset_count)
count = ops->get_sset_count(dev, sset);
- netdev_unlock_ops(dev);
if (count < 0)
count = 0;
@@ -239,7 +227,6 @@ static void dsa_conduit_get_strings(struct net_device *dev, u32 stringset,
struct dsa_switch_tree *dst = cpu_dp->dst;
int count, mcount = 0;
- netdev_lock_ops(dev);
if (stringset == ETH_SS_PHY_STATS && dev->phydev &&
!ops->get_ethtool_phy_stats) {
mcount = phy_ethtool_get_sset_count(dev->phydev);
@@ -253,7 +240,6 @@ static void dsa_conduit_get_strings(struct net_device *dev, u32 stringset,
mcount = 0;
ops->get_strings(dev, stringset, data);
}
- netdev_unlock_ops(dev);
list_for_each_entry(dp, &dst->ports, list) {
if (!dsa_port_is_dsa(dp) && !dsa_port_is_cpu(dp))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 625/957] net: enetc: correct the command BD ring consumer index
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (623 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 624/957] net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 626/957] net: enetc: fix NTMP DMA use-after-free issue Greg Kroah-Hartman
` (337 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 759a32900b6f3db3d0f34a3b61123742723b50b4 ]
The command BD ring cousumer index register has the consumer index as
the lower 10 bits, and the bit 31 is SBE, which indicates whether a
system bus error occurred during execution of the CBD command. So if a
system bus error occurs, reading the register will get the SBE bit set.
However, the current implementation directly uses the register value as
the consumer index without masking it. Therefore, if a system bus error
occurs, an incorrect consumer index will be obtained, causing errors in
the processing of the command BD ring. Thus, we need to mask out the
other bits to obtain the correct consumer index.
In addition, this patch adds a check for the SBE bit after the polling
loop and returns an error if the bit is set.
Fixes: 4701073c3deb ("net: enetc: add initial netc-lib driver to support NTMP")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260415060833.2303846-2-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/ntmp.c | 13 ++++++++++---
drivers/net/ethernet/freescale/enetc/ntmp_private.h | 2 ++
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/ntmp.c b/drivers/net/ethernet/freescale/enetc/ntmp.c
index 0c1d343253bfb..b188eb2d40c0d 100644
--- a/drivers/net/ethernet/freescale/enetc/ntmp.c
+++ b/drivers/net/ethernet/freescale/enetc/ntmp.c
@@ -55,7 +55,7 @@ int ntmp_init_cbdr(struct netc_cbdr *cbdr, struct device *dev,
spin_lock_init(&cbdr->ring_lock);
cbdr->next_to_use = netc_read(cbdr->regs.pir);
- cbdr->next_to_clean = netc_read(cbdr->regs.cir);
+ cbdr->next_to_clean = netc_read(cbdr->regs.cir) & NETC_CBDRCIR_INDEX;
/* Step 1: Configure the base address of the Control BD Ring */
netc_write(cbdr->regs.bar0, lower_32_bits(cbdr->dma_base_align));
@@ -98,7 +98,7 @@ static void ntmp_clean_cbdr(struct netc_cbdr *cbdr)
int i;
i = cbdr->next_to_clean;
- while (netc_read(cbdr->regs.cir) != i) {
+ while ((netc_read(cbdr->regs.cir) & NETC_CBDRCIR_INDEX) != i) {
cbd = ntmp_get_cbd(cbdr, i);
memset(cbd, 0, sizeof(*cbd));
i = (i + 1) % cbdr->bd_num;
@@ -135,12 +135,19 @@ static int netc_xmit_ntmp_cmd(struct ntmp_user *user, union netc_cbd *cbd)
cbdr->next_to_use = i;
netc_write(cbdr->regs.pir, i);
- err = read_poll_timeout_atomic(netc_read, val, val == i,
+ err = read_poll_timeout_atomic(netc_read, val,
+ (val & NETC_CBDRCIR_INDEX) == i,
NETC_CBDR_DELAY_US, NETC_CBDR_TIMEOUT,
true, cbdr->regs.cir);
if (unlikely(err))
goto cbdr_unlock;
+ if (unlikely(val & NETC_CBDRCIR_SBE)) {
+ dev_err(user->dev, "Command BD system bus error\n");
+ err = -EIO;
+ goto cbdr_unlock;
+ }
+
dma_rmb();
/* Get the writeback command BD, because the caller may need
* to check some other fields of the response header.
diff --git a/drivers/net/ethernet/freescale/enetc/ntmp_private.h b/drivers/net/ethernet/freescale/enetc/ntmp_private.h
index 34394e40fddd4..3459cc45b6103 100644
--- a/drivers/net/ethernet/freescale/enetc/ntmp_private.h
+++ b/drivers/net/ethernet/freescale/enetc/ntmp_private.h
@@ -12,6 +12,8 @@
#define NTMP_EID_REQ_LEN 8
#define NETC_CBDR_BD_NUM 256
+#define NETC_CBDRCIR_INDEX GENMASK(9, 0)
+#define NETC_CBDRCIR_SBE BIT(31)
union netc_cbd {
struct {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 626/957] net: enetc: fix NTMP DMA use-after-free issue
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (624 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 625/957] net: enetc: correct the command BD ring consumer index Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 627/957] smb: move smb_version_values to common/smbglob.h Greg Kroah-Hartman
` (336 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 3cade698881eb238f88cbbfec82acc2110440a3f ]
The AI-generated review reported a potential DMA use-after-free issue
[1]. If netc_xmit_ntmp_cmd() times out and returns an error, the pending
command is not explicitly aborted, while ntmp_free_data_mem()
unconditionally frees the DMA buffer. If the buffer has already been
reallocated elsewhere, this may lead to silent memory corruption. Because
the hardware eventually processes the pending command and perform a DMA
write of the response to the physical address of the freed buffer.
To resolve this issue, this patch does the following modifications:
1. Convert cbdr->ring_lock from a spinlock to a mutex
The lock was originally a spinlock in case NTMP operations might be
invoked from atomic context. After downstream support for all NTMP
tables, no such usage has materialized. A mutex lock is now required
because the driver now needs to reclaim used BDs and release associated
DMA memory within the lock's context, while dma_free_coherent() might
sleep.
2. Introduce software command BD (struct netc_swcbd)
The hardware write-back overwrites the addr and len fields of the BD,
so the driver cannot rely on the hardware BD to free the associated DMA
memory. The driver now maintains a software shadow BD storing the DMA
buffer pointer, DMA address, and size. And netc_xmit_ntmp_cmd() only
reclaims older BDs when the number of used BDs reaches
NETC_CBDR_CLEAN_WORK (16). The software BD enables correct DMA memory
release. With this, struct ntmp_dma_buf and ntmp_free_data_mem() are no
longer needed and are removed.
3. Require callers to hold ring_lock across netc_xmit_ntmp_cmd()
netc_xmit_ntmp_cmd() releases the ring_lock before the caller finishes
consuming the response. At this point, if a concurrent thread submits
a new command, it may trigger ntmp_clean_cbdr() and free the DMA buffer
while it is still in use. Move ring_lock ownership to the caller to
ensure the response buffer cannot be reclaimed prematurely. So the
helpers ntmp_select_and_lock_cbdr() and ntmp_unlock_cbdr() are added.
These changes eliminate the DMA use-after-free condition and ensure safe
and consistent BD reclamation and DMA buffer lifecycle management.
Fixes: 4701073c3deb ("net: enetc: add initial netc-lib driver to support NTMP")
Link: https://lore.kernel.org/netdev/20260403011729.1795413-1-kuba@kernel.org/ # [1]
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20260415060833.2303846-3-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/ntmp.c | 214 ++++++++++--------
.../ethernet/freescale/enetc/ntmp_private.h | 8 +-
include/linux/fsl/ntmp.h | 9 +-
3 files changed, 134 insertions(+), 97 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/ntmp.c b/drivers/net/ethernet/freescale/enetc/ntmp.c
index b188eb2d40c0d..70bbc5d2d5d42 100644
--- a/drivers/net/ethernet/freescale/enetc/ntmp.c
+++ b/drivers/net/ethernet/freescale/enetc/ntmp.c
@@ -7,6 +7,7 @@
#include <linux/dma-mapping.h>
#include <linux/fsl/netc_global.h>
#include <linux/iopoll.h>
+#include <linux/vmalloc.h>
#include "ntmp_private.h"
@@ -42,6 +43,12 @@ int ntmp_init_cbdr(struct netc_cbdr *cbdr, struct device *dev,
if (!cbdr->addr_base)
return -ENOMEM;
+ cbdr->swcbd = vcalloc(cbd_num, sizeof(struct netc_swcbd));
+ if (!cbdr->swcbd) {
+ dma_free_coherent(dev, size, cbdr->addr_base, cbdr->dma_base);
+ return -ENOMEM;
+ }
+
cbdr->dma_size = size;
cbdr->bd_num = cbd_num;
cbdr->regs = *regs;
@@ -52,7 +59,7 @@ int ntmp_init_cbdr(struct netc_cbdr *cbdr, struct device *dev,
cbdr->addr_base_align = PTR_ALIGN(cbdr->addr_base,
NTMP_BASE_ADDR_ALIGN);
- spin_lock_init(&cbdr->ring_lock);
+ mutex_init(&cbdr->ring_lock);
cbdr->next_to_use = netc_read(cbdr->regs.pir);
cbdr->next_to_clean = netc_read(cbdr->regs.cir) & NETC_CBDRCIR_INDEX;
@@ -71,10 +78,24 @@ int ntmp_init_cbdr(struct netc_cbdr *cbdr, struct device *dev,
}
EXPORT_SYMBOL_GPL(ntmp_init_cbdr);
+static void ntmp_free_data_mem(struct device *dev, struct netc_swcbd *swcbd)
+{
+ if (unlikely(!swcbd->buf))
+ return;
+
+ dma_free_coherent(dev, swcbd->size + NTMP_DATA_ADDR_ALIGN,
+ swcbd->buf, swcbd->dma);
+}
+
void ntmp_free_cbdr(struct netc_cbdr *cbdr)
{
/* Disable the Control BD Ring */
netc_write(cbdr->regs.mr, 0);
+
+ for (int i = 0; i < cbdr->bd_num; i++)
+ ntmp_free_data_mem(cbdr->dev, &cbdr->swcbd[i]);
+
+ vfree(cbdr->swcbd);
dma_free_coherent(cbdr->dev, cbdr->dma_size, cbdr->addr_base,
cbdr->dma_base);
memset(cbdr, 0, sizeof(*cbdr));
@@ -94,40 +115,59 @@ static union netc_cbd *ntmp_get_cbd(struct netc_cbdr *cbdr, int index)
static void ntmp_clean_cbdr(struct netc_cbdr *cbdr)
{
- union netc_cbd *cbd;
- int i;
+ int i = cbdr->next_to_clean;
- i = cbdr->next_to_clean;
while ((netc_read(cbdr->regs.cir) & NETC_CBDRCIR_INDEX) != i) {
- cbd = ntmp_get_cbd(cbdr, i);
+ union netc_cbd *cbd = ntmp_get_cbd(cbdr, i);
+ struct netc_swcbd *swcbd = &cbdr->swcbd[i];
+
+ ntmp_free_data_mem(cbdr->dev, swcbd);
+ memset(swcbd, 0, sizeof(*swcbd));
memset(cbd, 0, sizeof(*cbd));
i = (i + 1) % cbdr->bd_num;
}
+ dma_wmb();
cbdr->next_to_clean = i;
}
-static int netc_xmit_ntmp_cmd(struct ntmp_user *user, union netc_cbd *cbd)
+static void ntmp_select_and_lock_cbdr(struct ntmp_user *user,
+ struct netc_cbdr **cbdr)
+{
+ /* Currently only ENETC is supported, and it has only one command
+ * BD ring.
+ */
+ *cbdr = &user->ring[0];
+
+ mutex_lock(&(*cbdr)->ring_lock);
+}
+
+static void ntmp_unlock_cbdr(struct netc_cbdr *cbdr)
+{
+ mutex_unlock(&cbdr->ring_lock);
+}
+
+static int netc_xmit_ntmp_cmd(struct netc_cbdr *cbdr, union netc_cbd *cbd,
+ struct netc_swcbd *swcbd)
{
union netc_cbd *cur_cbd;
- struct netc_cbdr *cbdr;
- int i, err;
+ int i, err, used_bds;
u16 status;
u32 val;
- /* Currently only i.MX95 ENETC is supported, and it only has one
- * command BD ring
- */
- cbdr = &user->ring[0];
-
- spin_lock_bh(&cbdr->ring_lock);
-
- if (unlikely(!ntmp_get_free_cbd_num(cbdr)))
+ used_bds = cbdr->bd_num - ntmp_get_free_cbd_num(cbdr);
+ if (unlikely(used_bds >= NETC_CBDR_CLEAN_WORK)) {
ntmp_clean_cbdr(cbdr);
+ if (unlikely(!ntmp_get_free_cbd_num(cbdr))) {
+ ntmp_free_data_mem(cbdr->dev, swcbd);
+ return -EBUSY;
+ }
+ }
i = cbdr->next_to_use;
cur_cbd = ntmp_get_cbd(cbdr, i);
*cur_cbd = *cbd;
+ cbdr->swcbd[i] = *swcbd;
dma_wmb();
/* Update producer index of both software and hardware */
@@ -135,17 +175,16 @@ static int netc_xmit_ntmp_cmd(struct ntmp_user *user, union netc_cbd *cbd)
cbdr->next_to_use = i;
netc_write(cbdr->regs.pir, i);
- err = read_poll_timeout_atomic(netc_read, val,
- (val & NETC_CBDRCIR_INDEX) == i,
- NETC_CBDR_DELAY_US, NETC_CBDR_TIMEOUT,
- true, cbdr->regs.cir);
+ err = read_poll_timeout(netc_read, val,
+ (val & NETC_CBDRCIR_INDEX) == i,
+ NETC_CBDR_DELAY_US, NETC_CBDR_TIMEOUT,
+ true, cbdr->regs.cir);
if (unlikely(err))
- goto cbdr_unlock;
+ return err;
if (unlikely(val & NETC_CBDRCIR_SBE)) {
- dev_err(user->dev, "Command BD system bus error\n");
- err = -EIO;
- goto cbdr_unlock;
+ dev_err(cbdr->dev, "Command BD system bus error\n");
+ return -EIO;
}
dma_rmb();
@@ -157,40 +196,29 @@ static int netc_xmit_ntmp_cmd(struct ntmp_user *user, union netc_cbd *cbd)
/* Check the writeback error status */
status = le16_to_cpu(cbd->resp_hdr.error_rr) & NTMP_RESP_ERROR;
if (unlikely(status)) {
- err = -EIO;
- dev_err(user->dev, "Command BD error: 0x%04x\n", status);
+ dev_err(cbdr->dev, "Command BD error: 0x%04x\n", status);
+ return -EIO;
}
- ntmp_clean_cbdr(cbdr);
- dma_wmb();
-
-cbdr_unlock:
- spin_unlock_bh(&cbdr->ring_lock);
-
- return err;
+ return 0;
}
-static int ntmp_alloc_data_mem(struct ntmp_dma_buf *data, void **buf_align)
+static int ntmp_alloc_data_mem(struct device *dev, struct netc_swcbd *swcbd,
+ void **buf_align)
{
void *buf;
- buf = dma_alloc_coherent(data->dev, data->size + NTMP_DATA_ADDR_ALIGN,
- &data->dma, GFP_KERNEL);
+ buf = dma_alloc_coherent(dev, swcbd->size + NTMP_DATA_ADDR_ALIGN,
+ &swcbd->dma, GFP_KERNEL);
if (!buf)
return -ENOMEM;
- data->buf = buf;
+ swcbd->buf = buf;
*buf_align = PTR_ALIGN(buf, NTMP_DATA_ADDR_ALIGN);
return 0;
}
-static void ntmp_free_data_mem(struct ntmp_dma_buf *data)
-{
- dma_free_coherent(data->dev, data->size + NTMP_DATA_ADDR_ALIGN,
- data->buf, data->dma);
-}
-
static void ntmp_fill_request_hdr(union netc_cbd *cbd, dma_addr_t dma,
int len, int table_id, int cmd,
int access_method)
@@ -241,37 +269,39 @@ static int ntmp_delete_entry_by_id(struct ntmp_user *user, int tbl_id,
u8 tbl_ver, u32 entry_id, u32 req_len,
u32 resp_len)
{
- struct ntmp_dma_buf data = {
- .dev = user->dev,
+ struct netc_swcbd swcbd = {
.size = max(req_len, resp_len),
};
struct ntmp_req_by_eid *req;
+ struct netc_cbdr *cbdr;
union netc_cbd cbd;
int err;
- err = ntmp_alloc_data_mem(&data, (void **)&req);
+ err = ntmp_alloc_data_mem(user->dev, &swcbd, (void **)&req);
if (err)
return err;
ntmp_fill_crd_eid(req, tbl_ver, 0, 0, entry_id);
- ntmp_fill_request_hdr(&cbd, data.dma, NTMP_LEN(req_len, resp_len),
+ ntmp_fill_request_hdr(&cbd, swcbd.dma, NTMP_LEN(req_len, resp_len),
tbl_id, NTMP_CMD_DELETE, NTMP_AM_ENTRY_ID);
- err = netc_xmit_ntmp_cmd(user, &cbd);
+ ntmp_select_and_lock_cbdr(user, &cbdr);
+ err = netc_xmit_ntmp_cmd(cbdr, &cbd, &swcbd);
if (err)
dev_err(user->dev,
"Failed to delete entry 0x%x of %s, err: %pe",
entry_id, ntmp_table_name(tbl_id), ERR_PTR(err));
-
- ntmp_free_data_mem(&data);
+ ntmp_unlock_cbdr(cbdr);
return err;
}
-static int ntmp_query_entry_by_id(struct ntmp_user *user, int tbl_id,
- u32 len, struct ntmp_req_by_eid *req,
- dma_addr_t dma, bool compare_eid)
+static int ntmp_query_entry_by_id(struct netc_cbdr *cbdr, int tbl_id,
+ struct ntmp_req_by_eid *req,
+ struct netc_swcbd *swcbd,
+ bool compare_eid)
{
+ u32 len = NTMP_LEN(sizeof(*req), swcbd->size);
struct ntmp_cmn_resp_query *resp;
int cmd = NTMP_CMD_QUERY;
union netc_cbd cbd;
@@ -283,10 +313,11 @@ static int ntmp_query_entry_by_id(struct ntmp_user *user, int tbl_id,
cmd = NTMP_CMD_QU;
/* Request header */
- ntmp_fill_request_hdr(&cbd, dma, len, tbl_id, cmd, NTMP_AM_ENTRY_ID);
- err = netc_xmit_ntmp_cmd(user, &cbd);
+ ntmp_fill_request_hdr(&cbd, swcbd->dma, len, tbl_id, cmd,
+ NTMP_AM_ENTRY_ID);
+ err = netc_xmit_ntmp_cmd(cbdr, &cbd, swcbd);
if (err) {
- dev_err(user->dev,
+ dev_err(cbdr->dev,
"Failed to query entry 0x%x of %s, err: %pe\n",
entry_id, ntmp_table_name(tbl_id), ERR_PTR(err));
return err;
@@ -300,7 +331,7 @@ static int ntmp_query_entry_by_id(struct ntmp_user *user, int tbl_id,
resp = (struct ntmp_cmn_resp_query *)req;
if (unlikely(le32_to_cpu(resp->entry_id) != entry_id)) {
- dev_err(user->dev,
+ dev_err(cbdr->dev,
"%s: query EID 0x%x doesn't match response EID 0x%x\n",
ntmp_table_name(tbl_id), entry_id, le32_to_cpu(resp->entry_id));
return -EIO;
@@ -312,15 +343,15 @@ static int ntmp_query_entry_by_id(struct ntmp_user *user, int tbl_id,
int ntmp_maft_add_entry(struct ntmp_user *user, u32 entry_id,
struct maft_entry_data *maft)
{
- struct ntmp_dma_buf data = {
- .dev = user->dev,
+ struct netc_swcbd swcbd = {
.size = sizeof(struct maft_req_add),
};
struct maft_req_add *req;
+ struct netc_cbdr *cbdr;
union netc_cbd cbd;
int err;
- err = ntmp_alloc_data_mem(&data, (void **)&req);
+ err = ntmp_alloc_data_mem(user->dev, &swcbd, (void **)&req);
if (err)
return err;
@@ -329,14 +360,15 @@ int ntmp_maft_add_entry(struct ntmp_user *user, u32 entry_id,
req->keye = maft->keye;
req->cfge = maft->cfge;
- ntmp_fill_request_hdr(&cbd, data.dma, NTMP_LEN(data.size, 0),
+ ntmp_fill_request_hdr(&cbd, swcbd.dma, NTMP_LEN(swcbd.size, 0),
NTMP_MAFT_ID, NTMP_CMD_ADD, NTMP_AM_ENTRY_ID);
- err = netc_xmit_ntmp_cmd(user, &cbd);
+
+ ntmp_select_and_lock_cbdr(user, &cbdr);
+ err = netc_xmit_ntmp_cmd(cbdr, &cbd, &swcbd);
if (err)
dev_err(user->dev, "Failed to add MAFT entry 0x%x, err: %pe\n",
entry_id, ERR_PTR(err));
-
- ntmp_free_data_mem(&data);
+ ntmp_unlock_cbdr(cbdr);
return err;
}
@@ -345,31 +377,31 @@ EXPORT_SYMBOL_GPL(ntmp_maft_add_entry);
int ntmp_maft_query_entry(struct ntmp_user *user, u32 entry_id,
struct maft_entry_data *maft)
{
- struct ntmp_dma_buf data = {
- .dev = user->dev,
+ struct netc_swcbd swcbd = {
.size = sizeof(struct maft_resp_query),
};
struct maft_resp_query *resp;
struct ntmp_req_by_eid *req;
+ struct netc_cbdr *cbdr;
int err;
- err = ntmp_alloc_data_mem(&data, (void **)&req);
+ err = ntmp_alloc_data_mem(user->dev, &swcbd, (void **)&req);
if (err)
return err;
ntmp_fill_crd_eid(req, user->tbl.maft_ver, 0, 0, entry_id);
- err = ntmp_query_entry_by_id(user, NTMP_MAFT_ID,
- NTMP_LEN(sizeof(*req), data.size),
- req, data.dma, true);
+
+ ntmp_select_and_lock_cbdr(user, &cbdr);
+ err = ntmp_query_entry_by_id(cbdr, NTMP_MAFT_ID, req, &swcbd, true);
if (err)
- goto end;
+ goto unlock_cbdr;
resp = (struct maft_resp_query *)req;
maft->keye = resp->keye;
maft->cfge = resp->cfge;
-end:
- ntmp_free_data_mem(&data);
+unlock_cbdr:
+ ntmp_unlock_cbdr(cbdr);
return err;
}
@@ -385,8 +417,9 @@ EXPORT_SYMBOL_GPL(ntmp_maft_delete_entry);
int ntmp_rsst_update_entry(struct ntmp_user *user, const u32 *table,
int count)
{
- struct ntmp_dma_buf data = {.dev = user->dev};
struct rsst_req_update *req;
+ struct netc_swcbd swcbd;
+ struct netc_cbdr *cbdr;
union netc_cbd cbd;
int err, i;
@@ -394,8 +427,8 @@ int ntmp_rsst_update_entry(struct ntmp_user *user, const u32 *table,
/* HW only takes in a full 64 entry table */
return -EINVAL;
- data.size = struct_size(req, groups, count);
- err = ntmp_alloc_data_mem(&data, (void **)&req);
+ swcbd.size = struct_size(req, groups, count);
+ err = ntmp_alloc_data_mem(user->dev, &swcbd, (void **)&req);
if (err)
return err;
@@ -405,15 +438,15 @@ int ntmp_rsst_update_entry(struct ntmp_user *user, const u32 *table,
for (i = 0; i < count; i++)
req->groups[i] = (u8)(table[i]);
- ntmp_fill_request_hdr(&cbd, data.dma, NTMP_LEN(data.size, 0),
+ ntmp_fill_request_hdr(&cbd, swcbd.dma, NTMP_LEN(swcbd.size, 0),
NTMP_RSST_ID, NTMP_CMD_UPDATE, NTMP_AM_ENTRY_ID);
- err = netc_xmit_ntmp_cmd(user, &cbd);
+ ntmp_select_and_lock_cbdr(user, &cbdr);
+ err = netc_xmit_ntmp_cmd(cbdr, &cbd, &swcbd);
if (err)
dev_err(user->dev, "Failed to update RSST entry, err: %pe\n",
ERR_PTR(err));
-
- ntmp_free_data_mem(&data);
+ ntmp_unlock_cbdr(cbdr);
return err;
}
@@ -421,8 +454,9 @@ EXPORT_SYMBOL_GPL(ntmp_rsst_update_entry);
int ntmp_rsst_query_entry(struct ntmp_user *user, u32 *table, int count)
{
- struct ntmp_dma_buf data = {.dev = user->dev};
struct ntmp_req_by_eid *req;
+ struct netc_swcbd swcbd;
+ struct netc_cbdr *cbdr;
union netc_cbd cbd;
int err, i;
u8 *group;
@@ -431,21 +465,23 @@ int ntmp_rsst_query_entry(struct ntmp_user *user, u32 *table, int count)
/* HW only takes in a full 64 entry table */
return -EINVAL;
- data.size = NTMP_ENTRY_ID_SIZE + RSST_STSE_DATA_SIZE(count) +
- RSST_CFGE_DATA_SIZE(count);
- err = ntmp_alloc_data_mem(&data, (void **)&req);
+ swcbd.size = NTMP_ENTRY_ID_SIZE + RSST_STSE_DATA_SIZE(count) +
+ RSST_CFGE_DATA_SIZE(count);
+ err = ntmp_alloc_data_mem(user->dev, &swcbd, (void **)&req);
if (err)
return err;
/* Set the request data buffer */
ntmp_fill_crd_eid(req, user->tbl.rsst_ver, 0, 0, 0);
- ntmp_fill_request_hdr(&cbd, data.dma, NTMP_LEN(sizeof(*req), data.size),
+ ntmp_fill_request_hdr(&cbd, swcbd.dma, NTMP_LEN(sizeof(*req), swcbd.size),
NTMP_RSST_ID, NTMP_CMD_QUERY, NTMP_AM_ENTRY_ID);
- err = netc_xmit_ntmp_cmd(user, &cbd);
+
+ ntmp_select_and_lock_cbdr(user, &cbdr);
+ err = netc_xmit_ntmp_cmd(cbdr, &cbd, &swcbd);
if (err) {
dev_err(user->dev, "Failed to query RSST entry, err: %pe\n",
ERR_PTR(err));
- goto end;
+ goto unlock_cbdr;
}
group = (u8 *)req;
@@ -453,8 +489,8 @@ int ntmp_rsst_query_entry(struct ntmp_user *user, u32 *table, int count)
for (i = 0; i < count; i++)
table[i] = group[i];
-end:
- ntmp_free_data_mem(&data);
+unlock_cbdr:
+ ntmp_unlock_cbdr(cbdr);
return err;
}
diff --git a/drivers/net/ethernet/freescale/enetc/ntmp_private.h b/drivers/net/ethernet/freescale/enetc/ntmp_private.h
index 3459cc45b6103..f8dff3ba2c28a 100644
--- a/drivers/net/ethernet/freescale/enetc/ntmp_private.h
+++ b/drivers/net/ethernet/freescale/enetc/ntmp_private.h
@@ -14,6 +14,7 @@
#define NETC_CBDR_BD_NUM 256
#define NETC_CBDRCIR_INDEX GENMASK(9, 0)
#define NETC_CBDRCIR_SBE BIT(31)
+#define NETC_CBDR_CLEAN_WORK 16
union netc_cbd {
struct {
@@ -56,13 +57,6 @@ union netc_cbd {
} resp_hdr; /* NTMP Response Message Header Format */
};
-struct ntmp_dma_buf {
- struct device *dev;
- size_t size;
- void *buf;
- dma_addr_t dma;
-};
-
struct ntmp_cmn_req_data {
__le16 update_act;
u8 dbg_opt;
diff --git a/include/linux/fsl/ntmp.h b/include/linux/fsl/ntmp.h
index 916dc4fe7de3b..83a449b4d6ec4 100644
--- a/include/linux/fsl/ntmp.h
+++ b/include/linux/fsl/ntmp.h
@@ -31,6 +31,12 @@ struct netc_tbl_vers {
u8 rsst_ver;
};
+struct netc_swcbd {
+ void *buf;
+ dma_addr_t dma;
+ size_t size;
+};
+
struct netc_cbdr {
struct device *dev;
struct netc_cbdr_regs regs;
@@ -44,9 +50,10 @@ struct netc_cbdr {
void *addr_base_align;
dma_addr_t dma_base;
dma_addr_t dma_base_align;
+ struct netc_swcbd *swcbd;
/* Serialize the order of command BD ring */
- spinlock_t ring_lock;
+ struct mutex ring_lock;
};
struct ntmp_user {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 627/957] smb: move smb_version_values to common/smbglob.h
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (625 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 626/957] net: enetc: fix NTMP DMA use-after-free issue Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 628/957] ksmbd: fix use-after-free in smb2_open during durable reconnect Greg Kroah-Hartman
` (335 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, ZhangGuoDong,
Namjae Jeon, Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhangGuoDong <zhangguodong@kylinos.cn>
[ Upstream commit 34cf191bb6a349dc88ec2c4f6355fe006ac669e0 ]
Merge the struct members of the server and the client:
- req_capabilities: from client
- header_preamble_size: from client
- cap_unicode: from client
- capabilities: from server, rename to req_capabilities
- max_read_size: from server
- max_write_size: from server
- max_trans_size: from server
- max_credits: from server
- create_durable_size: from server
- create_durable_v2_size: from server
- create_mxac_size: from server
- create_disk_id_size: from server
- create_posix_size: from server
Then move duplicate definitions to common header file.
Co-developed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: ZhangGuoDong <zhangguodong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Stable-dep-of: 1baff47b81f9 ("ksmbd: fix use-after-free in smb2_open during durable reconnect")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/cifsglob.h | 22 ----------------------
fs/smb/common/cifsglob.h | 31 +++++++++++++++++++++++++++++++
fs/smb/server/smb2misc.c | 2 +-
fs/smb/server/smb2ops.c | 32 ++++++++++++++++----------------
fs/smb/server/smb2pdu.c | 10 +++++-----
fs/smb/server/smb_common.h | 29 -----------------------------
6 files changed, 53 insertions(+), 73 deletions(-)
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
index 3059fcf12ed13..69deb29502a8c 100644
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -634,28 +634,6 @@ struct smb_version_operations {
struct kvec *xattr_iov);
};
-struct smb_version_values {
- char *version_string;
- __u16 protocol_id;
- __u32 req_capabilities;
- __u32 large_lock_type;
- __u32 exclusive_lock_type;
- __u32 shared_lock_type;
- __u32 unlock_lock_type;
- size_t header_preamble_size;
- size_t header_size;
- size_t max_header_size;
- size_t read_rsp_size;
- __le16 lock_cmd;
- unsigned int cap_unix;
- unsigned int cap_nt_find;
- unsigned int cap_large_files;
- unsigned int cap_unicode;
- __u16 signing_enabled;
- __u16 signing_required;
- size_t create_lease_size;
-};
-
#define HEADER_SIZE(server) (server->vals->header_size)
#define MAX_HEADER_SIZE(server) (server->vals->max_header_size)
#define HEADER_PREAMBLE_SIZE(server) (server->vals->header_preamble_size)
diff --git a/fs/smb/common/cifsglob.h b/fs/smb/common/cifsglob.h
index 00fd215e3eb54..eda5e666a7617 100644
--- a/fs/smb/common/cifsglob.h
+++ b/fs/smb/common/cifsglob.h
@@ -9,6 +9,37 @@
#ifndef _COMMON_CIFS_GLOB_H
#define _COMMON_CIFS_GLOB_H
+struct smb_version_values {
+ char *version_string;
+ __u16 protocol_id;
+ __le16 lock_cmd;
+ __u32 req_capabilities;
+ __u32 max_read_size;
+ __u32 max_write_size;
+ __u32 max_trans_size;
+ __u32 max_credits;
+ __u32 large_lock_type;
+ __u32 exclusive_lock_type;
+ __u32 shared_lock_type;
+ __u32 unlock_lock_type;
+ size_t header_preamble_size;
+ size_t header_size;
+ size_t max_header_size;
+ size_t read_rsp_size;
+ unsigned int cap_unix;
+ unsigned int cap_nt_find;
+ unsigned int cap_large_files;
+ unsigned int cap_unicode;
+ __u16 signing_enabled;
+ __u16 signing_required;
+ size_t create_lease_size;
+ size_t create_durable_size;
+ size_t create_durable_v2_size;
+ size_t create_mxac_size;
+ size_t create_disk_id_size;
+ size_t create_posix_size;
+};
+
static inline void inc_rfc1001_len(void *buf, int count)
{
be32_add_cpu((__be32 *)buf, count);
diff --git a/fs/smb/server/smb2misc.c b/fs/smb/server/smb2misc.c
index ae501024665e1..67a2d7a793f6e 100644
--- a/fs/smb/server/smb2misc.c
+++ b/fs/smb/server/smb2misc.c
@@ -460,7 +460,7 @@ int ksmbd_smb2_check_message(struct ksmbd_work *work)
}
validate_credit:
- if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
+ if ((work->conn->vals->req_capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) &&
smb2_validate_credit_charge(work->conn, hdr))
return 1;
diff --git a/fs/smb/server/smb2ops.c b/fs/smb/server/smb2ops.c
index 606aa3c5189a2..bcf05caa2304d 100644
--- a/fs/smb/server/smb2ops.c
+++ b/fs/smb/server/smb2ops.c
@@ -15,7 +15,7 @@
static struct smb_version_values smb21_server_values = {
.version_string = SMB21_VERSION_STRING,
.protocol_id = SMB21_PROT_ID,
- .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .req_capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
.max_read_size = SMB21_DEFAULT_IOSIZE,
.max_write_size = SMB21_DEFAULT_IOSIZE,
.max_trans_size = SMB21_DEFAULT_IOSIZE,
@@ -41,7 +41,7 @@ static struct smb_version_values smb21_server_values = {
static struct smb_version_values smb30_server_values = {
.version_string = SMB30_VERSION_STRING,
.protocol_id = SMB30_PROT_ID,
- .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .req_capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
.max_read_size = SMB3_DEFAULT_IOSIZE,
.max_write_size = SMB3_DEFAULT_IOSIZE,
.max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
@@ -68,7 +68,7 @@ static struct smb_version_values smb30_server_values = {
static struct smb_version_values smb302_server_values = {
.version_string = SMB302_VERSION_STRING,
.protocol_id = SMB302_PROT_ID,
- .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .req_capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
.max_read_size = SMB3_DEFAULT_IOSIZE,
.max_write_size = SMB3_DEFAULT_IOSIZE,
.max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
@@ -95,7 +95,7 @@ static struct smb_version_values smb302_server_values = {
static struct smb_version_values smb311_server_values = {
.version_string = SMB311_VERSION_STRING,
.protocol_id = SMB311_PROT_ID,
- .capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
+ .req_capabilities = SMB2_GLOBAL_CAP_LARGE_MTU,
.max_read_size = SMB3_DEFAULT_IOSIZE,
.max_write_size = SMB3_DEFAULT_IOSIZE,
.max_trans_size = SMB3_DEFAULT_TRANS_SIZE,
@@ -204,7 +204,7 @@ void init_smb2_1_server(struct ksmbd_conn *conn)
conn->signing_algorithm = SIGNING_ALG_HMAC_SHA256_LE;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_LEASING;
}
/**
@@ -221,20 +221,20 @@ void init_smb3_0_server(struct ksmbd_conn *conn)
conn->signing_algorithm = SIGNING_ALG_AES_CMAC_LE;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_LEASING |
SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION &&
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
(!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
}
/**
@@ -251,19 +251,19 @@ void init_smb3_02_server(struct ksmbd_conn *conn)
conn->signing_algorithm = SIGNING_ALG_AES_CMAC_LE;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_LEASING |
SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
(!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_PERSISTENT_HANDLES;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_PERSISTENT_HANDLES;
}
/**
@@ -280,14 +280,14 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
conn->signing_algorithm = SIGNING_ALG_AES_CMAC_LE;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_LEASES)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_LEASING |
SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
if (server_conf.flags & KSMBD_GLOBAL_FLAG_DURABLE_HANDLE)
- conn->vals->capabilities |= SMB2_GLOBAL_CAP_PERSISTENT_HANDLES;
+ conn->vals->req_capabilities |= SMB2_GLOBAL_CAP_PERSISTENT_HANDLES;
INIT_LIST_HEAD(&conn->preauth_sess_table);
return 0;
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 006b386cf9122..16ea123f61223 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -291,7 +291,7 @@ int init_smb2_neg_rsp(struct ksmbd_work *work)
/* Not setting conn guid rsp->ServerGUID, as it
* not used by client for identifying connection
*/
- rsp->Capabilities = cpu_to_le32(conn->vals->capabilities);
+ rsp->Capabilities = cpu_to_le32(conn->vals->req_capabilities);
/* Default Max Message Size till SMB2.0, 64K*/
rsp->MaxTransactSize = cpu_to_le32(conn->vals->max_trans_size);
rsp->MaxReadSize = cpu_to_le32(conn->vals->max_read_size);
@@ -965,7 +965,7 @@ bool smb3_encryption_negotiated(struct ksmbd_conn *conn)
* SMB 3.0 and 3.0.2 dialects use the SMB2_GLOBAL_CAP_ENCRYPTION flag.
* SMB 3.1.1 uses the cipher_type field.
*/
- return (conn->vals->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) ||
+ return (conn->vals->req_capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) ||
conn->cipher_type;
}
@@ -1219,7 +1219,7 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
rc = -EINVAL;
goto err_out;
}
- rsp->Capabilities = cpu_to_le32(conn->vals->capabilities);
+ rsp->Capabilities = cpu_to_le32(conn->vals->req_capabilities);
/* For stats */
conn->connection_type = conn->dialect;
@@ -3505,7 +3505,7 @@ int smb2_open(struct ksmbd_work *work)
share_ret = ksmbd_smb_check_shared_mode(fp->filp, fp);
if (!test_share_config_flag(work->tcon->share_conf, KSMBD_SHARE_FLAG_OPLOCKS) ||
(req_op_level == SMB2_OPLOCK_LEVEL_LEASE &&
- !(conn->vals->capabilities & SMB2_GLOBAL_CAP_LEASING))) {
+ !(conn->vals->req_capabilities & SMB2_GLOBAL_CAP_LEASING))) {
if (share_ret < 0 && !S_ISDIR(file_inode(fp->filp)->i_mode)) {
rc = share_ret;
goto err_out1;
@@ -8100,7 +8100,7 @@ static int fsctl_validate_negotiate_info(struct ksmbd_conn *conn,
goto err_out;
}
- neg_rsp->Capabilities = cpu_to_le32(conn->vals->capabilities);
+ neg_rsp->Capabilities = cpu_to_le32(conn->vals->req_capabilities);
memset(neg_rsp->Guid, 0, SMB2_CLIENT_GUID_SIZE);
neg_rsp->SecurityMode = cpu_to_le16(conn->srv_sec_mode);
neg_rsp->Dialect = cpu_to_le16(conn->dialect);
diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h
index 863716207a0de..dac783b46545d 100644
--- a/fs/smb/server/smb_common.h
+++ b/fs/smb/server/smb_common.h
@@ -338,35 +338,6 @@ struct file_id_full_dir_info {
char FileName[];
} __packed; /* level 0x105 FF rsp data */
-struct smb_version_values {
- char *version_string;
- __u16 protocol_id;
- __le16 lock_cmd;
- __u32 capabilities;
- __u32 max_read_size;
- __u32 max_write_size;
- __u32 max_trans_size;
- __u32 max_credits;
- __u32 large_lock_type;
- __u32 exclusive_lock_type;
- __u32 shared_lock_type;
- __u32 unlock_lock_type;
- size_t header_size;
- size_t max_header_size;
- size_t read_rsp_size;
- unsigned int cap_unix;
- unsigned int cap_nt_find;
- unsigned int cap_large_files;
- __u16 signing_enabled;
- __u16 signing_required;
- size_t create_lease_size;
- size_t create_durable_size;
- size_t create_durable_v2_size;
- size_t create_mxac_size;
- size_t create_disk_id_size;
- size_t create_posix_size;
-};
-
struct filesystem_posix_info {
/* For undefined recommended transfer size return -1 in that field */
__le32 OptimalTransferSize; /* bsize on some os, iosize on other os */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 628/957] ksmbd: fix use-after-free in smb2_open during durable reconnect
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (626 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 627/957] smb: move smb_version_values to common/smbglob.h Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 629/957] tcp: move tp->chrono_type next tp->chrono_stat[] Greg Kroah-Hartman
` (334 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akif, Namjae Jeon, Steve French,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akif <akif.sait111@gmail.com>
[ Upstream commit 1baff47b81f94f9231c91236aa511420d0e266b9 ]
In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference
to the durable file descriptor early during the durable reconnect
process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails)
or a scavenger accesses the file, it leads to a use-after-free when
accessing fp properties (eg fp->create_time).
Move the single put to the end of the function below err_out2 so fp
stays valid until smb2_open returns.
Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: Akif <akif.sait111@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 16ea123f61223..4bfbfe53aa4eb 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -3024,29 +3024,23 @@ int smb2_open(struct ksmbd_work *work)
if (dh_info.reconnected == true) {
rc = smb2_check_durable_oplock(conn, share, dh_info.fp,
lc, sess->user, name);
- if (rc) {
- ksmbd_put_durable_fd(dh_info.fp);
+ if (rc)
goto err_out2;
- }
rc = ksmbd_reopen_durable_fd(work, dh_info.fp);
- if (rc) {
- ksmbd_put_durable_fd(dh_info.fp);
+ if (rc)
goto err_out2;
- }
fp = dh_info.fp;
if (ksmbd_override_fsids(work)) {
rc = -ENOMEM;
- ksmbd_put_durable_fd(dh_info.fp);
goto err_out2;
}
file_info = FILE_OPENED;
rc = ksmbd_vfs_getattr(&fp->filp->f_path, &stat);
- ksmbd_put_durable_fd(fp);
if (rc)
goto err_out2;
@@ -3816,6 +3810,9 @@ int smb2_open(struct ksmbd_work *work)
ksmbd_debug(SMB, "Error response: %x\n", rsp->hdr.Status);
}
+ if (dh_info.reconnected)
+ ksmbd_put_durable_fd(dh_info.fp);
+
kfree(name);
kfree(lc);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 629/957] tcp: move tp->chrono_type next tp->chrono_stat[]
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (627 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 628/957] ksmbd: fix use-after-free in smb2_open during durable reconnect Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 630/957] tcp: inline tcp_chrono_start() Greg Kroah-Hartman
` (333 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Neal Cardwell,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 4b78c9cbd8f1fbb9517aee48b372646f4cf05442 ]
chrono_type is currently in tcp_sock_read_txrx group, which
is supposed to hold read-mostly fields.
But chrono_type is mostly written in tx path, it should
be moved to tcp_sock_write_tx group, close to other
chrono fields (chrono_stat[], chrono_start).
Note this adds holes, but data locality is far more important.
Use a full u8 for the time being, compiler can generate
more efficient code.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Link: https://patch.msgid.link/20260308122302.2895067-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 267bf3cf9a6f ("tcp: annotate data-races in tcp_get_info_chrono_stats()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/tcp.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index 20b8c6e21fef3..8e1266cf8ef69 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -231,8 +231,7 @@ struct tcp_sock {
u32 sacked_out; /* SACK'd packets */
u16 tcp_header_len; /* Bytes of tcp header to send */
u8 scaling_ratio; /* see tcp_win_from_space() */
- u8 chrono_type : 2, /* current chronograph type */
- repair : 1,
+ u8 repair : 1,
tcp_usec_ts : 1, /* TSval values in usec */
is_sack_reneg:1, /* in recovery from loss with SACK reneg? */
is_cwnd_limited:1,/* forward progress limited by snd_cwnd? */
@@ -267,6 +266,7 @@ struct tcp_sock {
* total number of data bytes sent.
*/
u32 snd_sml; /* Last byte of the most recently transmitted small packet */
+ u8 chrono_type; /* current chronograph type */
u32 chrono_start; /* Start time in jiffies of a TCP chrono */
u32 chrono_stat[3]; /* Time in jiffies for chrono_stat stats */
u32 write_seq; /* Tail(+1) of data held in tcp send buffer */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 630/957] tcp: inline tcp_chrono_start()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (628 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 629/957] tcp: move tp->chrono_type next tp->chrono_stat[] Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 631/957] tcp: annotate data-races in tcp_get_info_chrono_stats() Greg Kroah-Hartman
` (332 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Neal Cardwell,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d6d4ff335db2d9242937ca474d292010acd35c38 ]
tcp_chrono_start() is small enough, and used in TCP sendmsg()
fast path (from tcp_skb_entail()).
Note clang is already inlining it from functions in tcp_output.c.
Inlining it improves performance and reduces bloat :
$ scripts/bloat-o-meter -t vmlinux.old vmlinux.new
add/remove: 0/2 grow/shrink: 1/0 up/down: 1/-84 (-83)
Function old new delta
tcp_skb_entail 280 281 +1
__pfx_tcp_chrono_start 16 - -16
tcp_chrono_start 68 - -68
Total: Before=25192434, After=25192351, chg -0.00%
Note that tcp_chrono_stop() is too big.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Link: https://patch.msgid.link/20260308123549.2924460-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 267bf3cf9a6f ("tcp: annotate data-races in tcp_get_info_chrono_stats()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tcp.h | 25 ++++++++++++++++++++++++-
net/ipv4/tcp_output.c | 24 ------------------------
2 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 7647ed5c732c1..6805961726dc1 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2124,7 +2124,30 @@ enum tcp_chrono {
__TCP_CHRONO_MAX,
};
-void tcp_chrono_start(struct sock *sk, const enum tcp_chrono type);
+static inline void tcp_chrono_set(struct tcp_sock *tp, const enum tcp_chrono new)
+{
+ const u32 now = tcp_jiffies32;
+ enum tcp_chrono old = tp->chrono_type;
+
+ if (old > TCP_CHRONO_UNSPEC)
+ tp->chrono_stat[old - 1] += now - tp->chrono_start;
+ tp->chrono_start = now;
+ tp->chrono_type = new;
+}
+
+static inline void tcp_chrono_start(struct sock *sk, const enum tcp_chrono type)
+{
+ struct tcp_sock *tp = tcp_sk(sk);
+
+ /* If there are multiple conditions worthy of tracking in a
+ * chronograph then the highest priority enum takes precedence
+ * over the other conditions. So that if something "more interesting"
+ * starts happening, stop the previous chrono and start a new one.
+ */
+ if (type > tp->chrono_type)
+ tcp_chrono_set(tp, type);
+}
+
void tcp_chrono_stop(struct sock *sk, const enum tcp_chrono type);
/* This helper is needed, because skb->tcp_tsorted_anchor uses
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b94efb3050d2f..b00bd5044b322 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2813,30 +2813,6 @@ static bool tcp_small_queue_check(struct sock *sk, const struct sk_buff *skb,
return false;
}
-static void tcp_chrono_set(struct tcp_sock *tp, const enum tcp_chrono new)
-{
- const u32 now = tcp_jiffies32;
- enum tcp_chrono old = tp->chrono_type;
-
- if (old > TCP_CHRONO_UNSPEC)
- tp->chrono_stat[old - 1] += now - tp->chrono_start;
- tp->chrono_start = now;
- tp->chrono_type = new;
-}
-
-void tcp_chrono_start(struct sock *sk, const enum tcp_chrono type)
-{
- struct tcp_sock *tp = tcp_sk(sk);
-
- /* If there are multiple conditions worthy of tracking in a
- * chronograph then the highest priority enum takes precedence
- * over the other conditions. So that if something "more interesting"
- * starts happening, stop the previous chrono and start a new one.
- */
- if (type > tp->chrono_type)
- tcp_chrono_set(tp, type);
-}
-
void tcp_chrono_stop(struct sock *sk, const enum tcp_chrono type)
{
struct tcp_sock *tp = tcp_sk(sk);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 631/957] tcp: annotate data-races in tcp_get_info_chrono_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (629 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 630/957] tcp: inline tcp_chrono_start() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 632/957] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
` (331 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 267bf3cf9a6f0ffb98b8afd983c1950e835f07c9 ]
tcp_get_timestamping_opt_stats() does not own the socket lock,
this is intentional.
It calls tcp_get_info_chrono_stats() while other threads could
change chrono fields in tcp_chrono_set().
I do not think we need coherent TCP socket state snapshot
in tcp_get_timestamping_opt_stats(), I chose to only
add annotations to keep KCSAN happy.
Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tcp.h | 10 +++++++---
net/ipv4/tcp.c | 14 ++++++++++----
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 6805961726dc1..236d9e0d35ed7 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2129,10 +2129,14 @@ static inline void tcp_chrono_set(struct tcp_sock *tp, const enum tcp_chrono new
const u32 now = tcp_jiffies32;
enum tcp_chrono old = tp->chrono_type;
+ /* Following WRITE_ONCE()s pair with READ_ONCE()s in
+ * tcp_get_info_chrono_stats().
+ */
if (old > TCP_CHRONO_UNSPEC)
- tp->chrono_stat[old - 1] += now - tp->chrono_start;
- tp->chrono_start = now;
- tp->chrono_type = new;
+ WRITE_ONCE(tp->chrono_stat[old - 1],
+ tp->chrono_stat[old - 1] + now - tp->chrono_start);
+ WRITE_ONCE(tp->chrono_start, now);
+ WRITE_ONCE(tp->chrono_type, new);
}
static inline void tcp_chrono_start(struct sock *sk, const enum tcp_chrono type)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 94e029c70247d..a33641b9ed7e4 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4151,12 +4151,18 @@ static void tcp_get_info_chrono_stats(const struct tcp_sock *tp,
struct tcp_info *info)
{
u64 stats[__TCP_CHRONO_MAX], total = 0;
- enum tcp_chrono i;
+ enum tcp_chrono i, cur;
+ /* Following READ_ONCE()s pair with WRITE_ONCE()s in tcp_chrono_set().
+ * This is because socket lock might not be owned by us at this point.
+ * This is best effort, tcp_get_timestamping_opt_stats() can
+ * see wrong values. A real fix would be too costly for TCP fast path.
+ */
+ cur = READ_ONCE(tp->chrono_type);
for (i = TCP_CHRONO_BUSY; i < __TCP_CHRONO_MAX; ++i) {
- stats[i] = tp->chrono_stat[i - 1];
- if (i == tp->chrono_type)
- stats[i] += tcp_jiffies32 - tp->chrono_start;
+ stats[i] = READ_ONCE(tp->chrono_stat[i - 1]);
+ if (i == cur)
+ stats[i] += tcp_jiffies32 - READ_ONCE(tp->chrono_start);
stats[i] *= USEC_PER_SEC / HZ;
total += stats[i];
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 632/957] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (630 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 631/957] tcp: annotate data-races in tcp_get_info_chrono_stats() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 633/957] tcp: add data-races annotations around tp->reordering, tp->snd_cwnd Greg Kroah-Hartman
` (330 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 21e92a38cfd891538598ba8f805e0165a820d532 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7e98102f4897 ("tcp: record pkts sent and retransmistted")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_output.c | 8 +++++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index a33641b9ed7e4..4695b03f866f8 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4386,9 +4386,9 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_SNDBUF_LIMITED,
info.tcpi_sndbuf_limited, TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_DATA_SEGS_OUT,
- tp->data_segs_out, TCP_NLA_PAD);
+ READ_ONCE(tp->data_segs_out), TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_TOTAL_RETRANS,
- tp->total_retrans, TCP_NLA_PAD);
+ READ_ONCE(tp->total_retrans), TCP_NLA_PAD);
rate = READ_ONCE(sk->sk_pacing_rate);
rate64 = (rate != ~0UL) ? rate : ~0ULL;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b00bd5044b322..c4cf76f71520f 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1603,7 +1603,8 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
if (skb->len != tcp_header_size) {
tcp_event_data_sent(tp, sk);
- tp->data_segs_out += tcp_skb_pcount(skb);
+ WRITE_ONCE(tp->data_segs_out,
+ tp->data_segs_out + tcp_skb_pcount(skb));
tp->bytes_sent += skb->len - tcp_header_size;
}
@@ -3556,7 +3557,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
TCP_ADD_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS, segs);
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
- tp->total_retrans += segs;
+ WRITE_ONCE(tp->total_retrans, tp->total_retrans + segs);
tp->bytes_retrans += skb->len;
/* make sure skb->data is aligned on arches that require it
@@ -4581,7 +4582,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
* However in this case, we are dealing with a passive fastopen
* socket thus we can change total_retrans value.
*/
- tcp_sk_rw(sk)->total_retrans++;
+ WRITE_ONCE(tcp_sk_rw(sk)->total_retrans,
+ tcp_sk_rw(sk)->total_retrans + 1);
}
trace_tcp_retransmit_synack(sk, req);
WRITE_ONCE(req->num_retrans, req->num_retrans + 1);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 633/957] tcp: add data-races annotations around tp->reordering, tp->snd_cwnd
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (631 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 632/957] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 634/957] tcp: annotate data-races around tp->snd_ssthresh Greg Kroah-Hartman
` (329 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 829ba1f329cb7cbd56d599a6d225997fba66dc32 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE(), WRITE_ONCE() data_race() annotations to keep KCSAN happy.
Fixes: bb7c19f96012 ("tcp: add related fields into SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tcp.h | 2 +-
net/ipv4/tcp.c | 8 ++++----
net/ipv4/tcp_input.c | 14 ++++++++------
net/ipv4/tcp_metrics.c | 2 +-
4 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 236d9e0d35ed7..18381f4086d04 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1429,7 +1429,7 @@ static inline u32 tcp_snd_cwnd(const struct tcp_sock *tp)
static inline void tcp_snd_cwnd_set(struct tcp_sock *tp, u32 val)
{
WARN_ON_ONCE((int)val <= 0);
- tp->snd_cwnd = val;
+ WRITE_ONCE(tp->snd_cwnd, val);
}
static inline bool tcp_in_slow_start(const struct tcp_sock *tp)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 4695b03f866f8..9e7e5ebcf14d5 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4397,13 +4397,13 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
rate64 = tcp_compute_delivery_rate(tp);
nla_put_u64_64bit(stats, TCP_NLA_DELIVERY_RATE, rate64, TCP_NLA_PAD);
- nla_put_u32(stats, TCP_NLA_SND_CWND, tcp_snd_cwnd(tp));
- nla_put_u32(stats, TCP_NLA_REORDERING, tp->reordering);
- nla_put_u32(stats, TCP_NLA_MIN_RTT, tcp_min_rtt(tp));
+ nla_put_u32(stats, TCP_NLA_SND_CWND, READ_ONCE(tp->snd_cwnd));
+ nla_put_u32(stats, TCP_NLA_REORDERING, READ_ONCE(tp->reordering));
+ nla_put_u32(stats, TCP_NLA_MIN_RTT, data_race(tcp_min_rtt(tp)));
nla_put_u8(stats, TCP_NLA_RECUR_RETRANS,
READ_ONCE(inet_csk(sk)->icsk_retransmits));
- nla_put_u8(stats, TCP_NLA_DELIVERY_RATE_APP_LMT, !!tp->rate_app_limited);
+ nla_put_u8(stats, TCP_NLA_DELIVERY_RATE_APP_LMT, data_race(!!tp->rate_app_limited));
nla_put_u32(stats, TCP_NLA_SND_SSTHRESH, tp->snd_ssthresh);
nla_put_u32(stats, TCP_NLA_DELIVERED, tp->delivered);
nla_put_u32(stats, TCP_NLA_DELIVERED_CE, tp->delivered_ce);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 96486eea26724..64e7bcbb42993 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1260,8 +1260,9 @@ static void tcp_check_sack_reordering(struct sock *sk, const u32 low_seq,
tp->sacked_out,
tp->undo_marker ? tp->undo_retrans : 0);
#endif
- tp->reordering = min_t(u32, (metric + mss - 1) / mss,
- READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering));
+ WRITE_ONCE(tp->reordering,
+ min_t(u32, (metric + mss - 1) / mss,
+ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)));
}
/* This exciting event is worth to be remembered. 8) */
@@ -2220,8 +2221,9 @@ static void tcp_check_reno_reordering(struct sock *sk, const int addend)
if (!tcp_limit_reno_sacked(tp))
return;
- tp->reordering = min_t(u32, tp->packets_out + addend,
- READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering));
+ WRITE_ONCE(tp->reordering,
+ min_t(u32, tp->packets_out + addend,
+ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)));
tp->reord_seen++;
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER);
}
@@ -2360,8 +2362,8 @@ void tcp_enter_loss(struct sock *sk)
reordering = READ_ONCE(net->ipv4.sysctl_tcp_reordering);
if (icsk->icsk_ca_state <= TCP_CA_Disorder &&
tp->sacked_out >= reordering)
- tp->reordering = min_t(unsigned int, tp->reordering,
- reordering);
+ WRITE_ONCE(tp->reordering,
+ min_t(unsigned int, tp->reordering, reordering));
tcp_set_ca_state(sk, TCP_CA_Loss);
tp->high_seq = tp->snd_nxt;
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 45b6ecd164126..170ca11edf6b9 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -496,7 +496,7 @@ void tcp_init_metrics(struct sock *sk)
}
val = tcp_metric_get(tm, TCP_METRIC_REORDERING);
if (val && tp->reordering != val)
- tp->reordering = val;
+ WRITE_ONCE(tp->reordering, val);
crtt = tcp_metric_get(tm, TCP_METRIC_RTT);
rcu_read_unlock();
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 634/957] tcp: annotate data-races around tp->snd_ssthresh
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (632 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 633/957] tcp: add data-races annotations around tp->reordering, tp->snd_cwnd Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 635/957] tcp: annotate data-races around tp->delivered and tp->delivered_ce Greg Kroah-Hartman
` (328 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit fd571afb05ebaeac5d8f09460a0640d4cf6755f8 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7156d194a077 ("tcp: add snd_ssthresh stat in SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 2 +-
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_bbr.c | 6 +++---
net/ipv4/tcp_bic.c | 2 +-
net/ipv4/tcp_cdg.c | 4 ++--
net/ipv4/tcp_cubic.c | 6 +++---
net/ipv4/tcp_dctcp.c | 2 +-
net/ipv4/tcp_input.c | 8 ++++----
net/ipv4/tcp_metrics.c | 4 ++--
net/ipv4/tcp_nv.c | 4 ++--
net/ipv4/tcp_output.c | 4 ++--
net/ipv4/tcp_vegas.c | 9 +++++----
net/ipv4/tcp_westwood.c | 4 ++--
net/ipv4/tcp_yeah.c | 3 ++-
14 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index ae6d0453cf123..bad3fb6318461 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5387,7 +5387,7 @@ static int bpf_sol_tcp_setsockopt(struct sock *sk, int optname,
if (val <= 0)
return -EINVAL;
tp->snd_cwnd_clamp = val;
- tp->snd_ssthresh = val;
+ WRITE_ONCE(tp->snd_ssthresh, val);
break;
case TCP_BPF_DELACK_MAX:
timeout = usecs_to_jiffies(val);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 9e7e5ebcf14d5..3de09b59663d8 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3408,7 +3408,7 @@ int tcp_disconnect(struct sock *sk, int flags)
icsk->icsk_rto = TCP_TIMEOUT_INIT;
WRITE_ONCE(icsk->icsk_rto_min, TCP_RTO_MIN);
WRITE_ONCE(icsk->icsk_delack_max, TCP_DELACK_MAX);
- tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ WRITE_ONCE(tp->snd_ssthresh, TCP_INFINITE_SSTHRESH);
tcp_snd_cwnd_set(tp, TCP_INIT_CWND);
tp->snd_cwnd_cnt = 0;
tp->is_cwnd_limited = 0;
@@ -4404,7 +4404,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u8(stats, TCP_NLA_RECUR_RETRANS,
READ_ONCE(inet_csk(sk)->icsk_retransmits));
nla_put_u8(stats, TCP_NLA_DELIVERY_RATE_APP_LMT, data_race(!!tp->rate_app_limited));
- nla_put_u32(stats, TCP_NLA_SND_SSTHRESH, tp->snd_ssthresh);
+ nla_put_u32(stats, TCP_NLA_SND_SSTHRESH, READ_ONCE(tp->snd_ssthresh));
nla_put_u32(stats, TCP_NLA_DELIVERED, tp->delivered);
nla_put_u32(stats, TCP_NLA_DELIVERED_CE, tp->delivered_ce);
diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
index 760941e55153e..3df6160f51567 100644
--- a/net/ipv4/tcp_bbr.c
+++ b/net/ipv4/tcp_bbr.c
@@ -896,8 +896,8 @@ static void bbr_check_drain(struct sock *sk, const struct rate_sample *rs)
if (bbr->mode == BBR_STARTUP && bbr_full_bw_reached(sk)) {
bbr->mode = BBR_DRAIN; /* drain queue we created */
- tcp_sk(sk)->snd_ssthresh =
- bbr_inflight(sk, bbr_max_bw(sk), BBR_UNIT);
+ WRITE_ONCE(tcp_sk(sk)->snd_ssthresh,
+ bbr_inflight(sk, bbr_max_bw(sk), BBR_UNIT));
} /* fall through to check if in-flight is already small: */
if (bbr->mode == BBR_DRAIN &&
bbr_packets_in_net_at_edt(sk, tcp_packets_in_flight(tcp_sk(sk))) <=
@@ -1042,7 +1042,7 @@ __bpf_kfunc static void bbr_init(struct sock *sk)
struct bbr *bbr = inet_csk_ca(sk);
bbr->prior_cwnd = 0;
- tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ WRITE_ONCE(tp->snd_ssthresh, TCP_INFINITE_SSTHRESH);
bbr->rtt_cnt = 0;
bbr->next_rtt_delivered = tp->delivered;
bbr->prev_ca_state = TCP_CA_Open;
diff --git a/net/ipv4/tcp_bic.c b/net/ipv4/tcp_bic.c
index 58358bf92e1b8..65444ff142413 100644
--- a/net/ipv4/tcp_bic.c
+++ b/net/ipv4/tcp_bic.c
@@ -74,7 +74,7 @@ static void bictcp_init(struct sock *sk)
bictcp_reset(ca);
if (initial_ssthresh)
- tcp_sk(sk)->snd_ssthresh = initial_ssthresh;
+ WRITE_ONCE(tcp_sk(sk)->snd_ssthresh, initial_ssthresh);
}
/*
diff --git a/net/ipv4/tcp_cdg.c b/net/ipv4/tcp_cdg.c
index fbad6c35dee9c..37f094204b6d0 100644
--- a/net/ipv4/tcp_cdg.c
+++ b/net/ipv4/tcp_cdg.c
@@ -162,7 +162,7 @@ static void tcp_cdg_hystart_update(struct sock *sk)
NET_ADD_STATS(sock_net(sk),
LINUX_MIB_TCPHYSTARTTRAINCWND,
tcp_snd_cwnd(tp));
- tp->snd_ssthresh = tcp_snd_cwnd(tp);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_snd_cwnd(tp));
return;
}
}
@@ -181,7 +181,7 @@ static void tcp_cdg_hystart_update(struct sock *sk)
NET_ADD_STATS(sock_net(sk),
LINUX_MIB_TCPHYSTARTDELAYCWND,
tcp_snd_cwnd(tp));
- tp->snd_ssthresh = tcp_snd_cwnd(tp);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_snd_cwnd(tp));
}
}
}
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index 76c23675ae50a..f891e8d1e5458 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -136,7 +136,7 @@ __bpf_kfunc static void cubictcp_init(struct sock *sk)
bictcp_hystart_reset(sk);
if (!hystart && initial_ssthresh)
- tcp_sk(sk)->snd_ssthresh = initial_ssthresh;
+ WRITE_ONCE(tcp_sk(sk)->snd_ssthresh, initial_ssthresh);
}
__bpf_kfunc static void cubictcp_cwnd_event(struct sock *sk, enum tcp_ca_event event)
@@ -423,7 +423,7 @@ static void hystart_update(struct sock *sk, u32 delay)
NET_ADD_STATS(sock_net(sk),
LINUX_MIB_TCPHYSTARTTRAINCWND,
tcp_snd_cwnd(tp));
- tp->snd_ssthresh = tcp_snd_cwnd(tp);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_snd_cwnd(tp));
}
}
}
@@ -443,7 +443,7 @@ static void hystart_update(struct sock *sk, u32 delay)
NET_ADD_STATS(sock_net(sk),
LINUX_MIB_TCPHYSTARTDELAYCWND,
tcp_snd_cwnd(tp));
- tp->snd_ssthresh = tcp_snd_cwnd(tp);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_snd_cwnd(tp));
}
}
}
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c
index 03abe0848420d..6f103038b0152 100644
--- a/net/ipv4/tcp_dctcp.c
+++ b/net/ipv4/tcp_dctcp.c
@@ -177,7 +177,7 @@ static void dctcp_react_to_loss(struct sock *sk)
struct tcp_sock *tp = tcp_sk(sk);
ca->loss_cwnd = tcp_snd_cwnd(tp);
- tp->snd_ssthresh = max(tcp_snd_cwnd(tp) >> 1U, 2U);
+ WRITE_ONCE(tp->snd_ssthresh, max(tcp_snd_cwnd(tp) >> 1U, 2U));
}
__bpf_kfunc static void dctcp_state(struct sock *sk, u8 new_state)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 64e7bcbb42993..16bb525c04f1d 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2348,7 +2348,7 @@ void tcp_enter_loss(struct sock *sk)
(icsk->icsk_ca_state == TCP_CA_Loss && !icsk->icsk_retransmits)) {
tp->prior_ssthresh = tcp_current_ssthresh(sk);
tp->prior_cwnd = tcp_snd_cwnd(tp);
- tp->snd_ssthresh = icsk->icsk_ca_ops->ssthresh(sk);
+ WRITE_ONCE(tp->snd_ssthresh, icsk->icsk_ca_ops->ssthresh(sk));
tcp_ca_event(sk, CA_EVENT_LOSS);
tcp_init_undo(tp);
}
@@ -2641,7 +2641,7 @@ static void tcp_undo_cwnd_reduction(struct sock *sk, bool unmark_loss)
tcp_snd_cwnd_set(tp, icsk->icsk_ca_ops->undo_cwnd(sk));
if (tp->prior_ssthresh > tp->snd_ssthresh) {
- tp->snd_ssthresh = tp->prior_ssthresh;
+ WRITE_ONCE(tp->snd_ssthresh, tp->prior_ssthresh);
tcp_ecn_withdraw_cwr(tp);
}
}
@@ -2759,7 +2759,7 @@ static void tcp_init_cwnd_reduction(struct sock *sk)
tp->prior_cwnd = tcp_snd_cwnd(tp);
tp->prr_delivered = 0;
tp->prr_out = 0;
- tp->snd_ssthresh = inet_csk(sk)->icsk_ca_ops->ssthresh(sk);
+ WRITE_ONCE(tp->snd_ssthresh, inet_csk(sk)->icsk_ca_ops->ssthresh(sk));
tcp_ecn_queue_cwr(tp);
}
@@ -2901,7 +2901,7 @@ static void tcp_non_congestion_loss_retransmit(struct sock *sk)
if (icsk->icsk_ca_state != TCP_CA_Loss) {
tp->high_seq = tp->snd_nxt;
- tp->snd_ssthresh = tcp_current_ssthresh(sk);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_current_ssthresh(sk));
tp->prior_ssthresh = 0;
tp->undo_marker = 0;
tcp_set_ca_state(sk, TCP_CA_Loss);
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 170ca11edf6b9..7b08d3e58a741 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -490,9 +490,9 @@ void tcp_init_metrics(struct sock *sk)
val = READ_ONCE(net->ipv4.sysctl_tcp_no_ssthresh_metrics_save) ?
0 : tcp_metric_get(tm, TCP_METRIC_SSTHRESH);
if (val) {
- tp->snd_ssthresh = val;
+ WRITE_ONCE(tp->snd_ssthresh, val);
if (tp->snd_ssthresh > tp->snd_cwnd_clamp)
- tp->snd_ssthresh = tp->snd_cwnd_clamp;
+ WRITE_ONCE(tp->snd_ssthresh, tp->snd_cwnd_clamp);
}
val = tcp_metric_get(tm, TCP_METRIC_REORDERING);
if (val && tp->reordering != val)
diff --git a/net/ipv4/tcp_nv.c b/net/ipv4/tcp_nv.c
index a60662f4bdf92..f345897a68dfc 100644
--- a/net/ipv4/tcp_nv.c
+++ b/net/ipv4/tcp_nv.c
@@ -396,8 +396,8 @@ static void tcpnv_acked(struct sock *sk, const struct ack_sample *sample)
/* We have enough data to determine we are congested */
ca->nv_allow_cwnd_growth = 0;
- tp->snd_ssthresh =
- (nv_ssthresh_factor * max_win) >> 3;
+ WRITE_ONCE(tp->snd_ssthresh,
+ (nv_ssthresh_factor * max_win) >> 3);
if (tcp_snd_cwnd(tp) - max_win > 2) {
/* gap > 2, we do exponential cwnd decrease */
int dec;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index c4cf76f71520f..3c25292ae72d8 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -151,7 +151,7 @@ void tcp_cwnd_restart(struct sock *sk, s32 delta)
tcp_ca_event(sk, CA_EVENT_CWND_RESTART);
- tp->snd_ssthresh = tcp_current_ssthresh(sk);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_current_ssthresh(sk));
restart_cwnd = min(restart_cwnd, cwnd);
while ((delta -= inet_csk(sk)->icsk_rto) > 0 && cwnd > restart_cwnd)
@@ -2060,7 +2060,7 @@ static void tcp_cwnd_application_limited(struct sock *sk)
u32 init_win = tcp_init_cwnd(tp, __sk_dst_get(sk));
u32 win_used = max(tp->snd_cwnd_used, init_win);
if (win_used < tcp_snd_cwnd(tp)) {
- tp->snd_ssthresh = tcp_current_ssthresh(sk);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_current_ssthresh(sk));
tcp_snd_cwnd_set(tp, (tcp_snd_cwnd(tp) + win_used) >> 1);
}
tp->snd_cwnd_used = 0;
diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c
index 786848ad37ea8..3ec7308441a78 100644
--- a/net/ipv4/tcp_vegas.c
+++ b/net/ipv4/tcp_vegas.c
@@ -240,7 +240,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
*/
tcp_snd_cwnd_set(tp, min(tcp_snd_cwnd(tp),
(u32)target_cwnd + 1));
- tp->snd_ssthresh = tcp_vegas_ssthresh(tp);
+ WRITE_ONCE(tp->snd_ssthresh,
+ tcp_vegas_ssthresh(tp));
} else if (tcp_in_slow_start(tp)) {
/* Slow start. */
@@ -256,8 +257,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
* we slow down.
*/
tcp_snd_cwnd_set(tp, tcp_snd_cwnd(tp) - 1);
- tp->snd_ssthresh
- = tcp_vegas_ssthresh(tp);
+ WRITE_ONCE(tp->snd_ssthresh,
+ tcp_vegas_ssthresh(tp));
} else if (diff < alpha) {
/* We don't have enough extra packets
* in the network, so speed up.
@@ -275,7 +276,7 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
else if (tcp_snd_cwnd(tp) > tp->snd_cwnd_clamp)
tcp_snd_cwnd_set(tp, tp->snd_cwnd_clamp);
- tp->snd_ssthresh = tcp_current_ssthresh(sk);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_current_ssthresh(sk));
}
/* Wipe the slate clean for the next RTT. */
diff --git a/net/ipv4/tcp_westwood.c b/net/ipv4/tcp_westwood.c
index c6e97141eef25..b5a42adfd6ca1 100644
--- a/net/ipv4/tcp_westwood.c
+++ b/net/ipv4/tcp_westwood.c
@@ -244,11 +244,11 @@ static void tcp_westwood_event(struct sock *sk, enum tcp_ca_event event)
switch (event) {
case CA_EVENT_COMPLETE_CWR:
- tp->snd_ssthresh = tcp_westwood_bw_rttmin(sk);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_westwood_bw_rttmin(sk));
tcp_snd_cwnd_set(tp, tp->snd_ssthresh);
break;
case CA_EVENT_LOSS:
- tp->snd_ssthresh = tcp_westwood_bw_rttmin(sk);
+ WRITE_ONCE(tp->snd_ssthresh, tcp_westwood_bw_rttmin(sk));
/* Update RTT_min when next ack arrives */
w->reset_rtt_min = 1;
break;
diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c
index 18b07ff5d20e6..74a2538e79e06 100644
--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -147,7 +147,8 @@ static void tcp_yeah_cong_avoid(struct sock *sk, u32 ack, u32 acked)
tcp_snd_cwnd_set(tp, max(tcp_snd_cwnd(tp),
yeah->reno_count));
- tp->snd_ssthresh = tcp_snd_cwnd(tp);
+ WRITE_ONCE(tp->snd_ssthresh,
+ tcp_snd_cwnd(tp));
}
if (yeah->reno_count <= 2)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 635/957] tcp: annotate data-races around tp->delivered and tp->delivered_ce
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (633 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 634/957] tcp: annotate data-races around tp->snd_ssthresh Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 636/957] tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE Greg Kroah-Hartman
` (327 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit faa886ad3ce5fc8f5156493491fe189b2b726bc9 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: feb5f2ec6464 ("tcp: export packets delivery info")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tcp_ecn.h | 2 +-
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_input.c | 8 ++++----
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/include/net/tcp_ecn.h b/include/net/tcp_ecn.h
index a709fb1756eb7..59d6944f8d103 100644
--- a/include/net/tcp_ecn.h
+++ b/include/net/tcp_ecn.h
@@ -189,7 +189,7 @@ static inline void tcp_accecn_third_ack(struct sock *sk,
tcp_accecn_validate_syn_feedback(sk, ace, sent_ect)) {
if ((tcp_accecn_extract_syn_ect(ace) == INET_ECN_CE) &&
!tp->delivered_ce)
- tp->delivered_ce++;
+ WRITE_ONCE(tp->delivered_ce, 1);
}
break;
}
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3de09b59663d8..515313ef0c642 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4405,8 +4405,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
READ_ONCE(inet_csk(sk)->icsk_retransmits));
nla_put_u8(stats, TCP_NLA_DELIVERY_RATE_APP_LMT, data_race(!!tp->rate_app_limited));
nla_put_u32(stats, TCP_NLA_SND_SSTHRESH, READ_ONCE(tp->snd_ssthresh));
- nla_put_u32(stats, TCP_NLA_DELIVERED, tp->delivered);
- nla_put_u32(stats, TCP_NLA_DELIVERED_CE, tp->delivered_ce);
+ nla_put_u32(stats, TCP_NLA_DELIVERED, READ_ONCE(tp->delivered));
+ nla_put_u32(stats, TCP_NLA_DELIVERED_CE, READ_ONCE(tp->delivered_ce));
nla_put_u32(stats, TCP_NLA_SNDQ_SIZE, tp->write_seq - tp->snd_una);
nla_put_u8(stats, TCP_NLA_CA_STATE, inet_csk(sk)->icsk_ca_state);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 16bb525c04f1d..b5a3c7ca2605d 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -476,14 +476,14 @@ static bool tcp_accecn_process_option(struct tcp_sock *tp,
static void tcp_count_delivered_ce(struct tcp_sock *tp, u32 ecn_count)
{
- tp->delivered_ce += ecn_count;
+ WRITE_ONCE(tp->delivered_ce, tp->delivered_ce + ecn_count);
}
/* Updates the delivered and delivered_ce counts */
static void tcp_count_delivered(struct tcp_sock *tp, u32 delivered,
bool ece_ack)
{
- tp->delivered += delivered;
+ WRITE_ONCE(tp->delivered, tp->delivered + delivered);
if (tcp_ecn_mode_rfc3168(tp) && ece_ack)
tcp_count_delivered_ce(tp, delivered);
}
@@ -6576,7 +6576,7 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVE);
/* SYN-data is counted as two separate packets in tcp_ack() */
if (tp->delivered > 1)
- --tp->delivered;
+ WRITE_ONCE(tp->delivered, tp->delivered - 1);
}
tcp_fastopen_add_skb(sk, synack);
@@ -7007,7 +7007,7 @@ tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
SKB_DR_SET(reason, NOT_SPECIFIED);
switch (sk->sk_state) {
case TCP_SYN_RECV:
- tp->delivered++; /* SYN-ACK delivery isn't tracked in tcp_ack */
+ WRITE_ONCE(tp->delivered, tp->delivered + 1); /* SYN-ACK delivery isn't tracked in tcp_ack */
if (!tp->srtt_us)
tcp_synack_rtt_meas(sk, req);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 636/957] tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (634 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 635/957] tcp: annotate data-races around tp->delivered and tp->delivered_ce Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 637/957] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
` (326 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 124199444de467767175a9004e1574dc42523e62 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 87ecc95d81d9 ("tcp: add send queue size stat in SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-7-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 +++-
net/ipv4/tcp_input.c | 4 ++--
net/ipv4/tcp_output.c | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 515313ef0c642..0d6e991155c95 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4408,7 +4408,9 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u32(stats, TCP_NLA_DELIVERED, READ_ONCE(tp->delivered));
nla_put_u32(stats, TCP_NLA_DELIVERED_CE, READ_ONCE(tp->delivered_ce));
- nla_put_u32(stats, TCP_NLA_SNDQ_SIZE, tp->write_seq - tp->snd_una);
+ nla_put_u32(stats, TCP_NLA_SNDQ_SIZE,
+ max_t(int, 0,
+ READ_ONCE(tp->write_seq) - READ_ONCE(tp->snd_una)));
nla_put_u8(stats, TCP_NLA_CA_STATE, inet_csk(sk)->icsk_ca_state);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, tp->bytes_sent,
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b5a3c7ca2605d..3e29134a54b19 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3694,7 +3694,7 @@ static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
sock_owned_by_me((struct sock *)tp);
tp->bytes_acked += delta;
tcp_snd_sne_update(tp, ack);
- tp->snd_una = ack;
+ WRITE_ONCE(tp->snd_una, ack);
}
static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq)
@@ -7035,7 +7035,7 @@ tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
if (sk->sk_socket)
sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
- tp->snd_una = TCP_SKB_CB(skb)->ack_seq;
+ WRITE_ONCE(tp->snd_una, TCP_SKB_CB(skb)->ack_seq);
tp->snd_wnd = ntohs(th->window) << tp->rx_opt.snd_wscale;
tcp_init_wl(tp, TCP_SKB_CB(skb)->seq);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 3c25292ae72d8..e6aa54d2335c0 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -4089,7 +4089,7 @@ static void tcp_connect_init(struct sock *sk)
tp->snd_wnd = 0;
tcp_init_wl(tp, 0);
tcp_write_queue_purge(sk);
- tp->snd_una = tp->write_seq;
+ WRITE_ONCE(tp->snd_una, tp->write_seq);
tp->snd_sml = tp->write_seq;
tp->snd_up = tp->write_seq;
WRITE_ONCE(tp->snd_nxt, tp->write_seq);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 637/957] tcp: annotate data-races around tp->bytes_sent
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (635 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 636/957] tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 638/957] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
` (325 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ee43e957ce2ec77b2ec47fef28f3c0df6ab01a31 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: ba113c3aa79a ("tcp: add data bytes sent stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-8-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_output.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0d6e991155c95..7d45a2aab18dd 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4413,7 +4413,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
READ_ONCE(tp->write_seq) - READ_ONCE(tp->snd_una)));
nla_put_u8(stats, TCP_NLA_CA_STATE, inet_csk(sk)->icsk_ca_state);
- nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, tp->bytes_sent,
+ nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, READ_ONCE(tp->bytes_sent),
TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS, tp->bytes_retrans,
TCP_NLA_PAD);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index e6aa54d2335c0..c2492f4be2151 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1605,7 +1605,8 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
tcp_event_data_sent(tp, sk);
WRITE_ONCE(tp->data_segs_out,
tp->data_segs_out + tcp_skb_pcount(skb));
- tp->bytes_sent += skb->len - tcp_header_size;
+ WRITE_ONCE(tp->bytes_sent,
+ tp->bytes_sent + skb->len - tcp_header_size);
}
if (after(tcb->end_seq, tp->snd_nxt) || tcb->seq == tcb->end_seq)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 638/957] tcp: annotate data-races around tp->bytes_retrans
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (636 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 637/957] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 639/957] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
` (324 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5efc7b9f7cbd43401f1af81d3d7f2be00f93390d ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: fb31c9b9f6c8 ("tcp: add data bytes retransmitted stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-9-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 4 ++--
net/ipv4/tcp_output.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 7d45a2aab18dd..35c444caab8a8 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4415,8 +4415,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_BYTES_SENT, READ_ONCE(tp->bytes_sent),
TCP_NLA_PAD);
- nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS, tp->bytes_retrans,
- TCP_NLA_PAD);
+ nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
+ READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
nla_put_u32(stats, TCP_NLA_DSACK_DUPS, tp->dsack_dups);
nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index c2492f4be2151..5a443fb14a973 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3559,7 +3559,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
WRITE_ONCE(tp->total_retrans, tp->total_retrans + segs);
- tp->bytes_retrans += skb->len;
+ WRITE_ONCE(tp->bytes_retrans, tp->bytes_retrans + skb->len);
/* make sure skb->data is aligned on arches that require it
* and check if ack-trimming & collapsing extended the headroom
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 639/957] tcp: annotate data-races around tp->dsack_dups
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (637 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 638/957] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 640/957] tcp: annotate data-races around tp->reord_seen Greg Kroah-Hartman
` (323 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a984705ca88b976bf1087978fd98b7f3993da88c ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7e10b6554ff2 ("tcp: add dsack blocks received stats")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-10-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_input.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 35c444caab8a8..3a5801ba3df1a 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4417,7 +4417,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
TCP_NLA_PAD);
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
- nla_put_u32(stats, TCP_NLA_DSACK_DUPS, tp->dsack_dups);
+ nla_put_u32(stats, TCP_NLA_DSACK_DUPS, READ_ONCE(tp->dsack_dups));
nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3e29134a54b19..90727e1e581e4 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1213,7 +1213,7 @@ static u32 tcp_dsack_seen(struct tcp_sock *tp, u32 start_seq,
else if (tp->tlp_high_seq && tp->tlp_high_seq == end_seq)
state->flag |= FLAG_DSACK_TLP;
- tp->dsack_dups += dup_segs;
+ WRITE_ONCE(tp->dsack_dups, tp->dsack_dups + dup_segs);
/* Skip the DSACK if dup segs weren't retransmitted by sender */
if (tp->dsack_dups > tp->total_retrans)
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 640/957] tcp: annotate data-races around tp->reord_seen
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (638 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 639/957] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 641/957] tcp: better handle TCP_TX_DELAY on established flows Greg Kroah-Hartman
` (322 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 62585690e6b2a112c408fe25f142b246ac833c42 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 7ec65372ca53 ("tcp: add stat of data packet reordering events")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-11-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_input.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3a5801ba3df1a..03299c21e4d68 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4418,7 +4418,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u64_64bit(stats, TCP_NLA_BYTES_RETRANS,
READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
nla_put_u32(stats, TCP_NLA_DSACK_DUPS, READ_ONCE(tp->dsack_dups));
- nla_put_u32(stats, TCP_NLA_REORD_SEEN, tp->reord_seen);
+ nla_put_u32(stats, TCP_NLA_REORD_SEEN, READ_ONCE(tp->reord_seen));
nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
nla_put_u32(stats, TCP_NLA_BYTES_NOTSENT,
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 90727e1e581e4..5a944b1ec320c 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1266,7 +1266,7 @@ static void tcp_check_sack_reordering(struct sock *sk, const u32 low_seq,
}
/* This exciting event is worth to be remembered. 8) */
- tp->reord_seen++;
+ WRITE_ONCE(tp->reord_seen, tp->reord_seen + 1);
NET_INC_STATS(sock_net(sk),
ts ? LINUX_MIB_TCPTSREORDER : LINUX_MIB_TCPSACKREORDER);
}
@@ -2224,7 +2224,7 @@ static void tcp_check_reno_reordering(struct sock *sk, const int addend)
WRITE_ONCE(tp->reordering,
min_t(u32, tp->packets_out + addend,
READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering)));
- tp->reord_seen++;
+ WRITE_ONCE(tp->reord_seen, tp->reord_seen + 1);
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 641/957] tcp: better handle TCP_TX_DELAY on established flows
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (639 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 640/957] tcp: annotate data-races around tp->reord_seen Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 642/957] tcp: annotate data-races around tp->srtt_us Greg Kroah-Hartman
` (321 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1c51450f1afff1e7419797720df3fbd9ccbf610c ]
Some applications uses TCP_TX_DELAY socket option after TCP flow
is established.
Some metrics need to be updated, otherwise TCP might take time to
adapt to the new (emulated) RTT.
This patch adjusts tp->srtt_us, tp->rtt_min, icsk_rto
and sk->sk_pacing_rate.
This is best effort, and for instance icsk_rto is reset
without taking backoff into account.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251013145926.833198-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 290b693ce7c9 ("tcp: annotate data-races around tp->srtt_us")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tcp.h | 2 ++
net/ipv4/tcp.c | 31 +++++++++++++++++++++++++++----
net/ipv4/tcp_input.c | 4 ++--
3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 18381f4086d04..cf507b989bff1 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -462,6 +462,8 @@ enum skb_drop_reason tcp_child_process(struct sock *parent, struct sock *child,
void tcp_enter_loss(struct sock *sk);
void tcp_cwnd_reduction(struct sock *sk, int newly_acked_sacked, int newly_lost, int flag);
void tcp_clear_retrans(struct tcp_sock *tp);
+void tcp_update_pacing_rate(struct sock *sk);
+void tcp_set_rto(struct sock *sk);
void tcp_update_metrics(struct sock *sk);
void tcp_init_metrics(struct sock *sk);
void tcp_metrics_init(void);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 03299c21e4d68..2e62441515fee 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3585,9 +3585,12 @@ static int tcp_repair_options_est(struct sock *sk, sockptr_t optbuf,
DEFINE_STATIC_KEY_FALSE(tcp_tx_delay_enabled);
EXPORT_IPV6_MOD(tcp_tx_delay_enabled);
-static void tcp_enable_tx_delay(void)
+static void tcp_enable_tx_delay(struct sock *sk, int val)
{
- if (!static_branch_unlikely(&tcp_tx_delay_enabled)) {
+ struct tcp_sock *tp = tcp_sk(sk);
+ s32 delta = (val - tp->tcp_tx_delay) << 3;
+
+ if (val && !static_branch_unlikely(&tcp_tx_delay_enabled)) {
static int __tcp_tx_delay_enabled = 0;
if (cmpxchg(&__tcp_tx_delay_enabled, 0, 1) == 0) {
@@ -3595,6 +3598,22 @@ static void tcp_enable_tx_delay(void)
pr_info("TCP_TX_DELAY enabled\n");
}
}
+ /* If we change tcp_tx_delay on a live flow, adjust tp->srtt_us,
+ * tp->rtt_min, icsk_rto and sk->sk_pacing_rate.
+ * This is best effort.
+ */
+ if (delta && sk->sk_state == TCP_ESTABLISHED) {
+ s64 srtt = (s64)tp->srtt_us + delta;
+
+ tp->srtt_us = clamp_t(s64, srtt, 1, ~0U);
+
+ /* Note: does not deal with non zero icsk_backoff */
+ tcp_set_rto(sk);
+
+ minmax_reset(&tp->rtt_min, tcp_jiffies32, ~0U);
+
+ tcp_update_pacing_rate(sk);
+ }
}
/* When set indicates to always queue non-full frames. Later the user clears
@@ -4121,8 +4140,12 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
tp->recvmsg_inq = val;
break;
case TCP_TX_DELAY:
- if (val)
- tcp_enable_tx_delay();
+ /* tp->srtt_us is u32, and is shifted by 3 */
+ if (val < 0 || val >= (1U << (31 - 3))) {
+ err = -EINVAL;
+ break;
+ }
+ tcp_enable_tx_delay(sk, val);
WRITE_ONCE(tp->tcp_tx_delay, val);
break;
default:
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 5a944b1ec320c..e8ba52c908da1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1102,7 +1102,7 @@ static void tcp_rtt_estimator(struct sock *sk, long mrtt_us)
tp->srtt_us = max(1U, srtt);
}
-static void tcp_update_pacing_rate(struct sock *sk)
+void tcp_update_pacing_rate(struct sock *sk)
{
const struct tcp_sock *tp = tcp_sk(sk);
u64 rate;
@@ -1139,7 +1139,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
/* Calculate rto without backoff. This is the second half of Van Jacobson's
* routine referred to above.
*/
-static void tcp_set_rto(struct sock *sk)
+void tcp_set_rto(struct sock *sk)
{
const struct tcp_sock *tp = tcp_sk(sk);
/* Old crap is replaced with new one. 8)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 642/957] tcp: annotate data-races around tp->srtt_us
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (640 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 641/957] tcp: better handle TCP_TX_DELAY on established flows Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 643/957] tcp: annotate data-races around tp->timeout_rehash Greg Kroah-Hartman
` (320 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 290b693ce7c9d48588d88b15a782a3efc6fa036b ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: e8bd8fca6773 ("tcp: add SRTT to SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-12-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 5 +++--
net/ipv4/tcp_input.c | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 2e62441515fee..a799329281532 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3605,7 +3605,8 @@ static void tcp_enable_tx_delay(struct sock *sk, int val)
if (delta && sk->sk_state == TCP_ESTABLISHED) {
s64 srtt = (s64)tp->srtt_us + delta;
- tp->srtt_us = clamp_t(s64, srtt, 1, ~0U);
+ WRITE_ONCE(tp->srtt_us,
+ clamp_t(s64, srtt, 1, ~0U));
/* Note: does not deal with non zero icsk_backoff */
tcp_set_rto(sk);
@@ -4442,7 +4443,7 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
READ_ONCE(tp->bytes_retrans), TCP_NLA_PAD);
nla_put_u32(stats, TCP_NLA_DSACK_DUPS, READ_ONCE(tp->dsack_dups));
nla_put_u32(stats, TCP_NLA_REORD_SEEN, READ_ONCE(tp->reord_seen));
- nla_put_u32(stats, TCP_NLA_SRTT, tp->srtt_us >> 3);
+ nla_put_u32(stats, TCP_NLA_SRTT, READ_ONCE(tp->srtt_us) >> 3);
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
nla_put_u32(stats, TCP_NLA_BYTES_NOTSENT,
max_t(int, 0, tp->write_seq - tp->snd_nxt));
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index e8ba52c908da1..5fb5f3f6393c1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1099,7 +1099,7 @@ static void tcp_rtt_estimator(struct sock *sk, long mrtt_us)
tcp_bpf_rtt(sk, mrtt_us, srtt);
}
- tp->srtt_us = max(1U, srtt);
+ WRITE_ONCE(tp->srtt_us, max(1U, srtt));
}
void tcp_update_pacing_rate(struct sock *sk)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 643/957] tcp: annotate data-races around tp->timeout_rehash
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (641 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 642/957] tcp: annotate data-races around tp->srtt_us Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 644/957] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
` (319 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 71c675358b711bbfd8528949249419dc2dfa4ce1 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 32efcc06d2a1 ("tcp: export count for rehash attempts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-13-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 3 ++-
net/ipv4/tcp_timer.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index a799329281532..888fe31e42f0b 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4444,7 +4444,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u32(stats, TCP_NLA_DSACK_DUPS, READ_ONCE(tp->dsack_dups));
nla_put_u32(stats, TCP_NLA_REORD_SEEN, READ_ONCE(tp->reord_seen));
nla_put_u32(stats, TCP_NLA_SRTT, READ_ONCE(tp->srtt_us) >> 3);
- nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH, tp->timeout_rehash);
+ nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH,
+ READ_ONCE(tp->timeout_rehash));
nla_put_u32(stats, TCP_NLA_BYTES_NOTSENT,
max_t(int, 0, tp->write_seq - tp->snd_nxt));
nla_put_u64_64bit(stats, TCP_NLA_EDT, orig_skb->skb_mstamp_ns,
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 2dd73a4e8e517..b2e5848b6980a 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -296,7 +296,7 @@ static int tcp_write_timeout(struct sock *sk)
}
if (sk_rethink_txhash(sk)) {
- tp->timeout_rehash++;
+ WRITE_ONCE(tp->timeout_rehash, tp->timeout_rehash + 1);
__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPTIMEOUTREHASH);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 644/957] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (642 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 643/957] tcp: annotate data-races around tp->timeout_rehash Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 645/957] tcp: annotate data-races around tp->plb_rehash Greg Kroah-Hartman
` (318 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3a63b3d160560ef51e43fb4c880a5cde8078053c ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() annotations to keep KCSAN happy.
WRITE_ONCE() annotations are already present.
Fixes: e08ab0b377a1 ("tcp: add bytes not sent to SCM_TIMESTAMPING_OPT_STATS")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-14-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 888fe31e42f0b..fe91675ae5678 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4447,7 +4447,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u16(stats, TCP_NLA_TIMEOUT_REHASH,
READ_ONCE(tp->timeout_rehash));
nla_put_u32(stats, TCP_NLA_BYTES_NOTSENT,
- max_t(int, 0, tp->write_seq - tp->snd_nxt));
+ max_t(int, 0,
+ READ_ONCE(tp->write_seq) - READ_ONCE(tp->snd_nxt)));
nla_put_u64_64bit(stats, TCP_NLA_EDT, orig_skb->skb_mstamp_ns,
TCP_NLA_PAD);
if (ack_skb)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 645/957] tcp: annotate data-races around tp->plb_rehash
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (643 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 644/957] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 646/957] ice: fix adjust timer programming for E830 devices Greg Kroah-Hartman
` (317 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9e89b9d03a2d2e30dcca166d5af52f9a8eceab25 ]
tcp_get_timestamping_opt_stats() intentionally runs lockless, we must
add READ_ONCE() and WRITE_ONCE() annotations to keep KCSAN happy.
Fixes: 29c1c44646ae ("tcp: add u32 counter in tcp_sock and an SNMP counter for PLB")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260416200319.3608680-15-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp.c | 3 ++-
net/ipv4/tcp_plb.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index fe91675ae5678..2de4748269ca9 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4455,7 +4455,8 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const struct sock *sk,
nla_put_u8(stats, TCP_NLA_TTL,
tcp_skb_ttl_or_hop_limit(ack_skb));
- nla_put_u32(stats, TCP_NLA_REHASH, tp->plb_rehash + tp->timeout_rehash);
+ nla_put_u32(stats, TCP_NLA_REHASH,
+ READ_ONCE(tp->plb_rehash) + READ_ONCE(tp->timeout_rehash));
return stats;
}
diff --git a/net/ipv4/tcp_plb.c b/net/ipv4/tcp_plb.c
index 4bcf7eff95e39..b7f9b60d8991f 100644
--- a/net/ipv4/tcp_plb.c
+++ b/net/ipv4/tcp_plb.c
@@ -79,7 +79,7 @@ void tcp_plb_check_rehash(struct sock *sk, struct tcp_plb_state *plb)
sk_rethink_txhash(sk);
plb->consec_cong_rounds = 0;
- tcp_sk(sk)->plb_rehash++;
+ WRITE_ONCE(tcp_sk(sk)->plb_rehash, tcp_sk(sk)->plb_rehash + 1);
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPPLBREHASH);
}
EXPORT_SYMBOL_GPL(tcp_plb_check_rehash);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 646/957] ice: fix adjust timer programming for E830 devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (644 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 645/957] tcp: annotate data-races around tp->plb_rehash Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 647/957] ice: update PCS latency settings for E825 10G/25Gb modes Greg Kroah-Hartman
` (316 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Grzegorz Nitka,
Simon Horman, Rinitha S, Jacob Keller, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
[ Upstream commit 885c5e57924dc040b23d0ad0d8388f0e35772159 ]
Fix incorrect 'adjust the timer' programming sequence for E830 devices
series. Only shadow registers GLTSYN_SHADJ were programmed in the
current implementation. According to the specification [1], write to
command GLTSYN_CMD register is also required with CMD field set to
"Adjust the Time" value, for the timer adjustment to take the effect.
The flow was broken for the adjustment less than S32_MAX/MIN range
(around +/- 2 seconds). For bigger adjustment, non-atomic programming
flow is used, involving set timer programming. Non-atomic flow is
implemented correctly.
Testing hints:
Run command:
phc_ctl /dev/ptpX get adj 2 get
Expected result:
Returned timestamps differ at least by 2 seconds
[1] Intel® Ethernet Controller E830 Datasheet rev 1.3, chapter 9.7.5.4
https://cdrdv2.intel.com/v1/dl/getContent/787353?explicitVersion=true
Fixes: f00307522786 ("ice: Implement PTP support for E830 devices")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-1-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index 35680dbe4a7f7..161a0ae8599c1 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -5381,8 +5381,8 @@ int ice_ptp_write_incval_locked(struct ice_hw *hw, u64 incval)
*/
int ice_ptp_adj_clock(struct ice_hw *hw, s32 adj)
{
+ int err = 0;
u8 tmr_idx;
- int err;
tmr_idx = hw->func_caps.ts_func_info.tmr_index_owned;
@@ -5399,8 +5399,8 @@ int ice_ptp_adj_clock(struct ice_hw *hw, s32 adj)
err = ice_ptp_prep_phy_adj_e810(hw, adj);
break;
case ICE_MAC_E830:
- /* E830 sync PHYs automatically after setting GLTSYN_SHADJ */
- return 0;
+ /* E830 sync PHYs automatically after setting cmd register */
+ break;
case ICE_MAC_GENERIC:
err = ice_ptp_prep_phy_adj_e82x(hw, adj);
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 647/957] ice: update PCS latency settings for E825 10G/25Gb modes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (645 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 646/957] ice: fix adjust timer programming for E830 devices Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 648/957] ice: Remove jumbo_remove step from TX path Greg Kroah-Hartman
` (315 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zoltan Fodor, Aleksandr Loktionov,
Jacob Keller, Grzegorz Nitka, Sunitha Mekala, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
[ Upstream commit 05567e4052732d70c7ff9655217b3d14d25f639a ]
Update MAC Rx/Tx offset registers settings (PHY_MAC_[RX|TX]_OFFSET
registers) with the data obtained with the latest research. It applies
to PCS latency settings for the following speeds/modes:
* 10Gb NO-FEC
- TX latency changed from 71.25 ns to 73 ns
- RX latency changed from -25.6 ns to -28 ns
* 25Gb NO-FEC
- TX latency changed from 28.17 ns to 33 ns
- RX latency changed from -12.45 ns to -12 ns
* 25Gb RS-FEC
- TX latency changed from 64.5 ns to 69 ns
- RX latency changed from -3.6 ns to -3 ns
The original data came from simulation and pre-production hardware.
The new data measures the actual delays and as such is more accurate.
Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Co-developed-by: Zoltan Fodor <zoltan.fodor@intel.com>
Signed-off-by: Zoltan Fodor <zoltan.fodor@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-2-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h
index 19dddd9b53ddd..4d298c27bfb27 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h
@@ -78,14 +78,14 @@ struct ice_eth56g_mac_reg_cfg eth56g_mac_cfg[NUM_ICE_ETH56G_LNK_SPD] = {
.blktime = 0x666, /* 3.2 */
.tx_offset = {
.serdes = 0x234c, /* 17.6484848 */
- .no_fec = 0x8e80, /* 71.25 */
+ .no_fec = 0x93d9, /* 73 */
.fc = 0xb4a4, /* 90.32 */
.sfd = 0x4a4, /* 2.32 */
.onestep = 0x4ccd /* 38.4 */
},
.rx_offset = {
.serdes = 0xffffeb27, /* -10.42424 */
- .no_fec = 0xffffcccd, /* -25.6 */
+ .no_fec = 0xffffc7b6, /* -28 */
.fc = 0xfffc557b, /* -469.26 */
.sfd = 0x4a4, /* 2.32 */
.bs_ds = 0x32 /* 0.0969697 */
@@ -118,17 +118,17 @@ struct ice_eth56g_mac_reg_cfg eth56g_mac_cfg[NUM_ICE_ETH56G_LNK_SPD] = {
.mktime = 0x147b, /* 10.24, only if RS-FEC enabled */
.tx_offset = {
.serdes = 0xe1e, /* 7.0593939 */
- .no_fec = 0x3857, /* 28.17 */
+ .no_fec = 0x4266, /* 33 */
.fc = 0x48c3, /* 36.38 */
- .rs = 0x8100, /* 64.5 */
+ .rs = 0x8a00, /* 69 */
.sfd = 0x1dc, /* 0.93 */
.onestep = 0x1eb8 /* 15.36 */
},
.rx_offset = {
.serdes = 0xfffff7a9, /* -4.1697 */
- .no_fec = 0xffffe71a, /* -12.45 */
+ .no_fec = 0xffffe700, /* -12 */
.fc = 0xfffe894d, /* -187.35 */
- .rs = 0xfffff8cd, /* -3.6 */
+ .rs = 0xfffff8cc, /* -3 */
.sfd = 0x1dc, /* 0.93 */
.bs_ds = 0x14 /* 0.0387879, RS-FEC 0 */
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 648/957] ice: Remove jumbo_remove step from TX path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (646 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 647/957] ice: update PCS latency settings for E825 10G/25Gb modes Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 649/957] ice: fix double-free of tx_buf skb Greg Kroah-Hartman
` (314 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alice Mikityanska, Paolo Abeni,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Mikityanska <alice@isovalent.com>
[ Upstream commit 8b76102c5e00d1f090e0c31d17b060c76d8fa859 ]
Now that the kernel doesn't insert HBH for BIG TCP IPv6 packets, remove
unnecessary steps from the ice TX path, that used to check and remove
HBH.
Signed-off-by: Alice Mikityanska <alice@isovalent.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260205133925.526371-8-alice.kernel@fastmail.im
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1a303baa715e ("ice: fix double-free of tx_buf skb")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 73f08d02f9c76..90dbe5266ce78 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2594,9 +2594,6 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
ice_trace(xmit_frame_ring, tx_ring, skb);
- if (unlikely(ipv6_hopopt_jumbo_remove(skb)))
- goto out_drop;
-
count = ice_xmit_desc_count(skb);
if (ice_chk_linearize(skb, count)) {
if (__skb_linearize(skb))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 649/957] ice: fix double-free of tx_buf skb
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (647 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 648/957] ice: Remove jumbo_remove step from TX path Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 650/957] ice: fix ICE_AQ_LINK_SPEED_M for 200G Greg Kroah-Hartman
` (313 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 1a303baa715e6b78d6a406aaf335f87ff35acfcd ]
If ice_tso() or ice_tx_csum() fail, the error path in
ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points
to it and is marked as valid (ICE_TX_BUF_SKB).
'next_to_use' remains unchanged, so the potential problem will
likely fix itself when the next packet is transmitted and the tx_buf
gets overwritten. But if there is no next packet and the interface is
brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf()
will find the tx_buf and free the skb for the second time.
The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error
path, so that ice_unmap_and_free_tx_buf().
Move the initialization of 'first' up, to ensure it's already valid in
case we hit the linearization error path.
The bug was spotted by AI while I had it looking for something else.
It also proposed an initial version of the patch.
I reproduced the bug and tested the fix by adding code to inject
failures, on a build with KASAN.
I looked for similar bugs in related Intel drivers and did not find any.
Fixes: d76a60ba7afb ("ice: Add support for VLANs and offloads")
Assisted-by: Claude:claude-4.6-opus-high Cursor
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-4-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_txrx.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 90dbe5266ce78..e0774a640955d 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2594,6 +2594,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
ice_trace(xmit_frame_ring, tx_ring, skb);
+ /* record the location of the first descriptor for this packet */
+ first = &tx_ring->tx_buf[tx_ring->next_to_use];
+
count = ice_xmit_desc_count(skb);
if (ice_chk_linearize(skb, count)) {
if (__skb_linearize(skb))
@@ -2619,8 +2622,6 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
offload.tx_ring = tx_ring;
- /* record the location of the first descriptor for this packet */
- first = &tx_ring->tx_buf[tx_ring->next_to_use];
first->skb = skb;
first->type = ICE_TX_BUF_SKB;
first->bytecount = max_t(unsigned int, skb->len, ETH_ZLEN);
@@ -2685,6 +2686,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_tx_ring *tx_ring)
out_drop:
ice_trace(xmit_frame_ring_drop, tx_ring, skb);
dev_kfree_skb_any(skb);
+ first->type = ICE_TX_BUF_EMPTY;
return NETDEV_TX_OK;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 650/957] ice: fix ICE_AQ_LINK_SPEED_M for 200G
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (648 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 649/957] ice: fix double-free of tx_buf skb Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 651/957] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
` (312 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Greenwalt, Aleksandr Loktionov,
Simon Horman, Sunitha Mekala, Jacob Keller, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Greenwalt <paul.greenwalt@intel.com>
[ Upstream commit 4a3a940059e98539de293a6e36e464094c2e875b ]
When setting PHY configuration during driver initialization, 200G link
speed is not being advertised even when the PHY is capable. This is
because the get PHY capabilities link speed response is being masked by
ICE_AQ_LINK_SPEED_M, which does not include the 200G link speed bit.
ICE_AQ_LINK_SPEED_200GB is defined as BIT(11), but the mask 0x7FF only
covers bits 0-10. Fix ICE_AQ_LINK_SPEED_M to use GENMASK(11, 0) so
that it covers all defined link speed bits including 200G.
Fixes: 24407a01e57c ("ice: Add 200G speed/phy type use")
Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-6-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_adminq_cmd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_adminq_cmd.h b/drivers/net/ethernet/intel/ice/ice_adminq_cmd.h
index 859e9c66f3e7e..3cbb1b0582e32 100644
--- a/drivers/net/ethernet/intel/ice/ice_adminq_cmd.h
+++ b/drivers/net/ethernet/intel/ice/ice_adminq_cmd.h
@@ -1252,7 +1252,7 @@ struct ice_aqc_get_link_status_data {
#define ICE_AQ_LINK_PWR_QSFP_CLASS_3 2
#define ICE_AQ_LINK_PWR_QSFP_CLASS_4 3
__le16 link_speed;
-#define ICE_AQ_LINK_SPEED_M 0x7FF
+#define ICE_AQ_LINK_SPEED_M GENMASK(11, 0)
#define ICE_AQ_LINK_SPEED_10MB BIT(0)
#define ICE_AQ_LINK_SPEED_100MB BIT(1)
#define ICE_AQ_LINK_SPEED_1000MB BIT(2)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 651/957] i40e: dont advertise IFF_SUPP_NOFCS
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (649 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 650/957] ice: fix ICE_AQ_LINK_SPEED_M for 200G Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 652/957] iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2 Greg Kroah-Hartman
` (311 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Aleksandr Loktionov,
Sunitha Mekala, Jacob Keller, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit a24162f18825684ad04e3a5d0531f8a50d679347 ]
i40e advertises IFF_SUPP_NOFCS, allowing users to use the SO_NOFCS
socket option. However, this option is silently ignored, as the driver
does not check skb->no_fcs, and always enables FCS insertion offload.
Fix this by removing the advertisement of IFF_SUPP_NOFCS.
This behavior can be reproduced with a simple AF_PACKET socket:
import socket
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
s.setsockopt(socket.SOL_SOCKET, 43, 1) # SO_NOFCS
s.bind(("eth0", 0))
s.send(b'\xff' * 64)
Previously, send() succeeds but the driver ignores SO_NOFCS.
With this change, send() fails with -EPROTONOSUPPORT, as expected.
Fixes: 41c445ff0f48 ("i40e: main driver core")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-9-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 598739220dfb9..9f19370f1c87a 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -13784,7 +13784,6 @@ static int i40e_config_netdev(struct i40e_vsi *vsi)
netdev->neigh_priv_len = sizeof(u32) * 4;
netdev->priv_flags |= IFF_UNICAST_FLT;
- netdev->priv_flags |= IFF_SUPP_NOFCS;
/* Setup netdev TC information */
i40e_vsi_config_netdev_tc(vsi, vsi->tc_config.enabled_tc);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 652/957] iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (650 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 651/957] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 653/957] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
` (310 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Paul Menzel, Jacob Keller, Rafal Romanowski, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 496d9f91062fa07956702e0f234c5203f03a974d ]
The IAVF_RXD_LEGACY_L2TAG2_M mask was incorrectly defined as
GENMASK_ULL(63, 32), extracting 32 bits from qw2 instead of the
16-bit VLAN tag. In the legacy Rx descriptor layout, the 2nd L2TAG2
(VLAN tag) occupies bits 63:48 of qw2, not 63:32.
The oversized mask causes FIELD_GET to return a 32-bit value where the
actual VLAN tag sits in bits 31:16. When this value is passed to
iavf_receive_skb() as a u16 parameter, it gets truncated to the lower
16 bits (which contain the 1st L2TAG2, typically zero). As a result,
__vlan_hwaccel_put_tag() is never called and software VLAN interfaces
on VFs receive no traffic.
This affects VFs behind ice PF (VIRTCHNL VLAN v2) when the PF
advertises VLAN stripping into L2TAG2_2 and legacy descriptors are
used.
The flex descriptor path already uses the correct mask
(IAVF_RXD_FLEX_L2TAG2_2_M = GENMASK_ULL(63, 48)).
Reproducer:
1. Create 2 VFs on ice PF (echo 2 > sriov_numvfs)
2. Disable spoofchk on both VFs
3. Move each VF into a separate network namespace
4. On each VF: create VLAN interface (e.g. vlan 198), assign IP,
bring up
5. Set rx-vlan-offload OFF on both VFs
6. Ping between VLAN interfaces -> expect PASS
(VLAN tag stays in packet data, kernel matches in-band)
7. Set rx-vlan-offload ON on both VFs
8. Ping between VLAN interfaces -> expect FAIL if bug present
(HW strips VLAN tag into descriptor L2TAG2 field, wrong mask
extracts bits 47:32 instead of 63:48, truncated to u16 -> zero,
__vlan_hwaccel_put_tag() never called, packet delivered to parent
interface, not VLAN interface)
The reproducer requires legacy Rx descriptors. On modern ice + iavf
with full PTP support, flex descriptors are always negotiated and the
buggy legacy path is never reached. Flex descriptors require all of:
- CONFIG_PTP_1588_CLOCK enabled
- VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC granted by PF
- PTP capabilities negotiated (VIRTCHNL_VF_CAP_PTP)
- VIRTCHNL_1588_PTP_CAP_RX_TSTAMP supported
- VIRTCHNL_RXDID_2_FLEX_SQ_NIC present in DDP profile
If any condition is not met, iavf_select_rx_desc_format() falls back
to legacy descriptors (RXDID=1) and the wrong L2TAG2 mask is hit.
Fixes: 2dc8e7c36d80 ("iavf: refactor iavf_clean_rx_irq to support legacy and flex descriptors")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-10-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_type.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_type.h b/drivers/net/ethernet/intel/iavf/iavf_type.h
index 1d8cf29cb65ac..5bb1de1cfd33b 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_type.h
+++ b/drivers/net/ethernet/intel/iavf/iavf_type.h
@@ -277,7 +277,7 @@ struct iavf_rx_desc {
/* L2 Tag 2 Presence */
#define IAVF_RXD_LEGACY_L2TAG2P_M BIT(0)
/* Stripped S-TAG VLAN from the receive packet */
-#define IAVF_RXD_LEGACY_L2TAG2_M GENMASK_ULL(63, 32)
+#define IAVF_RXD_LEGACY_L2TAG2_M GENMASK_ULL(63, 48)
/* Stripped S-TAG VLAN from the receive packet */
#define IAVF_RXD_FLEX_L2TAG2_2_M GENMASK_ULL(63, 48)
/* The packet is a UDP tunneled packet */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 653/957] e1000e: Unroll PTP in probe error handling
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (651 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 652/957] iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2 Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 654/957] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
` (309 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Vollrath, Avigail Dahan,
Jacob Keller, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
[ Upstream commit aa3f7fe409350857c25d050482a2eef2cfd69b58 ]
If probe fails after registering the PTP clock and its delayed work,
these resources must be released.
This was not an issue until a 2016 fix moved the e1000e_ptp_init() call
before the jump to err_register.
Fixes: aa524b66c5ef ("e1000e: don't modify SYSTIM registers during SIOCSHWTSTAMP ioctl")
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260416-iwl-net-submission-2026-04-14-v2-12-686c33c9828d@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 3e39032696100..833b2e7a86d8c 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -7705,6 +7705,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
err_register:
if (!(adapter->flags & FLAG_HAS_AMT))
e1000e_release_hw_control(adapter);
+ e1000e_ptp_remove(adapter);
err_eeprom:
if (hw->phy.ops.check_reset_block && !hw->phy.ops.check_reset_block(hw))
e1000_phy_hw_reset(&adapter->hw);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 654/957] ipv6: fix possible UAF in icmpv6_rcv()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (652 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 653/957] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 655/957] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
` (308 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Fernando Fernandez Mancera, Joe Damato, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit f996edd7615e686ada141b7f3395025729ff8ccb ]
Caching saddr and daddr before pskb_pull() is problematic
since skb->head can change.
Remove these temporary variables:
- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr
when net_dbg_ratelimited() is called in the slow path.
- Avoid potential future misuse after pskb_pull() call.
Fixes: 4b3418fba0fe ("ipv6: icmp: include addresses in debug messages")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Joe Damato <joe@dama.to>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260416103505.2380753-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/icmp.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index aa39aabe4417e..9cf0557d0ed29 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -904,7 +904,6 @@ static int icmpv6_rcv(struct sk_buff *skb)
struct net *net = dev_net_rcu(skb->dev);
struct net_device *dev = icmp6_dev(skb);
struct inet6_dev *idev = __in6_dev_get(dev);
- const struct in6_addr *saddr, *daddr;
struct icmp6hdr *hdr;
u8 type;
@@ -935,12 +934,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
__ICMP6_INC_STATS(dev_net_rcu(dev), idev, ICMP6_MIB_INMSGS);
- saddr = &ipv6_hdr(skb)->saddr;
- daddr = &ipv6_hdr(skb)->daddr;
-
if (skb_checksum_validate(skb, IPPROTO_ICMPV6, ip6_compute_pseudo)) {
net_dbg_ratelimited("ICMPv6 checksum failed [%pI6c > %pI6c]\n",
- saddr, daddr);
+ &ipv6_hdr(skb)->saddr,
+ &ipv6_hdr(skb)->daddr);
goto csum_error;
}
@@ -1020,7 +1017,8 @@ static int icmpv6_rcv(struct sk_buff *skb)
break;
net_dbg_ratelimited("icmpv6: msg of unknown type [%pI6c > %pI6c]\n",
- saddr, daddr);
+ &ipv6_hdr(skb)->saddr,
+ &ipv6_hdr(skb)->daddr);
/*
* error of unknown type.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 655/957] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (653 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 654/957] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 656/957] pppoe: drop PFC frames Greg Kroah-Hartman
` (307 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Xin Long,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 0cf004ffb61cd32d140531c3a84afe975f9fc7ea ]
sctp_getsockopt_peer_auth_chunks() checks that the caller's optval
buffer is large enough for the peer AUTH chunk list with
if (len < num_chunks)
return -EINVAL;
but then writes num_chunks bytes to p->gauth_chunks, which lives
at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8
inside optval. The check is missing the sizeof(struct
sctp_authchunks) = 8-byte header. When the caller supplies
len == num_chunks (for any num_chunks > 0) the test passes but
copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes
past the declared buffer.
The sibling function sctp_getsockopt_local_auth_chunks() at the
next line already has the correct check:
if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
Align the peer variant with its sibling.
Reproducer confirms on v7.0-13-generic: an unprivileged userspace
caller that opens a loopback SCTP association with AUTH enabled,
queries num_chunks with a short optval, then issues the real
getsockopt with len == num_chunks and sentinel bytes painted past
the buffer observes those sentinel bytes overwritten with the
peer's AUTH chunk type. The bytes written are under the peer's
control but land in the caller's own userspace; this is not a
kernel memory corruption, but it is a kernel-side contract
violation that can silently corrupt adjacent userspace data.
Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260416031903.1447072-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index c57a53192beef..2c5ad53984906 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6990,7 +6990,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
/* See if the user provided enough room for all the data */
num_chunks = ntohs(ch->param_hdr.length) - sizeof(struct sctp_paramhdr);
- if (len < num_chunks)
+ if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;
if (copy_to_user(to, ch->chunks, num_chunks))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 656/957] pppoe: drop PFC frames
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (654 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 655/957] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
@ 2026-05-20 16:18 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 657/957] net/mlx5: Fix HCA caps leak on notifier init failure Greg Kroah-Hartman
` (306 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:18 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <qingfang.deng@linux.dev>
[ Upstream commit cc1ff87bce1ccd38410ab10960f576dcd17db679 ]
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.
If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.
To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.
Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 2 +-
drivers/net/ppp/pppoe.c | 8 +++++++-
include/linux/ppp_defs.h | 16 ++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 7ad6c241c3295..507d216256c0d 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2240,7 +2240,7 @@ ppp_do_recv(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
*/
static void __ppp_decompress_proto(struct sk_buff *skb)
{
- if (skb->data[0] & 0x01)
+ if (ppp_skb_is_compressed_proto(skb))
*(u8 *)skb_push(skb, 1) = 0x00;
}
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 4ac6afce267b9..dc6d139432387 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -424,7 +424,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
if (skb_mac_header_len(skb) < ETH_HLEN)
goto drop;
- if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
+ if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
goto drop;
ph = pppoe_hdr(skb);
@@ -434,6 +434,12 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
if (skb->len < len)
goto drop;
+ /* skb->data points to the PPP protocol header after skb_pull_rcsum.
+ * Drop PFC frames.
+ */
+ if (ppp_skb_is_compressed_proto(skb))
+ goto drop;
+
if (pskb_trim_rcsum(skb, len))
goto drop;
diff --git a/include/linux/ppp_defs.h b/include/linux/ppp_defs.h
index b7e57fdbd4139..b1d1f46d7d3be 100644
--- a/include/linux/ppp_defs.h
+++ b/include/linux/ppp_defs.h
@@ -8,6 +8,7 @@
#define _PPP_DEFS_H_
#include <linux/crc-ccitt.h>
+#include <linux/skbuff.h>
#include <uapi/linux/ppp_defs.h>
#define PPP_FCS(fcs, c) crc_ccitt_byte(fcs, c)
@@ -25,4 +26,19 @@ static inline bool ppp_proto_is_valid(u16 proto)
return !!((proto & 0x0101) == 0x0001);
}
+/**
+ * ppp_skb_is_compressed_proto - checks if PPP protocol in a skb is compressed
+ * @skb: skb to check
+ *
+ * Check if the PPP protocol field is compressed (the least significant
+ * bit of the most significant octet is 1). skb->data must point to the PPP
+ * protocol header.
+ *
+ * Return: Whether the PPP protocol field is compressed.
+ */
+static inline bool ppp_skb_is_compressed_proto(const struct sk_buff *skb)
+{
+ return unlikely(skb->data[0] & 0x01);
+}
+
#endif /* _PPP_DEFS_H_ */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 657/957] net/mlx5: Fix HCA caps leak on notifier init failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (655 preceding siblings ...)
2026-05-20 16:18 ` [PATCH 6.18 656/957] pppoe: drop PFC frames Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 658/957] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
` (305 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prathamesh Deshpande, Cosmin Ratiu,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
[ Upstream commit d03fc81a57956248383efec99967d0ae627390a8 ]
mlx5_mdev_init() allocates HCA caps via mlx5_hca_caps_alloc() before
calling mlx5_notifiers_init(). If notifier initialization fails, the
error path jumps to err_hca_caps and skips mlx5_hca_caps_free(), leaking
allocated caps.
Add a dedicated unwind label for notifier-init failure that frees HCA
caps before continuing the existing cleanup sequence.
Fixes: b6b03097f982 ("net/mlx5: Initialize events outside devlink lock")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260415005022.34764-1-prathameshdeshpande7@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 5903a4af9173b..6e10a6de8ebcc 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -1878,7 +1878,7 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
err = mlx5_notifiers_init(dev);
if (err)
- goto err_hca_caps;
+ goto err_notifiers_init;
/* The conjunction of sw_vhca_id with sw_owner_id will be a global
* unique id per function which uses mlx5_core.
@@ -1894,6 +1894,8 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
return 0;
+err_notifiers_init:
+ mlx5_hca_caps_free(dev);
err_hca_caps:
mlx5_adev_cleanup(dev);
err_adev_init:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 658/957] openvswitch: cap upcall PID array size and pre-size vport replies
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (656 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 657/957] net/mlx5: Fix HCA caps leak on notifier init failure Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 659/957] net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll() Greg Kroah-Hartman
` (304 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Ilya Maximets, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 2091c6aa0df6aba47deb5c8ab232b1cb60af3519 ]
The vport netlink reply helpers allocate a fixed-size skb with
nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID
array via ovs_vport_get_upcall_portids(). Since
ovs_vport_set_upcall_portids() accepts any non-zero multiple of
sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID
array large enough to overflow the reply buffer, causing nla_put() to
fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with
unprivileged user namespaces enabled (e.g., Ubuntu default), this is
reachable via unshare -Urn since OVS vport mutation operations use
GENL_UNS_ADMIN_PERM.
kernel BUG at net/openvswitch/datapath.c:2414!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1
RIP: 0010:ovs_vport_cmd_set+0x34c/0x400
Call Trace:
<TASK>
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)
genl_rcv_msg (net/netlink/genetlink.c:1194)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
genl_rcv (net/netlink/genetlink.c:1219)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Kernel panic - not syncing: Fatal exception
Reject attempts to set more PIDs than nr_cpu_ids in
ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply
size in ovs_vport_cmd_msg_size() based on that bound, similar to the
existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already
used by the per-CPU dispatch configuration on the datapath side
(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the
two sides stay consistent.
Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://patch.msgid.link/20260416024653.153456-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 35 +++++++++++++++++++++++++++++++++--
net/openvswitch/vport.c | 3 +++
2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index d5b6e2002bc1f..2304c8e3be4f7 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2186,9 +2186,40 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
return err;
}
+static size_t ovs_vport_cmd_msg_size(void)
+{
+ size_t msgsize = NLMSG_ALIGN(sizeof(struct ovs_header));
+
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_PORT_NO */
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_TYPE */
+ msgsize += nla_total_size(IFNAMSIZ); /* OVS_VPORT_ATTR_NAME */
+ msgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_IFINDEX */
+ msgsize += nla_total_size(sizeof(s32)); /* OVS_VPORT_ATTR_NETNSID */
+
+ /* OVS_VPORT_ATTR_STATS */
+ msgsize += nla_total_size_64bit(sizeof(struct ovs_vport_stats));
+
+ /* OVS_VPORT_ATTR_UPCALL_STATS(OVS_VPORT_UPCALL_ATTR_SUCCESS +
+ * OVS_VPORT_UPCALL_ATTR_FAIL)
+ */
+ msgsize += nla_total_size(nla_total_size_64bit(sizeof(u64)) +
+ nla_total_size_64bit(sizeof(u64)));
+
+ /* OVS_VPORT_ATTR_UPCALL_PID */
+ msgsize += nla_total_size(nr_cpu_ids * sizeof(u32));
+
+ /* OVS_VPORT_ATTR_OPTIONS(OVS_TUNNEL_ATTR_DST_PORT +
+ * OVS_TUNNEL_ATTR_EXTENSION(OVS_VXLAN_EXT_GBP))
+ */
+ msgsize += nla_total_size(nla_total_size(sizeof(u16)) +
+ nla_total_size(nla_total_size(0)));
+
+ return msgsize;
+}
+
static struct sk_buff *ovs_vport_cmd_alloc_info(void)
{
- return nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ return genlmsg_new(ovs_vport_cmd_msg_size(), GFP_KERNEL);
}
/* Called with ovs_mutex, only via ovs_dp_notify_wq(). */
@@ -2198,7 +2229,7 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport *vport, struct net *net,
struct sk_buff *skb;
int retval;
- skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ skb = ovs_vport_cmd_alloc_info();
if (!skb)
return ERR_PTR(-ENOMEM);
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index f0ce8ce1dce0e..1f0c86a9f43b0 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -407,6 +407,9 @@ int ovs_vport_set_upcall_portids(struct vport *vport, const struct nlattr *ids)
if (!nla_len(ids) || nla_len(ids) % sizeof(u32))
return -EINVAL;
+ if (nla_len(ids) / sizeof(u32) > nr_cpu_ids)
+ return -EINVAL;
+
old = ovsl_dereference(vport->upcall_portids);
vport_portids = kmalloc(sizeof(*vport_portids) + nla_len(ids),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 659/957] net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (657 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 658/957] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 660/957] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
` (303 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit b94769eb2f30e61e86cd8551c084c34134290d89 ]
Since multiple net_device TX queues can share the same hw QDMA TX queue,
there is no guarantee we have inflight packets queued in hw belonging to a
net_device TX queue stopped in the xmit path because hw QDMA TX queue
can be full. In this corner case the net_device TX queue will never be
re-activated. In order to avoid any potential net_device TX queue stall,
we need to wake all the net_device TX queues feeding the same hw QDMA TX
queue in airoha_qdma_tx_napi_poll routine.
Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260416-airoha-txq-potential-stall-v2-1-42c732074540@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 37 ++++++++++++++++++++----
drivers/net/ethernet/airoha/airoha_eth.h | 1 +
2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index cbf21e15df6dd..f8db324b141fe 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -874,6 +874,21 @@ static int airoha_qdma_init_rx(struct airoha_qdma *qdma)
return 0;
}
+static void airoha_qdma_wake_netdev_txqs(struct airoha_queue *q)
+{
+ struct airoha_qdma *qdma = q->qdma;
+ struct airoha_eth *eth = qdma->eth;
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(eth->ports); i++) {
+ struct airoha_gdm_port *port = eth->ports[i];
+
+ if (port && port->qdma == qdma)
+ netif_tx_wake_all_queues(port->dev);
+ }
+ q->txq_stopped = false;
+}
+
static int airoha_qdma_tx_napi_poll(struct napi_struct *napi, int budget)
{
struct airoha_tx_irq_queue *irq_q;
@@ -956,12 +971,21 @@ static int airoha_qdma_tx_napi_poll(struct napi_struct *napi, int budget)
txq = netdev_get_tx_queue(skb->dev, queue);
netdev_tx_completed_queue(txq, 1, skb->len);
- if (netif_tx_queue_stopped(txq) &&
- q->ndesc - q->queued >= q->free_thr)
- netif_tx_wake_queue(txq);
-
dev_kfree_skb_any(skb);
}
+
+ if (q->txq_stopped && q->ndesc - q->queued >= q->free_thr) {
+ /* Since multiple net_device TX queues can share the
+ * same hw QDMA TX queue, there is no guarantee we have
+ * inflight packets queued in hw belonging to a
+ * net_device TX queue stopped in the xmit path.
+ * In order to avoid any potential net_device TX queue
+ * stall, we need to wake all the net_device TX queues
+ * feeding the same hw QDMA TX queue.
+ */
+ airoha_qdma_wake_netdev_txqs(q);
+ }
+
unlock:
spin_unlock_bh(&q->lock);
}
@@ -1978,6 +2002,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
if (airoha_dev_tx_queue_busy(q, nr_frags)) {
/* not enough space in the queue */
netif_tx_stop_queue(txq);
+ q->txq_stopped = true;
spin_unlock_bh(&q->lock);
return NETDEV_TX_BUSY;
}
@@ -2030,8 +2055,10 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
TX_RING_CPU_IDX_MASK,
FIELD_PREP(TX_RING_CPU_IDX_MASK, q->head));
- if (q->ndesc - q->queued < q->free_thr)
+ if (q->ndesc - q->queued < q->free_thr) {
netif_tx_stop_queue(txq);
+ q->txq_stopped = true;
+ }
spin_unlock_bh(&q->lock);
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index d76f71558f8c2..054fe86d67bd1 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -181,6 +181,7 @@ struct airoha_queue {
int ndesc;
int free_thr;
int buf_size;
+ bool txq_stopped;
struct napi_struct napi;
struct page_pool *page_pool;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 660/957] netfilter: nft_osf: restrict it to ipv4
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (658 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 659/957] net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 661/957] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
` (302 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b336fdbb7103fb1484e1dcb6741151d4b5a41e35 ]
This expression only supports for ipv4, restrict it.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_osf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index 1c0b493ef0a99..bdc2f6c90e2f7 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -28,6 +28,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
struct nf_osf_data data;
struct tcphdr _tcph;
+ if (nft_pf(pkt) != NFPROTO_IPV4) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+
if (pkt->tprot != IPPROTO_TCP) {
regs->verdict.code = NFT_BREAK;
return;
@@ -114,7 +119,6 @@ static int nft_osf_validate(const struct nft_ctx *ctx,
switch (ctx->family) {
case NFPROTO_IPV4:
- case NFPROTO_IPV6:
case NFPROTO_INET:
hooks = (1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_PRE_ROUTING) |
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 661/957] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (659 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 660/957] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 662/957] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
` (301 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Florian Westphal,
Pablo Neira Ayuso, Xiang Mei, Fernando Fernandez Mancera,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 2195574dc6d9017d32ac346987e12659f931d932 ]
nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".
Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 9fc9544d4bc53..2305c7d9761eb 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt_num > ARRAY_SIZE(f->opt))
return -EINVAL;
+ if (f->wss.wc >= OSF_WSS_MAX ||
+ (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
+ return -EINVAL;
+
for (i = 0; i < f->opt_num; i++) {
if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
return -EINVAL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 662/957] netfilter: conntrack: remove sprintf usage
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (660 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 661/957] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 663/957] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
` (300 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 6e7066bdb481a87fe88c4fa563e348c03b2d373d ]
Replace it with scnprintf, the buffer sizes are expected to be large enough
to hold the result, no need for snprintf+overflow check.
Increase buffer size in mangle_content_len() while at it.
BUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5/0x1270
Write of size 1 at addr [..]
vsnprintf+0xea5/0x1270
sprintf+0xb1/0xe0
mangle_content_len+0x1ac/0x280
nf_nat_sdp_session+0x1cc/0x240
process_sdp+0x8f8/0xb80
process_invite_request+0x108/0x2b0
process_sip_msg+0x5da/0xf50
sip_help_tcp+0x45e/0x780
nf_confirm+0x34d/0x990
[..]
Fixes: 9fafcd7b2032 ("[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_nat_amanda.c | 2 +-
net/netfilter/nf_nat_sip.c | 33 ++++++++++++++++++---------------
2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c
index 98deef6cde694..8f1054920a857 100644
--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -50,7 +50,7 @@ static unsigned int help(struct sk_buff *skb,
return NF_DROP;
}
- sprintf(buffer, "%u", port);
+ snprintf(buffer, sizeof(buffer), "%u", port);
if (!nf_nat_mangle_udp_packet(skb, exp->master, ctinfo,
protoff, matchoff, matchlen,
buffer, strlen(buffer))) {
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index cf4aeb299bdef..c845b6d1a2bdf 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -68,25 +68,27 @@ static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff,
}
static int sip_sprintf_addr(const struct nf_conn *ct, char *buffer,
+ size_t size,
const union nf_inet_addr *addr, bool delim)
{
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
- return sprintf(buffer, "%pI4", &addr->ip);
+ return scnprintf(buffer, size, "%pI4", &addr->ip);
else {
if (delim)
- return sprintf(buffer, "[%pI6c]", &addr->ip6);
+ return scnprintf(buffer, size, "[%pI6c]", &addr->ip6);
else
- return sprintf(buffer, "%pI6c", &addr->ip6);
+ return scnprintf(buffer, size, "%pI6c", &addr->ip6);
}
}
static int sip_sprintf_addr_port(const struct nf_conn *ct, char *buffer,
+ size_t size,
const union nf_inet_addr *addr, u16 port)
{
if (nf_ct_l3num(ct) == NFPROTO_IPV4)
- return sprintf(buffer, "%pI4:%u", &addr->ip, port);
+ return scnprintf(buffer, size, "%pI4:%u", &addr->ip, port);
else
- return sprintf(buffer, "[%pI6c]:%u", &addr->ip6, port);
+ return scnprintf(buffer, size, "[%pI6c]:%u", &addr->ip6, port);
}
static int map_addr(struct sk_buff *skb, unsigned int protoff,
@@ -119,7 +121,7 @@ static int map_addr(struct sk_buff *skb, unsigned int protoff,
if (nf_inet_addr_cmp(&newaddr, addr) && newport == port)
return 1;
- buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, ntohs(newport));
+ buflen = sip_sprintf_addr_port(ct, buffer, sizeof(buffer), &newaddr, ntohs(newport));
return mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen);
}
@@ -212,7 +214,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&addr, true) > 0 &&
nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3) &&
!nf_inet_addr_cmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3)) {
- buflen = sip_sprintf_addr(ct, buffer,
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer),
&ct->tuplehash[!dir].tuple.dst.u3,
true);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
@@ -229,7 +231,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
&addr, false) > 0 &&
nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.dst.u3) &&
!nf_inet_addr_cmp(&addr, &ct->tuplehash[!dir].tuple.src.u3)) {
- buflen = sip_sprintf_addr(ct, buffer,
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer),
&ct->tuplehash[!dir].tuple.src.u3,
false);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
@@ -247,7 +249,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
- buflen = sprintf(buffer, "%u", ntohs(p));
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", ntohs(p));
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
poff, plen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle rport");
@@ -418,7 +420,8 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff,
if (!nf_inet_addr_cmp(&exp->tuple.dst.u3, &exp->saved_addr) ||
exp->tuple.dst.u.udp.port != exp->saved_proto.udp.port) {
- buflen = sip_sprintf_addr_port(ct, buffer, &newaddr, port);
+ buflen = sip_sprintf_addr_port(ct, buffer, sizeof(buffer),
+ &newaddr, port);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen)) {
nf_ct_helper_log(skb, ct, "cannot mangle packet");
@@ -438,8 +441,8 @@ static int mangle_content_len(struct sk_buff *skb, unsigned int protoff,
{
enum ip_conntrack_info ctinfo;
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+ char buffer[sizeof("4294967295")];
unsigned int matchoff, matchlen;
- char buffer[sizeof("65536")];
int buflen, c_len;
/* Get actual SDP length */
@@ -454,7 +457,7 @@ static int mangle_content_len(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen) <= 0)
return 0;
- buflen = sprintf(buffer, "%u", c_len);
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", c_len);
return mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen);
}
@@ -491,7 +494,7 @@ static unsigned int nf_nat_sdp_addr(struct sk_buff *skb, unsigned int protoff,
char buffer[INET6_ADDRSTRLEN];
unsigned int buflen;
- buflen = sip_sprintf_addr(ct, buffer, addr, false);
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer), addr, false);
if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen,
sdpoff, type, term, buffer, buflen))
return 0;
@@ -509,7 +512,7 @@ static unsigned int nf_nat_sdp_port(struct sk_buff *skb, unsigned int protoff,
char buffer[sizeof("nnnnn")];
unsigned int buflen;
- buflen = sprintf(buffer, "%u", port);
+ buflen = scnprintf(buffer, sizeof(buffer), "%u", port);
if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
matchoff, matchlen, buffer, buflen))
return 0;
@@ -529,7 +532,7 @@ static unsigned int nf_nat_sdp_session(struct sk_buff *skb, unsigned int protoff
unsigned int buflen;
/* Mangle session description owner and contact addresses */
- buflen = sip_sprintf_addr(ct, buffer, addr, false);
+ buflen = sip_sprintf_addr(ct, buffer, sizeof(buffer), addr, false);
if (mangle_sdp_packet(skb, protoff, dataoff, dptr, datalen, sdpoff,
SDP_HDR_OWNER, SDP_HDR_MEDIA, buffer, buflen))
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 663/957] netfilter: xtables: restrict several matches to inet family
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (661 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 662/957] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 664/957] netfilter: nat: use kfree_rcu to release ops Greg Kroah-Hartman
` (299 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501),
Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit b6fe26f86a1649f84e057f3f15605b08eda15497 ]
This is a partial revert of:
commit ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
to allow ipv4 and ipv6 only.
- xt_mac
- xt_owner
- xt_physdev
These extensions are not used by ebtables in userspace.
Moreover, xt_realm is only for ipv4, since dst->tclassid is ipv4
specific.
Fixes: ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")
Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_mac.c | 34 +++++++++++++++++++++++-----------
net/netfilter/xt_owner.c | 37 +++++++++++++++++++++++++------------
net/netfilter/xt_physdev.c | 29 +++++++++++++++++++----------
net/netfilter/xt_realm.c | 2 +-
4 files changed, 68 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 81649da57ba5d..bd2354760895d 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -38,25 +38,37 @@ static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
return ret;
}
-static struct xt_match mac_mt_reg __read_mostly = {
- .name = "mac",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .match = mac_mt,
- .matchsize = sizeof(struct xt_mac_info),
- .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
- (1 << NF_INET_FORWARD),
- .me = THIS_MODULE,
+static struct xt_match mac_mt_reg[] __read_mostly = {
+ {
+ .name = "mac",
+ .family = NFPROTO_IPV4,
+ .match = mac_mt,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "mac",
+ .family = NFPROTO_IPV6,
+ .match = mac_mt,
+ .matchsize = sizeof(struct xt_mac_info),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD),
+ .me = THIS_MODULE,
+ },
};
static int __init mac_mt_init(void)
{
- return xt_register_match(&mac_mt_reg);
+ return xt_register_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
}
static void __exit mac_mt_exit(void)
{
- xt_unregister_match(&mac_mt_reg);
+ xt_unregister_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));
}
module_init(mac_mt_init);
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 50332888c8d23..7be2fe22b067e 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -127,26 +127,39 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
return true;
}
-static struct xt_match owner_mt_reg __read_mostly = {
- .name = "owner",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .checkentry = owner_check,
- .match = owner_mt,
- .matchsize = sizeof(struct xt_owner_match_info),
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
+static struct xt_match owner_mt_reg[] __read_mostly = {
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .checkentry = owner_check,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .checkentry = owner_check,
+ .match = owner_mt,
+ .matchsize = sizeof(struct xt_owner_match_info),
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING),
+ .me = THIS_MODULE,
+ }
};
static int __init owner_mt_init(void)
{
- return xt_register_match(&owner_mt_reg);
+ return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
static void __exit owner_mt_exit(void)
{
- xt_unregister_match(&owner_mt_reg);
+ xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
}
module_init(owner_mt_init);
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 343e65f377d44..130842c35c6fa 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -115,24 +115,33 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
return 0;
}
-static struct xt_match physdev_mt_reg __read_mostly = {
- .name = "physdev",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = physdev_mt_check,
- .match = physdev_mt,
- .matchsize = sizeof(struct xt_physdev_info),
- .me = THIS_MODULE,
+static struct xt_match physdev_mt_reg[] __read_mostly = {
+ {
+ .name = "physdev",
+ .family = NFPROTO_IPV4,
+ .checkentry = physdev_mt_check,
+ .match = physdev_mt,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "physdev",
+ .family = NFPROTO_IPV6,
+ .checkentry = physdev_mt_check,
+ .match = physdev_mt,
+ .matchsize = sizeof(struct xt_physdev_info),
+ .me = THIS_MODULE,
+ },
};
static int __init physdev_mt_init(void)
{
- return xt_register_match(&physdev_mt_reg);
+ return xt_register_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
}
static void __exit physdev_mt_exit(void)
{
- xt_unregister_match(&physdev_mt_reg);
+ xt_unregister_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));
}
module_init(physdev_mt_init);
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 6df485f4403d0..61b2f1e58d150 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -33,7 +33,7 @@ static struct xt_match realm_mt_reg __read_mostly = {
.matchsize = sizeof(struct xt_realm_info),
.hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |
(1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.me = THIS_MODULE
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 664/957] netfilter: nat: use kfree_rcu to release ops
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (662 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 663/957] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 665/957] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
` (298 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 6eda0d771f94267f73f57c94630aa47e90957915 ]
Florian Westphal says:
"Historically this is not an issue, even for normal base hooks: the data
path doesn't use the original nf_hook_ops that are used to register the
callbacks.
However, in v5.14 I added the ability to dump the active netfilter
hooks from userspace.
This code will peek back into the nf_hook_ops that are available
at the tail of the pointer-array blob used by the datapath.
The nat hooks are special, because they are called indirectly from
the central nat dispatcher hook. They are currently invisible to
the nfnl hook dump subsystem though.
But once that changes the nat ops structures have to be deferred too."
Update nf_nat_register_fn() to deal with partial exposition of the hooks
from error path which can be also an issue for nfnetlink_hook.
Fixes: e2cf17d3774c ("netfilter: add new hook nfnl subsystem")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/iptable_nat.c | 4 ++--
net/ipv6/netfilter/ip6table_nat.c | 4 ++--
net/netfilter/nf_nat_core.c | 10 ++++++----
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index a5db7c67d61be..625a1ca13b1ba 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -79,7 +79,7 @@ static int ipt_nat_register_lookups(struct net *net)
while (i)
nf_nat_ipv4_unregister_fn(net, &ops[--i]);
- kfree(ops);
+ kfree_rcu(ops, rcu);
return ret;
}
}
@@ -100,7 +100,7 @@ static void ipt_nat_unregister_lookups(struct net *net)
for (i = 0; i < ARRAY_SIZE(nf_nat_ipv4_ops); i++)
nf_nat_ipv4_unregister_fn(net, &ops[i]);
- kfree(ops);
+ kfree_rcu(ops, rcu);
}
static int iptable_nat_table_init(struct net *net)
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index e119d4f090cc8..5be723232df8f 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -81,7 +81,7 @@ static int ip6t_nat_register_lookups(struct net *net)
while (i)
nf_nat_ipv6_unregister_fn(net, &ops[--i]);
- kfree(ops);
+ kfree_rcu(ops, rcu);
return ret;
}
}
@@ -102,7 +102,7 @@ static void ip6t_nat_unregister_lookups(struct net *net)
for (i = 0; i < ARRAY_SIZE(nf_nat_ipv6_ops); i++)
nf_nat_ipv6_unregister_fn(net, &ops[i]);
- kfree(ops);
+ kfree_rcu(ops, rcu);
}
static int ip6table_nat_table_init(struct net *net)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index e6b24586d2fed..8e36b4e3e5c47 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -1228,9 +1228,11 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
ret = nf_register_net_hooks(net, nat_ops, ops_count);
if (ret < 0) {
mutex_unlock(&nf_nat_proto_mutex);
- for (i = 0; i < ops_count; i++)
- kfree(nat_ops[i].priv);
- kfree(nat_ops);
+ for (i = 0; i < ops_count; i++) {
+ priv = nat_ops[i].priv;
+ kfree_rcu(priv, rcu_head);
+ }
+ kfree_rcu(nat_ops, rcu);
return ret;
}
@@ -1294,7 +1296,7 @@ void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
}
nat_proto_net->nat_hook_ops = NULL;
- kfree(nat_ops);
+ kfree_rcu(nat_ops, rcu);
}
unlock:
mutex_unlock(&nf_nat_proto_mutex);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 665/957] ipvs: fix MTU check for GSO packets in tunnel mode
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (663 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 664/957] netfilter: nat: use kfree_rcu to release ops Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 666/957] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
` (297 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yingnan Zhang, Julian Anastasov,
Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yingnan Zhang <342144303@qq.com>
[ Upstream commit 67bf42cae41d847fd6e5749eb68278ca5d748b25 ]
Currently, IPVS skips MTU checks for GSO packets by excluding them with
the !skb_is_gso(skb) condition. This creates problems when IPVS tunnel
mode encapsulates GSO packets with IPIP headers.
The issue manifests in two ways:
1. MTU violation after encapsulation:
When a GSO packet passes through IPVS tunnel mode, the original MTU
check is bypassed. After adding the IPIP tunnel header, the packet
size may exceed the outgoing interface MTU, leading to unexpected
fragmentation at the IP layer.
2. Fragmentation with problematic IP IDs:
When net.ipv4.vs.pmtu_disc=1 and a GSO packet with multiple segments
is fragmented after encapsulation, each segment gets a sequentially
incremented IP ID (0, 1, 2, ...). This happens because:
a) The GSO packet bypasses MTU check and gets encapsulated
b) At __ip_finish_output, the oversized GSO packet is split into
separate SKBs (one per segment), with IP IDs incrementing
c) Each SKB is then fragmented again based on the actual MTU
This sequential IP ID allocation differs from the expected behavior
and can cause issues with fragment reassembly and packet tracking.
Fix this by properly validating GSO packets using
skb_gso_validate_network_len(). This function correctly validates
whether the GSO segments will fit within the MTU after segmentation. If
validation fails, send an ICMP Fragmentation Needed message to enable
proper PMTU discovery.
Fixes: 4cdd34084d53 ("netfilter: nf_conntrack_ipv6: improve fragmentation handling")
Signed-off-by: Yingnan Zhang <342144303@qq.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_xmit.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index ecbcdc43263d6..fc254d1f59de9 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -103,6 +103,18 @@ __ip_vs_dst_check(struct ip_vs_dest *dest)
return dest_dst;
}
+/* Based on ip_exceeds_mtu(). */
+static bool ip_vs_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
+{
+ if (skb->len <= mtu)
+ return false;
+
+ if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
+ return false;
+
+ return true;
+}
+
static inline bool
__mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
{
@@ -112,10 +124,9 @@ __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
*/
if (IP6CB(skb)->frag_max_size > mtu)
return true; /* largest fragment violate MTU */
- }
- else if (skb->len > mtu && !skb_is_gso(skb)) {
+ } else if (ip_vs_exceeds_mtu(skb, mtu))
return true; /* Packet size violate MTU size */
- }
+
return false;
}
@@ -233,7 +244,7 @@ static inline bool ensure_mtu_is_adequate(struct netns_ipvs *ipvs, int skb_af,
return true;
if (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&
- skb->len > mtu && !skb_is_gso(skb) &&
+ ip_vs_exceeds_mtu(skb, mtu) &&
!ip_vs_iph_icmp(ipvsh))) {
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
htonl(mtu));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 666/957] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (664 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 665/957] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 667/957] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
` (296 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit f5ca450087c3baf3651055e7a6de92600f827af3 ]
In nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once
and passed by reference to nf_osf_match_one() for each fingerprint
checked. During TCP option parsing, nf_osf_match_one() advances the
shared ctx->optp pointer.
If a fingerprint perfectly matches, the function returns early without
restoring ctx->optp to its initial state. If the user has configured
NF_OSF_LOGLEVEL_ALL, the loop continues to the next fingerprint.
However, because ctx->optp was not restored, the next call to
nf_osf_match_one() starts parsing from the end of the options buffer.
This causes subsequent matches to read garbage data and fail
immediately, making it impossible to log more than one match or logging
incorrect matches.
Instead of using a shared ctx->optp pointer, pass the context as a
constant pointer and use a local pointer (optp) for TCP option
traversal. This makes nf_osf_match_one() strictly stateless from the
caller's perspective, ensuring every fingerprint check starts at the
correct option offset.
Fixes: 1a6a0951fc00 ("netfilter: nfnetlink_osf: add missing fmatch check")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 2305c7d9761eb..832a973c41777 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -64,9 +64,9 @@ struct nf_osf_hdr_ctx {
static bool nf_osf_match_one(const struct sk_buff *skb,
const struct nf_osf_user_finger *f,
int ttl_check,
- struct nf_osf_hdr_ctx *ctx)
+ const struct nf_osf_hdr_ctx *ctx)
{
- const __u8 *optpinit = ctx->optp;
+ const __u8 *optp = ctx->optp;
unsigned int check_WSS = 0;
int fmatch = FMATCH_WRONG;
int foptsize, optnum;
@@ -95,17 +95,17 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
check_WSS = f->wss.wc;
for (optnum = 0; optnum < f->opt_num; ++optnum) {
- if (f->opt[optnum].kind == *ctx->optp) {
+ if (f->opt[optnum].kind == *optp) {
__u32 len = f->opt[optnum].length;
- const __u8 *optend = ctx->optp + len;
+ const __u8 *optend = optp + len;
fmatch = FMATCH_OK;
- switch (*ctx->optp) {
+ switch (*optp) {
case OSFOPT_MSS:
- mss = ctx->optp[3];
+ mss = optp[3];
mss <<= 8;
- mss |= ctx->optp[2];
+ mss |= optp[2];
mss = ntohs((__force __be16)mss);
break;
@@ -113,7 +113,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
break;
}
- ctx->optp = optend;
+ optp = optend;
} else
fmatch = FMATCH_OPT_WRONG;
@@ -156,9 +156,6 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
}
}
- if (fmatch != FMATCH_OK)
- ctx->optp = optpinit;
-
return fmatch == FMATCH_OK;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 667/957] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (665 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 666/957] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 668/957] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
` (295 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501),
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 711987ba281fd806322a7cd244e98e2a81903114 ]
The nf_osf_ttl() function accessed skb->dev to perform a local interface
address lookup without verifying that the device pointer was valid.
Additionally, the implementation utilized an in_dev_for_each_ifa_rcu
loop to match the packet source address against local interface
addresses. It assumed that packets from the same subnet should not see a
decrement on the initial TTL. A packet might appear it is from the same
subnet but it actually isn't especially in modern environments with
containers and virtual switching.
Remove the device dereference and interface loop. Replace the logic with
a switch statement that evaluates the TTL according to the ttl_check.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Kito Xu (veritas501) <hxzene@gmail.com>
Closes: https://lore.kernel.org/netfilter-devel/20260414074556.2512750-1-hxzene@gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nfnetlink_osf.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 832a973c41777..c89efb951994a 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -31,26 +31,18 @@ EXPORT_SYMBOL_GPL(nf_osf_fingers);
static inline int nf_osf_ttl(const struct sk_buff *skb,
int ttl_check, unsigned char f_ttl)
{
- struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
const struct iphdr *ip = ip_hdr(skb);
- const struct in_ifaddr *ifa;
- int ret = 0;
- if (ttl_check == NF_OSF_TTL_TRUE)
+ switch (ttl_check) {
+ case NF_OSF_TTL_TRUE:
return ip->ttl == f_ttl;
- if (ttl_check == NF_OSF_TTL_NOCHECK)
- return 1;
- else if (ip->ttl <= f_ttl)
+ break;
+ case NF_OSF_TTL_NOCHECK:
return 1;
-
- in_dev_for_each_ifa_rcu(ifa, in_dev) {
- if (inet_ifa_match(ip->saddr, ifa)) {
- ret = (ip->ttl == f_ttl);
- break;
- }
+ case NF_OSF_TTL_LESS:
+ default:
+ return ip->ttl <= f_ttl;
}
-
- return ret;
}
struct nf_osf_hdr_ctx {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 668/957] slip: reject VJ receive packets on instances with no rstate array
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (666 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 667/957] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 669/957] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
` (294 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit e76607442d5b73e1ba6768f501ef815bb58c2c0e ]
slhc_init() accepts rslots == 0 as a valid configuration, with the
documented meaning of 'no receive compression'. In that case the
allocation loop in slhc_init() is skipped, so comp->rstate stays
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct
slcompress).
The receive helpers do not defend against that configuration.
slhc_uncompress() dereferences comp->rstate[x] when the VJ header
carries an explicit connection ID, and slhc_remember() later assigns
cs = &comp->rstate[...] after only comparing the packet's slot number
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the
range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID
stores its argument in a signed int, and (val >> 16) uses arithmetic
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path
is reachable from an unprivileged user namespace. Once the malformed
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed
frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
Call Trace:
<TASK>
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
ppp_input (drivers/net/ppp/ppp_generic.c:2359)
ppp_async_process (drivers/net/ppp/ppp_async.c:492)
tasklet_action_common (kernel/softirq.c:926)
handle_softirqs (kernel/softirq.c:623)
run_ksoftirqd (kernel/softirq.c:1055)
smpboot_thread_fn (kernel/smpboot.c:160)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:164)
</TASK>
Reject the receive side on such instances instead of touching rstate.
slhc_uncompress() falls through to its existing 'bad' label, which
bumps sls_i_error and enters the toss state. slhc_remember() mirrors
that with an explicit sls_i_error increment followed by slhc_toss();
the sls_i_runt counter is not used here because a missing rstate is
an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid
and slhc_compress() continues to work.
Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415204130.258866-2-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slhc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index ee9fd3a94b96f..fcb3eebe7311c 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -506,6 +506,8 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
comp->sls_i_error++;
return 0;
}
+ if (!comp->rstate)
+ goto bad;
changes = *cp++;
if(changes & NEW_C){
/* Make sure the state index is in range, then grab the state.
@@ -649,6 +651,10 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
struct cstate *cs;
unsigned int ihl;
+ if (!comp->rstate) {
+ comp->sls_i_error++;
+ return slhc_toss(comp);
+ }
/* The packet is shorter than a legal IP header.
* Also make sure isize is positive.
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 669/957] slip: bound decode() reads against the compressed packet length
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (667 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 668/957] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 670/957] net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() Greg Kroah-Hartman
` (293 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Weiming Shi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 ]
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/netdev/20260414134126.758795-2-horms@kernel.org/
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260416100147.531855-5-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/slip/slhc.c | 43 ++++++++++++++++++++++++-----------------
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index fcb3eebe7311c..daf086c283423 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -80,9 +80,9 @@
#include <linux/unaligned.h>
static unsigned char *encode(unsigned char *cp, unsigned short n);
-static long decode(unsigned char **cpp);
+static long decode(unsigned char **cpp, const unsigned char *end);
static unsigned char * put16(unsigned char *cp, unsigned short x);
-static unsigned short pull16(unsigned char **cpp);
+static long pull16(unsigned char **cpp, const unsigned char *end);
/* Allocate compression data structure
* slots must be in range 0 to 255 (zero meaning no compression)
@@ -190,30 +190,34 @@ encode(unsigned char *cp, unsigned short n)
return cp;
}
-/* Pull a 16-bit integer in host order from buffer in network byte order */
-static unsigned short
-pull16(unsigned char **cpp)
+/* Pull a 16-bit integer in host order from buffer in network byte order.
+ * Returns -1 if the buffer is exhausted, otherwise the 16-bit value.
+ */
+static long
+pull16(unsigned char **cpp, const unsigned char *end)
{
- short rval;
+ long rval;
+ if (*cpp + 2 > end)
+ return -1;
rval = *(*cpp)++;
rval <<= 8;
rval |= *(*cpp)++;
return rval;
}
-/* Decode a number */
+/* Decode a number. Returns -1 if the buffer is exhausted. */
static long
-decode(unsigned char **cpp)
+decode(unsigned char **cpp, const unsigned char *end)
{
int x;
+ if (*cpp >= end)
+ return -1;
x = *(*cpp)++;
- if(x == 0){
- return pull16(cpp) & 0xffff; /* pull16 returns -1 on error */
- } else {
- return x & 0xff; /* -1 if PULLCHAR returned error */
- }
+ if (x == 0)
+ return pull16(cpp, end);
+ return x & 0xff;
}
/*
@@ -499,6 +503,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
struct cstate *cs;
int len, hdrlen;
unsigned char *cp = icp;
+ const unsigned char *end = icp + isize;
/* We've got a compressed packet; read the change byte */
comp->sls_i_compressed++;
@@ -536,6 +541,8 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
thp = &cs->cs_tcp;
ip = &cs->cs_ip;
+ if (cp + 2 > end)
+ goto bad;
thp->check = *(__sum16 *)cp;
cp += 2;
@@ -566,26 +573,26 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
default:
if(changes & NEW_U){
thp->urg = 1;
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->urg_ptr = htons(x);
} else
thp->urg = 0;
if(changes & NEW_W){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->window = htons( ntohs(thp->window) + x);
}
if(changes & NEW_A){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->ack_seq = htonl( ntohl(thp->ack_seq) + x);
}
if(changes & NEW_S){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
thp->seq = htonl( ntohl(thp->seq) + x);
@@ -593,7 +600,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
break;
}
if(changes & NEW_I){
- if((x = decode(&cp)) == -1) {
+ if((x = decode(&cp, end)) == -1) {
goto bad;
}
ip->id = htons (ntohs (ip->id) + x);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 670/957] net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (668 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 669/957] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 671/957] arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0 Greg Kroah-Hartman
` (292 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501), Chia-Yu Chang,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Yu Chang <chia-yu.chang@nokia-bell-labs.com>
[ Upstream commit 478ed6b7d2577439c610f91fa8759a4c878a4264 ]
Fix dualpi2_change() to correctly enforce updated limit and memlimit
values after a configuration change of the dualpi2 qdisc.
Before this patch, dualpi2_change() always attempted to dequeue packets
via the root qdisc (C-queue) when reducing backlog or memory usage, and
unconditionally assumed that a valid skb will be returned. When traffic
classification results in packets being queued in the L-queue while the
C-queue is empty, this leads to a NULL skb dereference during limit or
memlimit enforcement.
This is fixed by first dequeuing from the C-queue path if it is
non-empty. Once the C-queue is empty, packets are dequeued directly from
the L-queue. Return values from qdisc_dequeue_internal() are checked for
both queues. When dequeuing from the L-queue, the parent qdisc qlen and
backlog counters are updated explicitly to keep overall qdisc statistics
consistent.
Fixes: 320d031ad6e4 ("sched: Struct definition and parsing of dualpi2 qdisc")
Reported-by: "Kito Xu (veritas501)" <hxzene@gmail.com>
Closes: https://lore.kernel.org/netdev/20260413075740.2234828-1-hxzene@gmail.com/
Signed-off-by: Chia-Yu Chang <chia-yu.chang@nokia-bell-labs.com>
Link: https://patch.msgid.link/20260417152551.71648-1-chia-yu.chang@nokia-bell-labs.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_dualpi2.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_dualpi2.c b/net/sched/sch_dualpi2.c
index 4b975feb52b1f..efa32240c5a95 100644
--- a/net/sched/sch_dualpi2.c
+++ b/net/sched/sch_dualpi2.c
@@ -871,11 +871,35 @@ static int dualpi2_change(struct Qdisc *sch, struct nlattr *opt,
old_backlog = sch->qstats.backlog;
while (qdisc_qlen(sch) > sch->limit ||
q->memory_used > q->memory_limit) {
- struct sk_buff *skb = qdisc_dequeue_internal(sch, true);
+ struct sk_buff *skb = NULL;
- q->memory_used -= skb->truesize;
- qdisc_qstats_backlog_dec(sch, skb);
- rtnl_qdisc_drop(skb, sch);
+ if (qdisc_qlen(sch) > qdisc_qlen(q->l_queue)) {
+ skb = qdisc_dequeue_internal(sch, true);
+ if (unlikely(!skb)) {
+ WARN_ON_ONCE(1);
+ break;
+ }
+ q->memory_used -= skb->truesize;
+ rtnl_qdisc_drop(skb, sch);
+ } else if (qdisc_qlen(q->l_queue)) {
+ skb = qdisc_dequeue_internal(q->l_queue, true);
+ if (unlikely(!skb)) {
+ WARN_ON_ONCE(1);
+ break;
+ }
+ /* L-queue packets are counted in both sch and
+ * l_queue on enqueue; qdisc_dequeue_internal()
+ * handled l_queue, so we further account for sch.
+ */
+ --sch->q.qlen;
+ qdisc_qstats_backlog_dec(sch, skb);
+ q->memory_used -= skb->truesize;
+ rtnl_qdisc_drop(skb, q->l_queue);
+ qdisc_qstats_drop(sch);
+ } else {
+ WARN_ON_ONCE(1);
+ break;
+ }
}
qdisc_tree_reduce_backlog(sch, old_qlen - qdisc_qlen(sch),
old_backlog - sch->qstats.backlog);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 671/957] arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (669 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 670/957] net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 672/957] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
` (291 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anand Moon, Neil Armstrong,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anand Moon <linux.amoon@gmail.com>
[ Upstream commit 918273be0885362a9a00615b46e03f15f8b55667 ]
Add missing L1 data and instruction cache parameters to the CPU node 0
for the Cortex-A53 caches on the Meson AXG SoC.
Fixes: 3b6ad2a43367 ("arm64: dts: amlogic: Add cache information to the Amlogic AXG SoCS")
Signed-off-by: Anand Moon <linux.amoon@gmail.com>
Link: https://patch.msgid.link/20260219103548.18392-1-linux.amoon@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi
index bbf94a1f92a10..3058b60338dbf 100644
--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi
+++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi
@@ -72,6 +72,12 @@ cpu0: cpu@0 {
compatible = "arm,cortex-a53";
reg = <0x0 0x0>;
enable-method = "psci";
+ d-cache-line-size = <32>;
+ d-cache-size = <0x8000>;
+ d-cache-sets = <32>;
+ i-cache-line-size = <32>;
+ i-cache-size = <0x8000>;
+ i-cache-sets = <32>;
next-level-cache = <&l2>;
clocks = <&scpi_dvfs 0>;
dynamic-power-coefficient = <140>;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 672/957] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (670 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 671/957] arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0 Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 673/957] pwm: atmel-tcb: Cache clock rates and mark chip as atomic Greg Kroah-Hartman
` (290 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jun Yan, Martin Blumenstingl,
Neil Armstrong, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jun Yan <jerrysteve1101@gmail.com>
[ Upstream commit 174a0ef3b33434f475c87e66f37980e39b73805a ]
Correct the interrupt number assigned to the Realtek PHY in the p230
following the same logic as commit 3106507e1004 ("ARM64: dts: meson-gxm:
fix q200 interrupt number"),as reported in [PATCH 0/2] Ethernet PHY
interrupt improvements [1].
[1] https://lore.kernel.org/all/20171202214037.17017-1-martin.blumenstingl@googlemail.com/
Fixes: b94d22d94ad2 ("ARM64: dts: meson-gx: add external PHY interrupt on some platforms")
Signed-off-by: Jun Yan <jerrysteve1101@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20260330145111.115318-1-jerrysteve1101@gmail.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
index 7dffeb5931c9b..701de57ff0f37 100644
--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
+++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-p230.dts
@@ -84,7 +84,8 @@ external_phy: ethernet-phy@0 {
reset-gpios = <&gpio GPIOZ_14 GPIO_ACTIVE_LOW>;
interrupt-parent = <&gpio_intc>;
- interrupts = <29 IRQ_TYPE_LEVEL_LOW>;
+ /* MAC_INTR on GPIOZ_15 */
+ interrupts = <25 IRQ_TYPE_LEVEL_LOW>;
eee-broken-1000t;
};
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 673/957] pwm: atmel-tcb: Cache clock rates and mark chip as atomic
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (671 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 672/957] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 674/957] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
` (289 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sangyun Kim, Uwe Kleine-König,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sangyun Kim <sangyun.kim@snu.ac.kr>
[ Upstream commit 68637b68afcc3cb4d56aca14a3a1d1b47b879369 ]
atmel_tcb_pwm_apply() holds tcbpwmc->lock as a spinlock via
guard(spinlock)() and then calls atmel_tcb_pwm_config(), which calls
clk_get_rate() twice. clk_get_rate() acquires clk_prepare_lock (a
mutex), so this is a sleep-in-atomic-context violation.
On CONFIG_DEBUG_ATOMIC_SLEEP kernels every pwm_apply_state() that
enables or reconfigures the PWM triggers a "BUG: sleeping function
called from invalid context" warning.
Acquire exclusive control over the clock rates with
clk_rate_exclusive_get() at probe time and cache the rates in struct
atmel_tcb_pwm_chip, then read the cached rates from
atmel_tcb_pwm_config(). This keeps the spinlock-based mutual exclusion
introduced in commit 37f7707077f5 ("pwm: atmel-tcb: Fix race condition
and convert to guards") and removes the sleeping calls from the atomic
section.
With no sleeping calls left in .apply() and the regmap-mmio bus already
running with fast_io=true, also mark the chip as atomic so consumers
can use pwm_apply_atomic() from atomic context.
Fixes: 37f7707077f5 ("pwm: atmel-tcb: Fix race condition and convert to guards")
Signed-off-by: Sangyun Kim <sangyun.kim@snu.ac.kr>
Link: https://patch.msgid.link/20260419080838.3192357-1-sangyun.kim@snu.ac.kr
[ukleinek: Ensure .clk is enabled before calling clk_get_rate on it.]
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-atmel-tcb.c | 38 +++++++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c
index f9ff78ba122d4..3d30aeab507e0 100644
--- a/drivers/pwm/pwm-atmel-tcb.c
+++ b/drivers/pwm/pwm-atmel-tcb.c
@@ -50,6 +50,8 @@ struct atmel_tcb_pwm_chip {
spinlock_t lock;
u8 channel;
u8 width;
+ unsigned long rate;
+ unsigned long slow_rate;
struct regmap *regmap;
struct clk *clk;
struct clk *gclk;
@@ -266,7 +268,7 @@ static int atmel_tcb_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
int slowclk = 0;
unsigned period;
unsigned duty;
- unsigned rate = clk_get_rate(tcbpwmc->clk);
+ unsigned long rate = tcbpwmc->rate;
unsigned long long min;
unsigned long long max;
@@ -294,7 +296,7 @@ static int atmel_tcb_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
*/
if (i == ARRAY_SIZE(atmel_tcb_divisors)) {
i = slowclk;
- rate = clk_get_rate(tcbpwmc->slow_clk);
+ rate = tcbpwmc->slow_rate;
min = div_u64(NSEC_PER_SEC, rate);
max = min << tcbpwmc->width;
@@ -431,24 +433,49 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
}
chip->ops = &atmel_tcb_pwm_ops;
+ chip->atomic = true;
tcbpwmc->channel = channel;
tcbpwmc->width = config->counter_width;
- err = clk_prepare_enable(tcbpwmc->slow_clk);
+ err = clk_prepare_enable(tcbpwmc->clk);
if (err)
goto err_gclk;
+ err = clk_prepare_enable(tcbpwmc->slow_clk);
+ if (err)
+ goto err_disable_clk;;
+
+ err = clk_rate_exclusive_get(tcbpwmc->clk);
+ if (err)
+ goto err_disable_slow_clk;
+
+ err = clk_rate_exclusive_get(tcbpwmc->slow_clk);
+ if (err)
+ goto err_clk_unlock;
+
+ tcbpwmc->rate = clk_get_rate(tcbpwmc->clk);
+ tcbpwmc->slow_rate = clk_get_rate(tcbpwmc->slow_clk);
+
spin_lock_init(&tcbpwmc->lock);
err = pwmchip_add(chip);
if (err < 0)
- goto err_disable_clk;
+ goto err_slow_clk_unlock;
platform_set_drvdata(pdev, chip);
return 0;
+err_slow_clk_unlock:
+ clk_rate_exclusive_put(tcbpwmc->slow_clk);
+
+err_clk_unlock:
+ clk_rate_exclusive_put(tcbpwmc->clk);
+
err_disable_clk:
+ clk_disable_unprepare(tcbpwmc->clk);
+
+err_disable_slow_clk:
clk_disable_unprepare(tcbpwmc->slow_clk);
err_gclk:
@@ -470,6 +497,9 @@ static void atmel_tcb_pwm_remove(struct platform_device *pdev)
pwmchip_remove(chip);
+ clk_rate_exclusive_put(tcbpwmc->slow_clk);
+ clk_rate_exclusive_put(tcbpwmc->clk);
+ clk_disable_unprepare(tcbpwmc->clk);
clk_disable_unprepare(tcbpwmc->slow_clk);
clk_put(tcbpwmc->gclk);
clk_put(tcbpwmc->clk);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 674/957] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (672 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 673/957] pwm: atmel-tcb: Cache clock rates and mark chip as atomic Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 675/957] ksmbd: destroy async_ida in ksmbd_conn_free() Greg Kroah-Hartman
` (288 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit c049ee14eb4343b69b6f7755563f961f5e153423 ]
When per-session tree_conn_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from ksmbd_session_destroy() but no matching ida_destroy()
was added. The session is therefore freed with the IDA's backing
xarray still intact.
The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
enclosing session is freed.
Also move ida_init() to right after the session is allocated so that
it is always paired with the destroy call even on the early error
paths of __session_create() (ksmbd_init_file_table() or
__init_smb2_session() failures), both of which jump to the error
label and invoke ksmbd_session_destroy() on a partially initialised
session.
No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.
Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index ed343807660fa..afa0daa3f5d88 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -170,6 +170,7 @@ void ksmbd_session_destroy(struct ksmbd_session *sess)
free_channel_list(sess);
kfree(sess->Preauth_HashValue);
ksmbd_release_id(&session_ida, sess->id);
+ ida_destroy(&sess->tree_conn_ida);
kfree(sess);
}
@@ -444,6 +445,8 @@ static struct ksmbd_session *__session_create(int protocol)
if (!sess)
return NULL;
+ ida_init(&sess->tree_conn_ida);
+
if (ksmbd_init_file_table(&sess->file_table))
goto error;
@@ -463,8 +466,6 @@ static struct ksmbd_session *__session_create(int protocol)
if (ret)
goto error;
- ida_init(&sess->tree_conn_ida);
-
down_write(&sessions_table_lock);
hash_add(sessions_table, &sess->hlist, sess->id);
up_write(&sessions_table_lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 675/957] ksmbd: destroy async_ida in ksmbd_conn_free()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (673 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 674/957] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 676/957] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open Greg Kroah-Hartman
` (287 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit b32c8db48212a34998c36d0bbc05b29d5c407ef5 ]
When per-connection async_ida was converted from a dynamically
allocated ksmbd_ida to an embedded struct ida, ksmbd_ida_free() was
removed from the connection teardown path but no matching
ida_destroy() was added. The connection is therefore freed with the
IDA's backing xarray still intact.
The kernel IDA API expects ida_init() and ida_destroy() to be paired
over an object's lifetime, so add the missing cleanup before the
connection is freed.
No leak has been observed in testing; this is a pairing fix to match
the IDA lifetime rules, not a response to a reproduced regression.
Fixes: d40012a83f87 ("cifsd: declare ida statically")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/connection.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index b4ef62b9e660c..a03132adcc1e5 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -41,6 +41,15 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
kfree(conn->preauth_info);
kfree(conn->mechToken);
if (atomic_dec_and_test(&conn->refcnt)) {
+ /*
+ * async_ida is embedded in struct ksmbd_conn, so pair
+ * ida_destroy() with the final kfree() rather than with
+ * the unconditional field teardown above. This keeps
+ * the IDA valid for the entire lifetime of the struct,
+ * even while other refcount holders (oplock / vfs
+ * durable handles) still reference the connection.
+ */
+ ida_destroy(&conn->async_ida);
conn->transport->ops->free_transport(conn->transport);
kfree(conn);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 676/957] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (674 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 675/957] ksmbd: destroy async_ida in ksmbd_conn_free() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 677/957] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
` (286 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit 804054d19886ac6628883d82410f6ee42a818664 ]
ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount
incremented via ksmbd_fp_get(). parse_durable_handle_context() in
the DURABLE_REQ_V2 case properly releases this reference on every
path inside the ClientGUID-match branch, either by calling
ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp
for a successful reconnect. However, when an entry exists in the
global file table with the same CreateGuid but a different
ClientGUID, the code simply falls through to the new-open path
without dropping the reference obtained from ksmbd_lookup_fd_cguid().
Per MS-SMB2 section 3.3.5.9.10 ("Handling the
SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server
MUST locate an Open whose Open.CreateGuid matches the request's
CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the
connection that received the request. If no such Open is found, the
server MUST continue with the normal open execution phase. A
CreateGuid hit with a ClientGUID mismatch is therefore the
"Open not found" case: proceeding with a new open is correct, but
the reference obtained purely as a side effect of the lookup must
not be leaked.
Repeated requests that hit this mismatch pin global_ft entries,
prevent __ksmbd_close_fd() from ever running for the corresponding
files, and defeat the durable scavenger, leading to long-lived
resource leaks.
Release the reference in the mismatch path and clear dh_info->fp so
subsequent logic does not mistake a non-matching lookup result for
a reconnect target.
Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 4bfbfe53aa4eb..756624b4e90e0 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2854,6 +2854,8 @@ static int parse_durable_handle_context(struct ksmbd_work *work,
dh_info->reconnected = true;
goto out;
}
+ ksmbd_put_durable_fd(dh_info->fp);
+ dh_info->fp = NULL;
}
if ((lc && (lc->req_state & SMB2_LEASE_HANDLE_CACHING_LE)) ||
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 677/957] ksmbd: scope conn->binding slowpath to bound sessions only
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (675 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 676/957] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 678/957] net: validate skb->napi_id in RX tracepoints Greg Kroah-Hartman
` (285 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Namjae Jeon,
Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit b0da97c034b6107d14e537e212d4ce8b22109a58 ]
When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.
The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/user_session.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index afa0daa3f5d88..5bc2f18d68bbc 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -327,8 +327,13 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
struct ksmbd_session *sess;
sess = ksmbd_session_lookup(conn, id);
- if (!sess && conn->binding)
+ if (!sess && conn->binding) {
sess = ksmbd_session_lookup_slowpath(id);
+ if (sess && !xa_load(&sess->ksmbd_chann_list, (long)conn)) {
+ ksmbd_user_session_put(sess);
+ sess = NULL;
+ }
+ }
if (sess && sess->state != SMB2_SESSION_VALID) {
ksmbd_user_session_put(sess);
sess = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 678/957] net: validate skb->napi_id in RX tracepoints
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (676 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 677/957] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 679/957] bnge: fix initial HWRM sequence Greg Kroah-Hartman
` (284 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Simon Horman,
Jiayuan Chen, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit 3bfcf396081ace536733b454ff128d53116581e5 ]
Since commit 2bd82484bb4c ("xps: fix xps for stacked devices"),
skb->napi_id shares storage with sender_cpu. RX tracepoints using
net_dev_rx_verbose_template read skb->napi_id directly and can therefore
report sender_cpu values as if they were NAPI IDs.
For example, on the loopback path this can report 1 as napi_id, where 1
comes from raw_smp_processor_id() + 1 in the XPS path:
# bpftrace -e 'tracepoint:net:netif_rx_entry{ print(args->napi_id); }'
# taskset -c 0 ping -c 1 ::1
Report only valid NAPI IDs in these tracepoints and use 0 otherwise.
Fixes: 2bd82484bb4c ("xps: fix xps for stacked devices")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260420105427.162816-1-kohei@enjuk.jp
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/net.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/trace/events/net.h b/include/trace/events/net.h
index d55162c12f90a..d3fe6acf85d28 100644
--- a/include/trace/events/net.h
+++ b/include/trace/events/net.h
@@ -10,6 +10,7 @@
#include <linux/if_vlan.h>
#include <linux/ip.h>
#include <linux/tracepoint.h>
+#include <net/busy_poll.h>
TRACE_EVENT(net_dev_start_xmit,
@@ -193,7 +194,8 @@ DECLARE_EVENT_CLASS(net_dev_rx_verbose_template,
TP_fast_assign(
__assign_str(name);
#ifdef CONFIG_NET_RX_BUSY_POLL
- __entry->napi_id = skb->napi_id;
+ __entry->napi_id = napi_id_valid(skb->napi_id) ?
+ skb->napi_id : 0;
#else
__entry->napi_id = 0;
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 679/957] bnge: fix initial HWRM sequence
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (677 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 678/957] net: validate skb->napi_id in RX tracepoints Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 680/957] bnge: remove unsupported backing store type Greg Kroah-Hartman
` (283 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikas Gupta, Rahul Gupta,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikas Gupta <vikas.gupta@broadcom.com>
[ Upstream commit 70d7c905a07ae8415b955569620bf2bf77423553 ]
Firmware may not advertize correct resources if backing store is not
enabled before resource information is queried.
Fix the initial sequence of HWRMs so that driver gets capabilities
and resource information correctly.
Fixes: 3fa9e977a0cd ("bng_en: Initialize default configuration")
Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
Reviewed-by: Rahul Gupta <rahul-rg.gupta@broadcom.com>
Link: https://patch.msgid.link/20260418023438.1597876-2-vikas.gupta@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/broadcom/bnge/bnge_core.c | 30 ++++++++++++++-----
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_core.c b/drivers/net/ethernet/broadcom/bnge/bnge_core.c
index 312a9db4d75d1..657cd7a880d29 100644
--- a/drivers/net/ethernet/broadcom/bnge/bnge_core.c
+++ b/drivers/net/ethernet/broadcom/bnge/bnge_core.c
@@ -68,6 +68,13 @@ static int bnge_func_qcaps(struct bnge_dev *bd)
return rc;
}
+ return 0;
+}
+
+static int bnge_func_qrcaps_qcfg(struct bnge_dev *bd)
+{
+ int rc;
+
rc = bnge_hwrm_func_resc_qcaps(bd);
if (rc) {
dev_err(bd->dev, "query resc caps failure rc: %d\n", rc);
@@ -127,23 +134,28 @@ static int bnge_fw_register_dev(struct bnge_dev *bd)
bnge_hwrm_fw_set_time(bd);
- rc = bnge_hwrm_func_drv_rgtr(bd);
+ /* Get the resources and configuration from firmware */
+ rc = bnge_func_qcaps(bd);
if (rc) {
- dev_err(bd->dev, "Failed to rgtr with firmware rc: %d\n", rc);
+ dev_err(bd->dev, "Failed querying caps rc: %d\n", rc);
return rc;
}
rc = bnge_alloc_ctx_mem(bd);
if (rc) {
dev_err(bd->dev, "Failed to allocate ctx mem rc: %d\n", rc);
- goto err_func_unrgtr;
+ goto err_free_ctx_mem;
}
- /* Get the resources and configuration from firmware */
- rc = bnge_func_qcaps(bd);
+ rc = bnge_hwrm_func_drv_rgtr(bd);
if (rc) {
- dev_err(bd->dev, "Failed initial configuration rc: %d\n", rc);
- rc = -ENODEV;
+ dev_err(bd->dev, "Failed to rgtr with firmware rc: %d\n", rc);
+ goto err_free_ctx_mem;
+ }
+
+ rc = bnge_func_qrcaps_qcfg(bd);
+ if (rc) {
+ dev_err(bd->dev, "Failed querying resources rc: %d\n", rc);
goto err_func_unrgtr;
}
@@ -152,7 +164,9 @@ static int bnge_fw_register_dev(struct bnge_dev *bd)
return 0;
err_func_unrgtr:
- bnge_fw_unregister_dev(bd);
+ bnge_hwrm_func_drv_unrgtr(bd);
+err_free_ctx_mem:
+ bnge_free_ctx_mem(bd);
return rc;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 680/957] bnge: remove unsupported backing store type
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (678 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 679/957] bnge: fix initial HWRM sequence Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 681/957] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
` (282 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vikas Gupta, Dharmender Garg,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vikas Gupta <vikas.gupta@broadcom.com>
[ Upstream commit c6b34add67a5402f53359580956b5c318965a893 ]
The backing store type, BNGE_CTX_MRAV, is not applicable in Thor Ultra
devices. Remove it from the backing store configuration, as the firmware
will not populate entities in this backing store type, due to which the
driver load fails.
Fixes: 29c5b358f385 ("bng_en: Add backing store support")
Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
Reviewed-by: Dharmender Garg <dharmender.garg@broadcom.com>
Link: https://patch.msgid.link/20260418023438.1597876-3-vikas.gupta@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnge/bnge_rmem.c | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c b/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c
index 79f5ce2e5d083..75d14e52a5bb2 100644
--- a/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c
+++ b/drivers/net/ethernet/broadcom/bnge/bnge_rmem.c
@@ -325,7 +325,6 @@ int bnge_alloc_ctx_mem(struct bnge_dev *bd)
u32 l2_qps, qp1_qps, max_qps;
u32 ena, entries_sp, entries;
u32 srqs, max_srqs, min;
- u32 num_mr, num_ah;
u32 extra_srqs = 0;
u32 extra_qps = 0;
u32 fast_qpmd_qps;
@@ -391,21 +390,6 @@ int bnge_alloc_ctx_mem(struct bnge_dev *bd)
if (!bnge_is_roce_en(bd))
goto skip_rdma;
- ctxm = &ctx->ctx_arr[BNGE_CTX_MRAV];
- /* 128K extra is needed to accommodate static AH context
- * allocation by f/w.
- */
- num_mr = min_t(u32, ctxm->max_entries / 2, 1024 * 256);
- num_ah = min_t(u32, num_mr, 1024 * 128);
- ctxm->split_entry_cnt = BNGE_CTX_MRAV_AV_SPLIT_ENTRY + 1;
- if (!ctxm->mrav_av_entries || ctxm->mrav_av_entries > num_ah)
- ctxm->mrav_av_entries = num_ah;
-
- rc = bnge_setup_ctxm_pg_tbls(bd, ctxm, num_mr + num_ah, 2);
- if (rc)
- return rc;
- ena |= FUNC_BACKING_STORE_CFG_REQ_ENABLES_MRAV;
-
ctxm = &ctx->ctx_arr[BNGE_CTX_TIM];
rc = bnge_setup_ctxm_pg_tbls(bd, ctxm, l2_qps + qp1_qps + extra_qps, 1);
if (rc)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 681/957] net/rds: zero per-item info buffer before handing it to visitors
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (679 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 680/957] bnge: remove unsupported backing store type Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 682/957] ice: fix timestamp interrupt configuration for E825C Greg Kroah-Hartman
` (281 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Sharath Srinivasan, Allison Henderson, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit c88eb7e8d8397a8c1db59c425332c5a30b2a1682 ]
rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a
caller-allocated on-stack u64 buffer to a per-connection visitor and
then copy the full item_len bytes back to user space via
rds_info_copy() regardless of how much of the buffer the visitor
actually wrote.
rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only
write a subset of their output struct when the underlying
rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl
and the two GIDs via explicit memsets). Several u32 fields
(max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size,
cache_allocs) and the 2-byte alignment hole between sl and
cache_allocs remain as whatever stack contents preceded the visitor
call and are then memcpy_to_user()'d out to user space.
struct rds_info_rdma_connection and struct rds6_info_rdma_connection
are the only rds_info_* structs in include/uapi/linux/rds.h that are
not marked __attribute__((packed)), so they have a real alignment
hole. The other info visitors (rds_conn_info_visitor,
rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of
their packed output struct today and are not known to be vulnerable,
but a future visitor that adds a conditional write-path would have
the same bug.
Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y:
a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB,
binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on
any netdev is sufficient), sendto()'s any peer on the same subnet
(fails cleanly but installs an rds_connection in the global hash in
RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS,
RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26
bytes of stack garbage including kernel text/data pointers:
0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2
8..39 00 ... gids (memset-zeroed)
40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr)
48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max)
56..59 01 00 08 00 rdma_mr_size (garbage)
60..61 00 00 tos, sl
62..63 00 00 alignment padding
64..67 18 00 00 00 cache_allocs (garbage)
Fix by zeroing the per-item buffer in both rds_for_each_conn_info()
and rds_walk_conn_path_info() before invoking the visitor. This
covers the IPv4/IPv6 IB visitors and hardens all current and future
visitors against the same class of bug.
No functional change for visitors that fully populate their output.
Changes in v2:
- retarget at the net tree (subject prefix "[PATCH net v2]",
net/rds: prefix in the title)
- pick up Reviewed-by tags from Sharath Srinivasan and
Allison Henderson
Fixes: ec16227e1414 ("RDS/IB: Infiniband transport")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Reviewed-by: Allison Henderson <achender@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Link: https://patch.msgid.link/20260418141047.3398203-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/connection.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/net/rds/connection.c b/net/rds/connection.c
index dbfea6fa11260..4764628fe12a3 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -674,6 +674,13 @@ void rds_for_each_conn_info(struct socket *sock, unsigned int len,
i++, head++) {
hlist_for_each_entry_rcu(conn, head, c_hash_node) {
+ /* Zero the per-item buffer before handing it to the
+ * visitor so any field the visitor does not write -
+ * including implicit alignment padding - cannot leak
+ * stack contents to user space via rds_info_copy().
+ */
+ memset(buffer, 0, item_len);
+
/* XXX no c_lock usage.. */
if (!visitor(conn, buffer))
continue;
@@ -723,6 +730,13 @@ static void rds_walk_conn_path_info(struct socket *sock, unsigned int len,
*/
cp = conn->c_path;
+ /* Zero the per-item buffer for the same reason as
+ * rds_for_each_conn_info(): any byte the visitor
+ * does not write (including alignment padding) must
+ * not leak stack contents via rds_info_copy().
+ */
+ memset(buffer, 0, item_len);
+
/* XXX no cp_lock usage.. */
if (!visitor(cp, buffer))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 682/957] ice: fix timestamp interrupt configuration for E825C
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (680 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 681/957] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 683/957] ice: perform PHY soft reset for E825C ports at initialization Greg Kroah-Hartman
` (280 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Grzegorz Nitka, Aleksandr Loktionov,
Petr Oros, Sunitha Mekala, Jacob Keller, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
[ Upstream commit c0a575a801a2040eb1e0db54b488f8c548c8458a ]
The E825C ice_phy_cfg_intr_eth56g() function is responsible for programming
the PHY interrupt for a given port. This function writes to the
PHY_REG_TS_INT_CONFIG register of the port. The register is responsible for
configuring whether the port interrupt logic is enabled, as well as
programming the threshold of waiting timestamps that will trigger an
interrupt from this port.
This threshold value must not be programmed to zero while the interrupt is
enabled. Doing so puts the port in a misconfigured state where the PHY
timestamp interrupt for the quad of connected ports will become stuck.
This occurs, because a threshold of zero results in the timestamp interrupt
status for the port becoming stuck high. The four ports in the connected
quad have their timestamp status indicators muxed together. A new interrupt
cannot be generated until the timestamp status indicators return low for
all four ports.
Normally, the timestamp status for a port will clear once there are fewer
timestamps in that ports timestamp memory bank than the threshold. A
threshold of zero makes this impossible, so the timestamp status for the
port does not clear.
The ice driver never intentionally programs the threshold to zero, indeed
the driver always programs it to a value of 1, intending to get an
interrupt immediately as soon as even a single packet is waiting for a
timestamp.
However, there is a subtle flaw in the programming logic in the
ice_phy_cfg_intr_eth56g() function. Due to the way that the hardware
handles enabling the PHY interrupt. If the threshold value is modified at
the same time as the interrupt is enabled, the HW PHY state machine might
enable the interrupt before the new threshold value is actually updated.
This leaves a potential race condition caused by the hardware logic where
a PHY timestamp interrupt might be triggered before the non-zero threshold
is written, resulting in the PHY timestamp logic becoming stuck.
Once the PHY timestamp status is stuck high, it will remain stuck even
after attempting to reprogram the PHY block by changing its threshold or
disabling the interrupt. Even a typical PF or CORE reset will not reset the
particular block of the PHY that becomes stuck. Even a warm power cycle is
not guaranteed to cause the PHY block to reset, and a cold power cycle is
required.
Prevent this by always writing the PHY_REG_TS_INT_CONFIG in two stages.
First write the threshold value with the interrupt disabled, and only write
the enable bit after the threshold has been programmed. When disabling the
interrupt, leave the threshold unchanged. Additionally, re-read the
register after writing it to guarantee that the write to the PHY has been
flushed upon exit of the function.
While we're modifying this function implementation, explicitly reject
programming a threshold of 0 when enabling the interrupt. No caller does
this today, but the consequences of doing so are significant. An explicit
rejection in the code makes this clear.
Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Petr Oros <poros@redhat.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260420-jk-iwl-net-2026-04-20-ptp-e825c-phy-interrupt-fixes-v1-1-bc2240f42251@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 36 ++++++++++++++++++---
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index 161a0ae8599c1..0a20ae0c2901b 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -1847,6 +1847,8 @@ static int ice_phy_cfg_mac_eth56g(struct ice_hw *hw, u8 port)
* @ena: enable or disable interrupt
* @threshold: interrupt threshold
*
+ * The threshold cannot be 0 while the interrupt is enabled.
+ *
* Configure TX timestamp interrupt for the specified port
*
* Return:
@@ -1858,19 +1860,45 @@ int ice_phy_cfg_intr_eth56g(struct ice_hw *hw, u8 port, bool ena, u8 threshold)
int err;
u32 val;
+ if (ena && !threshold)
+ return -EINVAL;
+
err = ice_read_ptp_reg_eth56g(hw, port, PHY_REG_TS_INT_CONFIG, &val);
if (err)
return err;
+ val &= ~PHY_TS_INT_CONFIG_ENA_M;
if (ena) {
- val |= PHY_TS_INT_CONFIG_ENA_M;
val &= ~PHY_TS_INT_CONFIG_THRESHOLD_M;
val |= FIELD_PREP(PHY_TS_INT_CONFIG_THRESHOLD_M, threshold);
- } else {
- val &= ~PHY_TS_INT_CONFIG_ENA_M;
+ err = ice_write_ptp_reg_eth56g(hw, port, PHY_REG_TS_INT_CONFIG,
+ val);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP,
+ "Failed to update 'threshold' PHY_REG_TS_INT_CONFIG port=%u ena=%u threshold=%u\n",
+ port, !!ena, threshold);
+ return err;
+ }
+ val |= PHY_TS_INT_CONFIG_ENA_M;
}
- return ice_write_ptp_reg_eth56g(hw, port, PHY_REG_TS_INT_CONFIG, val);
+ err = ice_write_ptp_reg_eth56g(hw, port, PHY_REG_TS_INT_CONFIG, val);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP,
+ "Failed to update 'ena' PHY_REG_TS_INT_CONFIG port=%u ena=%u threshold=%u\n",
+ port, !!ena, threshold);
+ return err;
+ }
+
+ err = ice_read_ptp_reg_eth56g(hw, port, PHY_REG_TS_INT_CONFIG, &val);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP,
+ "Failed to read PHY_REG_TS_INT_CONFIG port=%u ena=%u threshold=%u\n",
+ port, !!ena, threshold);
+ return err;
+ }
+
+ return 0;
}
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 683/957] ice: perform PHY soft reset for E825C ports at initialization
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (681 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 682/957] ice: fix timestamp interrupt configuration for E825C Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 684/957] ice: fix ready bitmap check for non-E822 devices Greg Kroah-Hartman
` (279 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timothy Miskell, Grzegorz Nitka,
Aleksandr Loktionov, Petr Oros, Sunitha Mekala, Jacob Keller,
Simon Horman, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grzegorz Nitka <grzegorz.nitka@intel.com>
[ Upstream commit 3ec46e157c7fa420c77dfc23f7030e61f2f3fd55 ]
In some cases the PHY timestamp block of the E825C can become stuck. This
is known to occur if the software writes 0 to the Tx timestamp threshold,
and with older versions of the ice driver the threshold configuration is
buggy and can race in such that hardware briefly operates with a zero
threshold enabled. There are no other known ways to trigger this behavior,
but once it occurs, the hardware is not recovered by normal reset, a driver
reload, or even a warm power cycle of the system. A cold power cycle is
sufficient to recover hardware, but this is extremely invasive and can
result in significant downtime on customer deployments.
The PHY for each port has a timestamping block which has its own reset
functionality accessible by programming the PHY_REG_GLOBAL register.
Writing to the PHY_REG_GLOBAL_SOFT_RESET_BIT triggers the hardware to
perform a complete reset of the timestamping block of the PHY. This
includes clearing the timestamp status for the port, clearing all
outstanding timestamps in the memory bank, and resetting the PHY timer.
The new ice_ptp_phy_soft_reset_eth56g() function toggles the
PHY_REG_GLOBAL soft reset bit with the required delays, ensuring the
PHY is properly reinitialized without requiring a full device reset.
The sequence clears the reset bit, asserts it, then clears it again,
with short waits between transitions to allow hardware stabilization.
Call this function in the new ice_ptp_init_phc_e825c(), implementing the
E825C device specific variant of the ice_ptp_init_phc(). Note that if
ice_ptp_init_phc() fails, PTP functionality may be disabled, but the driver
will still load to allow basic functionality to continue.
This causes the clock owning PF driver to perform a PHY soft reset for
every port during initialization. This ensures the driver begins life in a
known functional state regardless of how it was previously programmed.
This ensures that we properly reconfigure the hardware after a device reset
or when loading the driver, even if it was previously misconfigured with an
out-of-date or modified driver.
Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Signed-off-by: Timothy Miskell <timothy.miskell@intel.com>
Signed-off-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Petr Oros <poros@redhat.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260420-jk-iwl-net-2026-04-20-ptp-e825c-phy-interrupt-fixes-v1-2-bc2240f42251@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 90 ++++++++++++++++++++-
drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 4 +
2 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index 0a20ae0c2901b..1ae795405ac3c 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -377,6 +377,31 @@ static void ice_ptp_cfg_sync_delay(const struct ice_hw *hw, u32 delay)
* The following functions operate on devices with the ETH 56G PHY.
*/
+/**
+ * ice_ptp_init_phc_e825c - Perform E825C specific PHC initialization
+ * @hw: pointer to HW struct
+ *
+ * Perform E825C-specific PTP hardware clock initialization steps.
+ *
+ * Return: 0 on success, or a negative error value on failure.
+ */
+static int ice_ptp_init_phc_e825c(struct ice_hw *hw)
+{
+ int err;
+
+ /* Soft reset all ports, to ensure everything is at a clean state */
+ for (int port = 0; port < hw->ptp.num_lports; port++) {
+ err = ice_ptp_phy_soft_reset_eth56g(hw, port);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP, "Failed to soft reset port %d, err %d\n",
+ port, err);
+ return err;
+ }
+ }
+
+ return 0;
+}
+
/**
* ice_ptp_get_dest_dev_e825 - get destination PHY for given port number
* @hw: pointer to the HW struct
@@ -2179,6 +2204,69 @@ int ice_ptp_read_tx_hwtstamp_status_eth56g(struct ice_hw *hw, u32 *ts_status)
return 0;
}
+/**
+ * ice_ptp_phy_soft_reset_eth56g - Perform a PHY soft reset on ETH56G
+ * @hw: pointer to the HW structure
+ * @port: PHY port number
+ *
+ * Trigger a soft reset of the ETH56G PHY by toggling the soft reset
+ * bit in the PHY global register. The reset sequence consists of:
+ * 1. Clearing the soft reset bit
+ * 2. Asserting the soft reset bit
+ * 3. Clearing the soft reset bit again
+ *
+ * Short delays are inserted between each step to allow the hardware
+ * to settle. This provides a controlled way to reinitialize the PHY
+ * without requiring a full device reset.
+ *
+ * Return: 0 on success, or a negative error code on failure when
+ * reading or writing the PHY register.
+ */
+int ice_ptp_phy_soft_reset_eth56g(struct ice_hw *hw, u8 port)
+{
+ u32 global_val;
+ int err;
+
+ err = ice_read_ptp_reg_eth56g(hw, port, PHY_REG_GLOBAL, &global_val);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP, "Failed to read PHY_REG_GLOBAL for port %d, err %d\n",
+ port, err);
+ return err;
+ }
+
+ global_val &= ~PHY_REG_GLOBAL_SOFT_RESET_M;
+ ice_debug(hw, ICE_DBG_PTP, "Clearing soft reset bit for port %d, val: 0x%x\n",
+ port, global_val);
+ err = ice_write_ptp_reg_eth56g(hw, port, PHY_REG_GLOBAL, global_val);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP, "Failed to write PHY_REG_GLOBAL for port %d, err %d\n",
+ port, err);
+ return err;
+ }
+
+ usleep_range(5000, 6000);
+
+ global_val |= PHY_REG_GLOBAL_SOFT_RESET_M;
+ ice_debug(hw, ICE_DBG_PTP, "Set soft reset bit for port %d, val: 0x%x\n",
+ port, global_val);
+ err = ice_write_ptp_reg_eth56g(hw, port, PHY_REG_GLOBAL, global_val);
+ if (err) {
+ ice_debug(hw, ICE_DBG_PTP, "Failed to write PHY_REG_GLOBAL for port %d, err %d\n",
+ port, err);
+ return err;
+ }
+ usleep_range(5000, 6000);
+
+ global_val &= ~PHY_REG_GLOBAL_SOFT_RESET_M;
+ ice_debug(hw, ICE_DBG_PTP, "Clear soft reset bit for port %d, val: 0x%x\n",
+ port, global_val);
+ err = ice_write_ptp_reg_eth56g(hw, port, PHY_REG_GLOBAL, global_val);
+ if (err)
+ ice_debug(hw, ICE_DBG_PTP, "Failed to write PHY_REG_GLOBAL for port %d, err %d\n",
+ port, err);
+ return err;
+}
+
/**
* ice_get_phy_tx_tstamp_ready_eth56g - Read the Tx memory status register
* @hw: pointer to the HW struct
@@ -5592,7 +5680,7 @@ int ice_ptp_init_phc(struct ice_hw *hw)
case ICE_MAC_GENERIC:
return ice_ptp_init_phc_e82x(hw);
case ICE_MAC_GENERIC_3K_E825:
- return 0;
+ return ice_ptp_init_phc_e825c(hw);
default:
return -EOPNOTSUPP;
}
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.h b/drivers/net/ethernet/intel/ice/ice_ptp_hw.h
index 5896b346e5790..9d7acc7eb2ceb 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.h
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.h
@@ -374,6 +374,7 @@ int ice_stop_phy_timer_eth56g(struct ice_hw *hw, u8 port, bool soft_reset);
int ice_start_phy_timer_eth56g(struct ice_hw *hw, u8 port);
int ice_phy_cfg_intr_eth56g(struct ice_hw *hw, u8 port, bool ena, u8 threshold);
int ice_phy_cfg_ptp_1step_eth56g(struct ice_hw *hw, u8 port);
+int ice_ptp_phy_soft_reset_eth56g(struct ice_hw *hw, u8 port);
#define ICE_ETH56G_NOMINAL_INCVAL 0x140000000ULL
#define ICE_ETH56G_NOMINAL_PCS_REF_TUS 0x100000000ULL
@@ -676,6 +677,9 @@ static inline u64 ice_get_base_incval(struct ice_hw *hw)
#define ICE_P0_GNSS_PRSNT_N BIT(4)
/* ETH56G PHY register addresses */
+#define PHY_REG_GLOBAL 0x0
+#define PHY_REG_GLOBAL_SOFT_RESET_M BIT(11)
+
/* Timestamp PHY incval registers */
#define PHY_REG_TIMETUS_L 0x8
#define PHY_REG_TIMETUS_U 0xC
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 684/957] ice: fix ready bitmap check for non-E822 devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (682 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 683/957] ice: perform PHY soft reset for E825C ports at initialization Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 685/957] ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g Greg Kroah-Hartman
` (278 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Petr Oros,
Sunitha Mekala, Jacob Keller, Simon Horman, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Keller <jacob.e.keller@intel.com>
[ Upstream commit 359dc1d41358c88955eeff1b75aee55da7a415d3 ]
The E800 hardware (apart from E810) has a ready bitmap for the PHY
indicating which timestamp slots currently have an outstanding timestamp
waiting to be read by software.
This bitmap is checked in multiple places using the
ice_get_phy_tx_tstamp_ready():
* ice_ptp_process_tx_tstamp() calls it to determine which timestamps to
attempt reading from the PHY
* ice_ptp_tx_tstamps_pending() calls it in a loop at the end of the
miscellaneous IRQ to check if new timestamps came in while the interrupt
handler was executing.
* ice_ptp_maybe_trigger_tx_interrupt() calls it in the auxiliary work task
to trigger a software interrupt in the event that the hardware logic
gets stuck.
For E82X devices, multiple PHYs share the same block, and the parameter
passed to the ready bitmap is a block number associated with the given
port. For E825-C devices, the PHYs have their own independent blocks and do
not share, so the parameter passed needs to be the port number. For E810
devices, the ice_get_phy_tx_tstamp_ready() always returns all 1s regardless
of what port, since this hardware does not have a ready bitmap. Finally,
for E830 devices, each PF has its own ready bitmap accessible via register,
and the block parameter is unused.
The first call correctly uses the Tx timestamp tracker block parameter to
check the appropriate timestamp block. This works because the tracker is
setup correctly for each timestamp device type.
The second two callers behave incorrectly for all device types other than
the older E822 devices. They both iterate in a loop using
ICE_GET_QUAD_NUM() which is a macro only used by E822 devices. This logic
is incorrect for devices other than the E822 devices.
For E810 the calls would always return true, causing E810 devices to always
attempt to trigger a software interrupt even when they have no reason to.
For E830, this results in duplicate work as the ready bitmap is checked
once per number of quads. Finally, for E825-C, this results in the pending
checks failing to detect timestamps on ports other than the first two.
Fix this by introducing a new hardware API function to ice_ptp_hw.c,
ice_check_phy_tx_tstamp_ready(). This function will check if any timestamps
are available and returns a positive value if any timestamps are pending.
For E810, the function always returns false, so that the re-trigger checks
never happen. For E830, check the ready bitmap just once. For E82x
hardware, check each quad. Finally, for E825-C, check every port.
The interface function returns an integer to enable reporting of error code
if the driver is unable read the ready bitmap. This enables callers to
handle this case properly. The previous implementation assumed that
timestamps are available if they failed to read the bitmap. This is
problematic as it could lead to continuous software IRQ triggering if the
PHY timestamp registers somehow become inaccessible.
This change is especially important for E825-C devices, as the missing
checks could leave a window open where a new timestamp could arrive while
the existing timestamps aren't completed. As a result, the hardware
threshold logic would not trigger a new interrupt. Without the check, the
timestamp is left unhandled, and new timestamps will not cause an interrupt
again until the timestamp is handled. Since both the interrupt check and
the backup check in the auxiliary task do not function properly, the device
may have Tx timestamps permanently stuck failing on a given port.
The faulty checks originate from commit d938a8cca88a ("ice: Auxbus devices
& driver for E822 TS") and commit 712e876371f8 ("ice: periodically kick Tx
timestamp interrupt"), however at the time of the original coding, both
functions only operated on E822 hardware. This is no longer the case, and
hasn't been since the introduction of the ETH56G PHY model in commit
7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Petr Oros <poros@redhat.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260420-jk-iwl-net-2026-04-20-ptp-e825c-phy-interrupt-fixes-v1-3-bc2240f42251@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp.c | 44 +++-----
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 117 ++++++++++++++++++++
drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 1 +
3 files changed, 136 insertions(+), 26 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
index 02517772fb5f4..86eb3d0315a27 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
@@ -2669,7 +2669,7 @@ static bool ice_any_port_has_timestamps(struct ice_pf *pf)
bool ice_ptp_tx_tstamps_pending(struct ice_pf *pf)
{
struct ice_hw *hw = &pf->hw;
- unsigned int i;
+ int ret;
/* Check software indicator */
switch (pf->ptp.tx_interrupt_mode) {
@@ -2690,16 +2690,19 @@ bool ice_ptp_tx_tstamps_pending(struct ice_pf *pf)
}
/* Check hardware indicator */
- for (i = 0; i < ICE_GET_QUAD_NUM(hw->ptp.num_lports); i++) {
- u64 tstamp_ready = 0;
- int err;
-
- err = ice_get_phy_tx_tstamp_ready(&pf->hw, i, &tstamp_ready);
- if (err || tstamp_ready)
- return true;
+ ret = ice_check_phy_tx_tstamp_ready(hw);
+ if (ret < 0) {
+ dev_dbg(ice_pf_to_dev(pf), "Unable to read PHY Tx timestamp ready bitmap, err %d\n",
+ ret);
+ /* Stop triggering IRQs if we're unable to read PHY */
+ return false;
}
- return false;
+ /* ice_check_phy_tx_tstamp_ready() returns 1 if there are timestamps
+ * available, 0 if there are no waiting timestamps, and a negative
+ * value if there was an error (which we checked for above).
+ */
+ return ret > 0;
}
/**
@@ -2783,8 +2786,7 @@ static void ice_ptp_maybe_trigger_tx_interrupt(struct ice_pf *pf)
{
struct device *dev = ice_pf_to_dev(pf);
struct ice_hw *hw = &pf->hw;
- bool trigger_oicr = false;
- unsigned int i;
+ int ret;
if (!pf->ptp.port.tx.has_ready_bitmap)
return;
@@ -2792,21 +2794,11 @@ static void ice_ptp_maybe_trigger_tx_interrupt(struct ice_pf *pf)
if (!ice_pf_src_tmr_owned(pf))
return;
- for (i = 0; i < ICE_GET_QUAD_NUM(hw->ptp.num_lports); i++) {
- u64 tstamp_ready;
- int err;
-
- err = ice_get_phy_tx_tstamp_ready(&pf->hw, i, &tstamp_ready);
- if (!err && tstamp_ready) {
- trigger_oicr = true;
- break;
- }
- }
-
- if (trigger_oicr) {
- /* Trigger a software interrupt, to ensure this data
- * gets processed.
- */
+ ret = ice_check_phy_tx_tstamp_ready(hw);
+ if (ret < 0) {
+ dev_dbg(dev, "PTP periodic task unable to read PHY timestamp ready bitmap, err %d\n",
+ ret);
+ } else if (ret) {
dev_dbg(dev, "PTP periodic task detected waiting timestamps. Triggering Tx timestamp interrupt now.\n");
wr32(hw, PFINT_OICR, PFINT_OICR_TSYN_TX_M);
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index 1ae795405ac3c..22d6df06b0bc7 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -2168,6 +2168,35 @@ int ice_start_phy_timer_eth56g(struct ice_hw *hw, u8 port)
return 0;
}
+/**
+ * ice_check_phy_tx_tstamp_ready_eth56g - Check Tx memory status for all ports
+ * @hw: pointer to the HW struct
+ *
+ * Check the PHY_REG_TX_MEMORY_STATUS for all ports. A set bit indicates
+ * a waiting timestamp.
+ *
+ * Return: 1 if any port has at least one timestamp ready bit set,
+ * 0 otherwise, and a negative error code if unable to read the bitmap.
+ */
+static int ice_check_phy_tx_tstamp_ready_eth56g(struct ice_hw *hw)
+{
+ int port;
+
+ for (port = 0; port < hw->ptp.num_lports; port++) {
+ u64 tstamp_ready;
+ int err;
+
+ err = ice_get_phy_tx_tstamp_ready(hw, port, &tstamp_ready);
+ if (err)
+ return err;
+
+ if (tstamp_ready)
+ return 1;
+ }
+
+ return 0;
+}
+
/**
* ice_ptp_read_tx_hwtstamp_status_eth56g - Get TX timestamp status
* @hw: pointer to the HW struct
@@ -4318,6 +4347,35 @@ ice_get_phy_tx_tstamp_ready_e82x(struct ice_hw *hw, u8 quad, u64 *tstamp_ready)
return 0;
}
+/**
+ * ice_check_phy_tx_tstamp_ready_e82x - Check Tx memory status for all quads
+ * @hw: pointer to the HW struct
+ *
+ * Check the Q_REG_TX_MEMORY_STATUS for all quads. A set bit indicates
+ * a waiting timestamp.
+ *
+ * Return: 1 if any quad has at least one timestamp ready bit set,
+ * 0 otherwise, and a negative error value if unable to read the bitmap.
+ */
+static int ice_check_phy_tx_tstamp_ready_e82x(struct ice_hw *hw)
+{
+ int quad;
+
+ for (quad = 0; quad < ICE_GET_QUAD_NUM(hw->ptp.num_lports); quad++) {
+ u64 tstamp_ready;
+ int err;
+
+ err = ice_get_phy_tx_tstamp_ready(hw, quad, &tstamp_ready);
+ if (err)
+ return err;
+
+ if (tstamp_ready)
+ return 1;
+ }
+
+ return 0;
+}
+
/**
* ice_phy_cfg_intr_e82x - Configure TX timestamp interrupt
* @hw: pointer to the HW struct
@@ -4871,6 +4929,23 @@ ice_get_phy_tx_tstamp_ready_e810(struct ice_hw *hw, u8 port, u64 *tstamp_ready)
return 0;
}
+/**
+ * ice_check_phy_tx_tstamp_ready_e810 - Check Tx memory status register
+ * @hw: pointer to the HW struct
+ *
+ * The E810 devices do not have a Tx memory status register. Note this is
+ * intentionally different behavior from ice_get_phy_tx_tstamp_ready_e810
+ * which always says that all bits are ready. This function is called in cases
+ * where code will trigger interrupts if timestamps are waiting, and should
+ * not be called for E810 hardware.
+ *
+ * Return: 0.
+ */
+static int ice_check_phy_tx_tstamp_ready_e810(struct ice_hw *hw)
+{
+ return 0;
+}
+
/* E810 SMA functions
*
* The following functions operate specifically on E810 hardware and are used
@@ -5125,6 +5200,21 @@ static void ice_get_phy_tx_tstamp_ready_e830(const struct ice_hw *hw, u8 port,
*tstamp_ready |= rd32(hw, E830_PRTMAC_TS_TX_MEM_VALID_L);
}
+/**
+ * ice_check_phy_tx_tstamp_ready_e830 - Check Tx memory status register
+ * @hw: pointer to the HW struct
+ *
+ * Return: 1 if the device has waiting timestamps, 0 otherwise.
+ */
+static int ice_check_phy_tx_tstamp_ready_e830(struct ice_hw *hw)
+{
+ u64 tstamp_ready;
+
+ ice_get_phy_tx_tstamp_ready_e830(hw, 0, &tstamp_ready);
+
+ return !!tstamp_ready;
+}
+
/**
* ice_ptp_init_phy_e830 - initialize PHY parameters
* @ptp: pointer to the PTP HW struct
@@ -5717,6 +5807,33 @@ int ice_get_phy_tx_tstamp_ready(struct ice_hw *hw, u8 block, u64 *tstamp_ready)
}
}
+/**
+ * ice_check_phy_tx_tstamp_ready - Check PHY Tx timestamp memory status
+ * @hw: pointer to the HW struct
+ *
+ * Check the PHY for Tx timestamp memory status on all ports. If you need to
+ * see individual timestamp status for each index, use
+ * ice_get_phy_tx_tstamp_ready() instead.
+ *
+ * Return: 1 if any port has timestamps available, 0 if there are no timestamps
+ * available, and a negative error code on failure.
+ */
+int ice_check_phy_tx_tstamp_ready(struct ice_hw *hw)
+{
+ switch (hw->mac_type) {
+ case ICE_MAC_E810:
+ return ice_check_phy_tx_tstamp_ready_e810(hw);
+ case ICE_MAC_E830:
+ return ice_check_phy_tx_tstamp_ready_e830(hw);
+ case ICE_MAC_GENERIC:
+ return ice_check_phy_tx_tstamp_ready_e82x(hw);
+ case ICE_MAC_GENERIC_3K_E825:
+ return ice_check_phy_tx_tstamp_ready_eth56g(hw);
+ default:
+ return -EOPNOTSUPP;
+ }
+}
+
/**
* ice_cgu_get_pin_desc_e823 - get pin description array
* @hw: pointer to the hw struct
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.h b/drivers/net/ethernet/intel/ice/ice_ptp_hw.h
index 9d7acc7eb2ceb..1b58b054f4a5b 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.h
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.h
@@ -300,6 +300,7 @@ void ice_ptp_reset_ts_memory(struct ice_hw *hw);
int ice_ptp_init_phc(struct ice_hw *hw);
void ice_ptp_init_hw(struct ice_hw *hw);
int ice_get_phy_tx_tstamp_ready(struct ice_hw *hw, u8 block, u64 *tstamp_ready);
+int ice_check_phy_tx_tstamp_ready(struct ice_hw *hw);
int ice_ptp_one_port_cmd(struct ice_hw *hw, u8 configured_port,
enum ice_ptp_tmr_cmd configured_cmd);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 685/957] ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (683 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 684/957] ice: fix ready bitmap check for non-E822 devices Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 686/957] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
` (277 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Petr Oros,
Sunitha Mekala, Jacob Keller, Simon Horman, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Keller <jacob.e.keller@intel.com>
[ Upstream commit 1f75dbc53f68f0fb2acd99f92315e426a3d0b446 ]
The ice_ptp_read_tx_hwtstamp_status_eth56g function calls
ice_read_phy_eth56g with a PHY index. However the function actually expects
a port index. This causes the function to read the wrong PHY_PTP_INT_STATUS
registers, and effectively makes the status wrong for the second set of
ports from 4 to 7.
The ice_read_phy_eth56g function uses the provided port index to determine
which PHY device to read. We could refactor the entire chain to take a PHY
index, but this would impact many code sites. Instead, multiply the PHY
index by the number of ports, so that we read from the first port of each
PHY.
Fixes: 7cab44f1c35f ("ice: Introduce ETH56G PHY model for E825C products")
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Petr Oros <poros@redhat.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260420-jk-iwl-net-2026-04-20-ptp-e825c-phy-interrupt-fixes-v1-4-bc2240f42251@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
index 22d6df06b0bc7..d461e00d15e9e 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp_hw.c
@@ -2219,13 +2219,19 @@ int ice_ptp_read_tx_hwtstamp_status_eth56g(struct ice_hw *hw, u32 *ts_status)
*ts_status = 0;
for (phy = 0; phy < params->num_phys; phy++) {
+ u8 port;
int err;
- err = ice_read_phy_eth56g(hw, phy, PHY_PTP_INT_STATUS, &status);
+ /* ice_read_phy_eth56g expects a port index, so use the first
+ * port of the PHY
+ */
+ port = phy * hw->ptp.ports_per_phy;
+
+ err = ice_read_phy_eth56g(hw, port, PHY_PTP_INT_STATUS, &status);
if (err)
return err;
- *ts_status |= (status & mask) << (phy * hw->ptp.ports_per_phy);
+ *ts_status |= (status & mask) << port;
}
ice_debug(hw, ICE_DBG_PTP, "PHY interrupt err: %x\n", *ts_status);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 686/957] net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (684 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 685/957] ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 687/957] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
` (276 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a6edf2cd4156b71e07258876b7626692e158f7e8 ]
hhf_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421143349.4052215-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_hhf.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c
index 2d4855e28a286..81c3a388c9437 100644
--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -198,7 +198,8 @@ static struct hh_flow_state *seek_list(const u32 hash,
return NULL;
list_del(&flow->flowchain);
kfree(flow);
- q->hh_flows_current_cnt--;
+ WRITE_ONCE(q->hh_flows_current_cnt,
+ q->hh_flows_current_cnt - 1);
} else if (flow->hash_id == hash) {
return flow;
}
@@ -226,7 +227,7 @@ static struct hh_flow_state *alloc_new_hh(struct list_head *head,
}
if (q->hh_flows_current_cnt >= q->hh_flows_limit) {
- q->hh_flows_overlimit++;
+ WRITE_ONCE(q->hh_flows_overlimit, q->hh_flows_overlimit + 1);
return NULL;
}
/* Create new entry. */
@@ -234,7 +235,7 @@ static struct hh_flow_state *alloc_new_hh(struct list_head *head,
if (!flow)
return NULL;
- q->hh_flows_current_cnt++;
+ WRITE_ONCE(q->hh_flows_current_cnt, q->hh_flows_current_cnt + 1);
INIT_LIST_HEAD(&flow->flowchain);
list_add_tail(&flow->flowchain, head);
@@ -309,7 +310,7 @@ static enum wdrr_bucket_idx hhf_classify(struct sk_buff *skb, struct Qdisc *sch)
return WDRR_BUCKET_FOR_NON_HH;
flow->hash_id = hash;
flow->hit_timestamp = now;
- q->hh_flows_total_cnt++;
+ WRITE_ONCE(q->hh_flows_total_cnt, q->hh_flows_total_cnt + 1);
/* By returning without updating counters in q->hhf_arrays,
* we implicitly implement "shielding" (see Optimization O1).
@@ -403,7 +404,7 @@ static int hhf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return NET_XMIT_SUCCESS;
prev_backlog = sch->qstats.backlog;
- q->drop_overlimit++;
+ WRITE_ONCE(q->drop_overlimit, q->drop_overlimit + 1);
/* Return Congestion Notification only if we dropped a packet from this
* bucket.
*/
@@ -687,10 +688,10 @@ static int hhf_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct hhf_sched_data *q = qdisc_priv(sch);
struct tc_hhf_xstats st = {
- .drop_overlimit = q->drop_overlimit,
- .hh_overlimit = q->hh_flows_overlimit,
- .hh_tot_count = q->hh_flows_total_cnt,
- .hh_cur_count = q->hh_flows_current_cnt,
+ .drop_overlimit = READ_ONCE(q->drop_overlimit),
+ .hh_overlimit = READ_ONCE(q->hh_flows_overlimit),
+ .hh_tot_count = READ_ONCE(q->hh_flows_total_cnt),
+ .hh_cur_count = READ_ONCE(q->hh_flows_current_cnt),
};
return gnet_stats_copy_app(d, &st, sizeof(st));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 687/957] net/sched: sch_pie: annotate data-races in pie_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (685 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 686/957] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 688/957] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
` (275 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5154561d9b119f781249f8e845fecf059b38b483 ]
pie_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_pie_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142944.4009941-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/pie.h | 2 +-
net/sched/sch_pie.c | 38 +++++++++++++++++++-------------------
2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/include/net/pie.h b/include/net/pie.h
index 01cbc66825a40..1f3db0c355149 100644
--- a/include/net/pie.h
+++ b/include/net/pie.h
@@ -104,7 +104,7 @@ static inline void pie_vars_init(struct pie_vars *vars)
vars->dq_tstamp = DTIME_INVALID;
vars->accu_prob = 0;
vars->dq_count = DQCOUNT_INVALID;
- vars->avg_dq_rate = 0;
+ WRITE_ONCE(vars->avg_dq_rate, 0);
}
static inline struct pie_skb_cb *get_pie_cb(const struct sk_buff *skb)
diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
index 0a377313b6a9d..73650200482f4 100644
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -90,7 +90,7 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
bool enqueue = false;
if (unlikely(qdisc_qlen(sch) >= sch->limit)) {
- q->stats.overlimit++;
+ WRITE_ONCE(q->stats.overlimit, q->stats.overlimit + 1);
goto out;
}
@@ -104,7 +104,7 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* If packet is ecn capable, mark it if drop probability
* is lower than 10%, else drop it.
*/
- q->stats.ecn_mark++;
+ WRITE_ONCE(q->stats.ecn_mark, q->stats.ecn_mark + 1);
enqueue = true;
}
@@ -114,15 +114,15 @@ static int pie_qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (!q->params.dq_rate_estimator)
pie_set_enqueue_time(skb);
- q->stats.packets_in++;
+ WRITE_ONCE(q->stats.packets_in, q->stats.packets_in + 1);
if (qdisc_qlen(sch) > q->stats.maxq)
- q->stats.maxq = qdisc_qlen(sch);
+ WRITE_ONCE(q->stats.maxq, qdisc_qlen(sch));
return qdisc_enqueue_tail(skb, sch);
}
out:
- q->stats.dropped++;
+ WRITE_ONCE(q->stats.dropped, q->stats.dropped + 1);
q->vars.accu_prob = 0;
return qdisc_drop_reason(skb, sch, to_free, reason);
}
@@ -267,11 +267,11 @@ void pie_process_dequeue(struct sk_buff *skb, struct pie_params *params,
count = count / dtime;
if (vars->avg_dq_rate == 0)
- vars->avg_dq_rate = count;
+ WRITE_ONCE(vars->avg_dq_rate, count);
else
- vars->avg_dq_rate =
+ WRITE_ONCE(vars->avg_dq_rate,
(vars->avg_dq_rate -
- (vars->avg_dq_rate >> 3)) + (count >> 3);
+ (vars->avg_dq_rate >> 3)) + (count >> 3));
/* If the queue has receded below the threshold, we hold
* on to the last drain rate calculated, else we reset
@@ -381,7 +381,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (delta > 0) {
/* prevent overflow */
if (vars->prob < oldprob) {
- vars->prob = MAX_PROB;
+ WRITE_ONCE(vars->prob, MAX_PROB);
/* Prevent normalization error. If probability is at
* maximum value already, we normalize it here, and
* skip the check to do a non-linear drop in the next
@@ -392,7 +392,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
} else {
/* prevent underflow */
if (vars->prob > oldprob)
- vars->prob = 0;
+ WRITE_ONCE(vars->prob, 0);
}
/* Non-linear drop in probability: Reduce drop probability quickly if
@@ -403,7 +403,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
/* Reduce drop probability to 98.4% */
vars->prob -= vars->prob / 64;
- vars->qdelay = qdelay;
+ WRITE_ONCE(vars->qdelay, qdelay);
vars->backlog_old = backlog;
/* We restart the measurement cycle if the following conditions are met
@@ -502,21 +502,21 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
struct pie_sched_data *q = qdisc_priv(sch);
struct tc_pie_xstats st = {
.prob = q->vars.prob << BITS_PER_BYTE,
- .delay = ((u32)PSCHED_TICKS2NS(q->vars.qdelay)) /
+ .delay = ((u32)PSCHED_TICKS2NS(READ_ONCE(q->vars.qdelay))) /
NSEC_PER_USEC,
- .packets_in = q->stats.packets_in,
- .overlimit = q->stats.overlimit,
- .maxq = q->stats.maxq,
- .dropped = q->stats.dropped,
- .ecn_mark = q->stats.ecn_mark,
+ .packets_in = READ_ONCE(q->stats.packets_in),
+ .overlimit = READ_ONCE(q->stats.overlimit),
+ .maxq = READ_ONCE(q->stats.maxq),
+ .dropped = READ_ONCE(q->stats.dropped),
+ .ecn_mark = READ_ONCE(q->stats.ecn_mark),
};
/* avg_dq_rate is only valid if dq_rate_estimator is enabled */
st.dq_rate_estimating = q->params.dq_rate_estimator;
/* unscale and return dq_rate in bytes per sec */
- if (q->params.dq_rate_estimator)
- st.avg_dq_rate = q->vars.avg_dq_rate *
+ if (st.dq_rate_estimating)
+ st.avg_dq_rate = READ_ONCE(q->vars.avg_dq_rate) *
(PSCHED_TICKS_PER_SEC) >> PIE_SCALE;
return gnet_stats_copy_app(d, &st, sizeof(st));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 688/957] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (686 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 687/957] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 689/957] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
` (274 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit bbfaa73ea6871db03dc05d7f05f00557a8981f25 ]
fq_codel_dump_stats() acquires the qdisc spinlock a bit too late.
Move this acquisition before we fill st.qdisc_stats with live data.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142509.3967231-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_fq_codel.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index a141423929394..90e1dfac6f594 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -584,6 +584,8 @@ static int fq_codel_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
};
struct list_head *pos;
+ sch_tree_lock(sch);
+
st.qdisc_stats.maxpacket = q->cstats.maxpacket;
st.qdisc_stats.drop_overlimit = q->drop_overlimit;
st.qdisc_stats.ecn_mark = q->cstats.ecn_mark;
@@ -592,7 +594,6 @@ static int fq_codel_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
st.qdisc_stats.memory_usage = q->memory_usage;
st.qdisc_stats.drop_overmemory = q->drop_overmemory;
- sch_tree_lock(sch);
list_for_each(pos, &q->new_flows)
st.qdisc_stats.new_flows_len++;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 689/957] net/sched: sch_red: annotate data-races in red_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (687 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 688/957] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 690/957] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
` (273 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a8f5192809caf636d05ba47c144f282cfd0e3839 ]
red_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_red_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260421142309.3964322-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_red.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 68ee41ce78c50..86651a68d4015 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -90,17 +90,20 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
case RED_PROB_MARK:
qdisc_qstats_overlimit(sch);
if (!red_use_ecn(q)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
if (INET_ECN_set_ce(skb)) {
- q->stats.prob_mark++;
+ WRITE_ONCE(q->stats.prob_mark,
+ q->stats.prob_mark + 1);
skb = tcf_qevent_handle(&q->qe_mark, sch, skb, to_free, &ret);
if (!skb)
return NET_XMIT_CN | ret;
} else if (!red_use_nodrop(q)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
@@ -111,17 +114,20 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
reason = SKB_DROP_REASON_QDISC_OVERLIMIT;
qdisc_qstats_overlimit(sch);
if (red_use_harddrop(q) || !red_use_ecn(q)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
if (INET_ECN_set_ce(skb)) {
- q->stats.forced_mark++;
+ WRITE_ONCE(q->stats.forced_mark,
+ q->stats.forced_mark + 1);
skb = tcf_qevent_handle(&q->qe_mark, sch, skb, to_free, &ret);
if (!skb)
return NET_XMIT_CN | ret;
} else if (!red_use_nodrop(q)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
@@ -135,7 +141,8 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
sch->qstats.backlog += len;
sch->q.qlen++;
} else if (net_xmit_drop_count(ret)) {
- q->stats.pdrop++;
+ WRITE_ONCE(q->stats.pdrop,
+ q->stats.pdrop + 1);
qdisc_qstats_drop(sch);
}
return ret;
@@ -463,9 +470,13 @@ static int red_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED,
&hw_stats_request);
}
- st.early = q->stats.prob_drop + q->stats.forced_drop;
- st.pdrop = q->stats.pdrop;
- st.marked = q->stats.prob_mark + q->stats.forced_mark;
+ st.early = READ_ONCE(q->stats.prob_drop) +
+ READ_ONCE(q->stats.forced_drop);
+
+ st.pdrop = READ_ONCE(q->stats.pdrop);
+
+ st.marked = READ_ONCE(q->stats.prob_mark) +
+ READ_ONCE(q->stats.forced_mark);
return gnet_stats_copy_app(d, &st, sizeof(st));
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 690/957] net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (688 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 689/957] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 691/957] net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct Greg Kroah-Hartman
` (272 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ada03fdef82d3d7d2edb9dcd3acc91917675e48 ]
sfb_dump_stats() only runs with RTNL held,
reading fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Alternative would be to acquire the qdisc spinlock, but our long-term
goal is to make qdisc dump operations lockless as much as we can.
tc_sfb_xstats fields don't need to be latched atomically,
otherwise this bug would have been caught earlier.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260421141655.3953721-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfb.c | 54 +++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 22 deletions(-)
diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index d2835f1168e1d..00286c930b8de 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -130,7 +130,7 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q)
sfbhash >>= SFB_BUCKET_SHIFT;
if (b[hash].qlen < 0xFFFF)
- b[hash].qlen++;
+ WRITE_ONCE(b[hash].qlen, b[hash].qlen + 1);
b += SFB_NUMBUCKETS; /* next level */
}
}
@@ -159,7 +159,7 @@ static void decrement_one_qlen(u32 sfbhash, u32 slot,
sfbhash >>= SFB_BUCKET_SHIFT;
if (b[hash].qlen > 0)
- b[hash].qlen--;
+ WRITE_ONCE(b[hash].qlen, b[hash].qlen - 1);
b += SFB_NUMBUCKETS; /* next level */
}
}
@@ -179,12 +179,12 @@ static void decrement_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
static void decrement_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
{
- b->p_mark = prob_minus(b->p_mark, q->decrement);
+ WRITE_ONCE(b->p_mark, prob_minus(b->p_mark, q->decrement));
}
static void increment_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
{
- b->p_mark = prob_plus(b->p_mark, q->increment);
+ WRITE_ONCE(b->p_mark, prob_plus(b->p_mark, q->increment));
}
static void sfb_zero_all_buckets(struct sfb_sched_data *q)
@@ -202,11 +202,14 @@ static u32 sfb_compute_qlen(u32 *prob_r, u32 *avgpm_r, const struct sfb_sched_da
const struct sfb_bucket *b = &q->bins[q->slot].bins[0][0];
for (i = 0; i < SFB_LEVELS * SFB_NUMBUCKETS; i++) {
- if (qlen < b->qlen)
- qlen = b->qlen;
- totalpm += b->p_mark;
- if (prob < b->p_mark)
- prob = b->p_mark;
+ u32 b_qlen = READ_ONCE(b->qlen);
+ u32 b_mark = READ_ONCE(b->p_mark);
+
+ if (qlen < b_qlen)
+ qlen = b_qlen;
+ totalpm += b_mark;
+ if (prob < b_mark)
+ prob = b_mark;
b++;
}
*prob_r = prob;
@@ -295,7 +298,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (unlikely(sch->q.qlen >= q->limit)) {
qdisc_qstats_overlimit(sch);
- q->stats.queuedrop++;
+ WRITE_ONCE(q->stats.queuedrop,
+ q->stats.queuedrop + 1);
goto drop;
}
@@ -348,7 +352,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (unlikely(minqlen >= q->max)) {
qdisc_qstats_overlimit(sch);
- q->stats.bucketdrop++;
+ WRITE_ONCE(q->stats.bucketdrop,
+ q->stats.bucketdrop + 1);
goto drop;
}
@@ -374,7 +379,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
}
if (sfb_rate_limit(skb, q)) {
qdisc_qstats_overlimit(sch);
- q->stats.penaltydrop++;
+ WRITE_ONCE(q->stats.penaltydrop,
+ q->stats.penaltydrop + 1);
goto drop;
}
goto enqueue;
@@ -390,14 +396,17 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
* In either case, we want to start dropping packets.
*/
if (r < (p_min - SFB_MAX_PROB / 2) * 2) {
- q->stats.earlydrop++;
+ WRITE_ONCE(q->stats.earlydrop,
+ q->stats.earlydrop + 1);
goto drop;
}
}
if (INET_ECN_set_ce(skb)) {
- q->stats.marked++;
+ WRITE_ONCE(q->stats.marked,
+ q->stats.marked + 1);
} else {
- q->stats.earlydrop++;
+ WRITE_ONCE(q->stats.earlydrop,
+ q->stats.earlydrop + 1);
goto drop;
}
}
@@ -410,7 +419,8 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
sch->q.qlen++;
increment_qlen(&cb, q);
} else if (net_xmit_drop_count(ret)) {
- q->stats.childdrop++;
+ WRITE_ONCE(q->stats.childdrop,
+ q->stats.childdrop + 1);
qdisc_qstats_drop(sch);
}
return ret;
@@ -599,12 +609,12 @@ static int sfb_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct sfb_sched_data *q = qdisc_priv(sch);
struct tc_sfb_xstats st = {
- .earlydrop = q->stats.earlydrop,
- .penaltydrop = q->stats.penaltydrop,
- .bucketdrop = q->stats.bucketdrop,
- .queuedrop = q->stats.queuedrop,
- .childdrop = q->stats.childdrop,
- .marked = q->stats.marked,
+ .earlydrop = READ_ONCE(q->stats.earlydrop),
+ .penaltydrop = READ_ONCE(q->stats.penaltydrop),
+ .bucketdrop = READ_ONCE(q->stats.bucketdrop),
+ .queuedrop = READ_ONCE(q->stats.queuedrop),
+ .childdrop = READ_ONCE(q->stats.childdrop),
+ .marked = READ_ONCE(q->stats.marked),
};
st.maxqlen = sfb_compute_qlen(&st.maxprob, &st.avgprob, q);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 691/957] net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (689 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 690/957] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 692/957] net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct Greg Kroah-Hartman
` (271 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 6d5b601d52a27aafff555b480e538507901c672c ]
This is a preliminary patch to properly enable PPE support for AN7583
SoC.
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-2-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 3309965fe44c ("net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.h | 2 +-
drivers/net/ethernet/airoha/airoha_ppe.c | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 054fe86d67bd1..9929c44d84702 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -548,7 +548,7 @@ struct airoha_ppe {
struct rhashtable l2_flows;
struct hlist_head *foe_flow;
- u16 foe_check_time[PPE_NUM_ENTRIES];
+ u16 *foe_check_time;
struct airoha_foe_stats *foe_stats;
dma_addr_t foe_stats_dma;
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index e9994c794c703..072cc2dd50dda 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -1538,6 +1538,11 @@ int airoha_ppe_init(struct airoha_eth *eth)
return -ENOMEM;
}
+ ppe->foe_check_time = devm_kzalloc(eth->dev, PPE_NUM_ENTRIES,
+ GFP_KERNEL);
+ if (!ppe->foe_check_time)
+ return -ENOMEM;
+
err = rhashtable_init(ð->flow_table, &airoha_flow_table_params);
if (err)
return err;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 692/957] net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (690 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 691/957] net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 693/957] net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback Greg Kroah-Hartman
` (270 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 5bd1d1fd48ea9f8300b211540d946899c7f96480 ]
AN7583 SoC runs a single PPE device while EN7581 runs two of them.
Moreover PPE SRAM in AN7583 SoC is reduced to 8K (while SRAM is 16K on
EN7581). Take into account PPE memory layout during PPE configuration.
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-6-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 3309965fe44c ("net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.h | 10 +-
drivers/net/ethernet/airoha/airoha_ppe.c | 133 +++++++++---------
.../net/ethernet/airoha/airoha_ppe_debugfs.c | 3 +-
3 files changed, 70 insertions(+), 76 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 9929c44d84702..8d121d12dc120 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -47,14 +47,9 @@
#define QDMA_METER_IDX(_n) ((_n) & 0xff)
#define QDMA_METER_GROUP(_n) (((_n) >> 8) & 0x3)
-#define PPE_NUM 2
-#define PPE1_SRAM_NUM_ENTRIES (8 * 1024)
-#define PPE_SRAM_NUM_ENTRIES (PPE_NUM * PPE1_SRAM_NUM_ENTRIES)
-#define PPE1_STATS_NUM_ENTRIES (4 * 1024)
-#define PPE_STATS_NUM_ENTRIES (PPE_NUM * PPE1_STATS_NUM_ENTRIES)
+#define PPE_SRAM_NUM_ENTRIES (8 * 1024)
+#define PPE_STATS_NUM_ENTRIES (4 * 1024)
#define PPE_DRAM_NUM_ENTRIES (16 * 1024)
-#define PPE_NUM_ENTRIES (PPE_SRAM_NUM_ENTRIES + PPE_DRAM_NUM_ENTRIES)
-#define PPE_HASH_MASK (PPE_NUM_ENTRIES - 1)
#define PPE_ENTRY_SIZE 80
#define PPE_RAM_NUM_ENTRIES_SHIFT(_n) (__ffs((_n) >> 10))
@@ -635,6 +630,7 @@ int airoha_ppe_setup_tc_block_cb(struct airoha_ppe_dev *dev, void *type_data);
int airoha_ppe_init(struct airoha_eth *eth);
void airoha_ppe_deinit(struct airoha_eth *eth);
void airoha_ppe_init_upd_mem(struct airoha_gdm_port *port);
+u32 airoha_ppe_get_total_num_entries(struct airoha_ppe *ppe);
struct airoha_foe_entry *airoha_ppe_foe_get_entry(struct airoha_ppe *ppe,
u32 hash);
void airoha_ppe_foe_entry_get_stats(struct airoha_ppe *ppe, u32 hash,
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 072cc2dd50dda..239c43248b4f4 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -37,19 +37,36 @@ static int airoha_ppe_get_num_stats_entries(struct airoha_ppe *ppe)
if (!IS_ENABLED(CONFIG_NET_AIROHA_FLOW_STATS))
return -EOPNOTSUPP;
- return PPE1_STATS_NUM_ENTRIES;
+ return PPE_STATS_NUM_ENTRIES;
}
static int airoha_ppe_get_total_num_stats_entries(struct airoha_ppe *ppe)
{
int num_stats = airoha_ppe_get_num_stats_entries(ppe);
- if (num_stats > 0)
- num_stats = num_stats * PPE_NUM;
+ if (num_stats > 0) {
+ struct airoha_eth *eth = ppe->eth;
+
+ num_stats = num_stats * eth->soc->num_ppe;
+ }
return num_stats;
}
+static u32 airoha_ppe_get_total_sram_num_entries(struct airoha_ppe *ppe)
+{
+ struct airoha_eth *eth = ppe->eth;
+
+ return PPE_SRAM_NUM_ENTRIES * eth->soc->num_ppe;
+}
+
+u32 airoha_ppe_get_total_num_entries(struct airoha_ppe *ppe)
+{
+ u32 sram_num_entries = airoha_ppe_get_total_sram_num_entries(ppe);
+
+ return sram_num_entries + PPE_DRAM_NUM_ENTRIES;
+}
+
bool airoha_ppe_is_enabled(struct airoha_eth *eth, int index)
{
if (index >= eth->soc->num_ppe)
@@ -67,14 +84,22 @@ static u32 airoha_ppe_get_timestamp(struct airoha_ppe *ppe)
static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
{
- u32 sram_tb_size, sram_num_entries, dram_num_entries;
+ u32 sram_ppe_num_data_entries = PPE_SRAM_NUM_ENTRIES, sram_num_entries;
+ u32 sram_tb_size, dram_num_entries;
struct airoha_eth *eth = ppe->eth;
int i, sram_num_stats_entries;
- sram_tb_size = PPE_SRAM_NUM_ENTRIES * sizeof(struct airoha_foe_entry);
+ sram_num_entries = airoha_ppe_get_total_sram_num_entries(ppe);
+ sram_tb_size = sram_num_entries * sizeof(struct airoha_foe_entry);
dram_num_entries = PPE_RAM_NUM_ENTRIES_SHIFT(PPE_DRAM_NUM_ENTRIES);
- for (i = 0; i < PPE_NUM; i++) {
+ sram_num_stats_entries = airoha_ppe_get_num_stats_entries(ppe);
+ if (sram_num_stats_entries > 0)
+ sram_ppe_num_data_entries -= sram_num_stats_entries;
+ sram_ppe_num_data_entries =
+ PPE_RAM_NUM_ENTRIES_SHIFT(sram_ppe_num_data_entries);
+
+ for (i = 0; i < eth->soc->num_ppe; i++) {
int p;
airoha_fe_wr(eth, REG_PPE_TB_BASE(i),
@@ -106,10 +131,16 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
airoha_fe_rmw(eth, REG_PPE_TB_CFG(i),
PPE_TB_CFG_SEARCH_MISS_MASK |
+ PPE_SRAM_TB_NUM_ENTRY_MASK |
+ PPE_DRAM_TB_NUM_ENTRY_MASK |
PPE_TB_CFG_KEEPALIVE_MASK |
PPE_TB_ENTRY_SIZE_MASK,
FIELD_PREP(PPE_TB_CFG_SEARCH_MISS_MASK, 3) |
- FIELD_PREP(PPE_TB_ENTRY_SIZE_MASK, 0));
+ FIELD_PREP(PPE_TB_ENTRY_SIZE_MASK, 0) |
+ FIELD_PREP(PPE_SRAM_TB_NUM_ENTRY_MASK,
+ sram_ppe_num_data_entries) |
+ FIELD_PREP(PPE_DRAM_TB_NUM_ENTRY_MASK,
+ dram_num_entries));
airoha_fe_rmw(eth, REG_PPE_BIND_RATE(i),
PPE_BIND_RATE_L2B_BIND_MASK |
@@ -130,45 +161,6 @@ static void airoha_ppe_hw_init(struct airoha_ppe *ppe)
FIELD_PREP(FP1_EGRESS_MTU_MASK,
AIROHA_MAX_MTU));
}
-
- if (airoha_ppe_is_enabled(eth, 1)) {
- sram_num_entries = PPE1_SRAM_NUM_ENTRIES;
- sram_num_stats_entries =
- airoha_ppe_get_num_stats_entries(ppe);
- if (sram_num_stats_entries > 0)
- sram_num_entries -= sram_num_stats_entries;
- sram_num_entries = PPE_RAM_NUM_ENTRIES_SHIFT(sram_num_entries);
-
- airoha_fe_rmw(eth, REG_PPE_TB_CFG(0),
- PPE_SRAM_TB_NUM_ENTRY_MASK |
- PPE_DRAM_TB_NUM_ENTRY_MASK,
- FIELD_PREP(PPE_SRAM_TB_NUM_ENTRY_MASK,
- sram_num_entries) |
- FIELD_PREP(PPE_DRAM_TB_NUM_ENTRY_MASK,
- dram_num_entries));
- airoha_fe_rmw(eth, REG_PPE_TB_CFG(1),
- PPE_SRAM_TB_NUM_ENTRY_MASK |
- PPE_DRAM_TB_NUM_ENTRY_MASK,
- FIELD_PREP(PPE_SRAM_TB_NUM_ENTRY_MASK,
- sram_num_entries) |
- FIELD_PREP(PPE_DRAM_TB_NUM_ENTRY_MASK,
- dram_num_entries));
- } else {
- sram_num_entries = PPE_SRAM_NUM_ENTRIES;
- sram_num_stats_entries =
- airoha_ppe_get_total_num_stats_entries(ppe);
- if (sram_num_stats_entries > 0)
- sram_num_entries -= sram_num_stats_entries;
- sram_num_entries = PPE_RAM_NUM_ENTRIES_SHIFT(sram_num_entries);
-
- airoha_fe_rmw(eth, REG_PPE_TB_CFG(0),
- PPE_SRAM_TB_NUM_ENTRY_MASK |
- PPE_DRAM_TB_NUM_ENTRY_MASK,
- FIELD_PREP(PPE_SRAM_TB_NUM_ENTRY_MASK,
- sram_num_entries) |
- FIELD_PREP(PPE_DRAM_TB_NUM_ENTRY_MASK,
- dram_num_entries));
- }
}
static void airoha_ppe_flow_mangle_eth(const struct flow_action_entry *act, void *eth)
@@ -469,9 +461,11 @@ static int airoha_ppe_foe_entry_set_ipv6_tuple(struct airoha_foe_entry *hwe,
return 0;
}
-static u32 airoha_ppe_foe_get_entry_hash(struct airoha_foe_entry *hwe)
+static u32 airoha_ppe_foe_get_entry_hash(struct airoha_ppe *ppe,
+ struct airoha_foe_entry *hwe)
{
int type = FIELD_GET(AIROHA_FOE_IB1_BIND_PACKET_TYPE, hwe->ib1);
+ u32 ppe_hash_mask = airoha_ppe_get_total_num_entries(ppe) - 1;
u32 hash, hv1, hv2, hv3;
switch (type) {
@@ -509,14 +503,14 @@ static u32 airoha_ppe_foe_get_entry_hash(struct airoha_foe_entry *hwe)
case PPE_PKT_TYPE_IPV6_6RD:
default:
WARN_ON_ONCE(1);
- return PPE_HASH_MASK;
+ return ppe_hash_mask;
}
hash = (hv1 & hv2) | ((~hv1) & hv3);
hash = (hash >> 24) | ((hash & 0xffffff) << 8);
hash ^= hv1 ^ hv2 ^ hv3;
hash ^= hash >> 16;
- hash &= PPE_NUM_ENTRIES - 1;
+ hash &= ppe_hash_mask;
return hash;
}
@@ -617,9 +611,11 @@ static void airoha_ppe_foe_flow_stats_update(struct airoha_ppe *ppe,
static struct airoha_foe_entry *
airoha_ppe_foe_get_entry_locked(struct airoha_ppe *ppe, u32 hash)
{
+ u32 sram_num_entries = airoha_ppe_get_total_sram_num_entries(ppe);
+
lockdep_assert_held(&ppe_lock);
- if (hash < PPE_SRAM_NUM_ENTRIES) {
+ if (hash < sram_num_entries) {
u32 *hwe = ppe->foe + hash * sizeof(struct airoha_foe_entry);
struct airoha_eth *eth = ppe->eth;
bool ppe2;
@@ -627,7 +623,7 @@ airoha_ppe_foe_get_entry_locked(struct airoha_ppe *ppe, u32 hash)
int i;
ppe2 = airoha_ppe_is_enabled(ppe->eth, 1) &&
- hash >= PPE1_SRAM_NUM_ENTRIES;
+ hash >= PPE_SRAM_NUM_ENTRIES;
airoha_fe_wr(ppe->eth, REG_PPE_RAM_CTRL(ppe2),
FIELD_PREP(PPE_SRAM_CTRL_ENTRY_MASK, hash) |
PPE_SRAM_CTRL_REQ_MASK);
@@ -678,6 +674,7 @@ static int airoha_ppe_foe_commit_entry(struct airoha_ppe *ppe,
struct airoha_foe_entry *e,
u32 hash, bool rx_wlan)
{
+ u32 sram_num_entries = airoha_ppe_get_total_sram_num_entries(ppe);
struct airoha_foe_entry *hwe = ppe->foe + hash * sizeof(*hwe);
u32 ts = airoha_ppe_get_timestamp(ppe);
struct airoha_eth *eth = ppe->eth;
@@ -702,10 +699,10 @@ static int airoha_ppe_foe_commit_entry(struct airoha_ppe *ppe,
if (!rx_wlan)
airoha_ppe_foe_flow_stats_update(ppe, npu, hwe, hash);
- if (hash < PPE_SRAM_NUM_ENTRIES) {
+ if (hash < sram_num_entries) {
dma_addr_t addr = ppe->foe_dma + hash * sizeof(*hwe);
bool ppe2 = airoha_ppe_is_enabled(eth, 1) &&
- hash >= PPE1_SRAM_NUM_ENTRIES;
+ hash >= PPE_SRAM_NUM_ENTRIES;
err = npu->ops.ppe_foe_commit_entry(npu, addr, sizeof(*hwe),
hash, ppe2);
@@ -832,7 +829,7 @@ static void airoha_ppe_foe_insert_entry(struct airoha_ppe *ppe,
if (state == AIROHA_FOE_STATE_BIND)
goto unlock;
- index = airoha_ppe_foe_get_entry_hash(hwe);
+ index = airoha_ppe_foe_get_entry_hash(ppe, hwe);
hlist_for_each_entry_safe(e, n, &ppe->foe_flow[index], list) {
if (e->type == FLOW_TYPE_L2_SUBFLOW) {
state = FIELD_GET(AIROHA_FOE_IB1_BIND_STATE, hwe->ib1);
@@ -892,7 +889,7 @@ static int airoha_ppe_foe_flow_commit_entry(struct airoha_ppe *ppe,
if (type == PPE_PKT_TYPE_BRIDGE)
return airoha_ppe_foe_l2_flow_commit_entry(ppe, e);
- hash = airoha_ppe_foe_get_entry_hash(&e->data);
+ hash = airoha_ppe_foe_get_entry_hash(ppe, &e->data);
e->type = FLOW_TYPE_L4;
e->hash = 0xffff;
@@ -1296,17 +1293,15 @@ static int airoha_ppe_flow_offload_cmd(struct airoha_eth *eth,
static int airoha_ppe_flush_sram_entries(struct airoha_ppe *ppe,
struct airoha_npu *npu)
{
- int i, sram_num_entries = PPE_SRAM_NUM_ENTRIES;
+ u32 sram_num_entries = airoha_ppe_get_total_sram_num_entries(ppe);
struct airoha_foe_entry *hwe = ppe->foe;
+ int i;
- if (airoha_ppe_is_enabled(ppe->eth, 1))
- sram_num_entries = sram_num_entries / 2;
-
- for (i = 0; i < sram_num_entries; i++)
+ for (i = 0; i < PPE_SRAM_NUM_ENTRIES; i++)
memset(&hwe[i], 0, sizeof(*hwe));
return npu->ops.ppe_flush_sram_entries(npu, ppe->foe_dma,
- PPE_SRAM_NUM_ENTRIES);
+ sram_num_entries);
}
static struct airoha_npu *airoha_ppe_npu_get(struct airoha_eth *eth)
@@ -1410,9 +1405,10 @@ void airoha_ppe_check_skb(struct airoha_ppe_dev *dev, struct sk_buff *skb,
u16 hash, bool rx_wlan)
{
struct airoha_ppe *ppe = dev->priv;
+ u32 ppe_hash_mask = airoha_ppe_get_total_num_entries(ppe) - 1;
u16 now, diff;
- if (hash > PPE_HASH_MASK)
+ if (hash > ppe_hash_mask)
return;
now = (u16)jiffies;
@@ -1503,6 +1499,7 @@ EXPORT_SYMBOL_GPL(airoha_ppe_put_dev);
int airoha_ppe_init(struct airoha_eth *eth)
{
int foe_size, err, ppe_num_stats_entries;
+ u32 ppe_num_entries;
struct airoha_ppe *ppe;
ppe = devm_kzalloc(eth->dev, sizeof(*ppe), GFP_KERNEL);
@@ -1512,18 +1509,18 @@ int airoha_ppe_init(struct airoha_eth *eth)
ppe->dev.ops.setup_tc_block_cb = airoha_ppe_setup_tc_block_cb;
ppe->dev.ops.check_skb = airoha_ppe_check_skb;
ppe->dev.priv = ppe;
+ ppe->eth = eth;
+ eth->ppe = ppe;
- foe_size = PPE_NUM_ENTRIES * sizeof(struct airoha_foe_entry);
+ ppe_num_entries = airoha_ppe_get_total_num_entries(ppe);
+ foe_size = ppe_num_entries * sizeof(struct airoha_foe_entry);
ppe->foe = dmam_alloc_coherent(eth->dev, foe_size, &ppe->foe_dma,
GFP_KERNEL);
if (!ppe->foe)
return -ENOMEM;
- ppe->eth = eth;
- eth->ppe = ppe;
-
ppe->foe_flow = devm_kzalloc(eth->dev,
- PPE_NUM_ENTRIES * sizeof(*ppe->foe_flow),
+ ppe_num_entries * sizeof(*ppe->foe_flow),
GFP_KERNEL);
if (!ppe->foe_flow)
return -ENOMEM;
@@ -1538,7 +1535,7 @@ int airoha_ppe_init(struct airoha_eth *eth)
return -ENOMEM;
}
- ppe->foe_check_time = devm_kzalloc(eth->dev, PPE_NUM_ENTRIES,
+ ppe->foe_check_time = devm_kzalloc(eth->dev, ppe_num_entries,
GFP_KERNEL);
if (!ppe->foe_check_time)
return -ENOMEM;
diff --git a/drivers/net/ethernet/airoha/airoha_ppe_debugfs.c b/drivers/net/ethernet/airoha/airoha_ppe_debugfs.c
index 05a756233f6a4..0112c41150bb0 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe_debugfs.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe_debugfs.c
@@ -53,9 +53,10 @@ static int airoha_ppe_debugfs_foe_show(struct seq_file *m, void *private,
[AIROHA_FOE_STATE_FIN] = "FIN",
};
struct airoha_ppe *ppe = m->private;
+ u32 ppe_num_entries = airoha_ppe_get_total_num_entries(ppe);
int i;
- for (i = 0; i < PPE_NUM_ENTRIES; i++) {
+ for (i = 0; i < ppe_num_entries; i++) {
const char *state_str, *type_str = "UNKNOWN";
void *src_addr = NULL, *dest_addr = NULL;
u16 *src_port = NULL, *dest_port = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 693/957] net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (691 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 692/957] net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 694/957] net: airoha: Add AN7583 SoC support Greg Kroah-Hartman
` (269 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 9d5b5219f672c80bed4d4e15f0068e648cdca43b ]
AN7583 chipset relies on different definitions for source-port
identifier used for hw offloading. In order to support hw offloading
in AN7583 controller, refactor src port configuration in
airhoha_set_gdm2_loopback routine and introduce get_src_port_id
callback.
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-11-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 3309965fe44c ("net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 82 ++++++++++++++++-------
drivers/net/ethernet/airoha/airoha_eth.h | 18 +++--
drivers/net/ethernet/airoha/airoha_regs.h | 6 +-
3 files changed, 73 insertions(+), 33 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index f8db324b141fe..6e7f816cd7edb 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1751,13 +1751,17 @@ static int airoha_dev_set_macaddr(struct net_device *dev, void *p)
return 0;
}
-static void airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
+static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
{
- u32 pse_port = port->id == 3 ? FE_PSE_PORT_GDM3 : FE_PSE_PORT_GDM4;
+ u32 val, pse_port, chan = port->id == AIROHA_GDM3_IDX ? 4 : 0;
struct airoha_eth *eth = port->qdma->eth;
- u32 chan = port->id == 3 ? 4 : 0;
+ /* XXX: handle XSI_USB_PORT and XSI_PCE1_PORT */
+ u32 nbq = port->id == AIROHA_GDM3_IDX ? 4 : 0;
+ int src_port;
/* Forward the traffic to the proper GDM port */
+ pse_port = port->id == AIROHA_GDM3_IDX ? FE_PSE_PORT_GDM3
+ : FE_PSE_PORT_GDM4;
airoha_set_gdm_port_fwd_cfg(eth, REG_GDM_FWD_CFG(2), pse_port);
airoha_fe_clear(eth, REG_GDM_FWD_CFG(2), GDM_STRIP_CRC);
@@ -1778,29 +1782,25 @@ static void airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
airoha_fe_clear(eth, REG_FE_VIP_PORT_EN, BIT(2));
airoha_fe_clear(eth, REG_FE_IFC_PORT_EN, BIT(2));
- if (port->id == 3) {
- /* FIXME: handle XSI_PCE1_PORT */
- airoha_fe_rmw(eth, REG_FE_WAN_PORT,
- WAN1_EN_MASK | WAN1_MASK | WAN0_MASK,
- FIELD_PREP(WAN0_MASK, HSGMII_LAN_PCIE0_SRCPORT));
- airoha_fe_rmw(eth,
- REG_SP_DFT_CPORT(HSGMII_LAN_PCIE0_SRCPORT >> 3),
- SP_CPORT_PCIE0_MASK,
- FIELD_PREP(SP_CPORT_PCIE0_MASK,
- FE_PSE_PORT_CDM2));
- } else {
- /* FIXME: handle XSI_USB_PORT */
+ src_port = eth->soc->ops.get_src_port_id(port, nbq);
+ if (src_port < 0)
+ return src_port;
+
+ airoha_fe_rmw(eth, REG_FE_WAN_PORT,
+ WAN1_EN_MASK | WAN1_MASK | WAN0_MASK,
+ FIELD_PREP(WAN0_MASK, src_port));
+ val = src_port & SP_CPORT_DFT_MASK;
+ airoha_fe_rmw(eth,
+ REG_SP_DFT_CPORT(src_port >> fls(SP_CPORT_DFT_MASK)),
+ SP_CPORT_MASK(val),
+ FE_PSE_PORT_CDM2 << __ffs(SP_CPORT_MASK(val)));
+
+ if (port->id != AIROHA_GDM3_IDX)
airoha_fe_rmw(eth, REG_SRC_PORT_FC_MAP6,
FC_ID_OF_SRC_PORT24_MASK,
FIELD_PREP(FC_ID_OF_SRC_PORT24_MASK, 2));
- airoha_fe_rmw(eth, REG_FE_WAN_PORT,
- WAN1_EN_MASK | WAN1_MASK | WAN0_MASK,
- FIELD_PREP(WAN0_MASK, HSGMII_LAN_ETH_SRCPORT));
- airoha_fe_rmw(eth,
- REG_SP_DFT_CPORT(HSGMII_LAN_ETH_SRCPORT >> 3),
- SP_CPORT_ETH_MASK,
- FIELD_PREP(SP_CPORT_ETH_MASK, FE_PSE_PORT_CDM2));
- }
+
+ return 0;
}
static int airoha_dev_init(struct net_device *dev)
@@ -1815,8 +1815,13 @@ static int airoha_dev_init(struct net_device *dev)
case 3:
case 4:
/* If GDM2 is active we can't enable loopback */
- if (!eth->ports[1])
- airhoha_set_gdm2_loopback(port);
+ if (!eth->ports[1]) {
+ int err;
+
+ err = airhoha_set_gdm2_loopback(port);
+ if (err)
+ return err;
+ }
fallthrough;
case 2:
if (airoha_ppe_is_enabled(eth, 1)) {
@@ -3135,11 +3140,38 @@ static const char * const en7581_xsi_rsts_names[] = {
"xfp-mac",
};
+static int airoha_en7581_get_src_port_id(struct airoha_gdm_port *port, int nbq)
+{
+ switch (port->id) {
+ case 3:
+ /* 7581 SoC supports PCIe serdes on GDM3 port */
+ if (nbq == 4)
+ return HSGMII_LAN_7581_PCIE0_SRCPORT;
+ if (nbq == 5)
+ return HSGMII_LAN_7581_PCIE1_SRCPORT;
+ break;
+ case 4:
+ /* 7581 SoC supports eth and usb serdes on GDM4 port */
+ if (!nbq)
+ return HSGMII_LAN_7581_ETH_SRCPORT;
+ if (nbq == 1)
+ return HSGMII_LAN_7581_USB_SRCPORT;
+ break;
+ default:
+ break;
+ }
+
+ return -EINVAL;
+}
+
static const struct airoha_eth_soc_data en7581_soc_data = {
.version = 0x7581,
.xsi_rsts_names = en7581_xsi_rsts_names,
.num_xsi_rsts = ARRAY_SIZE(en7581_xsi_rsts_names),
.num_ppe = 2,
+ .ops = {
+ .get_src_port_id = airoha_en7581_get_src_port_id,
+ },
};
static const struct of_device_id of_airoha_match[] = {
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 8d121d12dc120..8a2c68781e94b 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -67,10 +67,10 @@ enum {
};
enum {
- HSGMII_LAN_PCIE0_SRCPORT = 0x16,
- HSGMII_LAN_PCIE1_SRCPORT,
- HSGMII_LAN_ETH_SRCPORT,
- HSGMII_LAN_USB_SRCPORT,
+ HSGMII_LAN_7581_PCIE0_SRCPORT = 0x16,
+ HSGMII_LAN_7581_PCIE1_SRCPORT,
+ HSGMII_LAN_7581_ETH_SRCPORT,
+ HSGMII_LAN_7581_USB_SRCPORT,
};
enum {
@@ -99,6 +99,13 @@ enum {
CRSN_25 = 0x19,
};
+enum airoha_gdm_index {
+ AIROHA_GDM1_IDX = 1,
+ AIROHA_GDM2_IDX = 2,
+ AIROHA_GDM3_IDX = 3,
+ AIROHA_GDM4_IDX = 4,
+};
+
enum {
FE_PSE_PORT_CDM1,
FE_PSE_PORT_GDM1,
@@ -556,6 +563,9 @@ struct airoha_eth_soc_data {
const char * const *xsi_rsts_names;
int num_xsi_rsts;
int num_ppe;
+ struct {
+ int (*get_src_port_id)(struct airoha_gdm_port *port, int nbq);
+ } ops;
};
struct airoha_eth {
diff --git a/drivers/net/ethernet/airoha/airoha_regs.h b/drivers/net/ethernet/airoha/airoha_regs.h
index 69c5a143db8c0..ebcce00d9bc6f 100644
--- a/drivers/net/ethernet/airoha/airoha_regs.h
+++ b/drivers/net/ethernet/airoha/airoha_regs.h
@@ -383,10 +383,8 @@
#define REG_MC_VLAN_DATA 0x2108
#define REG_SP_DFT_CPORT(_n) (0x20e0 + ((_n) << 2))
-#define SP_CPORT_PCIE1_MASK GENMASK(31, 28)
-#define SP_CPORT_PCIE0_MASK GENMASK(27, 24)
-#define SP_CPORT_USB_MASK GENMASK(7, 4)
-#define SP_CPORT_ETH_MASK GENMASK(7, 4)
+#define SP_CPORT_DFT_MASK GENMASK(2, 0)
+#define SP_CPORT_MASK(_n) GENMASK(3 + ((_n) << 2), ((_n) << 2))
#define REG_SRC_PORT_FC_MAP6 0x2298
#define FC_ID_OF_SRC_PORT27_MASK GENMASK(28, 24)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 694/957] net: airoha: Add AN7583 SoC support
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (692 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 693/957] net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 695/957] net: airoha: Add the capability to consume out-of-order DMA tx descriptors Greg Kroah-Hartman
` (268 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit e4e5ce823bdd4601bd75ae7c206ae35e7c2fa60b ]
Introduce support for AN7583 ethernet controller to airoha-eth dirver.
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251017-an7583-eth-support-v3-13-f28319666667@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 3309965fe44c ("net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 68 ++++++++++++++++++++++--
drivers/net/ethernet/airoha/airoha_eth.h | 11 ++++
drivers/net/ethernet/airoha/airoha_ppe.c | 3 ++
3 files changed, 77 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 6e7f816cd7edb..55de295e3acf2 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1753,10 +1753,8 @@ static int airoha_dev_set_macaddr(struct net_device *dev, void *p)
static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
{
- u32 val, pse_port, chan = port->id == AIROHA_GDM3_IDX ? 4 : 0;
struct airoha_eth *eth = port->qdma->eth;
- /* XXX: handle XSI_USB_PORT and XSI_PCE1_PORT */
- u32 nbq = port->id == AIROHA_GDM3_IDX ? 4 : 0;
+ u32 val, pse_port, chan, nbq;
int src_port;
/* Forward the traffic to the proper GDM port */
@@ -1768,6 +1766,8 @@ static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
/* Enable GDM2 loopback */
airoha_fe_wr(eth, REG_GDM_TXCHN_EN(2), 0xffffffff);
airoha_fe_wr(eth, REG_GDM_RXCHN_EN(2), 0xffff);
+
+ chan = port->id == AIROHA_GDM3_IDX ? airoha_is_7581(eth) ? 4 : 3 : 0;
airoha_fe_rmw(eth, REG_GDM_LPBK_CFG(2),
LPBK_CHAN_MASK | LPBK_MODE_MASK | LPBK_EN_MASK,
FIELD_PREP(LPBK_CHAN_MASK, chan) |
@@ -1782,6 +1782,8 @@ static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
airoha_fe_clear(eth, REG_FE_VIP_PORT_EN, BIT(2));
airoha_fe_clear(eth, REG_FE_IFC_PORT_EN, BIT(2));
+ /* XXX: handle XSI_USB_PORT and XSI_PCE1_PORT */
+ nbq = port->id == AIROHA_GDM3_IDX && airoha_is_7581(eth) ? 4 : 0;
src_port = eth->soc->ops.get_src_port_id(port, nbq);
if (src_port < 0)
return src_port;
@@ -1795,7 +1797,7 @@ static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
SP_CPORT_MASK(val),
FE_PSE_PORT_CDM2 << __ffs(SP_CPORT_MASK(val)));
- if (port->id != AIROHA_GDM3_IDX)
+ if (port->id != AIROHA_GDM3_IDX && airoha_is_7581(eth))
airoha_fe_rmw(eth, REG_SRC_PORT_FC_MAP6,
FC_ID_OF_SRC_PORT24_MASK,
FIELD_PREP(FC_ID_OF_SRC_PORT24_MASK, 2));
@@ -1951,6 +1953,22 @@ static bool airoha_dev_tx_queue_busy(struct airoha_queue *q, u32 nr_frags)
return index >= tail;
}
+static int airoha_get_fe_port(struct airoha_gdm_port *port)
+{
+ struct airoha_qdma *qdma = port->qdma;
+ struct airoha_eth *eth = qdma->eth;
+
+ switch (eth->soc->version) {
+ case 0x7583:
+ return port->id == AIROHA_GDM3_IDX ? FE_PSE_PORT_GDM3
+ : port->id;
+ case 0x7581:
+ default:
+ return port->id == AIROHA_GDM4_IDX ? FE_PSE_PORT_GDM4
+ : port->id;
+ }
+}
+
static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
struct net_device *dev)
{
@@ -1991,7 +2009,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
}
}
- fport = port->id == 4 ? FE_PSE_PORT_GDM4 : port->id;
+ fport = airoha_get_fe_port(port);
msg1 = FIELD_PREP(QDMA_ETH_TXMSG_FPORT_MASK, fport) |
FIELD_PREP(QDMA_ETH_TXMSG_METER_MASK, 0x7f);
@@ -3164,6 +3182,35 @@ static int airoha_en7581_get_src_port_id(struct airoha_gdm_port *port, int nbq)
return -EINVAL;
}
+static const char * const an7583_xsi_rsts_names[] = {
+ "xsi-mac",
+ "hsi0-mac",
+ "hsi1-mac",
+ "xfp-mac",
+};
+
+static int airoha_an7583_get_src_port_id(struct airoha_gdm_port *port, int nbq)
+{
+ switch (port->id) {
+ case 3:
+ /* 7583 SoC supports eth serdes on GDM3 port */
+ if (!nbq)
+ return HSGMII_LAN_7583_ETH_SRCPORT;
+ break;
+ case 4:
+ /* 7583 SoC supports PCIe and USB serdes on GDM4 port */
+ if (!nbq)
+ return HSGMII_LAN_7583_PCIE_SRCPORT;
+ if (nbq == 1)
+ return HSGMII_LAN_7583_USB_SRCPORT;
+ break;
+ default:
+ break;
+ }
+
+ return -EINVAL;
+}
+
static const struct airoha_eth_soc_data en7581_soc_data = {
.version = 0x7581,
.xsi_rsts_names = en7581_xsi_rsts_names,
@@ -3174,8 +3221,19 @@ static const struct airoha_eth_soc_data en7581_soc_data = {
},
};
+static const struct airoha_eth_soc_data an7583_soc_data = {
+ .version = 0x7583,
+ .xsi_rsts_names = an7583_xsi_rsts_names,
+ .num_xsi_rsts = ARRAY_SIZE(an7583_xsi_rsts_names),
+ .num_ppe = 1,
+ .ops = {
+ .get_src_port_id = airoha_an7583_get_src_port_id,
+ },
+};
+
static const struct of_device_id of_airoha_match[] = {
{ .compatible = "airoha,en7581-eth", .data = &en7581_soc_data },
+ { .compatible = "airoha,an7583-eth", .data = &an7583_soc_data },
{ /* sentinel */ }
};
MODULE_DEVICE_TABLE(of, of_airoha_match);
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 8a2c68781e94b..203e6ce29dbe0 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -73,6 +73,12 @@ enum {
HSGMII_LAN_7581_USB_SRCPORT,
};
+enum {
+ HSGMII_LAN_7583_ETH_SRCPORT = 0x16,
+ HSGMII_LAN_7583_PCIE_SRCPORT = 0x18,
+ HSGMII_LAN_7583_USB_SRCPORT,
+};
+
enum {
XSI_PCIE0_VIP_PORT_MASK = BIT(22),
XSI_PCIE1_VIP_PORT_MASK = BIT(23),
@@ -630,6 +636,11 @@ static inline bool airoha_is_7581(struct airoha_eth *eth)
return eth->soc->version == 0x7581;
}
+static inline bool airoha_is_7583(struct airoha_eth *eth)
+{
+ return eth->soc->version == 0x7583;
+}
+
bool airoha_is_valid_gdm_port(struct airoha_eth *eth,
struct airoha_gdm_port *port);
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 239c43248b4f4..6cd5febce6b59 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -37,6 +37,9 @@ static int airoha_ppe_get_num_stats_entries(struct airoha_ppe *ppe)
if (!IS_ENABLED(CONFIG_NET_AIROHA_FLOW_STATS))
return -EOPNOTSUPP;
+ if (airoha_is_7583(ppe->eth))
+ return -EOPNOTSUPP;
+
return PPE_STATS_NUM_ENTRIES;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 695/957] net: airoha: Add the capability to consume out-of-order DMA tx descriptors
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (693 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 694/957] net: airoha: Add AN7583 SoC support Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 696/957] net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue() Greg Kroah-Hartman
` (267 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xuegang Lu, Jacob Keller,
Lorenzo Bianconi, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 3f47e67dff1f7266e112c50313d63824f6f17102 ]
EN7581 and AN7583 SoCs are capable of DMA mapping non-linear tx skbs on
non-consecutive DMA descriptors. This feature is useful when multiple
flows are queued on the same hw tx queue since it allows to fully utilize
the available tx DMA descriptors and to avoid the starvation of
high-priority flow we have in the current codebase due to head-of-line
blocking introduced by low-priority flows.
Tested-by: Xuegang Lu <xuegang.lu@airoha.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251106-airoha-tx-linked-list-v2-1-0706d4a322bd@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 3309965fe44c ("net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 85 +++++++++++-------------
drivers/net/ethernet/airoha/airoha_eth.h | 7 +-
2 files changed, 45 insertions(+), 47 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 55de295e3acf2..9f6f517b5fdf9 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -952,19 +952,13 @@ static int airoha_qdma_tx_napi_poll(struct napi_struct *napi, int budget)
dma_unmap_single(eth->dev, e->dma_addr, e->dma_len,
DMA_TO_DEVICE);
- memset(e, 0, sizeof(*e));
+ e->dma_addr = 0;
+ list_add_tail(&e->list, &q->tx_list);
+
WRITE_ONCE(desc->msg0, 0);
WRITE_ONCE(desc->msg1, 0);
q->queued--;
- /* completion ring can report out-of-order indexes if hw QoS
- * is enabled and packets with different priority are queued
- * to same DMA ring. Take into account possible out-of-order
- * reports incrementing DMA ring tail pointer
- */
- while (q->tail != q->head && !q->entry[q->tail].dma_addr)
- q->tail = (q->tail + 1) % q->ndesc;
-
if (skb) {
u16 queue = skb_get_queue_mapping(skb);
struct netdev_queue *txq;
@@ -1018,6 +1012,7 @@ static int airoha_qdma_init_tx_queue(struct airoha_queue *q,
q->ndesc = size;
q->qdma = qdma;
q->free_thr = 1 + MAX_SKB_FRAGS;
+ INIT_LIST_HEAD(&q->tx_list);
q->entry = devm_kzalloc(eth->dev, q->ndesc * sizeof(*q->entry),
GFP_KERNEL);
@@ -1030,9 +1025,9 @@ static int airoha_qdma_init_tx_queue(struct airoha_queue *q,
return -ENOMEM;
for (i = 0; i < q->ndesc; i++) {
- u32 val;
+ u32 val = FIELD_PREP(QDMA_DESC_DONE_MASK, 1);
- val = FIELD_PREP(QDMA_DESC_DONE_MASK, 1);
+ list_add_tail(&q->entry[i].list, &q->tx_list);
WRITE_ONCE(q->desc[i].ctrl, cpu_to_le32(val));
}
@@ -1042,9 +1037,9 @@ static int airoha_qdma_init_tx_queue(struct airoha_queue *q,
airoha_qdma_wr(qdma, REG_TX_RING_BASE(qid), dma_addr);
airoha_qdma_rmw(qdma, REG_TX_CPU_IDX(qid), TX_RING_CPU_IDX_MASK,
- FIELD_PREP(TX_RING_CPU_IDX_MASK, q->head));
+ FIELD_PREP(TX_RING_CPU_IDX_MASK, 0));
airoha_qdma_rmw(qdma, REG_TX_DMA_IDX(qid), TX_RING_DMA_IDX_MASK,
- FIELD_PREP(TX_RING_DMA_IDX_MASK, q->head));
+ FIELD_PREP(TX_RING_DMA_IDX_MASK, 0));
return 0;
}
@@ -1100,17 +1095,21 @@ static int airoha_qdma_init_tx(struct airoha_qdma *qdma)
static void airoha_qdma_cleanup_tx_queue(struct airoha_queue *q)
{
struct airoha_eth *eth = q->qdma->eth;
+ int i;
spin_lock_bh(&q->lock);
- while (q->queued) {
- struct airoha_queue_entry *e = &q->entry[q->tail];
+ for (i = 0; i < q->ndesc; i++) {
+ struct airoha_queue_entry *e = &q->entry[i];
+
+ if (!e->dma_addr)
+ continue;
dma_unmap_single(eth->dev, e->dma_addr, e->dma_len,
DMA_TO_DEVICE);
dev_kfree_skb_any(e->skb);
+ e->dma_addr = 0;
e->skb = NULL;
-
- q->tail = (q->tail + 1) % q->ndesc;
+ list_add_tail(&e->list, &q->tx_list);
q->queued--;
}
spin_unlock_bh(&q->lock);
@@ -1939,20 +1938,6 @@ static u32 airoha_get_dsa_tag(struct sk_buff *skb, struct net_device *dev)
#endif
}
-static bool airoha_dev_tx_queue_busy(struct airoha_queue *q, u32 nr_frags)
-{
- u32 tail = q->tail <= q->head ? q->tail + q->ndesc : q->tail;
- u32 index = q->head + nr_frags;
-
- /* completion napi can free out-of-order tx descriptors if hw QoS is
- * enabled and packets with different priorities are queued to the same
- * DMA ring. Take into account possible out-of-order reports checking
- * if the tx queue is full using circular buffer head/tail pointers
- * instead of the number of queued packets.
- */
- return index >= tail;
-}
-
static int airoha_get_fe_port(struct airoha_gdm_port *port)
{
struct airoha_qdma *qdma = port->qdma;
@@ -1975,8 +1960,10 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
struct airoha_gdm_port *port = netdev_priv(dev);
struct airoha_qdma *qdma = port->qdma;
u32 nr_frags, tag, msg0, msg1, len;
+ struct airoha_queue_entry *e;
struct netdev_queue *txq;
struct airoha_queue *q;
+ LIST_HEAD(tx_list);
void *data;
int i, qid;
u16 index;
@@ -2022,7 +2009,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
txq = netdev_get_tx_queue(dev, qid);
nr_frags = 1 + skb_shinfo(skb)->nr_frags;
- if (airoha_dev_tx_queue_busy(q, nr_frags)) {
+ if (q->queued + nr_frags >= q->ndesc) {
/* not enough space in the queue */
netif_tx_stop_queue(txq);
q->txq_stopped = true;
@@ -2032,11 +2019,13 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
len = skb_headlen(skb);
data = skb->data;
- index = q->head;
+
+ e = list_first_entry(&q->tx_list, struct airoha_queue_entry,
+ list);
+ index = e - q->entry;
for (i = 0; i < nr_frags; i++) {
struct airoha_qdma_desc *desc = &q->desc[index];
- struct airoha_queue_entry *e = &q->entry[index];
skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
dma_addr_t addr;
u32 val;
@@ -2046,7 +2035,14 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
if (unlikely(dma_mapping_error(dev->dev.parent, addr)))
goto error_unmap;
- index = (index + 1) % q->ndesc;
+ list_move_tail(&e->list, &tx_list);
+ e->skb = i ? NULL : skb;
+ e->dma_addr = addr;
+ e->dma_len = len;
+
+ e = list_first_entry(&q->tx_list, struct airoha_queue_entry,
+ list);
+ index = e - q->entry;
val = FIELD_PREP(QDMA_DESC_LEN_MASK, len);
if (i < nr_frags - 1)
@@ -2059,15 +2055,9 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
WRITE_ONCE(desc->msg1, cpu_to_le32(msg1));
WRITE_ONCE(desc->msg2, cpu_to_le32(0xffff));
- e->skb = i ? NULL : skb;
- e->dma_addr = addr;
- e->dma_len = len;
-
data = skb_frag_address(frag);
len = skb_frag_size(frag);
}
-
- q->head = index;
q->queued += i;
skb_tx_timestamp(skb);
@@ -2076,7 +2066,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
if (netif_xmit_stopped(txq) || !netdev_xmit_more())
airoha_qdma_rmw(qdma, REG_TX_CPU_IDX(qid),
TX_RING_CPU_IDX_MASK,
- FIELD_PREP(TX_RING_CPU_IDX_MASK, q->head));
+ FIELD_PREP(TX_RING_CPU_IDX_MASK, index));
if (q->ndesc - q->queued < q->free_thr) {
netif_tx_stop_queue(txq);
@@ -2088,10 +2078,13 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
return NETDEV_TX_OK;
error_unmap:
- for (i--; i >= 0; i--) {
- index = (q->head + i) % q->ndesc;
- dma_unmap_single(dev->dev.parent, q->entry[index].dma_addr,
- q->entry[index].dma_len, DMA_TO_DEVICE);
+ while (!list_empty(&tx_list)) {
+ e = list_first_entry(&tx_list, struct airoha_queue_entry,
+ list);
+ dma_unmap_single(dev->dev.parent, e->dma_addr, e->dma_len,
+ DMA_TO_DEVICE);
+ e->dma_addr = 0;
+ list_move_tail(&e->list, &q->tx_list);
}
spin_unlock_bh(&q->lock);
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 203e6ce29dbe0..28dfa35a3abed 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -169,7 +169,10 @@ enum trtcm_param {
struct airoha_queue_entry {
union {
void *buf;
- struct sk_buff *skb;
+ struct {
+ struct list_head list;
+ struct sk_buff *skb;
+ };
};
dma_addr_t dma_addr;
u16 dma_len;
@@ -194,6 +197,8 @@ struct airoha_queue {
struct napi_struct napi;
struct page_pool *page_pool;
struct sk_buff *skb;
+
+ struct list_head tx_list;
};
struct airoha_tx_irq_queue {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 696/957] net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (694 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 695/957] net: airoha: Add the capability to consume out-of-order DMA tx descriptors Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 697/957] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
` (266 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 3309965fe44c00fd65af7cef5016e9e782c021a7 ]
Similar to airoha_qdma_cleanup_rx_queue(), reset DMA TX descriptors in
airoha_qdma_cleanup_tx_queue routine. Moreover, reset TX_DMA_IDX to
TX_CPU_IDX to notify the NIC the QDMA TX ring is empty.
Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260417-airoha_qdma_cleanup_tx_queue-fix-net-v4-2-e04bcc2c9642@kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 32 ++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 9f6f517b5fdf9..f088f25128eb4 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1094,12 +1094,15 @@ static int airoha_qdma_init_tx(struct airoha_qdma *qdma)
static void airoha_qdma_cleanup_tx_queue(struct airoha_queue *q)
{
- struct airoha_eth *eth = q->qdma->eth;
- int i;
+ struct airoha_qdma *qdma = q->qdma;
+ struct airoha_eth *eth = qdma->eth;
+ int i, qid = q - &qdma->q_tx[0];
+ u16 index = 0;
spin_lock_bh(&q->lock);
for (i = 0; i < q->ndesc; i++) {
struct airoha_queue_entry *e = &q->entry[i];
+ struct airoha_qdma_desc *desc = &q->desc[i];
if (!e->dma_addr)
continue;
@@ -1110,8 +1113,33 @@ static void airoha_qdma_cleanup_tx_queue(struct airoha_queue *q)
e->dma_addr = 0;
e->skb = NULL;
list_add_tail(&e->list, &q->tx_list);
+
+ /* Reset DMA descriptor */
+ WRITE_ONCE(desc->ctrl, 0);
+ WRITE_ONCE(desc->addr, 0);
+ WRITE_ONCE(desc->data, 0);
+ WRITE_ONCE(desc->msg0, 0);
+ WRITE_ONCE(desc->msg1, 0);
+ WRITE_ONCE(desc->msg2, 0);
+
q->queued--;
}
+
+ if (!list_empty(&q->tx_list)) {
+ struct airoha_queue_entry *e;
+
+ e = list_first_entry(&q->tx_list, struct airoha_queue_entry,
+ list);
+ index = e - q->entry;
+ }
+ /* Set TX_DMA_IDX to TX_CPU_IDX to notify the hw the QDMA TX ring is
+ * empty.
+ */
+ airoha_qdma_rmw(qdma, REG_TX_CPU_IDX(qid), TX_RING_CPU_IDX_MASK,
+ FIELD_PREP(TX_RING_CPU_IDX_MASK, index));
+ airoha_qdma_rmw(qdma, REG_TX_DMA_IDX(qid), TX_RING_DMA_IDX_MASK,
+ FIELD_PREP(TX_RING_DMA_IDX_MASK, index));
+
spin_unlock_bh(&q->lock);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 697/957] net: dsa: realtek: rtl8365mb: fix mode mask calculation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (695 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 696/957] net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 698/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() Greg Kroah-Hartman
` (265 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdulkader Alrezej,
Mieczyslaw Nalewaj, Luiz Angelo Daros de Luca, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mieczyslaw Nalewaj <namiltd@yahoo.com>
[ Upstream commit 0c078021d3861966614d5e594ee03587f0c9e74d ]
The RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_MASK macro was shifting
the 4-bit mask (0xF) by only (_extint % 2) bits instead of
(_extint % 2) * 4. This caused the mask to overlap with the adjacent
nibble when configuring odd-numbered external interfaces, selecting
the wrong bits entirely.
Align the shift calculation with the existing ...MODE_OFFSET macro.
Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
Signed-off-by: Abdulkader Alrezej <alrazj.abdulkader@gmail.com>
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Reviewed-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Link: https://patch.msgid.link/400a6387-a444-4576-af6d-26be5410bce3@yahoo.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/realtek/rtl8365mb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c
index 3a48db295e7e4..e10a789e22022 100644
--- a/drivers/net/dsa/realtek/rtl8365mb.c
+++ b/drivers/net/dsa/realtek/rtl8365mb.c
@@ -216,7 +216,7 @@
(_extint) == 2 ? RTL8365MB_DIGITAL_INTERFACE_SELECT_REG1 : \
0x0)
#define RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_MASK(_extint) \
- (0xF << (((_extint) % 2)))
+ (0xF << (((_extint) % 2) * 4))
#define RTL8365MB_DIGITAL_INTERFACE_SELECT_MODE_OFFSET(_extint) \
(((_extint) % 2) * 4)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 698/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (696 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 697/957] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 699/957] net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path Greg Kroah-Hartman
` (264 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 379050947a1828826ad7ea50c95245a56929b35a ]
If queue entry or DMA descriptor list allocation fails in
airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a
NULL pointer dereference running netif_napi_del() for RX queue NAPIs
since netif_napi_add() has never been executed to this particular RX NAPI.
The issue is due to the early ndesc initialization in
airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc
value to check if the queue is properly initialized. Fix the issue moving
ndesc initialization at end of airoha_qdma_init_tx routine.
Move page_pool allocation after descriptor list allocation in order to
avoid memory leaks if desc allocation fails.
Fixes: 23020f049327 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260420-airoha_qdma_init_rx_queue-fix-v2-1-d99347e5c18d@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index f088f25128eb4..1d5447684ecab 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -776,14 +776,18 @@ static int airoha_qdma_init_rx_queue(struct airoha_queue *q,
dma_addr_t dma_addr;
q->buf_size = PAGE_SIZE / 2;
- q->ndesc = ndesc;
q->qdma = qdma;
- q->entry = devm_kzalloc(eth->dev, q->ndesc * sizeof(*q->entry),
+ q->entry = devm_kzalloc(eth->dev, ndesc * sizeof(*q->entry),
GFP_KERNEL);
if (!q->entry)
return -ENOMEM;
+ q->desc = dmam_alloc_coherent(eth->dev, ndesc * sizeof(*q->desc),
+ &dma_addr, GFP_KERNEL);
+ if (!q->desc)
+ return -ENOMEM;
+
q->page_pool = page_pool_create(&pp_params);
if (IS_ERR(q->page_pool)) {
int err = PTR_ERR(q->page_pool);
@@ -792,11 +796,7 @@ static int airoha_qdma_init_rx_queue(struct airoha_queue *q,
return err;
}
- q->desc = dmam_alloc_coherent(eth->dev, q->ndesc * sizeof(*q->desc),
- &dma_addr, GFP_KERNEL);
- if (!q->desc)
- return -ENOMEM;
-
+ q->ndesc = ndesc;
netif_napi_add(eth->napi_dev, &q->napi, airoha_qdma_rx_napi_poll);
airoha_qdma_wr(qdma, REG_RX_RING_BASE(qid), dma_addr);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 699/957] net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (697 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 698/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 700/957] net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup() Greg Kroah-Hartman
` (263 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit b1c803d5c8167026791abfaed96fd3e6a1fcd750 ]
As suggested by Simon in [0], rework the code flow in airoha_remove()
and in the airoha_probe() error path in order to rely on a more common
approach un-registering configured net-devices first and destroying the
hw resources at the end of the code.
Introduce airoha_qdma_cleanup routine to release QDMA resources.
[0] https://lore.kernel.org/netdev/20251214-airoha-fix-dev-registration-v1-1-860e027ad4c6@kernel.org/
Suggested-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260321-airoha-remove-rework-v2-1-16c7bade5fe5@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 4b91cb65789b ("net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 76 ++++++++++++++----------
1 file changed, 44 insertions(+), 32 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 1d5447684ecab..8416451f4786a 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1465,6 +1465,33 @@ static int airoha_qdma_init(struct platform_device *pdev,
return airoha_qdma_hw_init(qdma);
}
+static void airoha_qdma_cleanup(struct airoha_qdma *qdma)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(qdma->q_rx); i++) {
+ if (!qdma->q_rx[i].ndesc)
+ continue;
+
+ netif_napi_del(&qdma->q_rx[i].napi);
+ airoha_qdma_cleanup_rx_queue(&qdma->q_rx[i]);
+ if (qdma->q_rx[i].page_pool) {
+ page_pool_destroy(qdma->q_rx[i].page_pool);
+ qdma->q_rx[i].page_pool = NULL;
+ }
+ }
+
+ for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++)
+ netif_napi_del(&qdma->q_tx_irq[i].napi);
+
+ for (i = 0; i < ARRAY_SIZE(qdma->q_tx); i++) {
+ if (!qdma->q_tx[i].ndesc)
+ continue;
+
+ airoha_qdma_cleanup_tx_queue(&qdma->q_tx[i]);
+ }
+}
+
static int airoha_hw_init(struct platform_device *pdev,
struct airoha_eth *eth)
{
@@ -1492,41 +1519,30 @@ static int airoha_hw_init(struct platform_device *pdev,
for (i = 0; i < ARRAY_SIZE(eth->qdma); i++) {
err = airoha_qdma_init(pdev, eth, ð->qdma[i]);
if (err)
- return err;
+ goto error;
}
err = airoha_ppe_init(eth);
if (err)
- return err;
+ goto error;
set_bit(DEV_STATE_INITIALIZED, ð->state);
return 0;
+error:
+ for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
+ airoha_qdma_cleanup(ð->qdma[i]);
+
+ return err;
}
-static void airoha_hw_cleanup(struct airoha_qdma *qdma)
+static void airoha_hw_cleanup(struct airoha_eth *eth)
{
int i;
- for (i = 0; i < ARRAY_SIZE(qdma->q_rx); i++) {
- if (!qdma->q_rx[i].ndesc)
- continue;
-
- netif_napi_del(&qdma->q_rx[i].napi);
- airoha_qdma_cleanup_rx_queue(&qdma->q_rx[i]);
- if (qdma->q_rx[i].page_pool)
- page_pool_destroy(qdma->q_rx[i].page_pool);
- }
-
- for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++)
- netif_napi_del(&qdma->q_tx_irq[i].napi);
-
- for (i = 0; i < ARRAY_SIZE(qdma->q_tx); i++) {
- if (!qdma->q_tx[i].ndesc)
- continue;
-
- airoha_qdma_cleanup_tx_queue(&qdma->q_tx[i]);
- }
+ for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
+ airoha_qdma_cleanup(ð->qdma[i]);
+ airoha_ppe_deinit(eth);
}
static void airoha_qdma_start_napi(struct airoha_qdma *qdma)
@@ -3096,7 +3112,7 @@ static int airoha_probe(struct platform_device *pdev)
err = airoha_hw_init(pdev, eth);
if (err)
- goto error_hw_cleanup;
+ goto error_netdev_free;
for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
airoha_qdma_start_napi(ð->qdma[i]);
@@ -3125,10 +3141,6 @@ static int airoha_probe(struct platform_device *pdev)
error_napi_stop:
for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
airoha_qdma_stop_napi(ð->qdma[i]);
- airoha_ppe_deinit(eth);
-error_hw_cleanup:
- for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
- airoha_hw_cleanup(ð->qdma[i]);
for (i = 0; i < ARRAY_SIZE(eth->ports); i++) {
struct airoha_gdm_port *port = eth->ports[i];
@@ -3140,6 +3152,8 @@ static int airoha_probe(struct platform_device *pdev)
unregister_netdev(port->dev);
airoha_metadata_dst_free(port);
}
+ airoha_hw_cleanup(eth);
+error_netdev_free:
free_netdev(eth->napi_dev);
platform_set_drvdata(pdev, NULL);
@@ -3151,10 +3165,8 @@ static void airoha_remove(struct platform_device *pdev)
struct airoha_eth *eth = platform_get_drvdata(pdev);
int i;
- for (i = 0; i < ARRAY_SIZE(eth->qdma); i++) {
+ for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
airoha_qdma_stop_napi(ð->qdma[i]);
- airoha_hw_cleanup(ð->qdma[i]);
- }
for (i = 0; i < ARRAY_SIZE(eth->ports); i++) {
struct airoha_gdm_port *port = eth->ports[i];
@@ -3165,9 +3177,9 @@ static void airoha_remove(struct platform_device *pdev)
unregister_netdev(port->dev);
airoha_metadata_dst_free(port);
}
- free_netdev(eth->napi_dev);
+ airoha_hw_cleanup(eth);
- airoha_ppe_deinit(eth);
+ free_netdev(eth->napi_dev);
platform_set_drvdata(pdev, NULL);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 700/957] net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (698 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 699/957] net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 701/957] net: mana: Init link_change_work before potential error paths in probe Greg Kroah-Hartman
` (262 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 4b91cb65789b794bfc8d50554b8994f8e0f16309 ]
If airoha_qdma_init routine fails before airoha_qdma_tx_irq_init() runs
successfully for all TX NAPIs, airoha_qdma_cleanup() will
unconditionally runs netif_napi_del() on TX NAPIs, triggering a NULL
pointer dereference. Fix the issue relying on q_tx_irq size value to
check if the TX NAPIs is properly initialized in airoha_qdma_cleanup().
Moreover, run netif_napi_add_tx() just if irq_q queue is properly
allocated.
Fixes: 23020f049327 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260420-airoha_qdma_init_rx_queue-fix-v2-2-d99347e5c18d@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 8416451f4786a..865b854bd4afc 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1051,8 +1051,6 @@ static int airoha_qdma_tx_irq_init(struct airoha_tx_irq_queue *irq_q,
struct airoha_eth *eth = qdma->eth;
dma_addr_t dma_addr;
- netif_napi_add_tx(eth->napi_dev, &irq_q->napi,
- airoha_qdma_tx_napi_poll);
irq_q->q = dmam_alloc_coherent(eth->dev, size * sizeof(u32),
&dma_addr, GFP_KERNEL);
if (!irq_q->q)
@@ -1062,6 +1060,9 @@ static int airoha_qdma_tx_irq_init(struct airoha_tx_irq_queue *irq_q,
irq_q->size = size;
irq_q->qdma = qdma;
+ netif_napi_add_tx(eth->napi_dev, &irq_q->napi,
+ airoha_qdma_tx_napi_poll);
+
airoha_qdma_wr(qdma, REG_TX_IRQ_BASE(id), dma_addr);
airoha_qdma_rmw(qdma, REG_TX_IRQ_CFG(id), TX_IRQ_DEPTH_MASK,
FIELD_PREP(TX_IRQ_DEPTH_MASK, size));
@@ -1481,8 +1482,12 @@ static void airoha_qdma_cleanup(struct airoha_qdma *qdma)
}
}
- for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++)
+ for (i = 0; i < ARRAY_SIZE(qdma->q_tx_irq); i++) {
+ if (!qdma->q_tx_irq[i].size)
+ continue;
+
netif_napi_del(&qdma->q_tx_irq[i].napi);
+ }
for (i = 0; i < ARRAY_SIZE(qdma->q_tx); i++) {
if (!qdma->q_tx[i].ndesc)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 701/957] net: mana: Init link_change_work before potential error paths in probe
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (699 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 700/957] net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 702/957] net: mana: Guard mana_remove against double invocation Greg Kroah-Hartman
` (261 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit cb4a90744bcd1adf12f0d0c7c4f0dd2647444ec5 ]
Move INIT_WORK(link_change_work) to right after the mana_context
allocation, before any error path that could reach mana_remove().
Previously, if mana_create_eq() or mana_query_device_cfg() failed,
mana_probe() would jump to the error path which calls mana_remove().
mana_remove() unconditionally calls disable_work_sync(link_change_work),
but the work struct had not been initialized yet. This can trigger
CONFIG_DEBUG_OBJECTS_WORK enabled.
Fixes: 54133f9b4b53 ("net: mana: Support HW link state events")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260420124741.1056179-2-ernis@linux.microsoft.com
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index c770fb86fd2d3..cd3a435485a19 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3483,6 +3483,8 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
ac->gdma_dev = gd;
gd->driver_data = ac;
+
+ INIT_WORK(&ac->link_change_work, mana_link_state_handle);
}
err = mana_create_eq(ac);
@@ -3500,8 +3502,6 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
if (!resuming) {
ac->num_ports = num_ports;
-
- INIT_WORK(&ac->link_change_work, mana_link_state_handle);
} else {
if (ac->num_ports != num_ports) {
dev_err(dev, "The number of vPorts changed: %d->%d\n",
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 702/957] net: mana: Guard mana_remove against double invocation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (700 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 701/957] net: mana: Init link_change_work before potential error paths in probe Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 703/957] net: mana: Move hardware counter stats from per-port to per-VF context Greg Kroah-Hartman
` (260 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit 50271d7ec95144d26808025b508f463780517d3c ]
If PM resume fails (e.g., mana_attach() returns an error), mana_probe()
calls mana_remove(), which tears down the device and sets
gd->gdma_context = NULL and gd->driver_data = NULL.
However, a failed resume callback does not automatically unbind the
driver. When the device is eventually unbound, mana_remove() is invoked
a second time. Without a NULL check, it dereferences gc->dev with
gc == NULL, causing a kernel panic.
Add an early return if gdma_context or driver_data is NULL so the second
invocation is harmless. Move the dev = gc->dev assignment after the
guard so it cannot dereference NULL.
Fixes: 635096a86edb ("net: mana: Support hibernation and kexec")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260420124741.1056179-4-ernis@linux.microsoft.com
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index cd3a435485a19..d90be4142e257 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3568,11 +3568,16 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
struct gdma_context *gc = gd->gdma_context;
struct mana_context *ac = gd->driver_data;
struct mana_port_context *apc;
- struct device *dev = gc->dev;
+ struct device *dev;
struct net_device *ndev;
int err;
int i;
+ if (!gc || !ac)
+ return;
+
+ dev = gc->dev;
+
disable_work_sync(&ac->link_change_work);
/* adev currently doesn't support suspending, always remove it */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 703/957] net: mana: Move hardware counter stats from per-port to per-VF context
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (701 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 702/957] net: mana: Guard mana_remove against double invocation Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 704/957] net: mana: Add standard counter rx_missed_errors Greg Kroah-Hartman
` (259 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela,
Haiyang Zhang, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit e275d9091c01b3b46f3ec534ce4ac77cffc9e3ae ]
Move hardware counter (HC) statistics from mana_port_context to
mana_context to enable sharing stats across multiple network ports
on the same MANA VF. Previously, each network port queried
hardware counters independently using MANA_QUERY_GF_STAT command
(GF = Generic Function stats from GDMA hardware), resulting in
redundant queries when multiple ports existed on the same device.
Isolate hardware counter stats by introducing mana_ethtool_hc_stats
in mana_context and update the code to ensure all stats are properly
reported via ethtool -S <interface>, maintaining consistency with
previous behavior.
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1763120599-6331-2-git-send-email-ernis@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a7fdaf069bd0 ("net: mana: Don't overwrite port probe error with add_adev result")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 67 ++++++++-------
.../ethernet/microsoft/mana/mana_ethtool.c | 85 ++++++++++---------
include/net/mana/mana.h | 14 +--
3 files changed, 90 insertions(+), 76 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index d90be4142e257..2e5efc03cacec 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -2836,11 +2836,12 @@ int mana_config_rss(struct mana_port_context *apc, enum TRI_STATE rx,
return 0;
}
-void mana_query_gf_stats(struct mana_port_context *apc)
+void mana_query_gf_stats(struct mana_context *ac)
{
+ struct gdma_context *gc = ac->gdma_dev->gdma_context;
struct mana_query_gf_stat_resp resp = {};
struct mana_query_gf_stat_req req = {};
- struct net_device *ndev = apc->ndev;
+ struct device *dev = gc->dev;
int err;
mana_gd_init_req_hdr(&req.hdr, MANA_QUERY_GF_STAT,
@@ -2874,52 +2875,52 @@ void mana_query_gf_stats(struct mana_port_context *apc)
STATISTICS_FLAGS_HC_TX_BCAST_BYTES |
STATISTICS_FLAGS_TX_ERRORS_GDMA_ERROR;
- err = mana_send_request(apc->ac, &req, sizeof(req), &resp,
+ err = mana_send_request(ac, &req, sizeof(req), &resp,
sizeof(resp));
if (err) {
- netdev_err(ndev, "Failed to query GF stats: %d\n", err);
+ dev_err(dev, "Failed to query GF stats: %d\n", err);
return;
}
err = mana_verify_resp_hdr(&resp.hdr, MANA_QUERY_GF_STAT,
sizeof(resp));
if (err || resp.hdr.status) {
- netdev_err(ndev, "Failed to query GF stats: %d, 0x%x\n", err,
- resp.hdr.status);
+ dev_err(dev, "Failed to query GF stats: %d, 0x%x\n", err,
+ resp.hdr.status);
return;
}
- apc->eth_stats.hc_rx_discards_no_wqe = resp.rx_discards_nowqe;
- apc->eth_stats.hc_rx_err_vport_disabled = resp.rx_err_vport_disabled;
- apc->eth_stats.hc_rx_bytes = resp.hc_rx_bytes;
- apc->eth_stats.hc_rx_ucast_pkts = resp.hc_rx_ucast_pkts;
- apc->eth_stats.hc_rx_ucast_bytes = resp.hc_rx_ucast_bytes;
- apc->eth_stats.hc_rx_bcast_pkts = resp.hc_rx_bcast_pkts;
- apc->eth_stats.hc_rx_bcast_bytes = resp.hc_rx_bcast_bytes;
- apc->eth_stats.hc_rx_mcast_pkts = resp.hc_rx_mcast_pkts;
- apc->eth_stats.hc_rx_mcast_bytes = resp.hc_rx_mcast_bytes;
- apc->eth_stats.hc_tx_err_gf_disabled = resp.tx_err_gf_disabled;
- apc->eth_stats.hc_tx_err_vport_disabled = resp.tx_err_vport_disabled;
- apc->eth_stats.hc_tx_err_inval_vportoffset_pkt =
+ ac->hc_stats.hc_rx_discards_no_wqe = resp.rx_discards_nowqe;
+ ac->hc_stats.hc_rx_err_vport_disabled = resp.rx_err_vport_disabled;
+ ac->hc_stats.hc_rx_bytes = resp.hc_rx_bytes;
+ ac->hc_stats.hc_rx_ucast_pkts = resp.hc_rx_ucast_pkts;
+ ac->hc_stats.hc_rx_ucast_bytes = resp.hc_rx_ucast_bytes;
+ ac->hc_stats.hc_rx_bcast_pkts = resp.hc_rx_bcast_pkts;
+ ac->hc_stats.hc_rx_bcast_bytes = resp.hc_rx_bcast_bytes;
+ ac->hc_stats.hc_rx_mcast_pkts = resp.hc_rx_mcast_pkts;
+ ac->hc_stats.hc_rx_mcast_bytes = resp.hc_rx_mcast_bytes;
+ ac->hc_stats.hc_tx_err_gf_disabled = resp.tx_err_gf_disabled;
+ ac->hc_stats.hc_tx_err_vport_disabled = resp.tx_err_vport_disabled;
+ ac->hc_stats.hc_tx_err_inval_vportoffset_pkt =
resp.tx_err_inval_vport_offset_pkt;
- apc->eth_stats.hc_tx_err_vlan_enforcement =
+ ac->hc_stats.hc_tx_err_vlan_enforcement =
resp.tx_err_vlan_enforcement;
- apc->eth_stats.hc_tx_err_eth_type_enforcement =
+ ac->hc_stats.hc_tx_err_eth_type_enforcement =
resp.tx_err_ethtype_enforcement;
- apc->eth_stats.hc_tx_err_sa_enforcement = resp.tx_err_SA_enforcement;
- apc->eth_stats.hc_tx_err_sqpdid_enforcement =
+ ac->hc_stats.hc_tx_err_sa_enforcement = resp.tx_err_SA_enforcement;
+ ac->hc_stats.hc_tx_err_sqpdid_enforcement =
resp.tx_err_SQPDID_enforcement;
- apc->eth_stats.hc_tx_err_cqpdid_enforcement =
+ ac->hc_stats.hc_tx_err_cqpdid_enforcement =
resp.tx_err_CQPDID_enforcement;
- apc->eth_stats.hc_tx_err_mtu_violation = resp.tx_err_mtu_violation;
- apc->eth_stats.hc_tx_err_inval_oob = resp.tx_err_inval_oob;
- apc->eth_stats.hc_tx_bytes = resp.hc_tx_bytes;
- apc->eth_stats.hc_tx_ucast_pkts = resp.hc_tx_ucast_pkts;
- apc->eth_stats.hc_tx_ucast_bytes = resp.hc_tx_ucast_bytes;
- apc->eth_stats.hc_tx_bcast_pkts = resp.hc_tx_bcast_pkts;
- apc->eth_stats.hc_tx_bcast_bytes = resp.hc_tx_bcast_bytes;
- apc->eth_stats.hc_tx_mcast_pkts = resp.hc_tx_mcast_pkts;
- apc->eth_stats.hc_tx_mcast_bytes = resp.hc_tx_mcast_bytes;
- apc->eth_stats.hc_tx_err_gdma = resp.tx_err_gdma;
+ ac->hc_stats.hc_tx_err_mtu_violation = resp.tx_err_mtu_violation;
+ ac->hc_stats.hc_tx_err_inval_oob = resp.tx_err_inval_oob;
+ ac->hc_stats.hc_tx_bytes = resp.hc_tx_bytes;
+ ac->hc_stats.hc_tx_ucast_pkts = resp.hc_tx_ucast_pkts;
+ ac->hc_stats.hc_tx_ucast_bytes = resp.hc_tx_ucast_bytes;
+ ac->hc_stats.hc_tx_bcast_pkts = resp.hc_tx_bcast_pkts;
+ ac->hc_stats.hc_tx_bcast_bytes = resp.hc_tx_bcast_bytes;
+ ac->hc_stats.hc_tx_mcast_pkts = resp.hc_tx_mcast_pkts;
+ ac->hc_stats.hc_tx_mcast_bytes = resp.hc_tx_mcast_bytes;
+ ac->hc_stats.hc_tx_err_gdma = resp.tx_err_gdma;
}
void mana_query_phy_stats(struct mana_port_context *apc)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
index a1afa75a94631..3dfd96146424e 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
@@ -15,66 +15,69 @@ struct mana_stats_desc {
static const struct mana_stats_desc mana_eth_stats[] = {
{"stop_queue", offsetof(struct mana_ethtool_stats, stop_queue)},
{"wake_queue", offsetof(struct mana_ethtool_stats, wake_queue)},
- {"hc_rx_discards_no_wqe", offsetof(struct mana_ethtool_stats,
+ {"tx_cq_err", offsetof(struct mana_ethtool_stats, tx_cqe_err)},
+ {"tx_cqe_unknown_type", offsetof(struct mana_ethtool_stats,
+ tx_cqe_unknown_type)},
+ {"rx_coalesced_err", offsetof(struct mana_ethtool_stats,
+ rx_coalesced_err)},
+ {"rx_cqe_unknown_type", offsetof(struct mana_ethtool_stats,
+ rx_cqe_unknown_type)},
+};
+
+static const struct mana_stats_desc mana_hc_stats[] = {
+ {"hc_rx_discards_no_wqe", offsetof(struct mana_ethtool_hc_stats,
hc_rx_discards_no_wqe)},
- {"hc_rx_err_vport_disabled", offsetof(struct mana_ethtool_stats,
+ {"hc_rx_err_vport_disabled", offsetof(struct mana_ethtool_hc_stats,
hc_rx_err_vport_disabled)},
- {"hc_rx_bytes", offsetof(struct mana_ethtool_stats, hc_rx_bytes)},
- {"hc_rx_ucast_pkts", offsetof(struct mana_ethtool_stats,
+ {"hc_rx_bytes", offsetof(struct mana_ethtool_hc_stats, hc_rx_bytes)},
+ {"hc_rx_ucast_pkts", offsetof(struct mana_ethtool_hc_stats,
hc_rx_ucast_pkts)},
- {"hc_rx_ucast_bytes", offsetof(struct mana_ethtool_stats,
+ {"hc_rx_ucast_bytes", offsetof(struct mana_ethtool_hc_stats,
hc_rx_ucast_bytes)},
- {"hc_rx_bcast_pkts", offsetof(struct mana_ethtool_stats,
+ {"hc_rx_bcast_pkts", offsetof(struct mana_ethtool_hc_stats,
hc_rx_bcast_pkts)},
- {"hc_rx_bcast_bytes", offsetof(struct mana_ethtool_stats,
+ {"hc_rx_bcast_bytes", offsetof(struct mana_ethtool_hc_stats,
hc_rx_bcast_bytes)},
- {"hc_rx_mcast_pkts", offsetof(struct mana_ethtool_stats,
- hc_rx_mcast_pkts)},
- {"hc_rx_mcast_bytes", offsetof(struct mana_ethtool_stats,
+ {"hc_rx_mcast_pkts", offsetof(struct mana_ethtool_hc_stats,
+ hc_rx_mcast_pkts)},
+ {"hc_rx_mcast_bytes", offsetof(struct mana_ethtool_hc_stats,
hc_rx_mcast_bytes)},
- {"hc_tx_err_gf_disabled", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_err_gf_disabled", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_gf_disabled)},
- {"hc_tx_err_vport_disabled", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_err_vport_disabled", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_vport_disabled)},
{"hc_tx_err_inval_vportoffset_pkt",
- offsetof(struct mana_ethtool_stats,
+ offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_inval_vportoffset_pkt)},
- {"hc_tx_err_vlan_enforcement", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_err_vlan_enforcement", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_vlan_enforcement)},
{"hc_tx_err_eth_type_enforcement",
- offsetof(struct mana_ethtool_stats, hc_tx_err_eth_type_enforcement)},
- {"hc_tx_err_sa_enforcement", offsetof(struct mana_ethtool_stats,
+ offsetof(struct mana_ethtool_hc_stats, hc_tx_err_eth_type_enforcement)},
+ {"hc_tx_err_sa_enforcement", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_sa_enforcement)},
{"hc_tx_err_sqpdid_enforcement",
- offsetof(struct mana_ethtool_stats, hc_tx_err_sqpdid_enforcement)},
+ offsetof(struct mana_ethtool_hc_stats, hc_tx_err_sqpdid_enforcement)},
{"hc_tx_err_cqpdid_enforcement",
- offsetof(struct mana_ethtool_stats, hc_tx_err_cqpdid_enforcement)},
- {"hc_tx_err_mtu_violation", offsetof(struct mana_ethtool_stats,
+ offsetof(struct mana_ethtool_hc_stats, hc_tx_err_cqpdid_enforcement)},
+ {"hc_tx_err_mtu_violation", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_mtu_violation)},
- {"hc_tx_err_inval_oob", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_err_inval_oob", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_inval_oob)},
- {"hc_tx_err_gdma", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_err_gdma", offsetof(struct mana_ethtool_hc_stats,
hc_tx_err_gdma)},
- {"hc_tx_bytes", offsetof(struct mana_ethtool_stats, hc_tx_bytes)},
- {"hc_tx_ucast_pkts", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_bytes", offsetof(struct mana_ethtool_hc_stats, hc_tx_bytes)},
+ {"hc_tx_ucast_pkts", offsetof(struct mana_ethtool_hc_stats,
hc_tx_ucast_pkts)},
- {"hc_tx_ucast_bytes", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_ucast_bytes", offsetof(struct mana_ethtool_hc_stats,
hc_tx_ucast_bytes)},
- {"hc_tx_bcast_pkts", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_bcast_pkts", offsetof(struct mana_ethtool_hc_stats,
hc_tx_bcast_pkts)},
- {"hc_tx_bcast_bytes", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_bcast_bytes", offsetof(struct mana_ethtool_hc_stats,
hc_tx_bcast_bytes)},
- {"hc_tx_mcast_pkts", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_mcast_pkts", offsetof(struct mana_ethtool_hc_stats,
hc_tx_mcast_pkts)},
- {"hc_tx_mcast_bytes", offsetof(struct mana_ethtool_stats,
+ {"hc_tx_mcast_bytes", offsetof(struct mana_ethtool_hc_stats,
hc_tx_mcast_bytes)},
- {"tx_cq_err", offsetof(struct mana_ethtool_stats, tx_cqe_err)},
- {"tx_cqe_unknown_type", offsetof(struct mana_ethtool_stats,
- tx_cqe_unknown_type)},
- {"rx_coalesced_err", offsetof(struct mana_ethtool_stats,
- rx_coalesced_err)},
- {"rx_cqe_unknown_type", offsetof(struct mana_ethtool_stats,
- rx_cqe_unknown_type)},
};
static const struct mana_stats_desc mana_phy_stats[] = {
@@ -138,7 +141,7 @@ static int mana_get_sset_count(struct net_device *ndev, int stringset)
if (stringset != ETH_SS_STATS)
return -EINVAL;
- return ARRAY_SIZE(mana_eth_stats) + ARRAY_SIZE(mana_phy_stats) +
+ return ARRAY_SIZE(mana_eth_stats) + ARRAY_SIZE(mana_phy_stats) + ARRAY_SIZE(mana_hc_stats) +
num_queues * (MANA_STATS_RX_COUNT + MANA_STATS_TX_COUNT);
}
@@ -150,10 +153,12 @@ static void mana_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
if (stringset != ETH_SS_STATS)
return;
-
for (i = 0; i < ARRAY_SIZE(mana_eth_stats); i++)
ethtool_puts(&data, mana_eth_stats[i].name);
+ for (i = 0; i < ARRAY_SIZE(mana_hc_stats); i++)
+ ethtool_puts(&data, mana_hc_stats[i].name);
+
for (i = 0; i < ARRAY_SIZE(mana_phy_stats); i++)
ethtool_puts(&data, mana_phy_stats[i].name);
@@ -186,6 +191,7 @@ static void mana_get_ethtool_stats(struct net_device *ndev,
struct mana_port_context *apc = netdev_priv(ndev);
unsigned int num_queues = apc->num_queues;
void *eth_stats = &apc->eth_stats;
+ void *hc_stats = &apc->ac->hc_stats;
void *phy_stats = &apc->phy_stats;
struct mana_stats_rx *rx_stats;
struct mana_stats_tx *tx_stats;
@@ -208,7 +214,7 @@ static void mana_get_ethtool_stats(struct net_device *ndev,
if (!apc->port_is_up)
return;
/* we call mana function to update stats from GDMA */
- mana_query_gf_stats(apc);
+ mana_query_gf_stats(apc->ac);
/* We call this mana function to get the phy stats from GDMA and includes
* aggregate tx/rx drop counters, Per-TC(Traffic Channel) tx/rx and pause
@@ -219,6 +225,9 @@ static void mana_get_ethtool_stats(struct net_device *ndev,
for (q = 0; q < ARRAY_SIZE(mana_eth_stats); q++)
data[i++] = *(u64 *)(eth_stats + mana_eth_stats[q].offset);
+ for (q = 0; q < ARRAY_SIZE(mana_hc_stats); q++)
+ data[i++] = *(u64 *)(hc_stats + mana_hc_stats[q].offset);
+
for (q = 0; q < ARRAY_SIZE(mana_phy_stats); q++)
data[i++] = *(u64 *)(phy_stats + mana_phy_stats[q].offset);
diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
index f9f264385405c..265f2d90027d6 100644
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -375,6 +375,13 @@ struct mana_tx_qp {
struct mana_ethtool_stats {
u64 stop_queue;
u64 wake_queue;
+ u64 tx_cqe_err;
+ u64 tx_cqe_unknown_type;
+ u64 rx_coalesced_err;
+ u64 rx_cqe_unknown_type;
+};
+
+struct mana_ethtool_hc_stats {
u64 hc_rx_discards_no_wqe;
u64 hc_rx_err_vport_disabled;
u64 hc_rx_bytes;
@@ -402,10 +409,6 @@ struct mana_ethtool_stats {
u64 hc_tx_mcast_pkts;
u64 hc_tx_mcast_bytes;
u64 hc_tx_err_gdma;
- u64 tx_cqe_err;
- u64 tx_cqe_unknown_type;
- u64 rx_coalesced_err;
- u64 rx_cqe_unknown_type;
};
struct mana_ethtool_phy_stats {
@@ -473,6 +476,7 @@ struct mana_context {
u16 num_ports;
u8 bm_hostmode;
+ struct mana_ethtool_hc_stats hc_stats;
struct mana_eq *eqs;
struct dentry *mana_eqs_debugfs;
@@ -578,7 +582,7 @@ u32 mana_run_xdp(struct net_device *ndev, struct mana_rxq *rxq,
struct bpf_prog *mana_xdp_get(struct mana_port_context *apc);
void mana_chn_setxdp(struct mana_port_context *apc, struct bpf_prog *prog);
int mana_bpf(struct net_device *ndev, struct netdev_bpf *bpf);
-void mana_query_gf_stats(struct mana_port_context *apc);
+void mana_query_gf_stats(struct mana_context *ac);
int mana_query_link_cfg(struct mana_port_context *apc);
int mana_set_bw_clamp(struct mana_port_context *apc, u32 speed,
int enable_clamping);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 704/957] net: mana: Add standard counter rx_missed_errors
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (702 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 703/957] net: mana: Move hardware counter stats from per-port to per-VF context Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 705/957] net: mana: Dont overwrite port probe error with add_adev result Greg Kroah-Hartman
` (258 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela,
Haiyang Zhang, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit be4f1d67ec56f23f37714ac73c01094e63c7ff28 ]
Report standard counter stats->rx_missed_errors
using hc_rx_discards_no_wqe from the hardware.
Add a global workqueue to periodically run
mana_query_gf_stats every 2 seconds to get the latest
info in eth_stats and define a driver capability flag
to notify hardware of the periodic queries.
To avoid repeated failures and log flooding, the workqueue
is not rescheduled if mana_query_gf_stats fails on HWC timeout
error and the stats are reset to 0. Other errors are transient
which will not need a VF reset for recovery.
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1763120599-6331-3-git-send-email-ernis@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: a7fdaf069bd0 ("net: mana: Don't overwrite port probe error with add_adev result")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 36 +++++++++++++++++--
.../ethernet/microsoft/mana/mana_ethtool.c | 2 --
include/net/mana/gdma.h | 6 +++-
include/net/mana/mana.h | 6 +++-
4 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 2e5efc03cacec..b0d411ab1067f 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -534,6 +534,11 @@ static void mana_get_stats64(struct net_device *ndev,
netdev_stats_to_stats64(st, &ndev->stats);
+ if (apc->ac->hwc_timeout_occurred)
+ netdev_warn_once(ndev, "HWC timeout occurred\n");
+
+ st->rx_missed_errors = apc->ac->hc_stats.hc_rx_discards_no_wqe;
+
for (q = 0; q < num_queues; q++) {
rx_stats = &apc->rxqs[q]->stats;
@@ -2836,7 +2841,7 @@ int mana_config_rss(struct mana_port_context *apc, enum TRI_STATE rx,
return 0;
}
-void mana_query_gf_stats(struct mana_context *ac)
+int mana_query_gf_stats(struct mana_context *ac)
{
struct gdma_context *gc = ac->gdma_dev->gdma_context;
struct mana_query_gf_stat_resp resp = {};
@@ -2879,14 +2884,14 @@ void mana_query_gf_stats(struct mana_context *ac)
sizeof(resp));
if (err) {
dev_err(dev, "Failed to query GF stats: %d\n", err);
- return;
+ return err;
}
err = mana_verify_resp_hdr(&resp.hdr, MANA_QUERY_GF_STAT,
sizeof(resp));
if (err || resp.hdr.status) {
dev_err(dev, "Failed to query GF stats: %d, 0x%x\n", err,
resp.hdr.status);
- return;
+ return err;
}
ac->hc_stats.hc_rx_discards_no_wqe = resp.rx_discards_nowqe;
@@ -2921,6 +2926,8 @@ void mana_query_gf_stats(struct mana_context *ac)
ac->hc_stats.hc_tx_mcast_pkts = resp.hc_tx_mcast_pkts;
ac->hc_stats.hc_tx_mcast_bytes = resp.hc_tx_mcast_bytes;
ac->hc_stats.hc_tx_err_gdma = resp.tx_err_gdma;
+
+ return 0;
}
void mana_query_phy_stats(struct mana_port_context *apc)
@@ -3459,6 +3466,24 @@ int mana_rdma_service_event(struct gdma_context *gc, enum gdma_service_type even
return 0;
}
+#define MANA_GF_STATS_PERIOD (2 * HZ)
+
+static void mana_gf_stats_work_handler(struct work_struct *work)
+{
+ struct mana_context *ac =
+ container_of(to_delayed_work(work), struct mana_context, gf_stats_work);
+ int err;
+
+ err = mana_query_gf_stats(ac);
+ if (err == -ETIMEDOUT) {
+ /* HWC timeout detected - reset stats and stop rescheduling */
+ ac->hwc_timeout_occurred = true;
+ memset(&ac->hc_stats, 0, sizeof(ac->hc_stats));
+ return;
+ }
+ schedule_delayed_work(&ac->gf_stats_work, MANA_GF_STATS_PERIOD);
+}
+
int mana_probe(struct gdma_dev *gd, bool resuming)
{
struct gdma_context *gc = gd->gdma_context;
@@ -3551,6 +3576,10 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
}
err = add_adev(gd, "eth");
+
+ INIT_DELAYED_WORK(&ac->gf_stats_work, mana_gf_stats_work_handler);
+ schedule_delayed_work(&ac->gf_stats_work, MANA_GF_STATS_PERIOD);
+
out:
if (err) {
mana_remove(gd, false);
@@ -3580,6 +3609,7 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
dev = gc->dev;
disable_work_sync(&ac->link_change_work);
+ cancel_delayed_work_sync(&ac->gf_stats_work);
/* adev currently doesn't support suspending, always remove it */
if (gd->adev)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
index 3dfd96146424e..99e8112086833 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
@@ -213,8 +213,6 @@ static void mana_get_ethtool_stats(struct net_device *ndev,
if (!apc->port_is_up)
return;
- /* we call mana function to update stats from GDMA */
- mana_query_gf_stats(apc->ac);
/* We call this mana function to get the phy stats from GDMA and includes
* aggregate tx/rx drop counters, Per-TC(Traffic Channel) tx/rx and pause
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index 637f42485dba6..2e4f2f3175e55 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -592,6 +592,9 @@ enum {
#define GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE BIT(17)
#define GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE BIT(6)
+/* Driver can send HWC periodically to query stats */
+#define GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY BIT(21)
+
#define GDMA_DRV_CAP_FLAGS1 \
(GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \
GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX | \
@@ -601,7 +604,8 @@ enum {
GDMA_DRV_CAP_FLAG_1_DYNAMIC_IRQ_ALLOC_SUPPORT | \
GDMA_DRV_CAP_FLAG_1_SELF_RESET_ON_EQE | \
GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE | \
- GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE)
+ GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE | \
+ GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY)
#define GDMA_DRV_CAP_FLAGS2 0
diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
index 265f2d90027d6..7e946239effa9 100644
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -480,6 +480,10 @@ struct mana_context {
struct mana_eq *eqs;
struct dentry *mana_eqs_debugfs;
+ /* Workqueue for querying hardware stats */
+ struct delayed_work gf_stats_work;
+ bool hwc_timeout_occurred;
+
struct net_device *ports[MAX_PORTS_IN_MANA_DEV];
/* Link state change work */
@@ -582,7 +586,7 @@ u32 mana_run_xdp(struct net_device *ndev, struct mana_rxq *rxq,
struct bpf_prog *mana_xdp_get(struct mana_port_context *apc);
void mana_chn_setxdp(struct mana_port_context *apc, struct bpf_prog *prog);
int mana_bpf(struct net_device *ndev, struct netdev_bpf *bpf);
-void mana_query_gf_stats(struct mana_context *ac);
+int mana_query_gf_stats(struct mana_context *ac);
int mana_query_link_cfg(struct mana_port_context *apc);
int mana_set_bw_clamp(struct mana_port_context *apc, u32 speed,
int enable_clamping);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 705/957] net: mana: Dont overwrite port probe error with add_adev result
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (703 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 704/957] net: mana: Add standard counter rx_missed_errors Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 706/957] net: mana: Handle SKB if TX SGEs exceed hardware limit Greg Kroah-Hartman
` (257 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit a7fdaf069bd031fcc234581fa6a580be11bf2175 ]
In mana_probe(), if mana_probe_port() fails for any port, the error
is stored in 'err' and the loop breaks. However, the subsequent
unconditional 'err = add_adev(gd, "eth")' overwrites this error.
If add_adev() succeeds, mana_probe() returns success despite ports
being left in a partially initialized state (ac->ports[i] == NULL).
Only call add_adev() when there is no prior error, so the probe
correctly fails and triggers mana_remove() cleanup.
Fixes: a69839d4327d ("net: mana: Add support for auxiliary device")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260420124741.1056179-5-ernis@linux.microsoft.com
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index b0d411ab1067f..02090edbd103f 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3548,10 +3548,9 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
if (!resuming) {
for (i = 0; i < ac->num_ports; i++) {
err = mana_probe_port(ac, i, &ac->ports[i]);
- /* we log the port for which the probe failed and stop
- * probes for subsequent ports.
- * Note that we keep running ports, for which the probes
- * were successful, unless add_adev fails too
+ /* Log the port for which the probe failed, stop probing
+ * subsequent ports, and skip add_adev.
+ * mana_remove() will clean up already-probed ports.
*/
if (err) {
dev_err(dev, "Probe Failed for port %d\n", i);
@@ -3563,10 +3562,9 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
rtnl_lock();
err = mana_attach(ac->ports[i]);
rtnl_unlock();
- /* we log the port for which the attach failed and stop
- * attach for subsequent ports
- * Note that we keep running ports, for which the attach
- * were successful, unless add_adev fails too
+ /* Log the port for which the attach failed, stop
+ * attaching subsequent ports, and skip add_adev.
+ * mana_remove() will clean up already-attached ports.
*/
if (err) {
dev_err(dev, "Attach Failed for port %d\n", i);
@@ -3575,7 +3573,8 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
}
}
- err = add_adev(gd, "eth");
+ if (!err)
+ err = add_adev(gd, "eth");
INIT_DELAYED_WORK(&ac->gf_stats_work, mana_gf_stats_work_handler);
schedule_delayed_work(&ac->gf_stats_work, MANA_GF_STATS_PERIOD);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 706/957] net: mana: Handle SKB if TX SGEs exceed hardware limit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (704 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 705/957] net: mana: Dont overwrite port probe error with add_adev result Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 707/957] net: mana: Handle hardware recovery events when probing the device Greg Kroah-Hartman
` (256 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dipayaan Roy, Aditya Garg,
Eric Dumazet, Haiyang Zhang, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya@linux.microsoft.com>
[ Upstream commit 934fa943b53795339486cc0026b3ab7ad39dc600 ]
The MANA hardware supports a maximum of 30 scatter-gather entries (SGEs)
per TX WQE. Exceeding this limit can cause TX failures.
Add ndo_features_check() callback to validate SKB layout before
transmission. For GSO SKBs that would exceed the hardware SGE limit, clear
NETIF_F_GSO_MASK to enforce software segmentation in the stack.
Add a fallback in mana_start_xmit() to linearize non-GSO SKBs that still
exceed the SGE limit.
Also, Add ethtool counter for SKBs linearized
Co-developed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1763464269-10431-2-git-send-email-gargaditya@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 65267c9c4f28 ("net: mana: Fix EQ leak in mana_remove on NULL port")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 40 ++++++++++++++++++-
.../ethernet/microsoft/mana/mana_ethtool.c | 2 +
include/net/mana/gdma.h | 8 +++-
include/net/mana/mana.h | 1 +
4 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 02090edbd103f..b9cab61d0afe2 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -11,6 +11,7 @@
#include <linux/mm.h>
#include <linux/pci.h>
#include <linux/export.h>
+#include <linux/skbuff.h>
#include <net/checksum.h>
#include <net/ip6_checksum.h>
@@ -329,6 +330,21 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
cq = &apc->tx_qp[txq_idx].tx_cq;
tx_stats = &txq->stats;
+ BUILD_BUG_ON(MAX_TX_WQE_SGL_ENTRIES != MANA_MAX_TX_WQE_SGL_ENTRIES);
+ if (MAX_SKB_FRAGS + 2 > MAX_TX_WQE_SGL_ENTRIES &&
+ skb_shinfo(skb)->nr_frags + 2 > MAX_TX_WQE_SGL_ENTRIES) {
+ /* GSO skb with Hardware SGE limit exceeded is not expected here
+ * as they are handled in mana_features_check() callback
+ */
+ if (skb_linearize(skb)) {
+ netdev_warn_once(ndev, "Failed to linearize skb with nr_frags=%d and is_gso=%d\n",
+ skb_shinfo(skb)->nr_frags,
+ skb_is_gso(skb));
+ goto tx_drop_count;
+ }
+ apc->eth_stats.tx_linear_pkt_cnt++;
+ }
+
pkg.tx_oob.s_oob.vcq_num = cq->gdma_id;
pkg.tx_oob.s_oob.vsq_frame = txq->vsq_frame;
@@ -442,8 +458,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
}
}
- WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES);
-
if (pkg.wqe_req.num_sge <= ARRAY_SIZE(pkg.sgl_array)) {
pkg.wqe_req.sgl = pkg.sgl_array;
} else {
@@ -518,6 +532,25 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
return NETDEV_TX_OK;
}
+#if (MAX_SKB_FRAGS + 2 > MANA_MAX_TX_WQE_SGL_ENTRIES)
+static netdev_features_t mana_features_check(struct sk_buff *skb,
+ struct net_device *ndev,
+ netdev_features_t features)
+{
+ if (skb_shinfo(skb)->nr_frags + 2 > MAX_TX_WQE_SGL_ENTRIES) {
+ /* Exceeds HW SGE limit.
+ * GSO case:
+ * Disable GSO so the stack will software-segment the skb
+ * into smaller skbs that fit the SGE budget.
+ * Non-GSO case:
+ * The xmit path will attempt skb_linearize() as a fallback.
+ */
+ features &= ~NETIF_F_GSO_MASK;
+ }
+ return features;
+}
+#endif
+
static void mana_get_stats64(struct net_device *ndev,
struct rtnl_link_stats64 *st)
{
@@ -890,6 +923,9 @@ static const struct net_device_ops mana_devops = {
.ndo_open = mana_open,
.ndo_stop = mana_close,
.ndo_select_queue = mana_select_queue,
+#if (MAX_SKB_FRAGS + 2 > MANA_MAX_TX_WQE_SGL_ENTRIES)
+ .ndo_features_check = mana_features_check,
+#endif
.ndo_start_xmit = mana_start_xmit,
.ndo_validate_addr = eth_validate_addr,
.ndo_get_stats64 = mana_get_stats64,
diff --git a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
index 99e8112086833..0e2f4343ac67f 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_ethtool.c
@@ -18,6 +18,8 @@ static const struct mana_stats_desc mana_eth_stats[] = {
{"tx_cq_err", offsetof(struct mana_ethtool_stats, tx_cqe_err)},
{"tx_cqe_unknown_type", offsetof(struct mana_ethtool_stats,
tx_cqe_unknown_type)},
+ {"tx_linear_pkt_cnt", offsetof(struct mana_ethtool_stats,
+ tx_linear_pkt_cnt)},
{"rx_coalesced_err", offsetof(struct mana_ethtool_stats,
rx_coalesced_err)},
{"rx_cqe_unknown_type", offsetof(struct mana_ethtool_stats,
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index 2e4f2f3175e55..a4cf307859f85 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -486,6 +486,8 @@ struct gdma_wqe {
#define INLINE_OOB_SMALL_SIZE 8
#define INLINE_OOB_LARGE_SIZE 24
+#define MANA_MAX_TX_WQE_SGL_ENTRIES 30
+
#define MAX_TX_WQE_SIZE 512
#define MAX_RX_WQE_SIZE 256
@@ -592,6 +594,9 @@ enum {
#define GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE BIT(17)
#define GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE BIT(6)
+/* Driver supports linearizing the skb when num_sge exceeds hardware limit */
+#define GDMA_DRV_CAP_FLAG_1_SKB_LINEARIZE BIT(20)
+
/* Driver can send HWC periodically to query stats */
#define GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY BIT(21)
@@ -605,7 +610,8 @@ enum {
GDMA_DRV_CAP_FLAG_1_SELF_RESET_ON_EQE | \
GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE | \
GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE | \
- GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY)
+ GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY | \
+ GDMA_DRV_CAP_FLAG_1_SKB_LINEARIZE)
#define GDMA_DRV_CAP_FLAGS2 0
diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
index 7e946239effa9..9fadff78568ea 100644
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -377,6 +377,7 @@ struct mana_ethtool_stats {
u64 wake_queue;
u64 tx_cqe_err;
u64 tx_cqe_unknown_type;
+ u64 tx_linear_pkt_cnt;
u64 rx_coalesced_err;
u64 rx_cqe_unknown_type;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 707/957] net: mana: Handle hardware recovery events when probing the device
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (705 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 706/957] net: mana: Handle SKB if TX SGEs exceed hardware limit Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 708/957] net: mana: Implement ndo_tx_timeout and serialize queue resets per port Greg Kroah-Hartman
` (255 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Haiyang Zhang,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
[ Upstream commit 9bf66036d686b9a67000ba22bd94be13a4ea79ac ]
When MANA is being probed, it's possible that hardware is in recovery
mode and the device may get GDMA_EQE_HWC_RESET_REQUEST over HWC in the
middle of the probe. Detect such condition and go through the recovery
service procedure.
Signed-off-by: Long Li <longli@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1764193552-9712-1-git-send-email-longli@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 65267c9c4f28 ("net: mana: Fix EQ leak in mana_remove on NULL port")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/microsoft/mana/gdma_main.c | 176 ++++++++++++++++--
include/net/mana/gdma.h | 12 +-
2 files changed, 170 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index d93cfb7f4e788..0ad082b566f5e 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -15,6 +15,20 @@
struct dentry *mana_debugfs_root;
+struct mana_dev_recovery {
+ struct list_head list;
+ struct pci_dev *pdev;
+ enum gdma_eqe_type type;
+};
+
+static struct mana_dev_recovery_work {
+ struct list_head dev_list;
+ struct delayed_work work;
+
+ /* Lock for dev_list above */
+ spinlock_t lock;
+} mana_dev_recovery_work;
+
static u32 mana_gd_r32(struct gdma_context *g, u64 offset)
{
return readl(g->bar0_va + offset);
@@ -387,6 +401,25 @@ EXPORT_SYMBOL_NS(mana_gd_ring_cq, "NET_MANA");
#define MANA_SERVICE_PERIOD 10
+static void mana_serv_rescan(struct pci_dev *pdev)
+{
+ struct pci_bus *parent;
+
+ pci_lock_rescan_remove();
+
+ parent = pdev->bus;
+ if (!parent) {
+ dev_err(&pdev->dev, "MANA service: no parent bus\n");
+ goto out;
+ }
+
+ pci_stop_and_remove_bus_device(pdev);
+ pci_rescan_bus(parent);
+
+out:
+ pci_unlock_rescan_remove();
+}
+
static void mana_serv_fpga(struct pci_dev *pdev)
{
struct pci_bus *bus, *parent;
@@ -419,9 +452,12 @@ static void mana_serv_reset(struct pci_dev *pdev)
{
struct gdma_context *gc = pci_get_drvdata(pdev);
struct hw_channel_context *hwc;
+ int ret;
if (!gc) {
- dev_err(&pdev->dev, "MANA service: no GC\n");
+ /* Perform PCI rescan on device if GC is not set up */
+ dev_err(&pdev->dev, "MANA service: GC not setup, rescanning\n");
+ mana_serv_rescan(pdev);
return;
}
@@ -440,9 +476,18 @@ static void mana_serv_reset(struct pci_dev *pdev)
msleep(MANA_SERVICE_PERIOD * 1000);
- mana_gd_resume(pdev);
+ ret = mana_gd_resume(pdev);
+ if (ret == -ETIMEDOUT || ret == -EPROTO) {
+ /* Perform PCI rescan on device if we failed on HWC */
+ dev_err(&pdev->dev, "MANA service: resume failed, rescanning\n");
+ mana_serv_rescan(pdev);
+ goto out;
+ }
- dev_info(&pdev->dev, "MANA reset cycle completed\n");
+ if (ret)
+ dev_info(&pdev->dev, "MANA reset cycle failed err %d\n", ret);
+ else
+ dev_info(&pdev->dev, "MANA reset cycle completed\n");
out:
gc->in_service = false;
@@ -454,18 +499,9 @@ struct mana_serv_work {
enum gdma_eqe_type type;
};
-static void mana_serv_func(struct work_struct *w)
+static void mana_do_service(enum gdma_eqe_type type, struct pci_dev *pdev)
{
- struct mana_serv_work *mns_wk;
- struct pci_dev *pdev;
-
- mns_wk = container_of(w, struct mana_serv_work, serv_work);
- pdev = mns_wk->pdev;
-
- if (!pdev)
- goto out;
-
- switch (mns_wk->type) {
+ switch (type) {
case GDMA_EQE_HWC_FPGA_RECONFIG:
mana_serv_fpga(pdev);
break;
@@ -475,12 +511,48 @@ static void mana_serv_func(struct work_struct *w)
break;
default:
- dev_err(&pdev->dev, "MANA service: unknown type %d\n",
- mns_wk->type);
+ dev_err(&pdev->dev, "MANA service: unknown type %d\n", type);
break;
}
+}
+
+static void mana_recovery_delayed_func(struct work_struct *w)
+{
+ struct mana_dev_recovery_work *work;
+ struct mana_dev_recovery *dev;
+ unsigned long flags;
+
+ work = container_of(w, struct mana_dev_recovery_work, work.work);
+
+ spin_lock_irqsave(&work->lock, flags);
+
+ while (!list_empty(&work->dev_list)) {
+ dev = list_first_entry(&work->dev_list,
+ struct mana_dev_recovery, list);
+ list_del(&dev->list);
+ spin_unlock_irqrestore(&work->lock, flags);
+
+ mana_do_service(dev->type, dev->pdev);
+ pci_dev_put(dev->pdev);
+ kfree(dev);
+
+ spin_lock_irqsave(&work->lock, flags);
+ }
+
+ spin_unlock_irqrestore(&work->lock, flags);
+}
+
+static void mana_serv_func(struct work_struct *w)
+{
+ struct mana_serv_work *mns_wk;
+ struct pci_dev *pdev;
+
+ mns_wk = container_of(w, struct mana_serv_work, serv_work);
+ pdev = mns_wk->pdev;
+
+ if (pdev)
+ mana_do_service(mns_wk->type, pdev);
-out:
pci_dev_put(pdev);
kfree(mns_wk);
module_put(THIS_MODULE);
@@ -541,6 +613,17 @@ static void mana_gd_process_eqe(struct gdma_queue *eq)
case GDMA_EQE_HWC_RESET_REQUEST:
dev_info(gc->dev, "Recv MANA service type:%d\n", type);
+ if (!test_and_set_bit(GC_PROBE_SUCCEEDED, &gc->flags)) {
+ /*
+ * Device is in probe and we received a hardware reset
+ * event, the probe function will detect that the flag
+ * has changed and perform service procedure.
+ */
+ dev_info(gc->dev,
+ "Service is to be processed in probe\n");
+ break;
+ }
+
if (gc->in_service) {
dev_info(gc->dev, "Already in service\n");
break;
@@ -1943,8 +2026,19 @@ static int mana_gd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
if (err)
goto cleanup_mana;
+ /*
+ * If a hardware reset event has occurred over HWC during probe,
+ * rollback and perform hardware reset procedure.
+ */
+ if (test_and_set_bit(GC_PROBE_SUCCEEDED, &gc->flags)) {
+ err = -EPROTO;
+ goto cleanup_mana_rdma;
+ }
+
return 0;
+cleanup_mana_rdma:
+ mana_rdma_remove(&gc->mana_ib);
cleanup_mana:
mana_remove(&gc->mana, false);
cleanup_gd:
@@ -1968,6 +2062,35 @@ static int mana_gd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
disable_dev:
pci_disable_device(pdev);
dev_err(&pdev->dev, "gdma probe failed: err = %d\n", err);
+
+ /*
+ * Hardware could be in recovery mode and the HWC returns TIMEDOUT or
+ * EPROTO from mana_gd_setup(), mana_probe() or mana_rdma_probe(), or
+ * we received a hardware reset event over HWC interrupt. In this case,
+ * perform the device recovery procedure after MANA_SERVICE_PERIOD
+ * seconds.
+ */
+ if (err == -ETIMEDOUT || err == -EPROTO) {
+ struct mana_dev_recovery *dev;
+ unsigned long flags;
+
+ dev_info(&pdev->dev, "Start MANA recovery mode\n");
+
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev)
+ return err;
+
+ dev->pdev = pci_dev_get(pdev);
+ dev->type = GDMA_EQE_HWC_RESET_REQUEST;
+
+ spin_lock_irqsave(&mana_dev_recovery_work.lock, flags);
+ list_add_tail(&dev->list, &mana_dev_recovery_work.dev_list);
+ spin_unlock_irqrestore(&mana_dev_recovery_work.lock, flags);
+
+ schedule_delayed_work(&mana_dev_recovery_work.work,
+ secs_to_jiffies(MANA_SERVICE_PERIOD));
+ }
+
return err;
}
@@ -2072,6 +2195,10 @@ static int __init mana_driver_init(void)
{
int err;
+ INIT_LIST_HEAD(&mana_dev_recovery_work.dev_list);
+ spin_lock_init(&mana_dev_recovery_work.lock);
+ INIT_DELAYED_WORK(&mana_dev_recovery_work.work, mana_recovery_delayed_func);
+
mana_debugfs_root = debugfs_create_dir("mana", NULL);
err = pci_register_driver(&mana_driver);
@@ -2085,6 +2212,21 @@ static int __init mana_driver_init(void)
static void __exit mana_driver_exit(void)
{
+ struct mana_dev_recovery *dev;
+ unsigned long flags;
+
+ disable_delayed_work_sync(&mana_dev_recovery_work.work);
+
+ spin_lock_irqsave(&mana_dev_recovery_work.lock, flags);
+ while (!list_empty(&mana_dev_recovery_work.dev_list)) {
+ dev = list_first_entry(&mana_dev_recovery_work.dev_list,
+ struct mana_dev_recovery, list);
+ list_del(&dev->list);
+ pci_dev_put(dev->pdev);
+ kfree(dev);
+ }
+ spin_unlock_irqrestore(&mana_dev_recovery_work.lock, flags);
+
pci_unregister_driver(&mana_driver);
debugfs_remove(mana_debugfs_root);
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index a4cf307859f85..eaa27483f99b2 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -382,6 +382,10 @@ struct gdma_irq_context {
char name[MANA_IRQ_NAME_SZ];
};
+enum gdma_context_flags {
+ GC_PROBE_SUCCEEDED = 0,
+};
+
struct gdma_context {
struct device *dev;
struct dentry *mana_pci_debugfs;
@@ -430,6 +434,8 @@ struct gdma_context {
u64 pf_cap_flags1;
struct workqueue_struct *service_wq;
+
+ unsigned long flags;
};
static inline bool mana_gd_is_mana(struct gdma_dev *gd)
@@ -600,6 +606,9 @@ enum {
/* Driver can send HWC periodically to query stats */
#define GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY BIT(21)
+/* Driver can handle hardware recovery events during probe */
+#define GDMA_DRV_CAP_FLAG_1_PROBE_RECOVERY BIT(22)
+
#define GDMA_DRV_CAP_FLAGS1 \
(GDMA_DRV_CAP_FLAG_1_EQ_SHARING_MULTI_VPORT | \
GDMA_DRV_CAP_FLAG_1_NAPI_WKDONE_FIX | \
@@ -611,7 +620,8 @@ enum {
GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE | \
GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE | \
GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY | \
- GDMA_DRV_CAP_FLAG_1_SKB_LINEARIZE)
+ GDMA_DRV_CAP_FLAG_1_SKB_LINEARIZE | \
+ GDMA_DRV_CAP_FLAG_1_PROBE_RECOVERY)
#define GDMA_DRV_CAP_FLAGS2 0
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 708/957] net: mana: Implement ndo_tx_timeout and serialize queue resets per port.
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (706 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 707/957] net: mana: Handle hardware recovery events when probing the device Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 709/957] net: mana: Fix EQ leak in mana_remove on NULL port Greg Kroah-Hartman
` (254 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavan Chebbi, Haiyang Zhang,
Dipayaan Roy, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
[ Upstream commit 3b194343c25084a8d2fa0c0f2c9e80f3080fd732 ]
Implement .ndo_tx_timeout for MANA so any stalled TX queue can be detected
and a device-controlled port reset for all queues can be scheduled to a
ordered workqueue. The reset for all queues on stall detection is
recomended by hardware team.
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Link: https://patch.msgid.link/20260112130552.GA11785@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 65267c9c4f28 ("net: mana: Fix EQ leak in mana_remove on NULL port")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 77 ++++++++++++++++++-
include/net/mana/gdma.h | 7 +-
include/net/mana/mana.h | 3 +-
3 files changed, 84 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index b9cab61d0afe2..12952f7273eb6 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -299,6 +299,39 @@ static int mana_get_gso_hs(struct sk_buff *skb)
return gso_hs;
}
+static void mana_per_port_queue_reset_work_handler(struct work_struct *work)
+{
+ struct mana_port_context *apc = container_of(work,
+ struct mana_port_context,
+ queue_reset_work);
+ struct net_device *ndev = apc->ndev;
+ int err;
+
+ rtnl_lock();
+
+ /* Pre-allocate buffers to prevent failure in mana_attach later */
+ err = mana_pre_alloc_rxbufs(apc, ndev->mtu, apc->num_queues);
+ if (err) {
+ netdev_err(ndev, "Insufficient memory for reset post tx stall detection\n");
+ goto out;
+ }
+
+ err = mana_detach(ndev, false);
+ if (err) {
+ netdev_err(ndev, "mana_detach failed: %d\n", err);
+ goto dealloc_pre_rxbufs;
+ }
+
+ err = mana_attach(ndev);
+ if (err)
+ netdev_err(ndev, "mana_attach failed: %d\n", err);
+
+dealloc_pre_rxbufs:
+ mana_pre_dealloc_rxbufs(apc);
+out:
+ rtnl_unlock();
+}
+
netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
{
enum mana_tx_pkt_format pkt_fmt = MANA_SHORT_PKT_FMT;
@@ -847,6 +880,23 @@ static int mana_change_mtu(struct net_device *ndev, int new_mtu)
return err;
}
+static void mana_tx_timeout(struct net_device *netdev, unsigned int txqueue)
+{
+ struct mana_port_context *apc = netdev_priv(netdev);
+ struct mana_context *ac = apc->ac;
+ struct gdma_context *gc = ac->gdma_dev->gdma_context;
+
+ /* Already in service, hence tx queue reset is not required.*/
+ if (gc->in_service)
+ return;
+
+ /* Note: If there are pending queue reset work for this port(apc),
+ * subsequent request queued up from here are ignored. This is because
+ * we are using the same work instance per port(apc).
+ */
+ queue_work(ac->per_port_queue_reset_wq, &apc->queue_reset_work);
+}
+
static int mana_shaper_set(struct net_shaper_binding *binding,
const struct net_shaper *shaper,
struct netlink_ext_ack *extack)
@@ -932,6 +982,7 @@ static const struct net_device_ops mana_devops = {
.ndo_bpf = mana_bpf,
.ndo_xdp_xmit = mana_xdp_xmit,
.ndo_change_mtu = mana_change_mtu,
+ .ndo_tx_timeout = mana_tx_timeout,
.net_shaper_ops = &mana_shaper_ops,
};
@@ -3319,6 +3370,8 @@ static int mana_probe_port(struct mana_context *ac, int port_idx,
ndev->min_mtu = ETH_MIN_MTU;
ndev->needed_headroom = MANA_HEADROOM;
ndev->dev_port = port_idx;
+ /* Recommended timeout based on HW FPGA re-config scenario. */
+ ndev->watchdog_timeo = 15 * HZ;
SET_NETDEV_DEV(ndev, gc->dev);
netif_set_tso_max_size(ndev, GSO_MAX_SIZE);
@@ -3335,6 +3388,10 @@ static int mana_probe_port(struct mana_context *ac, int port_idx,
if (err)
goto reset_apc;
+ /* Initialize the per port queue reset work.*/
+ INIT_WORK(&apc->queue_reset_work,
+ mana_per_port_queue_reset_work_handler);
+
netdev_lockdep_set_classes(ndev);
ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM;
@@ -3524,6 +3581,7 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
{
struct gdma_context *gc = gd->gdma_context;
struct mana_context *ac = gd->driver_data;
+ struct mana_port_context *apc = NULL;
struct device *dev = gc->dev;
u8 bm_hostmode = 0;
u16 num_ports = 0;
@@ -3581,6 +3639,14 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
if (ac->num_ports > MAX_PORTS_IN_MANA_DEV)
ac->num_ports = MAX_PORTS_IN_MANA_DEV;
+ ac->per_port_queue_reset_wq =
+ create_singlethread_workqueue("mana_per_port_queue_reset_wq");
+ if (!ac->per_port_queue_reset_wq) {
+ dev_err(dev, "Failed to allocate per port queue reset workqueue\n");
+ err = -ENOMEM;
+ goto out;
+ }
+
if (!resuming) {
for (i = 0; i < ac->num_ports; i++) {
err = mana_probe_port(ac, i, &ac->ports[i]);
@@ -3596,6 +3662,8 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
} else {
for (i = 0; i < ac->num_ports; i++) {
rtnl_lock();
+ apc = netdev_priv(ac->ports[i]);
+ enable_work(&apc->queue_reset_work);
err = mana_attach(ac->ports[i]);
rtnl_unlock();
/* Log the port for which the attach failed, stop
@@ -3652,13 +3720,15 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
for (i = 0; i < ac->num_ports; i++) {
ndev = ac->ports[i];
- apc = netdev_priv(ndev);
if (!ndev) {
if (i == 0)
dev_err(dev, "No net device to remove\n");
goto out;
}
+ apc = netdev_priv(ndev);
+ disable_work_sync(&apc->queue_reset_work);
+
/* All cleanup actions should stay after rtnl_lock(), otherwise
* other functions may access partially cleaned up data.
*/
@@ -3685,6 +3755,11 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
mana_destroy_eq(ac);
out:
+ if (ac->per_port_queue_reset_wq) {
+ destroy_workqueue(ac->per_port_queue_reset_wq);
+ ac->per_port_queue_reset_wq = NULL;
+ }
+
mana_gd_deregister_device(gd);
if (suspending)
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index eaa27483f99b2..a59bd4035a992 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -598,6 +598,10 @@ enum {
/* Driver can self reset on FPGA Reconfig EQE notification */
#define GDMA_DRV_CAP_FLAG_1_HANDLE_RECONFIG_EQE BIT(17)
+
+/* Driver detects stalled send queues and recovers them */
+#define GDMA_DRV_CAP_FLAG_1_HANDLE_STALL_SQ_RECOVERY BIT(18)
+
#define GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE BIT(6)
/* Driver supports linearizing the skb when num_sge exceeds hardware limit */
@@ -621,7 +625,8 @@ enum {
GDMA_DRV_CAP_FLAG_1_HW_VPORT_LINK_AWARE | \
GDMA_DRV_CAP_FLAG_1_PERIODIC_STATS_QUERY | \
GDMA_DRV_CAP_FLAG_1_SKB_LINEARIZE | \
- GDMA_DRV_CAP_FLAG_1_PROBE_RECOVERY)
+ GDMA_DRV_CAP_FLAG_1_PROBE_RECOVERY | \
+ GDMA_DRV_CAP_FLAG_1_HANDLE_STALL_SQ_RECOVERY)
#define GDMA_DRV_CAP_FLAGS2 0
diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
index 9fadff78568ea..e199f1d44c8e3 100644
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -480,7 +480,7 @@ struct mana_context {
struct mana_ethtool_hc_stats hc_stats;
struct mana_eq *eqs;
struct dentry *mana_eqs_debugfs;
-
+ struct workqueue_struct *per_port_queue_reset_wq;
/* Workqueue for querying hardware stats */
struct delayed_work gf_stats_work;
bool hwc_timeout_occurred;
@@ -495,6 +495,7 @@ struct mana_context {
struct mana_port_context {
struct mana_context *ac;
struct net_device *ndev;
+ struct work_struct queue_reset_work;
u8 mac_addr[ETH_ALEN];
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 709/957] net: mana: Fix EQ leak in mana_remove on NULL port
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (707 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 708/957] net: mana: Implement ndo_tx_timeout and serialize queue resets per port Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 710/957] vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting Greg Kroah-Hartman
` (253 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit 65267c9c4f28199985505977bc2c628c82fc50ef ]
In mana_remove(), when a NULL port is encountered in the port iteration
loop, 'goto out' skips the mana_destroy_eq(ac) call, leaking the event
queues allocated earlier by mana_create_eq().
This can happen when mana_probe_port() fails for port 0, leaving
ac->ports[0] as NULL. On driver unload or error cleanup, mana_remove()
hits the NULL entry and jumps past mana_destroy_eq().
Change 'goto out' to 'break' so the for-loop exits normally and
mana_destroy_eq() is always reached. Remove the now-unreferenced out:
label.
Fixes: 1e2d0824a9c3 ("net: mana: Add support for EQ sharing")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260420124741.1056179-6-ernis@linux.microsoft.com
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 12952f7273eb6..4b7e5acba7f76 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3723,7 +3723,7 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
if (!ndev) {
if (i == 0)
dev_err(dev, "No net device to remove\n");
- goto out;
+ break;
}
apc = netdev_priv(ndev);
@@ -3754,7 +3754,7 @@ void mana_remove(struct gdma_dev *gd, bool suspending)
}
mana_destroy_eq(ac);
-out:
+
if (ac->per_port_queue_reset_wq) {
destroy_workqueue(ac->per_port_queue_reset_wq);
ac->per_port_queue_reset_wq = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 710/957] vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (708 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 709/957] net: mana: Fix EQ leak in mana_remove on NULL port Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 711/957] virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET Greg Kroah-Hartman
` (252 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Stefano Garzarella,
Bobby Eshleman, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit 1cb36e252211506f51095fe7ced8286cc77b4c80 ]
virtio_transport_init_zcopy_skb() uses iter->count as the size argument
for msg_zerocopy_realloc(), which in turn passes it to
mm_account_pinned_pages() for RLIMIT_MEMLOCK accounting. However, this
function is called after virtio_transport_fill_skb() has already consumed
the iterator via __zerocopy_sg_from_iter(), so on the last skb, iter->count
will be 0, skipping the RLIMIT_MEMLOCK enforcement.
Pass pkt_len (the total bytes being sent) as an explicit parameter to
virtio_transport_init_zcopy_skb() instead of reading the already-consumed
iter->count.
This matches TCP and UDP, which both call msg_zerocopy_realloc() with
the original message size.
Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Link: https://patch.msgid.link/20260420132051.217589-1-sgarzare@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/virtio_transport_common.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 41be06c4bd7ff..495c93cddcdc0 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -75,6 +75,7 @@ static bool virtio_transport_can_zcopy(const struct virtio_transport *t_ops,
static int virtio_transport_init_zcopy_skb(struct vsock_sock *vsk,
struct sk_buff *skb,
struct msghdr *msg,
+ size_t pkt_len,
bool zerocopy)
{
struct ubuf_info *uarg;
@@ -83,12 +84,10 @@ static int virtio_transport_init_zcopy_skb(struct vsock_sock *vsk,
uarg = msg->msg_ubuf;
net_zcopy_get(uarg);
} else {
- struct iov_iter *iter = &msg->msg_iter;
struct ubuf_info_msgzc *uarg_zc;
uarg = msg_zerocopy_realloc(sk_vsock(vsk),
- iter->count,
- NULL, false);
+ pkt_len, NULL, false);
if (!uarg)
return -1;
@@ -385,11 +384,17 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
* each iteration. If this is last skb for this buffer
* and MSG_ZEROCOPY mode is in use - we must allocate
* completion for the current syscall.
+ *
+ * Pass pkt_len because msg iter is already consumed
+ * by virtio_transport_fill_skb(), so iter->count
+ * can not be used for RLIMIT_MEMLOCK pinned-pages
+ * accounting done by msg_zerocopy_realloc().
*/
if (info->msg && info->msg->msg_flags & MSG_ZEROCOPY &&
skb_len == rest_len && info->op == VIRTIO_VSOCK_OP_RW) {
if (virtio_transport_init_zcopy_skb(vsk, skb,
info->msg,
+ pkt_len,
can_zcopy)) {
kfree_skb(skb);
ret = -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 711/957] virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (709 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 710/957] vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 712/957] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
` (251 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brett Creeley, Michael S. Tsirkin,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brett Creeley <brett.creeley@amd.com>
[ Upstream commit 3bc06da858ef17cfe94b49efc0d9713727012835 ]
When netif_is_rxfh_configured() is true (i.e., the user has explicitly
configured the RSS indirection table), virtnet_set_queues() skips the
RSS update path and falls through to the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET
command to change the number of queue pairs. However, it does not update
vi->rss_trailer.max_tx_vq to reflect the new queue_pairs value.
This causes a mismatch between vi->curr_queue_pairs and
vi->rss_trailer.max_tx_vq. Any subsequent RSS reconfiguration (e.g.,
via ethtool -X) calls virtnet_commit_rss_command(), which sends the
stale max_tx_vq to the device, silently reverting the queue count.
Reproduction:
1. User configured RSS
ethtool -X eth0 equal 8
2. VQ_PAIRS_SET path; max_tx_vq stays 16
ethtool -L eth0 combined 12
3. RSS commit uses max_tx_vq=16 instead of 12
ethtool -X eth0 equal 4
Fix this by updating vi->rss_trailer.max_tx_vq after a successful
VQ_PAIRS_SET command when RSS is enabled, keeping it in sync with
curr_queue_pairs.
Fixes: 50bfcaedd78e ("virtio_net: Update rss when set queue")
Signed-off-by: Brett Creeley <brett.creeley@amd.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20260416212121.29073-1-brett.creeley@amd.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/virtio_net.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 0cfe7ab59412c..aed65dbf3fca0 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3828,6 +3828,12 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs)
queue_pairs);
return -EINVAL;
}
+
+ /* Keep max_tx_vq in sync so that a later RSS command does not
+ * revert queue_pairs to a stale value.
+ */
+ if (vi->has_rss)
+ vi->rss_trailer.max_tx_vq = cpu_to_le16(queue_pairs);
succ:
vi->curr_queue_pairs = queue_pairs;
if (dev->flags & IFF_UP) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 712/957] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (710 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 711/957] virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 713/957] tcp: send a challenge ACK on SEG.ACK > SND.NXT Greg Kroah-Hartman
` (250 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 4078c5611d7585548b249377ebd60c272e410490 ]
There is a mismatch between the passed arguments and the actual
nfp_encode_basic_qdr() function parameter names:
static int nfp_encode_basic_qdr(u64 addr, int dest_island, int cpp_tgt,
int mode, bool addr40, int isld1,
int isld0)
{
...
But "dest_island" and "cpp_tgt" are swapped at every call-site.
For example:
return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
mode, addr40, isld1, isld0);
As a result, nfp_encode_basic_qdr() receives "dest_island" as CPP target
type, which is always NFP_CPP_TARGET_QDR(2) for these calls, and "cpp_tgt"
as the destination island ID, which can accidentally match or be outside
the valid NFP_CPP_TARGET_* types (e.g. '-1' for any destination).
Since code already worked for years, also add extra pr_warn() to error
paths in nfp_encode_basic_qdr() to help identify any potential address
verification failures.
Detected using the static analysis tool - Svace.
Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Link: https://patch.msgid.link/20260422160536.61855-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/netronome/nfp/nfpcore/nfp_target.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
index 79470f198a62a..9cf19446657c6 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_target.c
@@ -435,12 +435,17 @@ static int nfp_encode_basic_qdr(u64 addr, int dest_island, int cpp_tgt,
/* Full Island ID and channel bits overlap? */
ret = nfp_decode_basic(addr, &v, cpp_tgt, mode, addr40, isld1, isld0);
- if (ret)
+ if (ret) {
+ pr_warn("%s: decode dest_island failed: %d\n", __func__, ret);
return ret;
+ }
/* The current address won't go where expected? */
- if (dest_island != -1 && dest_island != v)
+ if (dest_island != -1 && dest_island != v) {
+ pr_warn("%s: dest_island mismatch: current (%d) != decoded (%d)\n",
+ __func__, dest_island, v);
return -EINVAL;
+ }
/* If dest_island was -1, we don't care where it goes. */
return 0;
@@ -493,7 +498,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* the address but we can verify if the existing
* contents will point to a valid island.
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
iid_lsb = addr40 ? 34 : 26;
@@ -504,7 +509,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
return 0;
case 1:
if (cpp_tgt == NFP_CPP_TARGET_QDR && !addr40)
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
idx_lsb = addr40 ? 39 : 31;
@@ -530,7 +535,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* be set before hand and with them select an island.
* So we need to confirm that it's at least plausible.
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
/* Make sure we compare against isldN values
@@ -551,7 +556,7 @@ static int nfp_encode_basic(u64 *addr, int dest_island, int cpp_tgt,
* iid<1> = addr<30> = channel<0>
* channel<1> = addr<31> = Index
*/
- return nfp_encode_basic_qdr(*addr, cpp_tgt, dest_island,
+ return nfp_encode_basic_qdr(*addr, dest_island, cpp_tgt,
mode, addr40, isld1, isld0);
isld[0] &= ~3;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 713/957] tcp: send a challenge ACK on SEG.ACK > SND.NXT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (711 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 712/957] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 714/957] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
` (249 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 42726ec644cbdde0035c3e0417fee8ed9547e120 ]
RFC 5961 Section 5.2 validates an incoming segment's ACK value
against the range [SND.UNA - MAX.SND.WND, SND.NXT] and states:
"All incoming segments whose ACK value doesn't satisfy the above
condition MUST be discarded and an ACK sent back."
Commit 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack
Mitigation") opted Linux into this mitigation and implements the
challenge ACK on the lower side (SEG.ACK < SND.UNA - MAX.SND.WND),
but the symmetric upper side (SEG.ACK > SND.NXT) still takes the
pre-RFC-5961 path and silently returns
SKB_DROP_REASON_TCP_ACK_UNSENT_DATA, even though RFC 793 Section 3.9
(now RFC 9293 Section 3.10.7.4) has always required:
"If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT)
then send an ACK, drop the segment, and return."
Complete the mitigation by sending a challenge ACK on that branch,
reusing the existing tcp_send_challenge_ack() path which already
enforces the per-socket RFC 5961 Section 7 rate limit via
__tcp_oow_rate_limited(). FLAG_NO_CHALLENGE_ACK is honoured for
symmetry with the lower-edge case.
Update the existing tcp_ts_recent_invalid_ack.pkt selftest, which
drives this exact path, to consume the new challenge ACK.
Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260422123605.320000-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 10 +++++++---
.../net/packetdrill/tcp_ts_recent_invalid_ack.pkt | 4 +++-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 5fb5f3f6393c1..b5cf32a56c04a 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4025,11 +4025,15 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
goto old_ack;
}
- /* If the ack includes data we haven't sent yet, discard
- * this segment (RFC793 Section 3.9).
+ /* If the ack includes data we haven't sent yet, drop the
+ * segment. RFC 793 Section 3.9 and RFC 5961 Section 5.2
+ * require us to send an ACK back in that case.
*/
- if (after(ack, tp->snd_nxt))
+ if (after(ack, tp->snd_nxt)) {
+ if (!(flag & FLAG_NO_CHALLENGE_ACK))
+ tcp_send_challenge_ack(sk, false);
return -SKB_DROP_REASON_TCP_ACK_UNSENT_DATA;
+ }
if (after(ack, prior_snd_una)) {
flag |= FLAG_SND_UNA_ADVANCED;
diff --git a/tools/testing/selftests/net/packetdrill/tcp_ts_recent_invalid_ack.pkt b/tools/testing/selftests/net/packetdrill/tcp_ts_recent_invalid_ack.pkt
index 174ce9a1bfc07..ee6baf7c36cfa 100644
--- a/tools/testing/selftests/net/packetdrill/tcp_ts_recent_invalid_ack.pkt
+++ b/tools/testing/selftests/net/packetdrill/tcp_ts_recent_invalid_ack.pkt
@@ -19,7 +19,9 @@
// bad packet with high tsval (its ACK sequence is above our sndnxt)
+0 < F. 1:1(0) ack 9999 win 20000 <nop,nop,TS val 200000 ecr 100>
-
+// Challenge ACK for SEG.ACK > SND.NXT (RFC 5961 5.2 / RFC 793 3.9).
+// ecr=200 (not 200000) proves ts_recent was not updated from the bad packet.
+ +0 > . 1:1(0) ack 1 <nop,nop,TS val 200 ecr 200>
+0 < . 1:1001(1000) ack 1 win 20000 <nop,nop,TS val 201 ecr 100>
+0 > . 1:1(0) ack 1001 <nop,nop,TS val 200 ecr 201>
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 714/957] tipc: fix double-free in tipc_buf_append()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (712 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 713/957] tcp: send a challenge ACK on SEG.ACK > SND.NXT Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 715/957] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
` (248 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tung Nguyen, Lee Jones,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
[ Upstream commit d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a ]
tipc_msg_validate() can potentially reallocate the skb it is validating,
freeing the old one. In tipc_buf_append(), it was being called with a
pointer to a local variable which was a copy of the caller's skb
pointer.
If the skb was reallocated and validation subsequently failed, the error
handling path would free the original skb pointer, which had already
been freed, leading to double-free.
Fix this by checking if head now points to a newly allocated reassembled
skb. If it does, reassign *headbuf for later freeing operations.
Fixes: d618d09a68e4 ("tipc: enforce valid ratio between skb truesize and contents")
Suggested-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/msg.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 76284fc538ebd..b0bba0feef564 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -177,8 +177,20 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
if (fragid == LAST_FRAGMENT) {
TIPC_SKB_CB(head)->validated = 0;
- if (unlikely(!tipc_msg_validate(&head)))
+
+ /* If the reassembled skb has been freed in
+ * tipc_msg_validate() because of an invalid truesize,
+ * then head will point to a newly allocated reassembled
+ * skb, while *headbuf points to freed reassembled skb.
+ * In such cases, correct *headbuf for freeing the newly
+ * allocated reassembled skb later.
+ */
+ if (unlikely(!tipc_msg_validate(&head))) {
+ if (head != *headbuf)
+ *headbuf = head;
goto err;
+ }
+
*buf = head;
TIPC_SKB_CB(head)->tail = NULL;
*headbuf = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 715/957] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (713 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 714/957] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 716/957] nstree: fix func. parameter kernel-doc warnings Greg Kroah-Hartman
` (247 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6985cb8e543ea90ba8ee,
Kohei Enju, Michael S. Tsirkin, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <kohei@enjuk.jp>
[ Upstream commit e08a9fac5cf8c3fecf4755e7e3ac059f78b8f83d ]
syzbot reported "sleeping function called from invalid context" in
vhost_net_busy_poll().
Commit 030881372460 ("vhost_net: basic polling support") introduced a
busy-poll loop and preempt_{disable,enable}() around it, where each
iteration calls a sleepable function inside the loop.
The purpose of disabling preemption was to keep local_clock()-based
timeout accounting on a single CPU, rather than as a requirement of
busy-poll itself:
https://lore.kernel.org/1448435489-5949-4-git-send-email-jasowang@redhat.com
>From this perspective, migrate_disable() is sufficient here, so replace
preempt_disable() with migrate_disable(), avoiding sleepable accesses
from a preempt-disabled context.
Fixes: 030881372460 ("vhost_net: basic polling support")
Tested-by: syzbot+6985cb8e543ea90ba8ee@syzkaller.appspotmail.com
Reported-by: syzbot+6985cb8e543ea90ba8ee@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e6a414.050a0220.24bfd3.002d.GAE@google.com/T/
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 1e77c0482b849..e11b46a1c9374 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -562,7 +562,7 @@ static void vhost_net_busy_poll(struct vhost_net *net,
busyloop_timeout = poll_rx ? rvq->busyloop_timeout:
tvq->busyloop_timeout;
- preempt_disable();
+ migrate_disable();
endtime = busy_clock() + busyloop_timeout;
while (vhost_can_busy_poll(endtime)) {
@@ -579,7 +579,7 @@ static void vhost_net_busy_poll(struct vhost_net *net,
cpu_relax();
}
- preempt_enable();
+ migrate_enable();
if (poll_rx || sock_has_rx_data(sock))
vhost_net_busy_poll_try_queue(net, vq);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 716/957] nstree: fix func. parameter kernel-doc warnings
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (714 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 715/957] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
@ 2026-05-20 16:19 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 717/957] eventpoll: use hlist_is_singular_node() in __ep_remove() Greg Kroah-Hartman
` (246 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Christian Brauner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 43eb354ecb471426e97b0ce6a0c922ec20f82027 ]
Use the correct parameter name ("__ns") for function parameter kernel-doc
to avoid 3 warnings:
Warning: include/linux/nstree.h:68 function parameter '__ns' not described in 'ns_tree_add_raw'
Warning: include/linux/nstree.h:77 function parameter '__ns' not described in 'ns_tree_add'
Warning: include/linux/nstree.h:88 function parameter '__ns' not described in 'ns_tree_remove'
Fixes: 885fc8ac0a4d ("nstree: make iterator generic")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260416215429.948898-1-rdunlap@infradead.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/nstree.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/linux/nstree.h b/include/linux/nstree.h
index 8b86366904739..4e2af7a973684 100644
--- a/include/linux/nstree.h
+++ b/include/linux/nstree.h
@@ -45,7 +45,7 @@ static inline void __ns_tree_add(struct ns_common *ns, struct ns_tree *ns_tree)
/**
* ns_tree_add_raw - Add a namespace to a namespace
- * @ns: Namespace to add
+ * @__ns: Namespace to add
*
* This function adds a namespace to the appropriate namespace tree
* without assigning a id.
@@ -54,7 +54,7 @@ static inline void __ns_tree_add(struct ns_common *ns, struct ns_tree *ns_tree)
/**
* ns_tree_add - Add a namespace to a namespace tree
- * @ns: Namespace to add
+ * @__ns: Namespace to add
*
* This function assigns a new id to the namespace and adds it to the
* appropriate namespace tree and list.
@@ -63,7 +63,7 @@ static inline void __ns_tree_add(struct ns_common *ns, struct ns_tree *ns_tree)
/**
* ns_tree_remove - Remove a namespace from a namespace tree
- * @ns: Namespace to remove
+ * @__ns: Namespace to remove
*
* This function removes a namespace from the appropriate namespace
* tree and list.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 717/957] eventpoll: use hlist_is_singular_node() in __ep_remove()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (715 preceding siblings ...)
2026-05-20 16:19 ` [PATCH 6.18 716/957] nstree: fix func. parameter kernel-doc warnings Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 718/957] eventpoll: split __ep_remove() Greg Kroah-Hartman
` (245 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 3d9fd0abc94d8cd430cc7cd7d37ce5e5aae2cd2b ]
Replace the open-coded "epi is the only entry in file->f_ep" check
with hlist_is_singular_node(). Same semantics, and the helper avoids
the head-cacheline access in the common false case.
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-1-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Stable-dep-of: a6dc643c6931 ("eventpoll: fix ep_remove struct eventpoll / struct file UAF")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index a8e30414d996c..23602de08fed2 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -856,7 +856,7 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
to_free = NULL;
head = file->f_ep;
- if (head->first == &epi->fllink && !epi->fllink.next) {
+ if (hlist_is_singular_node(&epi->fllink, head)) {
/* See eventpoll_release() for details. */
WRITE_ONCE(file->f_ep, NULL);
if (!is_file_epoll(file)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 718/957] eventpoll: split __ep_remove()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (716 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 717/957] eventpoll: use hlist_is_singular_node() in __ep_remove() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 719/957] eventpoll: kill __ep_remove() Greg Kroah-Hartman
` (244 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Torvalds,
Christian Brauner (Amutable), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 0f7bdfd413000985de09fc39eb9efa1e091a3ce0 ]
Split __ep_remove() to delineate file removal from epoll item removal.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-2-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Stable-dep-of: a6dc643c6931 ("eventpoll: fix ep_remove struct eventpoll / struct file UAF")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 23602de08fed2..36f3545a71bfa 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -826,6 +826,9 @@ static void ep_free(struct eventpoll *ep)
kfree_rcu(ep, rcu);
}
+static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file);
+static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi);
+
/*
* Removes a "struct epitem" from the eventpoll RB tree and deallocates
* all the associated resources. Must be called with "mtx" held.
@@ -837,8 +840,6 @@ static void ep_free(struct eventpoll *ep)
static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
{
struct file *file = epi->ffd.file;
- struct epitems_head *to_free;
- struct hlist_head *head;
lockdep_assert_irqs_enabled();
@@ -854,8 +855,21 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
return false;
}
- to_free = NULL;
- head = file->f_ep;
+ __ep_remove_file(ep, epi, file);
+ return __ep_remove_epi(ep, epi);
+}
+
+/*
+ * Called with &file->f_lock held,
+ * returns with it released
+ */
+static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file)
+{
+ struct epitems_head *to_free = NULL;
+ struct hlist_head *head = file->f_ep;
+
+ lockdep_assert_held(&ep->mtx);
+
if (hlist_is_singular_node(&epi->fllink, head)) {
/* See eventpoll_release() for details. */
WRITE_ONCE(file->f_ep, NULL);
@@ -869,6 +883,11 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
hlist_del_rcu(&epi->fllink);
spin_unlock(&file->f_lock);
free_ephead(to_free);
+}
+
+static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
+{
+ lockdep_assert_held(&ep->mtx);
rb_erase_cached(&epi->rbn, &ep->rbr);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 719/957] eventpoll: kill __ep_remove()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (717 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 718/957] eventpoll: split __ep_remove() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 720/957] eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}() Greg Kroah-Hartman
` (243 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit e9e5cd40d7c403e19f21d0f7b8b8ba3a76b58330 ]
Remove the boolean conditional in __ep_remove() and restructure the code
so the check for racing with eventpoll_release_file() are only done in
the ep_remove_safe() path where they belong.
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-3-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Stable-dep-of: a6dc643c6931 ("eventpoll: fix ep_remove struct eventpoll / struct file UAF")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 67 ++++++++++++++++++++++----------------------------
1 file changed, 30 insertions(+), 37 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 36f3545a71bfa..5d982c2503d68 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -826,49 +826,18 @@ static void ep_free(struct eventpoll *ep)
kfree_rcu(ep, rcu);
}
-static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file);
-static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi);
-
-/*
- * Removes a "struct epitem" from the eventpoll RB tree and deallocates
- * all the associated resources. Must be called with "mtx" held.
- * If the dying flag is set, do the removal only if force is true.
- * This prevents ep_clear_and_put() from dropping all the ep references
- * while running concurrently with eventpoll_release_file().
- * Returns true if the eventpoll can be disposed.
- */
-static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force)
-{
- struct file *file = epi->ffd.file;
-
- lockdep_assert_irqs_enabled();
-
- /*
- * Removes poll wait queue hooks.
- */
- ep_unregister_pollwait(ep, epi);
-
- /* Remove the current item from the list of epoll hooks */
- spin_lock(&file->f_lock);
- if (epi->dying && !force) {
- spin_unlock(&file->f_lock);
- return false;
- }
-
- __ep_remove_file(ep, epi, file);
- return __ep_remove_epi(ep, epi);
-}
-
/*
* Called with &file->f_lock held,
* returns with it released
*/
-static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi, struct file *file)
+static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi,
+ struct file *file)
{
struct epitems_head *to_free = NULL;
struct hlist_head *head = file->f_ep;
lockdep_assert_held(&ep->mtx);
+ lockdep_assert_held(&file->f_lock);
if (hlist_is_singular_node(&epi->fllink, head)) {
/* See eventpoll_release() for details. */
@@ -915,7 +884,25 @@ static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
*/
static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
{
- if (__ep_remove(ep, epi, false))
+ struct file *file = epi->ffd.file;
+
+ lockdep_assert_irqs_enabled();
+ lockdep_assert_held(&ep->mtx);
+
+ ep_unregister_pollwait(ep, epi);
+
+ /* sync with eventpoll_release_file() */
+ if (unlikely(READ_ONCE(epi->dying)))
+ return;
+
+ spin_lock(&file->f_lock);
+ if (epi->dying) {
+ spin_unlock(&file->f_lock);
+ return;
+ }
+ __ep_remove_file(ep, epi, file);
+
+ if (__ep_remove_epi(ep, epi))
WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
}
@@ -1147,7 +1134,7 @@ void eventpoll_release_file(struct file *file)
spin_lock(&file->f_lock);
if (file->f_ep && file->f_ep->first) {
epi = hlist_entry(file->f_ep->first, struct epitem, fllink);
- epi->dying = true;
+ WRITE_ONCE(epi->dying, true);
spin_unlock(&file->f_lock);
/*
@@ -1156,7 +1143,13 @@ void eventpoll_release_file(struct file *file)
*/
ep = epi->ep;
mutex_lock(&ep->mtx);
- dispose = __ep_remove(ep, epi, true);
+
+ ep_unregister_pollwait(ep, epi);
+
+ spin_lock(&file->f_lock);
+ __ep_remove_file(ep, epi, file);
+ dispose = __ep_remove_epi(ep, epi);
+
mutex_unlock(&ep->mtx);
if (dispose && ep_refcount_dec_and_test(ep))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 720/957] eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (718 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 719/957] eventpoll: kill __ep_remove() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 721/957] eventpoll: move epi_fget() up Greg Kroah-Hartman
` (242 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 0feaf644f7180c4a91b6b405a881afbfd958f1cf ]
With __ep_remove() gone, the double-underscore on __ep_remove_file()
and __ep_remove_epi() no longer contrasts with a __-less parent and
just reads as noise. Rename both to ep_remove_file() and
ep_remove_epi(). No functional change.
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Stable-dep-of: a6dc643c6931 ("eventpoll: fix ep_remove struct eventpoll / struct file UAF")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 5d982c2503d68..68607634a60df 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -830,7 +830,7 @@ static void ep_free(struct eventpoll *ep)
* Called with &file->f_lock held,
* returns with it released
*/
-static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi,
+static void ep_remove_file(struct eventpoll *ep, struct epitem *epi,
struct file *file)
{
struct epitems_head *to_free = NULL;
@@ -854,7 +854,7 @@ static void __ep_remove_file(struct eventpoll *ep, struct epitem *epi,
free_ephead(to_free);
}
-static bool __ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
+static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
{
lockdep_assert_held(&ep->mtx);
@@ -900,9 +900,9 @@ static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
spin_unlock(&file->f_lock);
return;
}
- __ep_remove_file(ep, epi, file);
+ ep_remove_file(ep, epi, file);
- if (__ep_remove_epi(ep, epi))
+ if (ep_remove_epi(ep, epi))
WARN_ON_ONCE(ep_refcount_dec_and_test(ep));
}
@@ -1147,8 +1147,8 @@ void eventpoll_release_file(struct file *file)
ep_unregister_pollwait(ep, epi);
spin_lock(&file->f_lock);
- __ep_remove_file(ep, epi, file);
- dispose = __ep_remove_epi(ep, epi);
+ ep_remove_file(ep, epi, file);
+ dispose = ep_remove_epi(ep, epi);
mutex_unlock(&ep->mtx);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 721/957] eventpoll: move epi_fget() up
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (719 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 720/957] eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 722/957] eventpoll: fix ep_remove struct eventpoll / struct file UAF Greg Kroah-Hartman
` (241 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 86e87059e6d1fd5115a31949726450ed03c1073b ]
We'll need it when removing files so move it up. No functional change.
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-5-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Stable-dep-of: a6dc643c6931 ("eventpoll: fix ep_remove struct eventpoll / struct file UAF")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 56 +++++++++++++++++++++++++-------------------------
1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 68607634a60df..df6994943e59f 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -826,6 +826,34 @@ static void ep_free(struct eventpoll *ep)
kfree_rcu(ep, rcu);
}
+/*
+ * The ffd.file pointer may be in the process of being torn down due to
+ * being closed, but we may not have finished eventpoll_release() yet.
+ *
+ * Normally, even with the atomic_long_inc_not_zero, the file may have
+ * been free'd and then gotten re-allocated to something else (since
+ * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
+ *
+ * But for epoll, users hold the ep->mtx mutex, and as such any file in
+ * the process of being free'd will block in eventpoll_release_file()
+ * and thus the underlying file allocation will not be free'd, and the
+ * file re-use cannot happen.
+ *
+ * For the same reason we can avoid a rcu_read_lock() around the
+ * operation - 'ffd.file' cannot go away even if the refcount has
+ * reached zero (but we must still not call out to ->poll() functions
+ * etc).
+ */
+static struct file *epi_fget(const struct epitem *epi)
+{
+ struct file *file;
+
+ file = epi->ffd.file;
+ if (!file_ref_get(&file->f_ref))
+ file = NULL;
+ return file;
+}
+
/*
* Called with &file->f_lock held,
* returns with it released
@@ -1018,34 +1046,6 @@ static __poll_t __ep_eventpoll_poll(struct file *file, poll_table *wait, int dep
return res;
}
-/*
- * The ffd.file pointer may be in the process of being torn down due to
- * being closed, but we may not have finished eventpoll_release() yet.
- *
- * Normally, even with the atomic_long_inc_not_zero, the file may have
- * been free'd and then gotten re-allocated to something else (since
- * files are not RCU-delayed, they are SLAB_TYPESAFE_BY_RCU).
- *
- * But for epoll, users hold the ep->mtx mutex, and as such any file in
- * the process of being free'd will block in eventpoll_release_file()
- * and thus the underlying file allocation will not be free'd, and the
- * file re-use cannot happen.
- *
- * For the same reason we can avoid a rcu_read_lock() around the
- * operation - 'ffd.file' cannot go away even if the refcount has
- * reached zero (but we must still not call out to ->poll() functions
- * etc).
- */
-static struct file *epi_fget(const struct epitem *epi)
-{
- struct file *file;
-
- file = epi->ffd.file;
- if (!file_ref_get(&file->f_ref))
- file = NULL;
- return file;
-}
-
/*
* Differs from ep_eventpoll_poll() in that internal callers already have
* the ep->mtx so we need to start from depth=1, such that mutex_lock_nested()
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 722/957] eventpoll: fix ep_remove struct eventpoll / struct file UAF
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (720 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 721/957] eventpoll: move epi_fget() up Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 723/957] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
` (240 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaeyoung Chung,
Christian Brauner (Amutable), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit a6dc643c69311677c574a0f17a3f4d66a5f3744b ]
ep_remove() (via ep_remove_file()) cleared file->f_ep under
file->f_lock but then kept using @file inside the critical section
(is_file_epoll(), hlist_del_rcu() through the head, spin_unlock).
A concurrent __fput() taking the eventpoll_release() fastpath in
that window observed the transient NULL, skipped
eventpoll_release_file() and ran to f_op->release / file_free().
For the epoll-watches-epoll case, f_op->release is
ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which
kfree()s the watched struct eventpoll. Its embedded ->refs
hlist_head is exactly where epi->fllink.pprev points, so the
subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed
kmalloc-192 memory.
In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot
backing @file could be recycled by alloc_empty_file() --
reinitializing f_lock and f_ep -- while ep_remove() is still
nominally inside that lock. The upshot is an attacker-controllable
kmem_cache_free() against the wrong slab cache.
Pin @file via epi_fget() at the top of ep_remove() and gate the
critical section on the pin succeeding. With the pin held @file
cannot reach refcount zero, which holds __fput() off and
transitively keeps the watched struct eventpoll alive across the
hlist_del_rcu() and the f_lock use, closing both UAFs.
If the pin fails @file has already reached refcount zero and its
__fput() is in flight. Because we bailed before clearing f_ep,
that path takes the eventpoll_release() slow path into
eventpoll_release_file() and blocks on ep->mtx until the waiter
side's ep_clear_and_put() drops it. The bailed epi's share of
ep->refcount stays intact, so the trailing ep_refcount_dec_and_test()
in ep_clear_and_put() cannot free the eventpoll out from under
eventpoll_release_file(); the orphaned epi is then cleaned up
there.
A successful pin also proves we are not racing
eventpoll_release_file() on this epi, so drop the now-redundant
re-check of epi->dying under f_lock. The cheap lockless
READ_ONCE(epi->dying) fast-path bailout stays.
Fixes: 58c9b016e128 ("epoll: use refcount to reduce ep_mutex contention")
Reported-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Link: https://patch.msgid.link/20260423-work-epoll-uaf-v1-6-2470f9eec0f5@kernel.org
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/eventpoll.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index df6994943e59f..e9e6938f7184a 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -912,22 +912,26 @@ static bool ep_remove_epi(struct eventpoll *ep, struct epitem *epi)
*/
static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi)
{
- struct file *file = epi->ffd.file;
+ struct file *file __free(fput) = NULL;
lockdep_assert_irqs_enabled();
lockdep_assert_held(&ep->mtx);
ep_unregister_pollwait(ep, epi);
- /* sync with eventpoll_release_file() */
+ /* cheap sync with eventpoll_release_file() */
if (unlikely(READ_ONCE(epi->dying)))
return;
- spin_lock(&file->f_lock);
- if (epi->dying) {
- spin_unlock(&file->f_lock);
+ /*
+ * If we manage to grab a reference it means we're not in
+ * eventpoll_release_file() and aren't going to be.
+ */
+ file = epi_fget(epi);
+ if (!file)
return;
- }
+
+ spin_lock(&file->f_lock);
ep_remove_file(ep, epi, file);
if (ep_remove_epi(ep, epi))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 723/957] fs/adfs: validate nzones in adfs_validate_bblk()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (721 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 722/957] eventpoll: fix ep_remove struct eventpoll / struct file UAF Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 724/957] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
` (239 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bae Yeonju, Russell King (Oracle),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bae Yeonju <iwasbaeyz@gmail.com>
[ Upstream commit dd9d3e16c2d5fa166e13dce07413be51f42c8f5d ]
Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.
When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.
adfs_validate_dr0() already rejects nzones != 1 for old-format
images. Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.
Found by syzkaller.
Fixes: f6f14a0d71b0 ("fs/adfs: map: move map-specific sb initialisation to map.c")
Signed-off-by: Bae Yeonju <iwasbaeyz@gmail.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/adfs/super.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index fdccdbbfc2130..4f5279cd456fe 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -317,6 +317,9 @@ static int adfs_validate_bblk(struct super_block *sb, struct buffer_head *bh,
if (adfs_checkdiscrecord(dr))
return -EILSEQ;
+ if ((dr->nzones | dr->nzones_high << 8) == 0)
+ return -EILSEQ;
+
*drp = dr;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 724/957] rtc: abx80x: Disable alarm feature if no interrupt attached
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (722 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 723/957] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 725/957] kbuild: builddeb - avoid recompiles for non-cross-compiles Greg Kroah-Hartman
` (238 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthony Pighin, Alexandre Belloni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Pighin (Nokia) <anthony.pighin@nokia.com>
[ Upstream commit 0fedce7244e4b85c049ce579c87e298a1b0b811d ]
Commit 795cda8338ea ("rtc: interface: Fix long-standing race when setting
alarm") exposed an issue where the rtc-abx80x driver does not clear the
alarm feature bit, but instead relies on the set_alarm operation to return
invalid.
For example, when a RTC_UIE_ON ioctl is handled, it should abort at the
feature validation. Instead, it proceeds to the rtc_timer_enqueue(),
which used to return an error from the set_alarm call. However,
following the race condition handling, which likely should not be
discarding predecing errors, a success condition is returned to the
ioctl() caller. This results in (for example):
hwclock: select() to /dev/rtc0 to wait for clock tick timed out
Notwithstanding the validity of the race condition handling, if an interrupt
wasn't specified, or could not be attached, the driver should clear the
alarm feature bit.
Fixes: 718a820a303c ("rtc: abx80x: add alarm support")
Signed-off-by: Anthony Pighin <anthony.pighin@nokia.com>
Link: https://patch.msgid.link/BN0PR08MB69510928028C933749F4139383D1A@BN0PR08MB6951.namprd08.prod.outlook.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-abx80x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/rtc/rtc-abx80x.c b/drivers/rtc/rtc-abx80x.c
index 3fee27914ba80..5f3a3e60a19d0 100644
--- a/drivers/rtc/rtc-abx80x.c
+++ b/drivers/rtc/rtc-abx80x.c
@@ -933,6 +933,8 @@ static int abx80x_probe(struct i2c_client *client)
client->irq = 0;
}
}
+ if (client->irq <= 0)
+ clear_bit(RTC_FEATURE_ALARM, priv->rtc->features);
err = rtc_add_group(priv->rtc, &rtc_calib_attr_group);
if (err) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 725/957] kbuild: builddeb - avoid recompiles for non-cross-compiles
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (723 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 724/957] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 726/957] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
` (237 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathias Krause, Masahiro Yamada,
Nathan Chancellor, Nicolas Schier, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@grsecurity.net>
[ Upstream commit 2452dcf4d740effff5aa71b7f6529ee8c04fd8f6 ]
Commit e2c318225ac1 ("kbuild: deb-pkg: add
pkg.linux-upstream.nokernelheaders build profile") changed how
install-extmod-build gets called, making it always rebuild the host
programs below scripts/ if HOSTCC wasn't specified with its full triplet
on the make command line. That is, apparently, needed to fix up commit
f1d87664b82a ("kbuild: cross-compile linux-headers package when
possible") for cross-compiles. However, in the much more common case of
non-cross-compile builds this will lead to unnecessary rebuilding of
host tools including gcc plugins. This, in turn, will lead to a full
kernel rebuild on the next 'make bindeb-pkg' which is unfortunate.
Avoid that by only triggering the rebuild of host tools for actual
cross-compile builds.
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Fixes: e2c318225ac1 ("kbuild: deb-pkg: add pkg.linux-upstream.nokernelheaders build profile")
Cc: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20260402145116.1010901-1-minipli@grsecurity.net
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/package/builddeb | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 3627ca227e5a5..ba1defc616524 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -139,7 +139,13 @@ install_kernel_headers () {
pdir=debian/$1
version=${1#linux-headers-}
- CC="${DEB_HOST_GNU_TYPE}-gcc" "${srctree}/scripts/package/install-extmod-build" "${pdir}/usr/src/linux-headers-${version}"
+ # Override $CC only for cross-compiles, to not unnecessarily rebuild
+ # scripts/ including plugins, which may lead to a full kernel rebuild.
+ if [ -n "${CROSS_COMPILE}" ]; then
+ CC="${DEB_HOST_GNU_TYPE}-gcc" "${srctree}/scripts/package/install-extmod-build" "${pdir}/usr/src/linux-headers-${version}"
+ else
+ "${srctree}/scripts/package/install-extmod-build" "${pdir}/usr/src/linux-headers-${version}"
+ fi
mkdir -p $pdir/lib/modules/$version/
ln -s /usr/src/linux-headers-$version $pdir/lib/modules/$version/build
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 726/957] fbdev: offb: fix PCI device reference leak on probe failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (724 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 725/957] kbuild: builddeb - avoid recompiles for non-cross-compiles Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 727/957] tools/power turbostat.8: Document the "--force" option Greg Kroah-Hartman
` (236 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Ijae Kim, Taegyu Kim,
Yuho Choi, Helge Deller, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
[ Upstream commit 869b93ba04088713596e68453c1146f52f713290 ]
offb_init_nodriver() gets a referenced PCI device with pci_get_device().
If pci_enable_device() fails, the function returns without dropping that
reference.
Release the PCI device reference before returning from the
pci_enable_device() failure path.
Fixes: 5bda8f7b5468 ("video: fbdev: offb: Call pci_enable_device() before using the PCI VGA device")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/offb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
index f85428e13996b..166b2dff36f59 100644
--- a/drivers/video/fbdev/offb.c
+++ b/drivers/video/fbdev/offb.c
@@ -640,8 +640,13 @@ static void offb_init_nodriver(struct platform_device *parent, struct device_nod
vid = be32_to_cpup(vidp);
did = be32_to_cpup(didp);
pdev = pci_get_device(vid, did, NULL);
- if (!pdev || pci_enable_device(pdev))
+ if (!pdev)
return;
+
+ if (pci_enable_device(pdev)) {
+ pci_dev_put(pdev);
+ return;
+ }
}
#endif
/* kludge for valkyrie */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 727/957] tools/power turbostat.8: Document the "--force" option
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (725 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 726/957] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 728/957] tools/power turbostat: Use strtoul() for iteration parsing Greg Kroah-Hartman
` (235 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Len Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Len Brown <len.brown@intel.com>
[ Upstream commit 785953cf6e63aa5a9fcdfa9577b1411e0281c4bc ]
Starting in turbostat v2025.01.14, turbostat refused to run
on unsupported hardware, pointing to "RUN THE LATEST VERSION"
on turbostat(8).
At that time, turbostat supported and advertised the "--force"
parameter to run anyway (with unsupported results).
Also document "--force" on turbostat.8.
Signed-off-by: Len Brown <len.brown@intel.com>
Stable-dep-of: ce012c966b51 ("tools/power turbostat: Fix unrecognized option '-P'")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/x86/turbostat/turbostat.8 | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8
index 3340def58d015..6c9428f98cd2b 100644
--- a/tools/power/x86/turbostat/turbostat.8
+++ b/tools/power/x86/turbostat/turbostat.8
@@ -111,6 +111,8 @@ The column name "all" can be used to enable all disabled-by-default built-in cou
.PP
\fB--no-perf\fP Disable all the uses of the perf API.
.PP
+\fB--force\fPForce turbostat to run on an unsupported platform (minimal defaults).
+.PP
\fB--interval seconds\fP overrides the default 5.0 second measurement interval.
.PP
\fB--num_iterations num\fP number of the measurement iterations.
@@ -161,9 +163,9 @@ The system configuration dump (if --quiet is not used) is followed by statistics
.PP
\fBC1, C2, C3...\fP The number times Linux requested the C1, C2, C3 idle state during the measurement interval. The system summary line shows the sum for all CPUs. These are C-state names as exported in /sys/devices/system/cpu/cpu*/cpuidle/state*/name. While their names are generic, their attributes are processor specific. They the system description section of output shows what MWAIT sub-states they are mapped to on each system. These counters are in the "cpuidle" group, which is disabled, by default.
.PP
-\fBC1+, C2+, C3+...\fP The idle governor idle state misprediction statistics. Inidcates the number times Linux requested the C1, C2, C3 idle state during the measurement interval, but should have requested a deeper idle state (if it exists and enabled). These statistics come from the /sys/devices/system/cpu/cpu*/cpuidle/state*/below file. These counters are in the "cpuidle" group, which is disabled, by default.
+\fBC1+, C2+, C3+...\fP The idle governor idle state misprediction statistics. Indicates the number times Linux requested the C1, C2, C3 idle state during the measurement interval, but should have requested a deeper idle state (if it exists and enabled). These statistics come from the /sys/devices/system/cpu/cpu*/cpuidle/state*/below file. These counters are in the "cpuidle" group, which is disabled, by default.
.PP
-\fBC1-, C2-, C3-...\fP The idle governor idle state misprediction statistics. Inidcates the number times Linux requested the C1, C2, C3 idle state during the measurement interval, but should have requested a shallower idle state (if it exists and enabled). These statistics come from the /sys/devices/system/cpu/cpu*/cpuidle/state*/above file. These counters are in the "cpuidle" group, which is disabled, by default.
+\fBC1-, C2-, C3-...\fP The idle governor idle state misprediction statistics. Indicates the number times Linux requested the C1, C2, C3 idle state during the measurement interval, but should have requested a shallower idle state (if it exists and enabled). These statistics come from the /sys/devices/system/cpu/cpu*/cpuidle/state*/above file. These counters are in the "cpuidle" group, which is disabled, by default.
.PP
\fBC1%, C2%, C3%\fP The residency percentage that Linux requested C1, C2, C3.... The system summary is the average of all CPUs in the system. Note that these are software, reflecting what was requested. The hardware counters reflect what was actually achieved. These counters are in the "pct_idle" group, which is enabled by default.
.PP
@@ -193,7 +195,7 @@ The system configuration dump (if --quiet is not used) is followed by statistics
.PP
\fBGFX%C0\fP Percentage of time that at least one GFX compute engine is busy.
.PP
-\fBCPUGFX%\fP Percentage of time that at least one CPU is busy at the same time as at least one Graphics compute enginer is busy.
+\fBCPUGFX%\fP Percentage of time that at least one CPU is busy at the same time as at least one Graphics compute engine is busy.
.PP
\fBPkg%pc2, Pkg%pc3, Pkg%pc6, Pkg%pc7\fP percentage residency in hardware package idle states. These numbers are from hardware residency counters.
.PP
@@ -556,6 +558,8 @@ If the upstream version isn't new enough, the development tree can be found here
If the development tree doesn't work, please contact the author via chat,
or via email with the word "turbostat" on the Subject line.
+An old turbostat binary may run on unknown hardware by using "--force",
+but results are unsupported.
.SH FILES
.ta
.nf
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 728/957] tools/power turbostat: Use strtoul() for iteration parsing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (726 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 727/957] tools/power turbostat.8: Document the "--force" option Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 729/957] tools/power turbostat: Fix and document --header_iterations Greg Kroah-Hartman
` (234 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaushlendra Kumar, Len Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
[ Upstream commit 8e5c0cc326f2e95a71bb6e6063e65caa60c8f951 ]
Replace strtod() with strtoul() and check errno for -n/-N options, since
num_iterations and header_iterations are unsigned long counters. Reject
zero and conversion errors; negative inputs wrap to large positive values
per standard unsigned semantics.
Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Stable-dep-of: ce012c966b51 ("tools/power turbostat: Fix unrecognized option '-P'")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/x86/turbostat/turbostat.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
index 48677f1846347..29441e3c711d9 100644
--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -11133,18 +11133,20 @@ void cmdline(int argc, char **argv)
/* Parsed earlier */
break;
case 'n':
- num_iterations = strtod(optarg, NULL);
+ num_iterations = strtoul(optarg, NULL, 0);
+ errno = 0;
- if (num_iterations <= 0) {
- fprintf(outf, "iterations %d should be positive number\n", num_iterations);
+ if (errno || num_iterations == 0) {
+ fprintf(outf, "invalid iteration count: %s\n", optarg);
exit(2);
}
break;
case 'N':
- header_iterations = strtod(optarg, NULL);
+ header_iterations = strtoul(optarg, NULL, 0);
+ errno = 0;
- if (header_iterations <= 0) {
- fprintf(outf, "iterations %d should be positive number\n", header_iterations);
+ if (errno || header_iterations == 0) {
+ fprintf(outf, "invalid header iteration count: %s\n", optarg);
exit(2);
}
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 729/957] tools/power turbostat: Fix and document --header_iterations
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (727 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 728/957] tools/power turbostat: Use strtoul() for iteration parsing Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 730/957] tools/power turbostat: Fix unrecognized option -P Greg Kroah-Hartman
` (233 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Len Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Len Brown <len.brown@intel.com>
[ Upstream commit 96718ad296af4a6d984b3a09276b165ab6a3b0c8 ]
The "header_iterations" option is commonly used to de-clutter
the screen of redundant header label rows in an interactive session:
Eg. every 10 rows:
$ sudo turbostat --header_iterations 10 -S -q -i 1
But --header_iterations was missing from turbostat.8
Also turbostat help advertised the "-N" short option
that did not actually work:
$ turbostat --help
-N, --header_iterations num
print header every num iterations
Repair "-N"
Document "--header_iterations" on turbostat.8
Signed-off-by: Len Brown <len.brown@intel.com>
Stable-dep-of: ce012c966b51 ("tools/power turbostat: Fix unrecognized option '-P'")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/x86/turbostat/turbostat.8 | 4 +++-
tools/power/x86/turbostat/turbostat.c | 20 +++++++++-----------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8
index 6c9428f98cd2b..3e0487cd6451e 100644
--- a/tools/power/x86/turbostat/turbostat.8
+++ b/tools/power/x86/turbostat/turbostat.8
@@ -111,12 +111,14 @@ The column name "all" can be used to enable all disabled-by-default built-in cou
.PP
\fB--no-perf\fP Disable all the uses of the perf API.
.PP
-\fB--force\fPForce turbostat to run on an unsupported platform (minimal defaults).
+\fB--force\fP Force turbostat to run on an unsupported platform (minimal defaults).
.PP
\fB--interval seconds\fP overrides the default 5.0 second measurement interval.
.PP
\fB--num_iterations num\fP number of the measurement iterations.
.PP
+\fB--header_iterations num\fP print header every num iterations.
+.PP
\fB--out output_file\fP turbostat output is written to the specified output_file.
The file is truncated if it already exists, and it is created if it does not exist.
.PP
diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
index 29441e3c711d9..ec4b7ff8810b1 100644
--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -11040,7 +11040,7 @@ void cmdline(int argc, char **argv)
* Parse some options early, because they may make other options invalid,
* like adding the MSR counter with --add and at the same time using --no-msr.
*/
- while ((opt = getopt_long_only(argc, argv, "+MPn:", long_options, &option_index)) != -1) {
+ while ((opt = getopt_long_only(argc, argv, "+:MP", long_options, &option_index)) != -1) {
switch (opt) {
case 'M':
no_msr = 1;
@@ -11054,7 +11054,7 @@ void cmdline(int argc, char **argv)
}
optind = 0;
- while ((opt = getopt_long_only(argc, argv, "+C:c:Dde:hi:Jn:o:qMST:v", long_options, &option_index)) != -1) {
+ while ((opt = getopt_long_only(argc, argv, "+C:c:Dde:hi:Jn:N:o:qMST:v", long_options, &option_index)) != -1) {
switch (opt) {
case 'a':
parse_add_command(optarg);
@@ -11097,7 +11097,6 @@ void cmdline(int argc, char **argv)
}
break;
case 'h':
- default:
help();
exit(1);
case 'i':
@@ -11136,19 +11135,15 @@ void cmdline(int argc, char **argv)
num_iterations = strtoul(optarg, NULL, 0);
errno = 0;
- if (errno || num_iterations == 0) {
- fprintf(outf, "invalid iteration count: %s\n", optarg);
- exit(2);
- }
+ if (errno || num_iterations == 0)
+ errx(-1, "invalid iteration count: %s", optarg);
break;
case 'N':
header_iterations = strtoul(optarg, NULL, 0);
errno = 0;
- if (errno || header_iterations == 0) {
- fprintf(outf, "invalid header iteration count: %s\n", optarg);
- exit(2);
- }
+ if (errno || header_iterations == 0)
+ errx(-1, "invalid header iteration count: %s", optarg);
break;
case 's':
/*
@@ -11171,6 +11166,9 @@ void cmdline(int argc, char **argv)
print_version();
exit(0);
break;
+ default:
+ help();
+ exit(1);
}
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 730/957] tools/power turbostat: Fix unrecognized option -P
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (728 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 729/957] tools/power turbostat: Fix and document --header_iterations Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 731/957] kbuild: Never respect CONFIG_WERROR / W=e to fixdep Greg Kroah-Hartman
` (232 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Arcari, Len Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Arcari <darcari@redhat.com>
[ Upstream commit ce012c966b518c53475ba9a4e979242d7322d819 ]
The '-P' short option (shorthand for --no-perf) is not present in the
optstring of the second call to getopt_long_only(). This results in
the "unrecognized option" error when the tool reaches the main parsing
loop.
Add 'P' to the second getopt_long_only() call to ensure it is
consistently recognized.
Fixes: a0e86c90b83c ("tools/power turbostat: Add --no-perf option")
Signed-off-by: David Arcari <darcari@redhat.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/x86/turbostat/turbostat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
index ec4b7ff8810b1..313872f64a9a9 100644
--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -11054,7 +11054,7 @@ void cmdline(int argc, char **argv)
}
optind = 0;
- while ((opt = getopt_long_only(argc, argv, "+C:c:Dde:hi:Jn:N:o:qMST:v", long_options, &option_index)) != -1) {
+ while ((opt = getopt_long_only(argc, argv, "+C:c:Dde:hi:Jn:N:o:qMPST:v", long_options, &option_index)) != -1) {
switch (opt) {
case 'a':
parse_add_command(optarg);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 731/957] kbuild: Never respect CONFIG_WERROR / W=e to fixdep
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (729 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 730/957] tools/power turbostat: Fix unrecognized option -P Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 732/957] mailbox: mtk-cmdq: Fix CURR and END addr for task insert case Greg Kroah-Hartman
` (231 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Nathan Chancellor, Nicolas Schier, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 75f7c47ccd78c947cf1b6ddb18ea453ff0555716 ]
The fixdep hostprog may be built multiple times during a single build.
Once during the configuration phase and later during the regular phase.
As only the regular build phase respects CONFIG_WERROR / W=e, the
compiler flags might change between the phases, leading to rebuilds.
Example, the rebuilds will happen twice on each invocation of the build:
$ make allyesconfig prepare
make[1]: Entering directory '/tmp/deleteme'
HOSTCC scripts/basic/fixdep
#
# No change to .config
#
HOSTCC scripts/basic/fixdep
DESCEND objtool
INSTALL libsubcmd_headers
make[1]: Leaving directory '/tmp/deleteme'
Fix the compilation flags used for scripts/basic/ before
scripts/Makefile.warn is evaluated to stop CONFIG_WERROR / W=e
influencing the fixdep build to avoid the spurious rebuilds.
Fixes: 7ded7d37e5f5 ("scripts/Makefile.extrawarn: Respect CONFIG_WERROR / W=e for hostprogs")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20260422-kbuild-scripts-basic-werror-v1-1-8c6912ff22e0@weissschuh.net
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index d1fcec7cf9568..70e10b29b3859 100644
--- a/Makefile
+++ b/Makefile
@@ -655,6 +655,8 @@ export RCS_FIND_IGNORE := \( -name SCCS -o -name BitKeeper -o -name .svn -o \
# Basic helpers built in scripts/basic/
PHONY += scripts_basic
+scripts_basic: KBUILD_HOSTCFLAGS := $(KBUILD_HOSTCFLAGS)
+scripts_basic: KBUILD_HOSTLDFLAGS := $(KBUILD_HOSTLDFLAGS)
scripts_basic:
$(Q)$(MAKE) $(build)=scripts/basic
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 732/957] mailbox: mtk-cmdq: Fix CURR and END addr for task insert case
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (730 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 731/957] kbuild: Never respect CONFIG_WERROR / W=e to fixdep Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 733/957] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
` (230 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason-JH Lin, Jassi Brar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason-JH Lin <jason-jh.lin@mediatek.com>
[ Upstream commit d2591db9c8ef19fbb4d24ed15e0c6edfa6bc7917 ]
Fix CURR and END address calculation for inserting a cmdq task into the
task list by using cmdq_reg_shift_addr() for proper address converting.
This ensures both CURR and END addresses are set correctly when
enabling the thread.
Fixes: a195c7ccfb7a ("mailbox: mtk-cmdq: Refine DMA address handling for the command buffer")
Signed-off-by: Jason-JH Lin <jason-jh.lin@mediatek.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mtk-cmdq-mailbox.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
index 5791f80f995ab..a1360b70b83fb 100644
--- a/drivers/mailbox/mtk-cmdq-mailbox.c
+++ b/drivers/mailbox/mtk-cmdq-mailbox.c
@@ -434,14 +434,14 @@ static int cmdq_mbox_send_data(struct mbox_chan *chan, void *data)
if (curr_pa == end_pa - CMDQ_INST_SIZE ||
curr_pa == end_pa) {
/* set to this task directly */
- writel(task->pa_base >> cmdq->pdata->shift,
- thread->base + CMDQ_THR_CURR_ADDR);
+ gce_addr = cmdq_convert_gce_addr(task->pa_base, cmdq->pdata);
+ writel(gce_addr, thread->base + CMDQ_THR_CURR_ADDR);
} else {
cmdq_task_insert_into_thread(task);
smp_mb(); /* modify jump before enable thread */
}
- writel((task->pa_base + pkt->cmd_buf_size) >> cmdq->pdata->shift,
- thread->base + CMDQ_THR_END_ADDR);
+ gce_addr = cmdq_convert_gce_addr(task->pa_base + pkt->cmd_buf_size, cmdq->pdata);
+ writel(gce_addr, thread->base + CMDQ_THR_END_ADDR);
cmdq_thread_resume(thread);
}
list_move_tail(&task->list_entry, &thread->task_busy_list);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 733/957] mailbox: mailbox-test: free channels on probe error
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (731 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 732/957] mailbox: mtk-cmdq: Fix CURR and END addr for task insert case Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 734/957] sched/psi: fix race between file release and pressure write Greg Kroah-Hartman
` (229 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c02053a9055d5fdfd32432287cca8958db1d5bc5 ]
On probe error, free the previously obtained channels. This not only
prevents a leak, but also UAF scenarios because the client structure
will be removed nonetheless because it was allocated with devm.
Link: https://sashiko.dev/#/patchset/20260327151217.5327-2-wsa%2Brenesas%40sang-engineering.com
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 3a28ab5c42e57..197cad7b3d401 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -404,18 +404,27 @@ static int mbox_test_probe(struct platform_device *pdev)
if (tdev->rx_channel) {
tdev->rx_buffer = devm_kzalloc(&pdev->dev,
MBOX_MAX_MSG_LEN, GFP_KERNEL);
- if (!tdev->rx_buffer)
- return -ENOMEM;
+ if (!tdev->rx_buffer) {
+ ret = -ENOMEM;
+ goto err_free_chans;
+ }
}
ret = mbox_test_add_debugfs(pdev, tdev);
if (ret)
- return ret;
+ goto err_free_chans;
init_waitqueue_head(&tdev->waitq);
dev_info(&pdev->dev, "Successfully registered\n");
return 0;
+
+err_free_chans:
+ if (tdev->tx_channel)
+ mbox_free_channel(tdev->tx_channel);
+ if (tdev->rx_channel)
+ mbox_free_channel(tdev->rx_channel);
+ return ret;
}
static void mbox_test_remove(struct platform_device *pdev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 734/957] sched/psi: fix race between file release and pressure write
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (732 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 733/957] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 735/957] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
` (228 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+33e571025d88efd1312c,
Edward Adam Davis, Chen Ridong, Tejun Heo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit a5b98009f16d8a5fb4a8ff9a193f5735515c38fa ]
A potential race condition exists between pressure write and cgroup file
release regarding the priv member of struct kernfs_open_file, which
triggers the uaf reported in [1].
Consider the following scenario involving execution on two separate CPUs:
CPU0 CPU1
==== ====
vfs_rmdir()
kernfs_iop_rmdir()
cgroup_rmdir()
cgroup_kn_lock_live()
cgroup_destroy_locked()
cgroup_addrm_files()
cgroup_rm_file()
kernfs_remove_by_name()
kernfs_remove_by_name_ns()
vfs_write() __kernfs_remove()
new_sync_write() kernfs_drain()
kernfs_fop_write_iter() kernfs_drain_open_files()
cgroup_file_write() kernfs_release_file()
pressure_write() cgroup_file_release()
ctx = of->priv;
kfree(ctx);
of->priv = NULL;
cgroup_kn_unlock()
cgroup_kn_lock_live()
cgroup_get(cgrp)
cgroup_kn_unlock()
if (ctx->psi.trigger) // here, trigger uaf for ctx, that is of->priv
The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
the memory deallocation of of->priv performed within cgroup_file_release().
However, the operations involving of->priv executed within pressure_write()
are not entirely covered by the protection of cgroup_mutex. Consequently,
if the code in pressure_write(), specifically the section handling the
ctx variable executes after cgroup_file_release() has completed, a uaf
vulnerability involving of->priv is triggered.
Therefore, the issue can be resolved by extending the scope of the
cgroup_mutex lock within pressure_write() to encompass all code paths
involving of->priv, thereby properly synchronizing the race condition
occurring between cgroup_file_release() and pressure_write().
And, if an live kn lock can be successfully acquired while executing
the pressure write operation, it indicates that the cgroup deletion
process has not yet reached its final stage; consequently, the priv
pointer within open_file cannot be NULL. Therefore, the operation to
retrieve the ctx value must be moved to a point *after* the live kn
lock has been successfully acquired.
In another situation, specifically after entering cgroup_kn_lock_live()
but before acquiring cgroup_mutex, there exists a different class of
race condition:
CPU0: write memory.pressure CPU1: write cgroup.pressure=0
=========================== =============================
kernfs_fop_write_iter()
kernfs_get_active_of(of)
pressure_write()
cgroup_kn_lock_live(memory.pressure)
cgroup_tryget(cgrp)
kernfs_break_active_protection(kn)
... blocks on cgroup_mutex
cgroup_pressure_write()
cgroup_kn_lock_live(cgroup.pressure)
cgroup_file_show(memory.pressure, false)
kernfs_show(false)
kernfs_drain_open_files()
cgroup_file_release(of)
kfree(ctx)
of->priv = NULL
cgroup_kn_unlock()
... acquires cgroup_mutex
ctx = of->priv; // may now be NULL
if (ctx->psi.trigger) // NULL dereference
Consequently, there is a possibility that of->priv is NULL, the pressure
write needs to check for this.
Now that the scope of the cgroup_mutex has been expanded, the original
explicit cgroup_get/put operations are no longer necessary, this is
because acquiring/releasing the live kn lock inherently executes a
cgroup get/put operation.
[1]
BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
Call Trace:
pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352
Allocated by task 9352:
cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
do_dentry_open+0x83d/0x13e0 fs/open.c:949
Freed by task 9353:
cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
kernfs_release_file fs/kernfs/file.c:764 [inline]
kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525
Fixes: 0e94682b73bf ("psi: introduce psi monitor")
Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cgroup.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index da5f6f5400afa..b60fc0b2c6036 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -3997,33 +3997,41 @@ static int cgroup_cpu_pressure_show(struct seq_file *seq, void *v)
static ssize_t pressure_write(struct kernfs_open_file *of, char *buf,
size_t nbytes, enum psi_res res)
{
- struct cgroup_file_ctx *ctx = of->priv;
+ struct cgroup_file_ctx *ctx;
struct psi_trigger *new;
struct cgroup *cgrp;
struct psi_group *psi;
+ ssize_t ret = 0;
cgrp = cgroup_kn_lock_live(of->kn, false);
if (!cgrp)
return -ENODEV;
- cgroup_get(cgrp);
- cgroup_kn_unlock(of->kn);
+ ctx = of->priv;
+ if (!ctx) {
+ ret = -ENODEV;
+ goto out_unlock;
+ }
/* Allow only one trigger per file descriptor */
if (ctx->psi.trigger) {
- cgroup_put(cgrp);
- return -EBUSY;
+ ret = -EBUSY;
+ goto out_unlock;
}
psi = cgroup_psi(cgrp);
new = psi_trigger_create(psi, buf, res, of->file, of);
if (IS_ERR(new)) {
- cgroup_put(cgrp);
- return PTR_ERR(new);
+ ret = PTR_ERR(new);
+ goto out_unlock;
}
smp_store_release(&ctx->psi.trigger, new);
- cgroup_put(cgrp);
+
+out_unlock:
+ cgroup_kn_unlock(of->kn);
+ if (ret)
+ return ret;
return nbytes;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 735/957] cgroup/rdma: fix integer overflow in rdmacg_try_charge()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (733 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 734/957] sched/psi: fix race between file release and pressure write Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 736/957] mailbox: add sanity check for channel array Greg Kroah-Hartman
` (227 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, cuitao, Michal Koutný,
Tejun Heo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: cuitao <cuitao@kylinos.cn>
[ Upstream commit c802f460dd485c1332b5a35e7adcfb2bc22536a2 ]
The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.
Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.
Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
Signed-off-by: cuitao <cuitao@kylinos.cn>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/rdma.c b/kernel/cgroup/rdma.c
index ef5878fb20057..d544a747f3954 100644
--- a/kernel/cgroup/rdma.c
+++ b/kernel/cgroup/rdma.c
@@ -283,7 +283,7 @@ int rdmacg_try_charge(struct rdma_cgroup **rdmacg,
ret = PTR_ERR(rpool);
goto err;
} else {
- new = rpool->resources[index].usage + 1;
+ new = (s64)rpool->resources[index].usage + 1;
if (new > rpool->resources[index].max) {
ret = -EAGAIN;
goto err;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 736/957] mailbox: add sanity check for channel array
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (734 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 735/957] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 737/957] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
` (226 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Jassi Brar, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit c1aad75595fb67edc7fda8af249d3b886efa1be9 ]
Fail gracefully if there is no channel array attached to the mailbox
controller. Otherwise the later dereference will cause an OOPS which
might not be seen because mailbox controllers might instantiate very
early. Remove the comment explaining the obvious while here.
Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 617ba505691d3..b77162db509f2 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -505,8 +505,7 @@ int mbox_controller_register(struct mbox_controller *mbox)
{
int i, txdone;
- /* Sanity check */
- if (!mbox || !mbox->dev || !mbox->ops || !mbox->num_chans)
+ if (!mbox || !mbox->dev || !mbox->ops || !mbox->chans || !mbox->num_chans)
return -EINVAL;
if (mbox->txdone_irq)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 737/957] mailbox: mailbox-test: dont free the reused channel
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (735 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 736/957] mailbox: add sanity check for channel array Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 738/957] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
` (225 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 88ebadbf0deefdaccdab868b44ff70a0a257f473 ]
The RX channel can be aliased to the TX channel if it has a different
MMIO. This special case needs to be handled when freeing the channels
otherwise a double-free occurs.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 197cad7b3d401..210f6077f475c 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -422,7 +422,7 @@ static int mbox_test_probe(struct platform_device *pdev)
err_free_chans:
if (tdev->tx_channel)
mbox_free_channel(tdev->tx_channel);
- if (tdev->rx_channel)
+ if (tdev->rx_channel && tdev->rx_channel != tdev->tx_channel)
mbox_free_channel(tdev->rx_channel);
return ret;
}
@@ -435,7 +435,7 @@ static void mbox_test_remove(struct platform_device *pdev)
if (tdev->tx_channel)
mbox_free_channel(tdev->tx_channel);
- if (tdev->rx_channel)
+ if (tdev->rx_channel && tdev->rx_channel != tdev->tx_channel)
mbox_free_channel(tdev->rx_channel);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 738/957] mailbox: mailbox-test: initialize struct earlier
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (736 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 737/957] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 739/957] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
` (224 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit bbcf9af68bfedb3d9cc3c7eae62f5c844d8b78b9 ]
The waitqueue must be initialized before the debugfs files are created
because from that time, requests from userspace can already be made.
Similarily, drvdata and spinlock needs to be initialized before we
request the channel, otherwise dangling irqs might run into problems
like a NULL pointer exception.
Fixes: 8ea4484d0c2b ("mailbox: Add generic mechanism for testing Mailbox Controllers")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index 210f6077f475c..a0a7908c9cc26 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -366,6 +366,12 @@ static int mbox_test_probe(struct platform_device *pdev)
if (!tdev)
return -ENOMEM;
+ tdev->dev = &pdev->dev;
+ spin_lock_init(&tdev->lock);
+ mutex_init(&tdev->mutex);
+ init_waitqueue_head(&tdev->waitq);
+ platform_set_drvdata(pdev, tdev);
+
/* It's okay for MMIO to be NULL */
tdev->tx_mmio = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
if (PTR_ERR(tdev->tx_mmio) == -EBUSY) {
@@ -395,12 +401,6 @@ static int mbox_test_probe(struct platform_device *pdev)
if (!tdev->rx_channel && (tdev->rx_mmio != tdev->tx_mmio))
tdev->rx_channel = tdev->tx_channel;
- tdev->dev = &pdev->dev;
- platform_set_drvdata(pdev, tdev);
-
- spin_lock_init(&tdev->lock);
- mutex_init(&tdev->mutex);
-
if (tdev->rx_channel) {
tdev->rx_buffer = devm_kzalloc(&pdev->dev,
MBOX_MAX_MSG_LEN, GFP_KERNEL);
@@ -414,7 +414,6 @@ static int mbox_test_probe(struct platform_device *pdev)
if (ret)
goto err_free_chans;
- init_waitqueue_head(&tdev->waitq);
dev_info(&pdev->dev, "Successfully registered\n");
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 739/957] mailbox: mailbox-test: make data_ready a per-instance variable
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (737 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 738/957] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 740/957] fsnotify: fix inode reference leak in fsnotify_recalc_mask() Greg Kroah-Hartman
` (223 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jassi Brar,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 6e937f4e769e60947909e3525965f0137b9039e8 ]
While not the default case, multiple tests can be run simultaneously.
Then, data_ready being a global variable will be overwritten and the
per-instance lock will not help. Turn the global variable into a
per-instance one to avoid this problem.
Fixes: e339c80af95e ("mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/mailbox-test.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c
index a0a7908c9cc26..c429acd3af87c 100644
--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -28,8 +28,6 @@
#define MBOX_HEXDUMP_MAX_LEN (MBOX_HEXDUMP_LINE_LEN * \
(MBOX_MAX_MSG_LEN / MBOX_BYTES_PER_LINE))
-static bool mbox_data_ready;
-
struct mbox_test_device {
struct device *dev;
void __iomem *tx_mmio;
@@ -42,6 +40,7 @@ struct mbox_test_device {
spinlock_t lock;
struct mutex mutex;
wait_queue_head_t waitq;
+ bool data_ready;
struct fasync_struct *async_queue;
struct dentry *root_debugfs_dir;
};
@@ -162,7 +161,7 @@ static bool mbox_test_message_data_ready(struct mbox_test_device *tdev)
unsigned long flags;
spin_lock_irqsave(&tdev->lock, flags);
- data_ready = mbox_data_ready;
+ data_ready = tdev->data_ready;
spin_unlock_irqrestore(&tdev->lock, flags);
return data_ready;
@@ -227,7 +226,7 @@ static ssize_t mbox_test_message_read(struct file *filp, char __user *userbuf,
*(touser + l) = '\0';
memset(tdev->rx_buffer, 0, MBOX_MAX_MSG_LEN);
- mbox_data_ready = false;
+ tdev->data_ready = false;
spin_unlock_irqrestore(&tdev->lock, flags);
@@ -297,7 +296,7 @@ static void mbox_test_receive_message(struct mbox_client *client, void *message)
message, MBOX_MAX_MSG_LEN);
memcpy(tdev->rx_buffer, message, MBOX_MAX_MSG_LEN);
}
- mbox_data_ready = true;
+ tdev->data_ready = true;
spin_unlock_irqrestore(&tdev->lock, flags);
wake_up_interruptible(&tdev->waitq);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 740/957] fsnotify: fix inode reference leak in fsnotify_recalc_mask()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (738 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 739/957] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 741/957] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
` (222 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Yin, Amir Goldstein, Jan Kara,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
[ Upstream commit 4aca914ac152f5d055ddcb36704d1e539ac08977 ]
fsnotify_recalc_mask() fails to handle the return value of
__fsnotify_recalc_mask(), which may return an inode pointer that needs
to be released via fsnotify_drop_object() when the connector's HAS_IREF
flag transitions from set to cleared.
This manifests as a hung task with the following call trace:
INFO: task umount:1234 blocked for more than 120 seconds.
Call Trace:
__schedule
schedule
fsnotify_sb_delete
generic_shutdown_super
kill_anon_super
cleanup_mnt
task_work_run
do_exit
do_group_exit
The race window that triggers the iref leak:
Thread A (adding mark) Thread B (removing mark)
────────────────────── ────────────────────────
fsnotify_add_mark_locked():
fsnotify_add_mark_list():
spin_lock(conn->lock)
add mark_B(evictable) to list
spin_unlock(conn->lock)
return
/* ---- gap: no lock held ---- */
fsnotify_detach_mark(mark_A):
spin_lock(mark_A->lock)
clear ATTACHED flag on mark_A
spin_unlock(mark_A->lock)
fsnotify_put_mark(mark_A)
fsnotify_recalc_mask():
spin_lock(conn->lock)
__fsnotify_recalc_mask():
/* mark_A skipped: ATTACHED cleared */
/* only mark_B(evictable) remains */
want_iref = false
has_iref = true /* not yet cleared */
-> HAS_IREF transitions true -> false
-> returns inode pointer
spin_unlock(conn->lock)
/* BUG: return value discarded!
* iput() and fsnotify_put_sb_watched_objects()
* are never called */
Fix this by deferring the transition true -> false of HAS_IREF flag from
fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B).
Fixes: c3638b5b1374 ("fsnotify: allow adding an inode mark without pinning inode")
Signed-off-by: Xin Yin <yinxin.x@bytedance.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://patch.msgid.link/CAOQ4uxiPsbHb0o5voUKyPFMvBsDkG914FYDcs4C5UpBMNm0Vcg@mail.gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/notify/mark.c | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/fs/notify/mark.c b/fs/notify/mark.c
index cedd84afbede5..78338075f08a1 100644
--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
@@ -237,7 +237,12 @@ static struct inode *fsnotify_update_iref(struct fsnotify_mark_connector *conn,
return inode;
}
-static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
+/*
+ * Calculate mask of events for a list of marks.
+ *
+ * Return true if any of the attached marks want to hold an inode reference.
+ */
+static bool __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
{
u32 new_mask = 0;
bool want_iref = false;
@@ -261,6 +266,34 @@ static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
*/
WRITE_ONCE(*fsnotify_conn_mask_p(conn), new_mask);
+ return want_iref;
+}
+
+/*
+ * Calculate mask of events for a list of marks after attach/modify mark
+ * and get an inode reference for the connector if needed.
+ *
+ * A concurrent add of evictable mark and detach of non-evictable mark can
+ * lead to __fsnotify_recalc_mask() returning false want_iref, but in this
+ * case we defer clearing iref to fsnotify_recalc_mask_clear_iref() called
+ * from fsnotify_put_mark().
+ */
+static void fsnotify_recalc_mask_set_iref(struct fsnotify_mark_connector *conn)
+{
+ bool has_iref = conn->flags & FSNOTIFY_CONN_FLAG_HAS_IREF;
+ bool want_iref = __fsnotify_recalc_mask(conn) || has_iref;
+
+ (void) fsnotify_update_iref(conn, want_iref);
+}
+
+/*
+ * Calculate mask of events for a list of marks after detach mark
+ * and return the inode object if its reference is no longer needed.
+ */
+static void *fsnotify_recalc_mask_clear_iref(struct fsnotify_mark_connector *conn)
+{
+ bool want_iref = __fsnotify_recalc_mask(conn);
+
return fsnotify_update_iref(conn, want_iref);
}
@@ -297,7 +330,7 @@ void fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
spin_lock(&conn->lock);
update_children = !fsnotify_conn_watches_children(conn);
- __fsnotify_recalc_mask(conn);
+ fsnotify_recalc_mask_set_iref(conn);
update_children &= fsnotify_conn_watches_children(conn);
spin_unlock(&conn->lock);
/*
@@ -415,7 +448,7 @@ void fsnotify_put_mark(struct fsnotify_mark *mark)
/* Update watched objects after detaching mark */
if (sb)
fsnotify_update_sb_watchers(sb, conn);
- objp = __fsnotify_recalc_mask(conn);
+ objp = fsnotify_recalc_mask_clear_iref(conn);
type = conn->type;
}
WRITE_ONCE(mark->connector, NULL);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 741/957] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (739 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 740/957] fsnotify: fix inode reference leak in fsnotify_recalc_mask() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 742/957] cgroup: Increment nr_dying_subsys_* from rmdir context Greg Kroah-Hartman
` (221 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Mark Harmstone,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Harmstone <mark@harmstone.com>
[ Upstream commit 82323b1a7088b7a5c3e528a5d634bff447fa286f ]
submit_one_async_extent() calls btrfs_reserve_extent(), which decrements
bytes_may_use. If the call btrfs_create_io_em() fails, we jump to
out_free_reserve, which calls extent_clear_unlock_delalloc().
Because we're specifying EXTENT_DO_ACCOUNTING, i.e.
EXTENT_CLEAR_META_RESV | EXTENT_CLEAR_DATA_RESV, this decreases
bytes_may_use again. This can lead to problems later on, as an initial
write can fail only for the writeback to silently ENOSPC.
Fix this by replacing EXTENT_DO_ACCOUNTING with EXTENT_CLEAR_META_RESV.
This parallels a4fe134fc1d8eb ("btrfs: fix a double release on reserved
extents in cow_one_range()"), which is the same fix in cow_one_range().
Fixes: 151a41bc46df ("Btrfs: fix what bits we clear when erroring out from delalloc")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Mark Harmstone <mark@harmstone.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index feaa6de8a90f2..5b99f2941f577 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1208,7 +1208,7 @@ static void submit_one_async_extent(struct async_chunk *async_chunk,
NULL, &cached,
EXTENT_LOCKED | EXTENT_DELALLOC |
EXTENT_DELALLOC_NEW |
- EXTENT_DEFRAG | EXTENT_DO_ACCOUNTING,
+ EXTENT_DEFRAG | EXTENT_CLEAR_META_RESV,
PAGE_UNLOCK | PAGE_START_WRITEBACK |
PAGE_END_WRITEBACK);
free_async_extent_pages(async_extent);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 742/957] cgroup: Increment nr_dying_subsys_* from rmdir context
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (740 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 741/957] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 743/957] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
` (220 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Malat, Tejun Heo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Malat <oss@malat.biz>
[ Upstream commit 13e786b64bd3fd81c7eb22aa32bf8305c32f2ccf ]
Incrementing nr_dying_subsys_* in offline_css(), which is executed by
cgroup_offline_wq worker, leads to a race where user can see the value
to be 0 if he reads cgroup.stat after calling rmdir and before the worker
executes. This makes the user wrongly expect resources released by the
removed cgroup to be available for a new assignment.
Increment nr_dying_subsys_* from kill_css(), which is called from the
cgroup_rmdir() context.
Fixes: ab0312526867 ("cgroup: Show # of subsystem CSSes in cgroup.stat")
Signed-off-by: Petr Malat <oss@malat.biz>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cgroup.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index b60fc0b2c6036..1239bff9a994c 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5773,16 +5773,6 @@ static void offline_css(struct cgroup_subsys_state *css)
RCU_INIT_POINTER(css->cgroup->subsys[ss->id], NULL);
wake_up_all(&css->cgroup->offline_waitq);
-
- css->cgroup->nr_dying_subsys[ss->id]++;
- /*
- * Parent css and cgroup cannot be freed until after the freeing
- * of child css, see css_free_rwork_fn().
- */
- while ((css = css->parent)) {
- css->nr_descendants--;
- css->cgroup->nr_dying_subsys[ss->id]++;
- }
}
/**
@@ -6094,6 +6084,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
*/
static void kill_css(struct cgroup_subsys_state *css)
{
+ struct cgroup_subsys *ss = css->ss;
+
lockdep_assert_held(&cgroup_mutex);
if (css->flags & CSS_DYING)
@@ -6130,6 +6122,16 @@ static void kill_css(struct cgroup_subsys_state *css)
* css is confirmed to be seen as killed on all CPUs.
*/
percpu_ref_kill_and_confirm(&css->refcnt, css_killed_ref_fn);
+
+ css->cgroup->nr_dying_subsys[ss->id]++;
+ /*
+ * Parent css and cgroup cannot be freed until after the freeing
+ * of child css, see css_free_rwork_fn().
+ */
+ while ((css = css->parent)) {
+ css->nr_descendants--;
+ css->cgroup->nr_dying_subsys[ss->id]++;
+ }
}
/**
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 743/957] tracing: branch: Fix inverted check on stat tracer registration
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (741 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 742/957] cgroup: Increment nr_dying_subsys_* from rmdir context Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 744/957] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
` (219 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers, Ingo Molnar,
Frederic Weisbecker, Breno Leitao, Masami Hiramatsu (Google),
Steven Rostedt, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 3b75dd76e64a04771861bb5647951c264919e563 ]
init_annotated_branch_stats() and all_annotated_branch_stats() check the
return value of register_stat_tracer() with "if (!ret)", but
register_stat_tracer() returns 0 on success and a negative errno on
failure. The inverted check causes the warning to be printed on every
successful registration, e.g.:
Warning: could not register annotated branches stats
while leaving real failures silent. The initcall also returned a
hard-coded 1 instead of the actual error.
Invert the check and propagate ret so that the warning fires on real
errors and the initcall reports the correct status.
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Link: https://patch.msgid.link/20260420-tracing-v1-1-d8f4cd0d6af1@debian.org
Fixes: 002bb86d8d42 ("tracing/ftrace: separate events tracing and stats tracing engine")
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_branch.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_branch.c b/kernel/trace/trace_branch.c
index 6809b370e991d..d1564db95a8f5 100644
--- a/kernel/trace/trace_branch.c
+++ b/kernel/trace/trace_branch.c
@@ -373,10 +373,10 @@ __init static int init_annotated_branch_stats(void)
int ret;
ret = register_stat_tracer(&annotated_branch_stats);
- if (!ret) {
+ if (ret) {
printk(KERN_WARNING "Warning: could not register "
"annotated branches stats\n");
- return 1;
+ return ret;
}
return 0;
}
@@ -438,10 +438,10 @@ __init static int all_annotated_branch_stats(void)
int ret;
ret = register_stat_tracer(&all_branch_stats);
- if (!ret) {
+ if (ret) {
printk(KERN_WARNING "Warning: could not register "
"all branches stats\n");
- return 1;
+ return ret;
}
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 744/957] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (742 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 743/957] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 745/957] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
` (218 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Yunje Shin,
Chaitanya Kulkarni, Maurizio Lombardi, Keith Busch, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit ea8e356acb165cb1fd75537a52e1f66e5e76c538 ]
Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds
PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)
and returns early. However, because the function returns void, the
callers are entirely unaware that a fatal error has occurred and
that the cmd->recv_msg.msg_iter was left uninitialized.
Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly
overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA
Consequently, the socket receiving loop may attempt to read incoming
network data into the uninitialized iterator.
Fix this by shifting the error handling responsibility to the callers.
Fixes: 52a0a9854934 ("nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec")
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Yunje Shin <ioerts@kookmin.ac.kr>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/tcp.c | 51 ++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 3d8810b42e9dc..97d8c1d3545b0 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -351,7 +351,7 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)
static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);
-static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
+static int nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
{
struct bio_vec *iov = cmd->iov;
struct scatterlist *sg;
@@ -364,22 +364,19 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
offset = cmd->rbytes_done;
cmd->sg_idx = offset / PAGE_SIZE;
sg_offset = offset % PAGE_SIZE;
- if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
+ if (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt)
+ return -EPROTO;
+
sg = &cmd->req.sg[cmd->sg_idx];
sg_remaining = cmd->req.sg_cnt - cmd->sg_idx;
while (length) {
- if (!sg_remaining) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
- if (!sg->length || sg->length <= sg_offset) {
- nvmet_tcp_fatal_error(cmd->queue);
- return;
- }
+ if (!sg_remaining)
+ return -EPROTO;
+
+ if (!sg->length || sg->length <= sg_offset)
+ return -EPROTO;
+
u32 iov_len = min_t(u32, length, sg->length - sg_offset);
bvec_set_page(iov, sg_page(sg), iov_len,
@@ -394,6 +391,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)
iov_iter_bvec(&cmd->recv_msg.msg_iter, ITER_DEST, cmd->iov,
nr_pages, cmd->pdu_len);
+ return 0;
}
static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
@@ -958,7 +956,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
return 0;
}
-static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
+static int nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
struct nvmet_tcp_cmd *cmd, struct nvmet_req *req)
{
size_t data_len = le32_to_cpu(req->cmd->common.dptr.sgl.length);
@@ -974,19 +972,23 @@ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
if (!nvme_is_write(cmd->req.cmd) || !data_len ||
data_len > cmd->req.port->inline_data_size) {
nvmet_prepare_receive_pdu(queue);
- return;
+ return 0;
}
ret = nvmet_tcp_map_data(cmd);
if (unlikely(ret)) {
pr_err("queue %d: failed to map data\n", queue->idx);
nvmet_tcp_fatal_error(queue);
- return;
+ return -EPROTO;
}
queue->rcv_state = NVMET_TCP_RECV_DATA;
- nvmet_tcp_build_pdu_iovec(cmd);
cmd->flags |= NVMET_TCP_F_INIT_FAILED;
+ ret = nvmet_tcp_build_pdu_iovec(cmd);
+ if (unlikely(ret))
+ pr_err("queue %d: failed to build PDU iovec\n", queue->idx);
+
+ return ret;
}
static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
@@ -1038,7 +1040,10 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
goto err_proto;
}
cmd->pdu_recv = 0;
- nvmet_tcp_build_pdu_iovec(cmd);
+ if (unlikely(nvmet_tcp_build_pdu_iovec(cmd))) {
+ pr_err("queue %d: failed to build PDU iovec\n", queue->idx);
+ goto err_proto;
+ }
queue->cmd = cmd;
queue->rcv_state = NVMET_TCP_RECV_DATA;
@@ -1101,8 +1106,7 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
le32_to_cpu(req->cmd->common.dptr.sgl.length),
le16_to_cpu(req->cqe->status));
- nvmet_tcp_handle_req_failure(queue, queue->cmd, req);
- return 0;
+ return nvmet_tcp_handle_req_failure(queue, queue->cmd, req);
}
ret = nvmet_tcp_map_data(queue->cmd);
@@ -1119,8 +1123,11 @@ static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue)
if (nvmet_tcp_need_data_in(queue->cmd)) {
if (nvmet_tcp_has_inline_data(queue->cmd)) {
queue->rcv_state = NVMET_TCP_RECV_DATA;
- nvmet_tcp_build_pdu_iovec(queue->cmd);
- return 0;
+ ret = nvmet_tcp_build_pdu_iovec(queue->cmd);
+ if (unlikely(ret))
+ pr_err("queue %d: failed to build PDU iovec\n",
+ queue->idx);
+ return ret;
}
/* send back R2T */
nvmet_tcp_queue_response(&queue->cmd->req);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 745/957] netfilter: arp_tables: fix IEEE1394 ARP payload parsing
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (743 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 744/957] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 746/957] netfilter: nf_tables: use list_del_rcu for netlink hooks Greg Kroah-Hartman
` (217 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Pablo Neira Ayuso,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 1e8e3f449b1e73b73a843257635b9c50f0cc0f0a ]
Weiming Shi says:
"arp_packet_match() unconditionally parses the ARP payload assuming two
hardware addresses are present (source and target). However,
IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
field, and arp_hdr_len() already accounts for this by returning a
shorter length for ARPHRD_IEEE1394 devices.
As a result, on IEEE1394 interfaces arp_packet_match() advances past a
nonexistent target hardware address and reads the wrong bytes for both
the target device address comparison and the target IP address. This
causes arptables rules to match against garbage data, leading to
incorrect filtering decisions: packets that should be accepted may be
dropped and vice versa.
The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
handles this correctly by skipping the target hardware address for
ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()."
Mangle the original patch to always return 0 (no match) in case user
matches on the target hardware address which is never present in
IEEE1394.
Note that this returns 0 (no match) for either normal and inverse match
because matching in the target hardware address in ARPHRD_IEEE1394 has
never been supported by arptables. This is intentional, matching on the
target hardware address should never evaluate true for ARPHRD_IEEE1394.
Moreover, adjust arpt_mangle to drop the packet too as AI suggests:
In arpt_mangle, the logic assumes a standard ARP layout. Because
IEEE1394 (FireWire) omits the target hardware address, the linear
pointer arithmetic miscalculates the offset for the target IP address.
This causes mangling operations to write to the wrong location, leading
to packet corruption. To ensure safety, this patch drops packets
(NF_DROP) when mangling is requested for these fields on IEEE1394
devices, as the current implementation cannot correctly map the FireWire
ARP payload.
This omits both mangling target hardware and IP address. Even if IP
address mangling should be possible in IEEE1394, this would require
to adjust arpt_mangle offset calculation, which has never been
supported.
Based on patch from Weiming Shi <bestswngs@gmail.com>.
Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arp_tables.c | 18 +++++++++++++++---
net/ipv4/netfilter/arpt_mangle.c | 8 ++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 1cdd9c28ab2da..97ead883e4a13 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -110,13 +110,25 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
arpptr += dev->addr_len;
memcpy(&src_ipaddr, arpptr, sizeof(u32));
arpptr += sizeof(u32);
- tgt_devaddr = arpptr;
- arpptr += dev->addr_len;
+
+ if (IS_ENABLED(CONFIG_FIREWIRE_NET) && dev->type == ARPHRD_IEEE1394) {
+ if (unlikely(memchr_inv(arpinfo->tgt_devaddr.mask, 0,
+ sizeof(arpinfo->tgt_devaddr.mask))))
+ return 0;
+
+ tgt_devaddr = NULL;
+ } else {
+ tgt_devaddr = arpptr;
+ arpptr += dev->addr_len;
+ }
memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
- dev->addr_len)) ||
+ dev->addr_len)))
+ return 0;
+
+ if (tgt_devaddr &&
NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
dev->addr_len)))
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index a4e07e5e9c118..f65dd339208e8 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -40,6 +40,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
}
arpptr += pln;
if (mangle->flags & ARPT_MANGLE_TDEV) {
+ if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&
+ skb->dev->type == ARPHRD_IEEE1394))
+ return NF_DROP;
+
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
@@ -47,6 +51,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
}
arpptr += hln;
if (mangle->flags & ARPT_MANGLE_TIP) {
+ if (unlikely(IS_ENABLED(CONFIG_FIREWIRE_NET) &&
+ skb->dev->type == ARPHRD_IEEE1394))
+ return NF_DROP;
+
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
return NF_DROP;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 746/957] netfilter: nf_tables: use list_del_rcu for netlink hooks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (744 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 745/957] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 747/957] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
` (216 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit f3224ee463f8f6f6ced7dcdf6081add4f8128527 ]
nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need
to use list_del_rcu(), this list can be walked by concurrent dumpers.
Add a new helper and use it consistently.
Fixes: f9a43007d3f7 ("netfilter: nf_tables: double hook unregistration in netns path")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 44 ++++++++++++++---------------------
1 file changed, 18 insertions(+), 26 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5b25b032e285d..64e6a95439abd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -373,6 +373,12 @@ static void nft_netdev_hook_free_rcu(struct nft_hook *hook)
call_rcu(&hook->rcu, __nft_netdev_hook_free_rcu);
}
+static void nft_netdev_hook_unlink_free_rcu(struct nft_hook *hook)
+{
+ list_del_rcu(&hook->list);
+ nft_netdev_hook_free_rcu(hook);
+}
+
static void nft_netdev_unregister_hooks(struct net *net,
struct list_head *hook_list,
bool release_netdev)
@@ -383,10 +389,8 @@ static void nft_netdev_unregister_hooks(struct net *net,
list_for_each_entry_safe(hook, next, hook_list, list) {
list_for_each_entry(ops, &hook->ops_list, list)
nf_unregister_net_hook(net, ops);
- if (release_netdev) {
- list_del(&hook->list);
- nft_netdev_hook_free_rcu(hook);
- }
+ if (release_netdev)
+ nft_netdev_hook_unlink_free_rcu(hook);
}
}
@@ -2322,10 +2326,8 @@ void nf_tables_chain_destroy(struct nft_chain *chain)
if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
list_for_each_entry_safe(hook, next,
- &basechain->hook_list, list) {
- list_del_rcu(&hook->list);
- nft_netdev_hook_free_rcu(hook);
- }
+ &basechain->hook_list, list)
+ nft_netdev_hook_unlink_free_rcu(hook);
}
module_put(basechain->type->owner);
if (rcu_access_pointer(basechain->stats)) {
@@ -3025,6 +3027,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
list_for_each_entry(ops, &h->ops_list, list)
nf_unregister_net_hook(ctx->net, ops);
}
+ /* hook.list is on stack, no need for list_del_rcu() */
list_del(&h->list);
nft_netdev_hook_free_rcu(h);
}
@@ -9069,10 +9072,8 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net,
list_for_each_entry_safe(hook, next, hook_list, list) {
list_for_each_entry(ops, &hook->ops_list, list)
nft_unregister_flowtable_ops(net, flowtable, ops);
- if (release_netdev) {
- list_del(&hook->list);
- nft_netdev_hook_free_rcu(hook);
- }
+ if (release_netdev)
+ nft_netdev_hook_unlink_free_rcu(hook);
}
}
@@ -9143,8 +9144,7 @@ static int nft_register_flowtable_net_hooks(struct net *net,
nft_unregister_flowtable_ops(net, flowtable, ops);
}
- list_del_rcu(&hook->list);
- nft_netdev_hook_free_rcu(hook);
+ nft_netdev_hook_unlink_free_rcu(hook);
}
return err;
@@ -9154,10 +9154,8 @@ static void nft_hooks_destroy(struct list_head *hook_list)
{
struct nft_hook *hook, *next;
- list_for_each_entry_safe(hook, next, hook_list, list) {
- list_del_rcu(&hook->list);
- nft_netdev_hook_free_rcu(hook);
- }
+ list_for_each_entry_safe(hook, next, hook_list, list)
+ nft_netdev_hook_unlink_free_rcu(hook);
}
static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
@@ -9245,8 +9243,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
nft_unregister_flowtable_ops(ctx->net,
flowtable, ops);
}
- list_del_rcu(&hook->list);
- nft_netdev_hook_free_rcu(hook);
+ nft_netdev_hook_unlink_free_rcu(hook);
}
return err;
@@ -9752,13 +9749,8 @@ static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
{
- struct nft_hook *hook, *next;
-
flowtable->data.type->free(&flowtable->data);
- list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
- list_del_rcu(&hook->list);
- nft_netdev_hook_free_rcu(hook);
- }
+ nft_hooks_destroy(&flowtable->hook_list);
kfree(flowtable->name);
module_put(flowtable->data.type->owner);
kfree(flowtable);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 747/957] nvme-pci: fix missed admin queue sq doorbell write
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (745 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 746/957] netfilter: nf_tables: use list_del_rcu for netlink hooks Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 748/957] drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM Greg Kroah-Hartman
` (215 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Kanchan Joshi,
Keith Busch, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 1cc4cdae2a3b7730d462d69e30f213fd2efe7807 ]
We can batch admin commands submitted through io_uring_cmd passthrough,
which means bd->last may be false and skips the doorbell write to
aggregate multiple commands per write. If a subsequent command can't be
dispatched for whatever reason, we have to provide the blk-mq ops'
commit_rqs callback in order to ensure we properly update the doorbell.
Fixes: 58e5bdeb9c2b ("nvme: enable uring-passthrough for admin commands")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 8875855e45352..2e32242bed67c 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2028,6 +2028,7 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid, bool polled)
static const struct blk_mq_ops nvme_mq_admin_ops = {
.queue_rq = nvme_queue_rq,
.complete = nvme_pci_complete_rq,
+ .commit_rqs = nvme_commit_rqs,
.init_hctx = nvme_admin_init_hctx,
.init_request = nvme_pci_init_request,
.timeout = nvme_timeout,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 748/957] drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (746 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 747/957] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 749/957] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG Greg Kroah-Hartman
` (214 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 36d65da7570bf72ce28504fa9a81abfc728e6d96 ]
When the GART placement is set to AMDGPU_GART_PLACEMENT_LOW:
Make sure that GART does not overlap with VRAM when
VRAM is configured to be in the low address space.
Solve this according to the following logic:
- When GART fits before VRAM, use zero address for GART
- Otherwise, put GART after the end of VRAM, aligned to 4 GiB
Previously, I had assumed this was not possible
so it was OK to not handle it, but now we got a report
from a user who has a board that is configured this way.
Fixes: 917f91d8d8e8 ("drm/amdgpu/gmc: add a way to force a particular placement for GART")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3d9de5d86a1658cadb311461b001eb1df67263ad)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
index b8613888c5c33..6d5f90512a74e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
@@ -313,7 +313,10 @@ void amdgpu_gmc_gart_location(struct amdgpu_device *adev, struct amdgpu_gmc *mc,
mc->gart_start = max_mc_address - mc->gart_size + 1;
break;
case AMDGPU_GART_PLACEMENT_LOW:
- mc->gart_start = 0;
+ if (size_bf >= mc->gart_size)
+ mc->gart_start = 0;
+ else
+ mc->gart_start = ALIGN(mc->fb_end, four_gb);
break;
case AMDGPU_GART_PLACEMENT_BEST_FIT:
default:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 749/957] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (747 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 748/957] drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 750/957] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
` (213 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
[ Upstream commit 0ef196a208385b7d7da79f411c161b04e97283e2 ]
There were multiple issues in that code.
First of all the order between the reset semaphore and the mm_lock was
wrong (e.g. copy_to_user) was called while holding the lock.
Then we allocated memory while holding the reset semaphore which is also
a pretty big bug and can deadlock.
Then we used down_read_trylock() instead of waiting for the reset to
finish.
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 9e823f307074 ("drm/amdgpu: Block MMR_READ IOCTL in reset")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 361b6e6b303d4b691f6c5974d3eaab67ca6dd90e)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 57 +++++++++++--------------
1 file changed, 24 insertions(+), 33 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
index d8c0154c5297d..915406ab9730d 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -837,68 +837,59 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp)
? -EFAULT : 0;
}
case AMDGPU_INFO_READ_MMR_REG: {
- int ret = 0;
- unsigned int n, alloc_size;
- uint32_t *regs;
unsigned int se_num = (info->read_mmr_reg.instance >>
AMDGPU_INFO_MMR_SE_INDEX_SHIFT) &
AMDGPU_INFO_MMR_SE_INDEX_MASK;
unsigned int sh_num = (info->read_mmr_reg.instance >>
AMDGPU_INFO_MMR_SH_INDEX_SHIFT) &
AMDGPU_INFO_MMR_SH_INDEX_MASK;
-
- if (!down_read_trylock(&adev->reset_domain->sem))
- return -ENOENT;
+ unsigned int alloc_size;
+ uint32_t *regs;
+ int ret;
/* set full masks if the userspace set all bits
* in the bitfields
*/
- if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK) {
+ if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK)
se_num = 0xffffffff;
- } else if (se_num >= AMDGPU_GFX_MAX_SE) {
- ret = -EINVAL;
- goto out;
- }
+ else if (se_num >= AMDGPU_GFX_MAX_SE)
+ return -EINVAL;
- if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK) {
+ if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK)
sh_num = 0xffffffff;
- } else if (sh_num >= AMDGPU_GFX_MAX_SH_PER_SE) {
- ret = -EINVAL;
- goto out;
- }
+ else if (sh_num >= AMDGPU_GFX_MAX_SH_PER_SE)
+ return -EINVAL;
- if (info->read_mmr_reg.count > 128) {
- ret = -EINVAL;
- goto out;
- }
+ if (info->read_mmr_reg.count > 128)
+ return -EINVAL;
- regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs), GFP_KERNEL);
- if (!regs) {
- ret = -ENOMEM;
- goto out;
- }
+ regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs),
+ GFP_KERNEL);
+ if (!regs)
+ return -ENOMEM;
+ down_read(&adev->reset_domain->sem);
alloc_size = info->read_mmr_reg.count * sizeof(*regs);
-
amdgpu_gfx_off_ctrl(adev, false);
+ ret = 0;
for (i = 0; i < info->read_mmr_reg.count; i++) {
if (amdgpu_asic_read_register(adev, se_num, sh_num,
info->read_mmr_reg.dword_offset + i,
®s[i])) {
DRM_DEBUG_KMS("unallowed offset %#x\n",
info->read_mmr_reg.dword_offset + i);
- kfree(regs);
- amdgpu_gfx_off_ctrl(adev, true);
ret = -EFAULT;
- goto out;
+ break;
}
}
amdgpu_gfx_off_ctrl(adev, true);
- n = copy_to_user(out, regs, min(size, alloc_size));
- kfree(regs);
- ret = (n ? -EFAULT : 0);
-out:
up_read(&adev->reset_domain->sem);
+
+ if (!ret) {
+ ret = copy_to_user(out, regs, min(size, alloc_size))
+ ? -EFAULT : 0;
+ }
+ kfree(regs);
return ret;
}
case AMDGPU_INFO_DEV_INFO: {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 750/957] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (748 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 749/957] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 751/957] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
` (212 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 13e4cf116dbf7a1fb8123a59bea2c098f30d3736 ]
UVD 3.1 firmware validation seems to always fail after
attempting it when it had already been validated.
(This works similarly with the VCE 1.0 as well.)
Don't attempt repeating the validation when it's already done.
This caused issues in situations when the system isn't able
to suspend the GPU properly and so the GPU isn't actually
powered down. Then amdgpu would fail when calling the IP
block resume function.
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/2887
Fixes: bb7978111dd3 ("drm/amdgpu: fix SI UVD firmware validate resume fail")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 889a2cfd889c4a4dd9d0c89ce9a8e60b78be71dd)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
index 2e79a3afc7748..1df45633e8120 100644
--- a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c
@@ -242,6 +242,10 @@ static void uvd_v3_1_mc_resume(struct amdgpu_device *adev)
uint64_t addr;
uint32_t size;
+ /* When the keyselect is already set, don't perturb it. */
+ if (RREG32(mmUVD_FW_START))
+ return;
+
/* program the VCPU memory controller bits 0-27 */
addr = (adev->uvd.inst->gpu_addr + AMDGPU_UVD_FIRMWARE_OFFSET) >> 3;
size = AMDGPU_UVD_FIRMWARE_SIZE(adev) >> 3;
@@ -284,6 +288,12 @@ static int uvd_v3_1_fw_validate(struct amdgpu_device *adev)
int i;
uint32_t keysel = adev->uvd.keyselect;
+ if (RREG32(mmUVD_FW_START) & UVD_FW_STATUS__PASS_MASK) {
+ dev_dbg(adev->dev, "UVD keyselect already set: 0x%x (on CPU: 0x%x)\n",
+ RREG32(mmUVD_FW_START), adev->uvd.keyselect);
+ return 0;
+ }
+
WREG32(mmUVD_FW_START, keysel);
for (i = 0; i < 10; ++i) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 751/957] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (749 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 750/957] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 752/957] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
` (211 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf,
Christian König, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit fe2b84f9228e2a0903221a4d0d8c350b018e9c0c ]
This commit fixes amdgpu to work on the Radeon HD 7870 XT
which has never worked with the Linux open source drivers before.
Some boards have "harvested" chips, meaning that some parts of
the chip are disabled and fused, and it's sold for cheaper and
under a different marketing name.
On a harvested chip, any of the following can be disabled:
- CUs (Compute Units)
- RBs (Render Backend, aka. ROP)
- Memory channels (ie. the chip has a lower bandwidth)
- TCCs (ie. less L2 cache)
Handle chips with harvested TCCs by patching the registers
that configure how TCCs are mapped.
If some TCCs are disabled, we need to make sure that
the disabled TCCs are not used, and the remaining TCCs
are used optimally.
TCP_CHAN_STEER_LO/HI control which TCC is used by TCP channels.
TCP_ADDR_CONFIG.NUM_TCC_BANKS controls how many channels are used.
Note that the TCC configuration is highly relevant to performance.
Suboptimal configuration (eg. CHAN_STEER=0) can significantly
reduce gaming performance.
For optimal performance:
- Rely on the CHAN_STEER from the golden registers table,
only skip disabled TCCs but keep the mapping order.
- Limit NUM_TCC_BANKS to number of active TCCs to avoid thrashing,
which performs better than using the same TCC twice.
v2:
- Also consider CGTS_USER_TCC_DISABLE for disabled TCCs.
Link: https://bugs.freedesktop.org/show_bug.cgi?id=60879
Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/2664
Fixes: 2cd46ad22383 ("drm/amdgpu: add graphic pipeline implementation for si v8")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 00218d15528fab9f6b31241fe5904eea4fcaa30d)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 66 +++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
index 80565392313f1..066cdf6863e11 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
@@ -1571,6 +1571,71 @@ static void gfx_v6_0_setup_spi(struct amdgpu_device *adev)
mutex_unlock(&adev->grbm_idx_mutex);
}
+/**
+ * gfx_v6_0_setup_tcc() - setup which TCCs are used
+ *
+ * @adev: amdgpu_device pointer
+ *
+ * Verify whether the current GPU has any TCCs disabled,
+ * which can happen when the GPU is harvested and some
+ * memory channels are disabled, reducing the memory bus width.
+ * For example, on the Radeon HD 7870 XT (Tahiti LE).
+ *
+ * If some TCCs are disabled, we need to make sure that
+ * the disabled TCCs are not used, and the remaining TCCs
+ * are used optimally.
+ *
+ * TCP_CHAN_STEER_LO/HI control which TCC is used by TCP channels.
+ * TCP_ADDR_CONFIG.NUM_TCC_BANKS controls how many channels are used.
+ *
+ * For optimal performance:
+ * - Rely on the CHAN_STEER from the golden registers table,
+ * only skip disabled TCCs but keep the mapping order.
+ * - Limit NUM_TCC_BANKS to number of active TCCs to avoid thrashing,
+ * which performs better than using the same TCC twice.
+ */
+static void gfx_v6_0_setup_tcc(struct amdgpu_device *adev)
+{
+ u32 i, tcc, tcp_addr_config, num_active_tcc = 0;
+ u64 chan_steer, patched_chan_steer = 0;
+ const u32 num_max_tcc = adev->gfx.config.max_texture_channel_caches;
+ const u32 dis_tcc_mask =
+ amdgpu_gfx_create_bitmask(num_max_tcc) &
+ (REG_GET_FIELD(RREG32(mmCGTS_TCC_DISABLE),
+ CGTS_TCC_DISABLE, TCC_DISABLE) |
+ REG_GET_FIELD(RREG32(mmCGTS_USER_TCC_DISABLE),
+ CGTS_USER_TCC_DISABLE, TCC_DISABLE));
+
+ /* When no TCC is disabled, the golden registers table already has optimal TCC setup */
+ if (!dis_tcc_mask)
+ return;
+
+ /* Each 4-bit nibble contains the index of a TCC used by all TCPs */
+ chan_steer = RREG32(mmTCP_CHAN_STEER_LO) | ((u64)RREG32(mmTCP_CHAN_STEER_HI) << 32ull);
+
+ /* Patch the TCP to TCC mapping to skip disabled TCCs */
+ for (i = 0; i < num_max_tcc; ++i) {
+ tcc = (chan_steer >> (u64)(4 * i)) & 0xf;
+
+ if (!((1 << tcc) & dis_tcc_mask)) {
+ /* Copy enabled TCC indices to the patched register value. */
+ patched_chan_steer |= (u64)tcc << (u64)(4 * num_active_tcc);
+ ++num_active_tcc;
+ }
+ }
+
+ WARN_ON(num_active_tcc != num_max_tcc - hweight32(dis_tcc_mask));
+
+ /* Patch number of TCCs used by TCPs */
+ tcp_addr_config = REG_SET_FIELD(RREG32(mmTCP_ADDR_CONFIG),
+ TCP_ADDR_CONFIG, NUM_TCC_BANKS,
+ num_active_tcc - 1);
+
+ WREG32(mmTCP_ADDR_CONFIG, tcp_addr_config);
+ WREG32(mmTCP_CHAN_STEER_HI, upper_32_bits(patched_chan_steer));
+ WREG32(mmTCP_CHAN_STEER_LO, lower_32_bits(patched_chan_steer));
+}
+
static void gfx_v6_0_config_init(struct amdgpu_device *adev)
{
adev->gfx.config.double_offchip_lds_buf = 0;
@@ -1729,6 +1794,7 @@ static void gfx_v6_0_constants_init(struct amdgpu_device *adev)
gfx_v6_0_tiling_mode_table_init(adev);
gfx_v6_0_setup_rb(adev);
+ gfx_v6_0_setup_tcc(adev);
gfx_v6_0_setup_spi(adev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 752/957] netfilter: xt_policy: fix strict mode inbound policy matching
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (750 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 751/957] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 753/957] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
` (210 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Jiexun Wang, Ren Wei, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
[ Upstream commit 4b2b4d7d4e203c92db8966b163edfacb1f0e1e29 ]
match_policy_in() walks sec_path entries from the last transform to the
first one, but strict policy matching needs to consume info->pol[] in
the same forward order as the rule layout.
Derive the strict-match policy position from the number of transforms
already consumed so that multi-element inbound rules are matched
consistently.
Fixes: c4b885139203 ("[NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index cb6e8279010a4..b5fa65558318f 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -63,7 +63,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
return 0;
for (i = sp->len - 1; i >= 0; i--) {
- pos = strict ? i - sp->len + 1 : 0;
+ pos = strict ? sp->len - i - 1 : 0;
if (pos >= info->len)
return 0;
e = &info->pol[pos];
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 753/957] netfilter: nf_conntrack_sip: dont use simple_strtoul
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (751 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 752/957] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 754/957] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED Greg Kroah-Hartman
` (209 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Klaudia Kloc, Dawid Moczadło,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin, Jenny Guanni Qu
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8cf6809cddcbe301aedfc6b51bcd4944d45795f6 ]
Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(),
and ct_sip_parse_request() with a new sip_parse_port() helper that
validates each digit against the buffer limit, eliminating the use of
simple_strtoul() which assumes NUL-terminated strings.
The previous code dereferenced pointers without bounds checks after
sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated
skb data. A port that reaches the buffer limit without a trailing
character is also rejected as malformed.
Also get rid of all simple_strtoul() usage in conntrack, prefer a
stricter version instead. There are intentional changes:
- Bail out if number is > UINT_MAX and indicate a failure, same for
too long sequences.
While we do accept 05535 as port 5535, we will not accept e.g.
'sip:10.0.0.1:005060'. While its syntactically valid under RFC 3261,
we should restrict this to not waste cycles when presented with
malformed packets with 64k '0' characters.
- Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch
'expire=' and 'rports='; both are expected to use base-10.
- In nf_nat_sip.c, only accept the parsed value if its within the 1k-64k
range.
- epaddr_len now returns 0 if the port is invalid, as it already does
for invalid ip addresses. This is intentional. nf_conntrack_sip
performs lots of guesswork to find the right parts of the message
to parse. Being stricter could break existing setups.
Connection tracking helpers are designed to allow traffic to
pass, not to block it.
Based on an earlier patch from Jenny Guanni Qu <qguanni@gmail.com>.
Fixes: 05e3ced297fe ("[NETFILTER]: nf_conntrack_sip: introduce SIP-URI parsing helper")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Reported-by: Jenny Guanni Qu <qguanni@gmail.com>.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_sip.c | 152 ++++++++++++++++++++++++-------
net/netfilter/nf_nat_sip.c | 1 +
2 files changed, 119 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 939502ff7c871..6eb39285fbd6c 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -181,6 +181,57 @@ static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
return 1;
}
+/* Parse optional port number after IP address.
+ * Returns false on malformed input, true otherwise.
+ * If port is non-NULL, stores parsed port in network byte order.
+ * If no port is present, sets *port to default SIP port.
+ */
+static bool sip_parse_port(const char *dptr, const char **endp,
+ const char *limit, __be16 *port)
+{
+ unsigned int p = 0;
+ int len = 0;
+
+ if (dptr >= limit)
+ return false;
+
+ if (*dptr != ':') {
+ if (port)
+ *port = htons(SIP_PORT);
+ if (endp)
+ *endp = dptr;
+ return true;
+ }
+
+ dptr++; /* skip ':' */
+
+ while (dptr < limit && isdigit(*dptr)) {
+ p = p * 10 + (*dptr - '0');
+ dptr++;
+ len++;
+ if (len > 5) /* max "65535" */
+ return false;
+ }
+
+ if (len == 0)
+ return false;
+
+ /* reached limit while parsing port */
+ if (dptr >= limit)
+ return false;
+
+ if (p < 1024 || p > 65535)
+ return false;
+
+ if (port)
+ *port = htons(p);
+
+ if (endp)
+ *endp = dptr;
+
+ return true;
+}
+
/* skip ip address. returns its length. */
static int epaddr_len(const struct nf_conn *ct, const char *dptr,
const char *limit, int *shift)
@@ -193,11 +244,8 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
return 0;
}
- /* Port number */
- if (*dptr == ':') {
- dptr++;
- dptr += digits_len(ct, dptr, limit, shift);
- }
+ if (!sip_parse_port(dptr, &dptr, limit, NULL))
+ return 0;
return dptr - aux;
}
@@ -228,6 +276,51 @@ static int skp_epaddr_len(const struct nf_conn *ct, const char *dptr,
return epaddr_len(ct, dptr, limit, shift);
}
+/* simple_strtoul stops after first non-number character.
+ * But as we're not dealing with c-strings, we can't rely on
+ * hitting \r,\n,\0 etc. before moving past end of buffer.
+ *
+ * This is a variant of simple_strtoul, but doesn't require
+ * a c-string.
+ *
+ * If value exceeds UINT_MAX, 0 is returned.
+ */
+static unsigned int sip_strtouint(const char *cp, unsigned int len, char **endp)
+{
+ const unsigned int max = sizeof("4294967295");
+ unsigned int olen = len;
+ const char *s = cp;
+ u64 result = 0;
+
+ if (len > max)
+ len = max;
+
+ while (olen > 0 && isdigit(*s)) {
+ unsigned int value;
+
+ if (len == 0)
+ goto err;
+
+ value = *s - '0';
+ result = result * 10 + value;
+
+ if (result > UINT_MAX)
+ goto err;
+ s++;
+ len--;
+ olen--;
+ }
+
+ if (endp)
+ *endp = (char *)s;
+
+ return result;
+err:
+ if (endp)
+ *endp = (char *)cp;
+ return 0;
+}
+
/* Parse a SIP request line of the form:
*
* Request-Line = Method SP Request-URI SP SIP-Version CRLF
@@ -241,7 +334,6 @@ int ct_sip_parse_request(const struct nf_conn *ct,
{
const char *start = dptr, *limit = dptr + datalen, *end;
unsigned int mlen;
- unsigned int p;
int shift = 0;
/* Skip method and following whitespace */
@@ -267,14 +359,8 @@ int ct_sip_parse_request(const struct nf_conn *ct,
if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
return -1;
- if (end < limit && *end == ':') {
- end++;
- p = simple_strtoul(end, (char **)&end, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
+ if (!sip_parse_port(end, &end, limit, port))
+ return -1;
if (end == dptr)
return 0;
@@ -509,7 +595,6 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
union nf_inet_addr *addr, __be16 *port)
{
const char *c, *limit = dptr + datalen;
- unsigned int p;
int ret;
ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
@@ -520,14 +605,8 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
return -1;
- if (*c == ':') {
- c++;
- p = simple_strtoul(c, (char **)&c, 10);
- if (p < 1024 || p > 65535)
- return -1;
- *port = htons(p);
- } else
- *port = htons(SIP_PORT);
+ if (!sip_parse_port(c, &c, limit, port))
+ return -1;
if (dataoff)
*dataoff = c - dptr;
@@ -609,7 +688,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
return 0;
start += strlen(name);
- *val = simple_strtoul(start, &end, 0);
+ *val = sip_strtouint(start, limit - start, (char **)&end);
if (start == end)
return -1;
if (matchoff && matchlen) {
@@ -1065,6 +1144,8 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
mediaoff = sdpoff;
for (i = 0; i < ARRAY_SIZE(sdp_media_types); ) {
+ char *end;
+
if (ct_sip_get_sdp_header(ct, *dptr, mediaoff, *datalen,
SDP_HDR_MEDIA, SDP_HDR_UNSPEC,
&mediaoff, &medialen) <= 0)
@@ -1080,8 +1161,8 @@ static int process_sdp(struct sk_buff *skb, unsigned int protoff,
mediaoff += t->len;
medialen -= t->len;
- port = simple_strtoul(*dptr + mediaoff, NULL, 10);
- if (port == 0)
+ port = sip_strtouint(*dptr + mediaoff, *datalen - mediaoff, (char **)&end);
+ if (port == 0 || *dptr + mediaoff == end)
continue;
if (port < 1024 || port > 65535) {
nf_ct_helper_log(skb, ct, "wrong port %u", port);
@@ -1255,7 +1336,7 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
*/
if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
&matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+ expires = sip_strtouint(*dptr + matchoff, *datalen - matchoff, NULL);
ret = ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
SIP_HDR_CONTACT, NULL,
@@ -1359,7 +1440,7 @@ static int process_register_response(struct sk_buff *skb, unsigned int protoff,
if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_EXPIRES,
&matchoff, &matchlen) > 0)
- expires = simple_strtoul(*dptr + matchoff, NULL, 10);
+ expires = sip_strtouint(*dptr + matchoff, *datalen - matchoff, NULL);
while (1) {
unsigned int c_expires = expires;
@@ -1419,10 +1500,12 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
unsigned int matchoff, matchlen, matchend;
unsigned int code, cseq, i;
+ char *end;
if (*datalen < strlen("SIP/2.0 200"))
return NF_ACCEPT;
- code = simple_strtoul(*dptr + strlen("SIP/2.0 "), NULL, 10);
+ code = sip_strtouint(*dptr + strlen("SIP/2.0 "),
+ *datalen - strlen("SIP/2.0 "), NULL);
if (!code) {
nf_ct_helper_log(skb, ct, "cannot get code");
return NF_DROP;
@@ -1433,8 +1516,8 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
nf_ct_helper_log(skb, ct, "cannot parse cseq");
return NF_DROP;
}
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq && *(*dptr + matchoff) != '0') {
+ cseq = sip_strtouint(*dptr + matchoff, *datalen - matchoff, (char **)&end);
+ if (*dptr + matchoff == end) {
nf_ct_helper_log(skb, ct, "cannot get cseq");
return NF_DROP;
}
@@ -1483,6 +1566,7 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) {
const struct sip_handler *handler;
+ char *end;
handler = &sip_handlers[i];
if (handler->request == NULL)
@@ -1499,8 +1583,8 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
nf_ct_helper_log(skb, ct, "cannot parse cseq");
return NF_DROP;
}
- cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
- if (!cseq && *(*dptr + matchoff) != '0') {
+ cseq = sip_strtouint(*dptr + matchoff, *datalen - matchoff, (char **)&end);
+ if (*dptr + matchoff == end) {
nf_ct_helper_log(skb, ct, "cannot get cseq");
return NF_DROP;
}
@@ -1576,7 +1660,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
&matchoff, &matchlen) <= 0)
break;
- clen = simple_strtoul(dptr + matchoff, (char **)&end, 10);
+ clen = sip_strtouint(dptr + matchoff, datalen - matchoff, (char **)&end);
if (dptr + matchoff == end)
break;
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index c845b6d1a2bdf..9fbfc6bff0c22 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -246,6 +246,7 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
if (ct_sip_parse_numerical_param(ct, *dptr, matchend, *datalen,
"rport=", &poff, &plen,
&n) > 0 &&
+ n >= 1024 && n <= 65535 &&
htons(n) == ct->tuplehash[dir].tuple.dst.u.udp.port &&
htons(n) != ct->tuplehash[!dir].tuple.src.u.udp.port) {
__be16 p = ct->tuplehash[!dir].tuple.src.u.udp.port;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 754/957] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (752 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 753/957] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 755/957] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
` (208 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Brown, Robert Beckett,
Umang Jain, Cristian Ciocaltea, Mario Limonciello, Melissa Wen,
Guilherme G. Piccoli, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guilherme G. Piccoli <gpiccoli@igalia.com>
[ Upstream commit b0f6f4ac7d5d04fe2adcdd63ed1cd1ad505b8958 ]
Commit 671dd2ffbd8b ("ASoC: amd: acp: Add new cpu dai and dailink creation for I2S BT instance")
introduced a change that "broke" Steam Deck's audio probe, in the OLED
model, as observed in the following dmesg snippet:
[...]
snd_sof_amd_vangogh 0000:04:00.5: Topology: ABI 3:26:0 Kernel ABI 3:23:1
sof_mach nau8821-max: ASoC: physical link acp-bt-codec (id 2) not exist
sof_mach nau8821-max: ASoC: topology: could not load header: -22
snd_sof_amd_vangogh 0000:04:00.5: tplg amd/sof-tplg/sof-vangogh-nau8821-max.tplg component load failed -22
snd_sof_amd_vangogh 0000:04:00.5: error: failed to load DSP topology -22
snd_sof_amd_vangogh 0000:04:00.5: ASoC error (-22): at snd_soc_component_probe() on 0000:04:00.5
sof_mach nau8821-max: ASoC: failed to instantiate card -22
sof_mach nau8821-max: error -EINVAL: Failed to register card(sof-nau8821-max)
sof_mach nau8821-max: probe with driver sof_mach failed with error -22
[...]
Notice the quotes in "broke": it's not really a bug in such commit,
but instead a problem with a topology file from Steam Deck OLED. This
was discussed to great extent in [1], and Cristian proposed a pretty
simple and functional change that resolved the issue for the Deck's
issue. That change, though, would break other devices, so it wasn't
accepted upstream. And the proper suggested solution (fix the topology)
was never implemented, so Valve's kernel (and anyone that wants to boot
the mainline on Steam Deck OLED) is carrying that fix downstream.
So, we propose hereby a different approach: a DMI quirk, as many already
present in the sound drivers, to address this issue solely on Steam Deck
OLED, not breaking other devices and as a bonus, allowing simple patch
up in case eventually the topology file gets fixed (we'd just need to
check against any DMI info reflecting that or the topology/FW versions).
The motivation of such upstream quirk is related to users that want
to test latest kernel trees on their devices and get no only non-working
sound device, but seems some games (like Ori and the Blind Forest)
can't properly work without a proper functional audio device.
Example of such report can be seen at [2].
Cc: Mark Brown <broonie@kernel.org>
Cc: Robert Beckett <bob.beckett@collabora.com>
Cc: Umang Jain <uajain@igalia.com>
Fixes: 671dd2ffbd8b ("ASoC: amd: acp: Add new cpu dai and dailink creation for I2S BT instance")
Link: https://lore.kernel.org/r/20231209205351.880797-11-cristian.ciocaltea@collabora.com/ [1]
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218677 [2]
Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Tested-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Link: https://patch.msgid.link/20260423183505.116445-1-gpiccoli@igalia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp/acp-legacy-mach.c | 2 +-
sound/soc/amd/acp/acp-mach-common.c | 22 +++++++++++++++++++---
sound/soc/amd/acp/acp-mach.h | 4 ++++
sound/soc/amd/acp/acp-sof-mach.c | 2 +-
4 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/sound/soc/amd/acp/acp-legacy-mach.c b/sound/soc/amd/acp/acp-legacy-mach.c
index a7a551366a409..235d6cc83fa98 100644
--- a/sound/soc/amd/acp/acp-legacy-mach.c
+++ b/sound/soc/amd/acp/acp-legacy-mach.c
@@ -174,7 +174,7 @@ static int acp_asoc_probe(struct platform_device *pdev)
acp_card_drvdata->acp_rev = mach->mach_params.subsystem_rev;
dmi_id = dmi_first_match(acp_quirk_table);
- if (dmi_id && dmi_id->driver_data)
+ if (dmi_id && dmi_id->driver_data == (void *)QUIRK_TDM_MODE_ENABLE)
acp_card_drvdata->tdm_mode = dmi_id->driver_data;
ret = acp_legacy_dai_links_create(card);
diff --git a/sound/soc/amd/acp/acp-mach-common.c b/sound/soc/amd/acp/acp-mach-common.c
index c4bc8e849284c..a2031e7f61424 100644
--- a/sound/soc/amd/acp/acp-mach-common.c
+++ b/sound/soc/amd/acp/acp-mach-common.c
@@ -20,6 +20,7 @@
#include <sound/soc.h>
#include <linux/input.h>
#include <linux/module.h>
+#include <linux/dmi.h>
#include "../../codecs/rt5682.h"
#include "../../codecs/rt1019.h"
@@ -37,15 +38,21 @@
#define NAU8821_FREQ_OUT 12288000
#define MAX98388_CODEC_DAI "max98388-aif1"
-#define TDM_MODE_ENABLE 1
-
const struct dmi_system_id acp_quirk_table[] = {
{
/* Google skyrim proto-0 */
.matches = {
DMI_EXACT_MATCH(DMI_PRODUCT_FAMILY, "Google_Skyrim"),
},
- .driver_data = (void *)TDM_MODE_ENABLE,
+ .driver_data = (void *)QUIRK_TDM_MODE_ENABLE,
+ },
+ {
+ /* Valve Steam Deck OLED */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Valve"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Galileo"),
+ },
+ .driver_data = (void *)QUIRK_REMAP_DMIC_BT,
},
{}
};
@@ -1385,6 +1392,7 @@ int acp_sofdsp_dai_links_create(struct snd_soc_card *card)
struct snd_soc_dai_link *links;
struct device *dev = card->dev;
struct acp_card_drvdata *drv_data = card->drvdata;
+ const struct dmi_system_id *dmi_id = dmi_first_match(acp_quirk_table);
int i = 0, num_links = 0;
if (drv_data->hs_cpu_id)
@@ -1556,6 +1564,9 @@ int acp_sofdsp_dai_links_create(struct snd_soc_card *card)
links[i].codecs = &snd_soc_dummy_dlc;
links[i].num_codecs = 1;
}
+
+ if (dmi_id && dmi_id->driver_data == (void *)QUIRK_REMAP_DMIC_BT)
+ links[i].id = DMIC_BE_ID;
i++;
}
@@ -1571,6 +1582,11 @@ int acp_sofdsp_dai_links_create(struct snd_soc_card *card)
links[i].capture_only = 1;
links[i].nonatomic = true;
links[i].no_pcm = 1;
+
+ if (dmi_id && dmi_id->driver_data == (void *)QUIRK_REMAP_DMIC_BT) {
+ links[i].id = BT_BE_ID;
+ dev_dbg(dev, "quirk REMAP_DMIC_BT enabled\n");
+ }
}
card->dai_link = links;
diff --git a/sound/soc/amd/acp/acp-mach.h b/sound/soc/amd/acp/acp-mach.h
index f94c30c20f20b..7177d3fd96192 100644
--- a/sound/soc/amd/acp/acp-mach.h
+++ b/sound/soc/amd/acp/acp-mach.h
@@ -26,6 +26,10 @@
#define acp_get_drvdata(card) ((struct acp_card_drvdata *)(card)->drvdata)
+/* List of DMI quirks - check acp-mach-common.c for usage. */
+#define QUIRK_TDM_MODE_ENABLE 1
+#define QUIRK_REMAP_DMIC_BT 2
+
enum be_id {
HEADSET_BE_ID = 0,
AMP_BE_ID,
diff --git a/sound/soc/amd/acp/acp-sof-mach.c b/sound/soc/amd/acp/acp-sof-mach.c
index 6215e31eceddf..36ecef7013b9c 100644
--- a/sound/soc/amd/acp/acp-sof-mach.c
+++ b/sound/soc/amd/acp/acp-sof-mach.c
@@ -110,7 +110,7 @@ static int acp_sof_probe(struct platform_device *pdev)
acp_card_drvdata = card->drvdata;
dmi_id = dmi_first_match(acp_quirk_table);
- if (dmi_id && dmi_id->driver_data)
+ if (dmi_id && dmi_id->driver_data == (void *)QUIRK_TDM_MODE_ENABLE)
acp_card_drvdata->tdm_mode = dmi_id->driver_data;
acp_card_drvdata->acp_rev = mach->mach_params.subsystem_rev;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 755/957] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (753 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 754/957] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 756/957] ASoC: tas2764: Mark die temp register as volatile Greg Kroah-Hartman
` (207 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Madieu, Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Madieu <john.madieu@gmail.com>
[ Upstream commit b4683a239a409d65f88052f5630c748a8ba070cd ]
rockchip_spi_isr() decides whether the current interrupt was the
cs-inactive event by reading IMR:
if (rs->cs_inactive &&
readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE)
ctlr->target_abort(ctlr);
IMR is the interrupt mask register: it tells which sources are enabled,
not which one fired. In the PIO path, rockchip_spi_prepare_irq() enables
both INT_RF_FULL and INT_CS_INACTIVE in IMR when rs->cs_inactive is true:
if (rs->cs_inactive)
writel_relaxed(INT_RF_FULL | INT_CS_INACTIVE,
rs->regs + ROCKCHIP_SPI_IMR);
so the IMR check is always true once cs_inactive is enabled, and every
PIO interrupt - including normal RF_FULL completions - is dispatched to
ctlr->target_abort(), aborting the transfer. The bug is reachable on
ROCKCHIP_SPI_VER2_TYPE2 in target mode with a DMA-capable controller
when the transfer is short enough to fall back to PIO
(rockchip_spi_can_dma() returns false below fifo_len).
Read ISR (which is RISR masked by IMR) so the check actually reflects
which interrupt fired, and parenthesise the expression for clarity while
at it.
Fixes: 869f2c94db92 ("spi: rockchip: Stop spi slave dma receiver when cs inactive")
Signed-off-by: John Madieu <john.madieu@gmail.com>
Link: https://patch.msgid.link/20260425092936.2590132-2-john.madieu@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rockchip.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
index 45b1ad40a7efc..f7001c7bbe109 100644
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -357,7 +357,8 @@ static irqreturn_t rockchip_spi_isr(int irq, void *dev_id)
struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);
/* When int_cs_inactive comes, spi target abort */
- if (rs->cs_inactive && readl_relaxed(rs->regs + ROCKCHIP_SPI_IMR) & INT_CS_INACTIVE) {
+ if (rs->cs_inactive &&
+ (readl_relaxed(rs->regs + ROCKCHIP_SPI_ISR) & INT_CS_INACTIVE)) {
ctlr->target_abort(ctlr);
writel_relaxed(0, rs->regs + ROCKCHIP_SPI_IMR);
writel_relaxed(0xffffffff, rs->regs + ROCKCHIP_SPI_ICR);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 756/957] ASoC: tas2764: Mark die temp register as volatile
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (754 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 755/957] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 757/957] ASoC: tas2770: Fix order of operations for temperature calculation Greg Kroah-Hartman
` (206 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Calligeros, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Calligeros <jcalligeros99@gmail.com>
[ Upstream commit 4cfb5971c2fbfac061c23fb4224a3a008199de81 ]
Reading the temperature register always returns the first value
read from the chip due to regcache.
Mark TAS2764_TEMP as volatile to prevent returning stale, cached
values when reading the die temp.
Fixes: 186dfc85f9a8 ("ASoC: tas2764: expose die temp to hwmon")
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20260425-tas27xx-hwmon-fixes-v1-1-83c13b8e8f54@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2764.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
index 36e25e48b3546..9f351565dc82d 100644
--- a/sound/soc/codecs/tas2764.c
+++ b/sound/soc/codecs/tas2764.c
@@ -809,6 +809,7 @@ static bool tas2764_volatile_register(struct device *dev, unsigned int reg)
{
switch (reg) {
case TAS2764_SW_RST:
+ case TAS2764_TEMP:
case TAS2764_INT_LTCH0 ... TAS2764_INT_LTCH4:
case TAS2764_INT_CLK_CFG:
return true;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 757/957] ASoC: tas2770: Fix order of operations for temperature calculation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (755 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 756/957] ASoC: tas2764: Mark die temp register as volatile Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 758/957] drm/sysfb: ofdrm: fix PCI device reference leaks Greg Kroah-Hartman
` (205 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Calligeros, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Calligeros <jcalligeros99@gmail.com>
[ Upstream commit c7ecb6a61908c2604dda6e42da66724d256de7b9 ]
The order of operations to derive the temperature from the temp
register values was wrong, since 1000 / 16 is not an integer. This
resulted in the calculated temperature value deviating from the
value represented by the registers slightly, which was most obvious
when the registers were zeroed (-92.265 *C vs the expected -93.000 *C).
Scale the reading before dividing the whole thing by 16 to correct
this.
Fixes: ff73e2780169 ("ASoC: tas2770: expose die temp to hwmon")
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Link: https://patch.msgid.link/20260425-tas27xx-hwmon-fixes-v1-3-83c13b8e8f54@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tas2770.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c
index 6f878b01716f7..2ce3011119bdb 100644
--- a/sound/soc/codecs/tas2770.c
+++ b/sound/soc/codecs/tas2770.c
@@ -549,7 +549,7 @@ static int tas2770_read_die_temp(struct tas2770_priv *tas2770, long *result)
/*
* As per datasheet: divide register by 16 and subtract 93 to get
* degrees Celsius. hwmon requires millidegrees. Let's avoid rounding
- * errors by subtracting 93 * 16 then multiplying by 1000 / 16.
+ * errors by subtracting 93 * 16 and scaling before dividing.
*
* NOTE: The ADC registers are initialised to 0 on reset. This means
* that the temperature will read -93 *C until the chip is brought out
@@ -558,7 +558,7 @@ static int tas2770_read_die_temp(struct tas2770_priv *tas2770, long *result)
* value read back from its registers will be the last value sampled
* before entering software shutdown.
*/
- *result = (reading - (93 * 16)) * (1000 / 16);
+ *result = (reading - (93 * 16)) * 1000 / 16;
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 758/957] drm/sysfb: ofdrm: fix PCI device reference leaks
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (756 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 757/957] ASoC: tas2770: Fix order of operations for temperature calculation Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 759/957] drm/color-mgmt: Typo s/R332/RGB332/ Greg Kroah-Hartman
` (204 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Myeonghun Pak, Ijae Kim, Taegyu Kim,
Yuho Choi, Thomas Zimmermann, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
[ Upstream commit 4aa8110000b0d215deef8eed283565dd0c1def88 ]
display_get_pci_dev_of() gets a referenced PCI device via
pci_get_device(). Drop that reference when pci_enable_device() fails and
release it during the managed teardown path after pci_disable_device().
Without that, ofdrm leaks the pci_dev reference on both the error path
and the normal cleanup path.
Fixes: c8a17756c425 ("drm/ofdrm: Add ofdrm for Open Firmware framebuffers")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260420002513.216-1-dbgh9129@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sysfb/ofdrm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/sysfb/ofdrm.c b/drivers/gpu/drm/sysfb/ofdrm.c
index 8d8ab39c5f363..f94fddea897a5 100644
--- a/drivers/gpu/drm/sysfb/ofdrm.c
+++ b/drivers/gpu/drm/sysfb/ofdrm.c
@@ -349,6 +349,7 @@ static void ofdrm_pci_release(void *data)
struct pci_dev *pcidev = data;
pci_disable_device(pcidev);
+ pci_dev_put(pcidev);
}
static int ofdrm_device_init_pci(struct ofdrm_device *odev)
@@ -374,6 +375,7 @@ static int ofdrm_device_init_pci(struct ofdrm_device *odev)
if (ret) {
drm_err(dev, "pci_enable_device(%s) failed: %d\n",
dev_name(&pcidev->dev), ret);
+ pci_dev_put(pcidev);
return ret;
}
ret = devm_add_action_or_reset(&pdev->dev, ofdrm_pci_release, pcidev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 759/957] drm/color-mgmt: Typo s/R332/RGB332/
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (757 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 758/957] drm/sysfb: ofdrm: fix PCI device reference leaks Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 760/957] arm64/scs: Fix potential sign extension issue of advance_loc4 Greg Kroah-Hartman
` (203 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Javier Martinez Canillas, Thomas Zimmermann, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 9d5a2b8f6281f6090002517fb9272ea07038afe8 ]
Fix a typo of "RGB332" in kerneldoc for the drm_crtc_fill_palette_332()
helper.
Fixes: 7ff61177b7116825 ("drm/color-mgmt: Prepare for RGB332 palettes")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/c413e45c8f752a532a4ff377f7a8b9eaab4a082a.1776757681.git.geert+renesas@glider.be
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_color_mgmt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_color_mgmt.c b/drivers/gpu/drm/drm_color_mgmt.c
index 131c1c9ae92fc..302a32d050a6d 100644
--- a/drivers/gpu/drm/drm_color_mgmt.c
+++ b/drivers/gpu/drm/drm_color_mgmt.c
@@ -831,7 +831,7 @@ static void fill_palette_332(struct drm_crtc *crtc, u16 r, u16 g, u16 b,
}
/**
- * drm_crtc_fill_palette_332 - Programs a default palette for R332-like formats
+ * drm_crtc_fill_palette_332 - Programs a default palette for RGB332-like formats
* @crtc: The displaying CRTC
* @set_palette: Callback for programming the hardware gamma LUT
*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 760/957] arm64/scs: Fix potential sign extension issue of advance_loc4
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (758 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 759/957] drm/color-mgmt: Typo s/R332/RGB332/ Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 761/957] ACPICA: Provide #defines for EINJV2 error types Greg Kroah-Hartman
` (202 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Guan, Catalin Marinas,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 4023b7424ecd5d38cc75b650d6c1bf630ef8cb40 ]
The expression (*opcode++ << 24) and exp * code_alignment_factor
may overflow signed int and becomes negative.
Fix this by casting each byte to u64 before shifting. Also fix
the misaligned break statement while we are here.
Example of the result can be seen here:
Link: https://godbolt.org/z/zhY8d3595
It maybe not a real problem, but could be a issue in future.
Fixes: d499e9627d70 ("arm64/scs: Fix handling of advance_loc4")
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/pi/patch-scs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/pi/patch-scs.c b/arch/arm64/kernel/pi/patch-scs.c
index dac568e4a54f2..3944ad899021c 100644
--- a/arch/arm64/kernel/pi/patch-scs.c
+++ b/arch/arm64/kernel/pi/patch-scs.c
@@ -196,9 +196,9 @@ static int scs_handle_fde_frame(const struct eh_frame *frame,
loc += *opcode++ * code_alignment_factor;
loc += (*opcode++ << 8) * code_alignment_factor;
loc += (*opcode++ << 16) * code_alignment_factor;
- loc += (*opcode++ << 24) * code_alignment_factor;
+ loc += ((u64)*opcode++ << 24) * code_alignment_factor;
size -= 4;
- break;
+ break;
case DW_CFA_def_cfa:
case DW_CFA_offset_extended:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 761/957] ACPICA: Provide #defines for EINJV2 error types
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (759 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 760/957] arm64/scs: Fix potential sign extension issue of advance_loc4 Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 762/957] ACPI: APEI: EINJ: Fix EINJV2 memory error injection Greg Kroah-Hartman
` (201 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Luck, Rafael J. Wysocki,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Luck <tony.luck@intel.com>
[ Upstream commit 1f6008538384453eb4c13a3d7ff9e37ee8aee6b9 ]
EINJV2 defined new error types by moving the severity (correctable,
uncorrectable non-fatal, uncorrectable fatal) out of the "type".
ACPI 6.5 introduced EINJV2 and defined a vendor defined error type
using bit 31. This was dropped in ACPI 6.6.
Link: https://github.com/acpica/acpica/commit/e82d2d2fd145
Signed-off-by: Tony Luck <tony.luck@intel.com>
Link: https://patch.msgid.link/20260421150216.11666-2-tony.luck@intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: 0c00cfbcfcff ("ACPI: APEI: EINJ: Fix EINJV2 memory error injection")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/acpi/actbl1.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/acpi/actbl1.h b/include/acpi/actbl1.h
index 7f35eb0e84586..b074244cbdcbf 100644
--- a/include/acpi/actbl1.h
+++ b/include/acpi/actbl1.h
@@ -1129,6 +1129,12 @@ enum acpi_einj_command_status {
#define ACPI_EINJ_CXL_MEM_FATAL (1<<17)
#define ACPI_EINJ_VENDOR_DEFINED (1<<31)
+/* EINJV2 error types from EINJV2_GET_ERROR_TYPE (ACPI 6.6) */
+
+#define ACPI_EINJV2_PROCESSOR (1)
+#define ACPI_EINJV2_MEMORY (1<<1)
+#define ACPI_EINJV2_PCIE (1<<2)
+
/*******************************************************************************
*
* ERST - Error Record Serialization Table (ACPI 4.0)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 762/957] ACPI: APEI: EINJ: Fix EINJV2 memory error injection
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (760 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 761/957] ACPICA: Provide #defines for EINJV2 error types Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 763/957] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
` (200 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sashiko, Herman Li, Tony Luck,
Lai, Yi1, Jiaqi Yan, Zaid Alali, Rafael J. Wysocki, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Luck <tony.luck@intel.com>
[ Upstream commit 0c00cfbcfcffa7085e4f0c7fd7a4caada4e7a90f ]
Error types in EINJV2 use different bit positions for each flavor of
injection from legacy EINJ.
Two issues:
1) The address sanity checks in einj_error_inject() were skipped for
EINJV2 injections. Noted by sashiko[1]
2) __einj_error_trigger() failed to drop the entry of the target
physical address from the list of resources that need to be
requested.
Add a helper function that checks if an injection is to memory and use it
to solve each of these issues.
Note that the old test in __einj_error_trigger() checked that param2 was
not zero. This isn't needed because the sanity checks in einj_error_inject()
reject memory injections with param2 == 0.
Fixes: b47610296d17 ("ACPI: APEI: EINJ: Enable EINJv2 error injections")
Reported-by: sashiko <sashiko@sashiko.dev>
Reported-by: Herman Li <herman.li@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Tested-by: "Lai, Yi1" <yi1.lai@intel.com>
Link: https://sashiko.dev/#/patchset/20260415163620.12957-1-tony.luck%40intel.com # [1]
Reviewed-by: Jiaqi Yan <jiaqiyan@google.com>
Reviewed-by: Zaid Alali <zaidal@os.amperecomputing.com>
Link: https://patch.msgid.link/20260421150216.11666-3-tony.luck@intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/einj-core.c | 45 +++++++++++++++++++----------------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
index 305c240a303f6..02b81b7b5a2e2 100644
--- a/drivers/acpi/apei/einj-core.c
+++ b/drivers/acpi/apei/einj-core.c
@@ -401,8 +401,18 @@ static struct acpi_generic_address *einj_get_trigger_parameter_region(
return NULL;
}
+
+static bool is_memory_injection(u32 type, u32 flags)
+{
+ if (flags & SETWA_FLAGS_EINJV2)
+ return !!(type & ACPI_EINJV2_MEMORY);
+ if (type & ACPI5_VENDOR_BIT)
+ return !!(vendor_flags & SETWA_FLAGS_MEM);
+ return !!(type & MEM_ERROR_MASK) || !!(flags & SETWA_FLAGS_MEM);
+}
+
/* Execute instructions in trigger error action table */
-static int __einj_error_trigger(u64 trigger_paddr, u32 type,
+static int __einj_error_trigger(u64 trigger_paddr, u32 type, u32 flags,
u64 param1, u64 param2)
{
struct acpi_einj_trigger trigger_tab;
@@ -480,7 +490,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
* This will cause resource conflict with regular memory. So
* remove it from trigger table resources.
*/
- if ((param_extension || acpi5) && (type & MEM_ERROR_MASK) && param2) {
+ if ((param_extension || acpi5) && is_memory_injection(type, flags)) {
struct apei_resources addr_resources;
apei_resources_init(&addr_resources);
@@ -660,7 +670,7 @@ static int __einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
return rc;
trigger_paddr = apei_exec_ctx_get_output(&ctx);
if (notrigger == 0) {
- rc = __einj_error_trigger(trigger_paddr, type, param1, param2);
+ rc = __einj_error_trigger(trigger_paddr, type, flags, param1, param2);
if (rc)
return rc;
}
@@ -718,35 +728,30 @@ int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, u64 param3,
SETWA_FLAGS_PCIE_SBDF | SETWA_FLAGS_EINJV2)))
return -EINVAL;
+ /*
+ * Injections targeting a CXL 1.0/1.1 port have to be injected
+ * via the einj_cxl_rch_error_inject() path as that does the proper
+ * validation of the given RCRB base (MMIO) address.
+ */
+ if (einj_is_cxl_error_type(type) && (flags & SETWA_FLAGS_MEM))
+ return -EINVAL;
+
/* check if type is a valid EINJv2 error type */
if (is_v2) {
if (!(type & available_error_type_v2))
return -EINVAL;
}
- /*
- * We need extra sanity checks for memory errors.
- * Other types leap directly to injection.
- */
/* ensure param1/param2 existed */
if (!(param_extension || acpi5))
goto inject;
- /* ensure injection is memory related */
- if (type & ACPI5_VENDOR_BIT) {
- if (vendor_flags != SETWA_FLAGS_MEM)
- goto inject;
- } else if (!(type & MEM_ERROR_MASK) && !(flags & SETWA_FLAGS_MEM)) {
- goto inject;
- }
-
/*
- * Injections targeting a CXL 1.0/1.1 port have to be injected
- * via the einj_cxl_rch_error_inject() path as that does the proper
- * validation of the given RCRB base (MMIO) address.
+ * We need extra sanity checks for memory errors.
+ * Other types leap directly to injection.
*/
- if (einj_is_cxl_error_type(type) && (flags & SETWA_FLAGS_MEM))
- return -EINVAL;
+ if (!is_memory_injection(type, flags))
+ goto inject;
/*
* Disallow crazy address masks that give BIOS leeway to pick
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 763/957] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (761 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 762/957] ACPI: APEI: EINJ: Fix EINJV2 memory error injection Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 764/957] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
` (199 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daan De Meyer, Phillip Potter,
Martin K. Petersen, Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daan De Meyer <daan@amutable.com>
[ Upstream commit 0898a817621a2f0cddca8122d9b974003fe5036d ]
The cdrom core never calls set_disk_ro() for a registered device, so
BLKROGET on a CD-ROM device always returns 0 (writable), even when the
drive has no write capabilities and writes will inevitably fail. This
causes problems for userspace that relies on BLKROGET to determine
whether a block device is read-only. For example, systemd's loop device
setup uses BLKROGET to decide whether to create a loop device with
LO_FLAGS_READ_ONLY. Without the read-only flag, writes pass through the
loop device to the CD-ROM and fail with I/O errors. systemd-fsck
similarly checks BLKROGET to decide whether to run fsck in no-repair
mode (-n).
The write-capability bits in cdi->mask come from two different sources:
CDC_DVD_RAM and CDC_CD_RW are populated by the driver from the MODE
SENSE capabilities page (page 0x2A) before register_cdrom() is called,
while CDC_MRW_W and CDC_RAM require the MMC GET CONFIGURATION command
and were only probed by cdrom_open_write() at device open time. This
meant that any attempt to compute the writable state from the full
mask at probe time was incorrect, because the GET CONFIGURATION bits
were still unset (and cdi->mask is initialized such that capabilities
are assumed present).
Fix this by factoring the GET CONFIGURATION probing out of
cdrom_open_write() into a new exported helper,
cdrom_probe_write_features(), and having sr call it from sr_probe()
right after get_capabilities() has populated the MODE SENSE bits.
register_cdrom() then calls set_disk_ro() based on the full
write-capability mask (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)
so the block layer reflects the drive's actual write support. The
feature queries used (CDF_MRW and CDF_RWRT via GET CONFIGURATION with
RT=00) report drive-level capabilities that are persistent across
media, so a single probe before register_cdrom() is sufficient and the
redundant probe at open time is dropped.
With set_disk_ro() now accurate, the long-vestigial cd->writeable flag
in sr can go: get_capabilities() used to set cd->writeable based on
the same four mask bits, but because CDC_MRW_W and CDC_RAM default to
"capability present" in cdi->mask and aren't touched by MODE SENSE,
the condition that gated cd->writeable was always true, making it
unconditionally 1. Replace the corresponding gate in sr_init_command()
with get_disk_ro(cd->disk), which turns a previously no-op check into
a real one and also catches kernel-internal bio writers that bypass
blkdev_write_iter()'s bdev_read_only() check.
The sd driver (SCSI disks) does not have this problem because it
checks the MODE SENSE Write Protect bit and calls set_disk_ro()
accordingly. The sr driver cannot use the same approach because the
MMC specification does not define the WP bit in the MODE SENSE
device-specific parameter byte for CD-ROM devices.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daan De Meyer <daan@amutable.com>
Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
Link: https://patch.msgid.link/20260427210139.1400-2-phil@philpotter.co.uk
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cdrom/cdrom.c | 73 ++++++++++++++++++++++++++++---------------
drivers/scsi/sr.c | 11 ++-----
drivers/scsi/sr.h | 1 -
include/linux/cdrom.h | 1 +
4 files changed, 51 insertions(+), 35 deletions(-)
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 31ba1f8c1f786..e30414f0d4560 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -631,6 +631,16 @@ int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi)
WARN_ON(!cdo->generic_packet);
+ /*
+ * Propagate the drive's write support to the block layer so BLKROGET
+ * reflects actual write capability. Drivers that use GET CONFIGURATION
+ * features (CDC_MRW_W, CDC_RAM) must have called
+ * cdrom_probe_write_features() before register_cdrom() so the mask is
+ * complete here.
+ */
+ set_disk_ro(disk, !CDROM_CAN(CDC_DVD_RAM | CDC_MRW_W | CDC_RAM |
+ CDC_CD_RW));
+
cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
mutex_lock(&cdrom_mutex);
list_add(&cdi->list, &cdrom_list);
@@ -742,6 +752,44 @@ static int cdrom_is_random_writable(struct cdrom_device_info *cdi, int *write)
return 0;
}
+/*
+ * Probe write-related MMC features via GET CONFIGURATION and update
+ * cdi->mask accordingly. Drivers that populate cdi->mask from the MODE SENSE
+ * capabilities page (e.g. sr) should call this after those MODE SENSE bits
+ * have been set but before register_cdrom(), so that the full set of
+ * write-capability bits is known by the time register_cdrom() decides on the
+ * initial read-only state of the disk.
+ */
+void cdrom_probe_write_features(struct cdrom_device_info *cdi)
+{
+ int mrw, mrw_write, ram_write;
+
+ mrw = 0;
+ if (!cdrom_is_mrw(cdi, &mrw_write))
+ mrw = 1;
+
+ if (CDROM_CAN(CDC_MO_DRIVE))
+ ram_write = 1;
+ else
+ (void) cdrom_is_random_writable(cdi, &ram_write);
+
+ if (mrw)
+ cdi->mask &= ~CDC_MRW;
+ else
+ cdi->mask |= CDC_MRW;
+
+ if (mrw_write)
+ cdi->mask &= ~CDC_MRW_W;
+ else
+ cdi->mask |= CDC_MRW_W;
+
+ if (ram_write)
+ cdi->mask &= ~CDC_RAM;
+ else
+ cdi->mask |= CDC_RAM;
+}
+EXPORT_SYMBOL(cdrom_probe_write_features);
+
static int cdrom_media_erasable(struct cdrom_device_info *cdi)
{
disc_information di;
@@ -894,33 +942,8 @@ static int cdrom_is_dvd_rw(struct cdrom_device_info *cdi)
*/
static int cdrom_open_write(struct cdrom_device_info *cdi)
{
- int mrw, mrw_write, ram_write;
int ret = 1;
- mrw = 0;
- if (!cdrom_is_mrw(cdi, &mrw_write))
- mrw = 1;
-
- if (CDROM_CAN(CDC_MO_DRIVE))
- ram_write = 1;
- else
- (void) cdrom_is_random_writable(cdi, &ram_write);
-
- if (mrw)
- cdi->mask &= ~CDC_MRW;
- else
- cdi->mask |= CDC_MRW;
-
- if (mrw_write)
- cdi->mask &= ~CDC_MRW_W;
- else
- cdi->mask |= CDC_MRW_W;
-
- if (ram_write)
- cdi->mask &= ~CDC_RAM;
- else
- cdi->mask |= CDC_RAM;
-
if (CDROM_CAN(CDC_MRW_W))
ret = cdrom_mrw_open_write(cdi);
else if (CDROM_CAN(CDC_DVD_RAM))
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index add13e3068983..803fc9c132298 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -395,7 +395,7 @@ static blk_status_t sr_init_command(struct scsi_cmnd *SCpnt)
switch (req_op(rq)) {
case REQ_OP_WRITE:
- if (!cd->writeable)
+ if (get_disk_ro(cd->disk))
goto out;
SCpnt->cmnd[0] = WRITE_10;
cd->cdi.media_written = 1;
@@ -681,6 +681,7 @@ static int sr_probe(struct device *dev)
error = -ENOMEM;
if (get_capabilities(cd))
goto fail_minor;
+ cdrom_probe_write_features(&cd->cdi);
sr_vendor_init(cd);
set_capacity(disk, cd->capacity);
@@ -899,14 +900,6 @@ static int get_capabilities(struct scsi_cd *cd)
/*else I don't think it can close its tray
cd->cdi.mask |= CDC_CLOSE_TRAY; */
- /*
- * if DVD-RAM, MRW-W or CD-RW, we are randomly writable
- */
- if ((cd->cdi.mask & (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)) !=
- (CDC_DVD_RAM | CDC_MRW_W | CDC_RAM | CDC_CD_RW)) {
- cd->writeable = 1;
- }
-
kfree(buffer);
return 0;
}
diff --git a/drivers/scsi/sr.h b/drivers/scsi/sr.h
index dc899277b3a44..2d92f9cb6fec7 100644
--- a/drivers/scsi/sr.h
+++ b/drivers/scsi/sr.h
@@ -35,7 +35,6 @@ typedef struct scsi_cd {
struct scsi_device *device;
unsigned int vendor; /* vendor code, see sr_vendor.c */
unsigned long ms_offset; /* for reading multisession-CD's */
- unsigned writeable : 1;
unsigned use:1; /* is this device still supportable */
unsigned xa_flag:1; /* CD has XA sectors ? */
unsigned readcd_known:1; /* drive supports READ_CD (0xbe) */
diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h
index b907e6c2307d8..260d7968cf720 100644
--- a/include/linux/cdrom.h
+++ b/include/linux/cdrom.h
@@ -108,6 +108,7 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
extern unsigned int cdrom_check_events(struct cdrom_device_info *cdi,
unsigned int clearing);
+extern void cdrom_probe_write_features(struct cdrom_device_info *cdi);
extern int register_cdrom(struct gendisk *disk, struct cdrom_device_info *cdi);
extern void unregister_cdrom(struct cdrom_device_info *cdi);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 764/957] netdevsim: zero initialize struct iphdr in dummy sk_buff
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (762 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 763/957] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 765/957] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
` (198 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikola Z. Ivanov, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikola Z. Ivanov <zlatistiv@gmail.com>
[ Upstream commit 35eaa6d8d6c2ee65e96f507add856e0eacf24591 ]
Syzbot reports a KMSAN uninit-value originating from
nsim_dev_trap_skb_build, with the allocation also
being performed in the same function.
Fix this by calling skb_put_zero instead of skb_put to
guarantee zero initialization of the whole IP header.
Closes: https://syzkaller.appspot.com/bug?extid=23d7fcd204e3837866ff
Fixes: da58f90f11f5 ("netdevsim: Add devlink-trap support")
Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260426201434.742030-1-zlatistiv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netdevsim/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index 56a47c060f2e1..4064c488439b4 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -773,7 +773,7 @@ static struct sk_buff *nsim_dev_trap_skb_build(void)
skb->protocol = htons(ETH_P_IP);
skb_set_network_header(skb, skb->len);
- iph = skb_put(skb, sizeof(struct iphdr));
+ iph = skb_put_zero(skb, sizeof(struct iphdr));
iph->protocol = IPPROTO_UDP;
iph->saddr = in_aton("192.0.2.1");
iph->daddr = in_aton("198.51.100.1");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 765/957] net/sched: netem: fix probability gaps in 4-state loss model
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (763 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 764/957] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 766/957] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
` (197 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 732b463449fd0ef90acd13cda68eab1c91adb00c ]
The 4-state Markov chain in loss_4state() has gaps at the boundaries
between transition probability ranges. The comparisons use:
if (rnd < a4)
else if (a4 < rnd && rnd < a1 + a4)
When rnd equals a boundary value exactly, neither branch matches and
no state transition occurs. The redundant lower-bound check (a4 < rnd)
is already implied by being in the else branch.
Remove the unnecessary lower-bound comparisons so the ranges are
contiguous and every random value produces a transition, matching
the GI (General and Intuitive) loss model specification.
This bug goes back to original implementation of this model.
Fixes: 661b79725fea ("netem: revised correlated loss generator")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-2-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 6f8fcc4b504ce..4eb6ed60ee9b6 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -227,10 +227,10 @@ static bool loss_4state(struct netem_sched_data *q)
if (rnd < clg->a4) {
clg->state = LOST_IN_GAP_PERIOD;
return true;
- } else if (clg->a4 < rnd && rnd < clg->a1 + clg->a4) {
+ } else if (rnd < clg->a1 + clg->a4) {
clg->state = LOST_IN_BURST_PERIOD;
return true;
- } else if (clg->a1 + clg->a4 < rnd) {
+ } else {
clg->state = TX_IN_GAP_PERIOD;
}
@@ -247,9 +247,9 @@ static bool loss_4state(struct netem_sched_data *q)
case LOST_IN_BURST_PERIOD:
if (rnd < clg->a3)
clg->state = TX_IN_BURST_PERIOD;
- else if (clg->a3 < rnd && rnd < clg->a2 + clg->a3) {
+ else if (rnd < clg->a2 + clg->a3) {
clg->state = TX_IN_GAP_PERIOD;
- } else if (clg->a2 + clg->a3 < rnd) {
+ } else {
clg->state = LOST_IN_BURST_PERIOD;
return true;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 766/957] net/sched: netem: fix queue limit check to include reordered packets
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (764 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 765/957] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 767/957] net/sched: netem: only reseed PRNG when seed is explicitly provided Greg Kroah-Hartman
` (196 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 4185701fcce6b426b6c3630b25330dddd9c47b0d ]
The queue limit check in netem_enqueue() uses q->t_len which only
counts packets in the internal tfifo. Packets placed in sch->q by
the reorder path (__qdisc_enqueue_head) are not counted, allowing
the total queue occupancy to exceed sch->limit under reordering.
Include sch->q.qlen in the limit check.
Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-3-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 4eb6ed60ee9b6..da8dcc9b61cc7 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -523,7 +523,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
1 << get_random_u32_below(8);
}
- if (unlikely(q->t_len >= sch->limit)) {
+ if (unlikely(sch->q.qlen >= sch->limit)) {
/* re-link segs, so that qdisc_drop_all() frees them all */
skb->next = segs;
qdisc_drop_all(skb, sch, to_free);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 767/957] net/sched: netem: only reseed PRNG when seed is explicitly provided
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (765 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 766/957] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 768/957] net/sched: netem: validate slot configuration Greg Kroah-Hartman
` (195 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 986afaf809940577224a99c3a08d97a15eb37e93 ]
netem_change() unconditionally reseeds the PRNG on every tc change
command. If TCA_NETEM_PRNG_SEED is not specified, a new random seed
is generated, destroying reproducibility for users who set a
deterministic seed on a previous change.
Move the initial random seed generation to netem_init() and only
reseed in netem_change() when TCA_NETEM_PRNG_SEED is explicitly
provided by the user.
Fixes: 4072d97ddc44 ("netem: add prng attribute to netem_sched_data")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-4-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index da8dcc9b61cc7..4bf65fcdaff02 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -1111,11 +1111,10 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
/* capping jitter to the range acceptable by tabledist() */
q->jitter = min_t(s64, abs(q->jitter), INT_MAX);
- if (tb[TCA_NETEM_PRNG_SEED])
+ if (tb[TCA_NETEM_PRNG_SEED]) {
q->prng.seed = nla_get_u64(tb[TCA_NETEM_PRNG_SEED]);
- else
- q->prng.seed = get_random_u64();
- prandom_seed_state(&q->prng.prng_state, q->prng.seed);
+ prandom_seed_state(&q->prng.prng_state, q->prng.seed);
+ }
unlock:
sch_tree_unlock(sch);
@@ -1138,6 +1137,9 @@ static int netem_init(struct Qdisc *sch, struct nlattr *opt,
return -EINVAL;
q->loss_model = CLG_RANDOM;
+ q->prng.seed = get_random_u64();
+ prandom_seed_state(&q->prng.prng_state, q->prng.seed);
+
ret = netem_change(sch, opt, extack);
if (ret)
pr_info("netem: change failed\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 768/957] net/sched: netem: validate slot configuration
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (766 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 767/957] net/sched: netem: only reseed PRNG when seed is explicitly provided Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 769/957] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
` (194 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 01801c359a74737b9b1aa28568b60374d857241a ]
Reject slot configurations that have no defensible meaning:
- negative min_delay or max_delay
- min_delay greater than max_delay
- negative dist_delay or dist_jitter
- negative max_packets or max_bytes
Negative or out-of-order delays underflow in get_slot_next(),
producing garbage intervals. Negative limits trip the per-slot
accounting (packets_left/bytes_left <= 0) on the first packet of
every slot, defeating the rate-limiting half of the slot feature.
Note that dist_jitter has been silently coerced to its absolute
value by get_slot() since the feature was introduced; rejecting
negatives here converts that silent coercion into -EINVAL. The
abs() can be removed in a follow-up.
Fixes: 836af83b54e3 ("netem: support delivering packets in delayed time slots")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-5-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 4bf65fcdaff02..41d60e904090d 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -826,6 +826,29 @@ static int get_dist_table(struct disttable **tbl, const struct nlattr *attr)
return 0;
}
+static int validate_slot(const struct nlattr *attr, struct netlink_ext_ack *extack)
+{
+ const struct tc_netem_slot *c = nla_data(attr);
+
+ if (c->min_delay < 0 || c->max_delay < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative slot delay");
+ return -EINVAL;
+ }
+ if (c->min_delay > c->max_delay) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "slot min delay greater than max delay");
+ return -EINVAL;
+ }
+ if (c->dist_delay < 0 || c->dist_jitter < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative dist delay");
+ return -EINVAL;
+ }
+ if (c->max_packets < 0 || c->max_bytes < 0) {
+ NL_SET_ERR_MSG_ATTR(extack, attr, "negative slot limit");
+ return -EINVAL;
+ }
+ return 0;
+}
+
static void get_slot(struct netem_sched_data *q, const struct nlattr *attr)
{
const struct tc_netem_slot *c = nla_data(attr);
@@ -1039,6 +1062,12 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
goto table_free;
}
+ if (tb[TCA_NETEM_SLOT]) {
+ ret = validate_slot(tb[TCA_NETEM_SLOT], extack);
+ if (ret)
+ goto table_free;
+ }
+
sch_tree_lock(sch);
/* backup q->clg and q->loss_model */
old_clg = q->clg;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 769/957] net/sched: netem: fix slot delay calculation overflow
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (767 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 768/957] net/sched: netem: validate slot configuration Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 770/957] net/sched: netem: check for negative latency and jitter Greg Kroah-Hartman
` (193 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 51e94e1e2fef351c74d69eb53666df808d26af95 ]
get_slot_next() computes a random delay between min_delay and
max_delay using:
get_random_u32() * (max_delay - min_delay) >> 32
This overflows signed 64-bit arithmetic when the delay range exceeds
approximately 2.1 seconds (2^31 nanoseconds), producing a negative
result that effectively disables slot-based pacing. This is a
realistic configuration for WAN emulation (e.g., slot 1s 5s).
Use mul_u64_u32_shr() which handles the widening multiply without
overflow.
Fixes: 0a9fe5c375b5 ("netem: slotting with non-uniform distribution")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-6-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 41d60e904090d..6e221bdfb3871 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -658,9 +658,8 @@ static void get_slot_next(struct netem_sched_data *q, u64 now)
if (!q->slot_dist)
next_delay = q->slot_config.min_delay +
- (get_random_u32() *
- (q->slot_config.max_delay -
- q->slot_config.min_delay) >> 32);
+ mul_u64_u32_shr(q->slot_config.max_delay - q->slot_config.min_delay,
+ get_random_u32(), 32);
else
next_delay = tabledist(q->slot_config.dist_delay,
(s32)(q->slot_config.dist_jitter),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 770/957] net/sched: netem: check for negative latency and jitter
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (768 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 769/957] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 771/957] net: airoha: stop net_device TX queue before updating CPU index Greg Kroah-Hartman
` (192 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Simon Horman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <stephen@networkplumber.org>
[ Upstream commit 90be9fedb218ee95a1cf59050d1306fbfb0e8b87 ]
Reject requests with negative latency or jitter.
A negative value added to current timestamp (u64) wraps
to an enormous time_to_send, disabling dequeue.
The original UAPI used u32 for these values; the conversion to 64-bit
time values via TCA_NETEM_LATENCY64 and TCA_NETEM_JITTER64
allowed signed values to reach the kernel without validation.
Jitter is already silently clamped by an abs() in netem_change();
that abs() can be removed in a follow-up once this rejection is in
place.
Fixes: 99803171ef04 ("netem: add uapi to express delay and jitter in nanoseconds")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-7-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 6e221bdfb3871..47db6da905c58 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -825,6 +825,16 @@ static int get_dist_table(struct disttable **tbl, const struct nlattr *attr)
return 0;
}
+static int validate_time(const struct nlattr *attr, const char *name,
+ struct netlink_ext_ack *extack)
+{
+ if (nla_get_s64(attr) < 0) {
+ NL_SET_ERR_MSG_ATTR_FMT(extack, attr, "negative %s", name);
+ return -EINVAL;
+ }
+ return 0;
+}
+
static int validate_slot(const struct nlattr *attr, struct netlink_ext_ack *extack)
{
const struct tc_netem_slot *c = nla_data(attr);
@@ -1067,6 +1077,18 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
goto table_free;
}
+ if (tb[TCA_NETEM_LATENCY64]) {
+ ret = validate_time(tb[TCA_NETEM_LATENCY64], "latency", extack);
+ if (ret)
+ goto table_free;
+ }
+
+ if (tb[TCA_NETEM_JITTER64]) {
+ ret = validate_time(tb[TCA_NETEM_JITTER64], "jitter", extack);
+ if (ret)
+ goto table_free;
+ }
+
sch_tree_lock(sch);
/* backup q->clg and q->loss_model */
old_clg = q->clg;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 771/957] net: airoha: stop net_device TX queue before updating CPU index
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (769 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 770/957] net/sched: netem: check for negative latency and jitter Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 772/957] net: airoha: fix typo in function name Greg Kroah-Hartman
` (191 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 3854de7b38be742cf7558476956d12414cb274f2 ]
Currently, airoha_eth driver updates the CPU index register prior of
verifying whether the number of free descriptors has fallen below the
threshold.
Move net_device TX queue length check before updating the TX CPU index
in order to update TX CPU index even if there are more packets to be
transmitted but the net_device TX queue is going to be stopped
accounting the inflight packets.
Fixes: 1d304174106c ("net: airoha: Implement BQL support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260421-airoha-xmit-stop-condition-v1-1-e670d6a48467@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 865b854bd4afc..fd612cc339e13 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -2111,17 +2111,16 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
skb_tx_timestamp(skb);
netdev_tx_sent_queue(txq, skb->len);
+ if (q->ndesc - q->queued < q->free_thr) {
+ netif_tx_stop_queue(txq);
+ q->txq_stopped = true;
+ }
if (netif_xmit_stopped(txq) || !netdev_xmit_more())
airoha_qdma_rmw(qdma, REG_TX_CPU_IDX(qid),
TX_RING_CPU_IDX_MASK,
FIELD_PREP(TX_RING_CPU_IDX_MASK, index));
- if (q->ndesc - q->queued < q->free_thr) {
- netif_tx_stop_queue(txq);
- q->txq_stopped = true;
- }
-
spin_unlock_bh(&q->lock);
return NETDEV_TX_OK;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 772/957] net: airoha: fix typo in function name
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (770 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 771/957] net: airoha: stop net_device TX queue before updating CPU index Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 773/957] net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs() Greg Kroah-Hartman
` (190 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengping Zhang, Simon Horman,
Lorenzo Bianconi, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengping Zhang <aquapinn@qq.com>
[ Upstream commit aebf15e8eb09b01e99f043e9f5d423798aac9d32 ]
Corrected the typo in the function name from
`airhoa_is_lan_gdm_port` to `airoha_is_lan_gdm_port`. This change ensures
consistency in the API naming convention.
Signed-off-by: Zhengping Zhang <aquapinn@qq.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/tencent_E4FD5D6BC0131E617D848896F5F9FCED6E0A@qq.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: e070aac63b42 ("net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 2 +-
drivers/net/ethernet/airoha/airoha_eth.h | 2 +-
drivers/net/ethernet/airoha/airoha_ppe.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index fd612cc339e13..9691b4134285f 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -76,7 +76,7 @@ static void airoha_set_macaddr(struct airoha_gdm_port *port, const u8 *addr)
struct airoha_eth *eth = port->qdma->eth;
u32 val, reg;
- reg = airhoa_is_lan_gdm_port(port) ? REG_FE_LAN_MAC_H
+ reg = airoha_is_lan_gdm_port(port) ? REG_FE_LAN_MAC_H
: REG_FE_WAN_MAC_H;
val = (addr[0] << 16) | (addr[1] << 8) | addr[2];
airoha_fe_wr(eth, reg, val);
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 28dfa35a3abed..abd996492cb7f 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -627,7 +627,7 @@ u32 airoha_rmw(void __iomem *base, u32 offset, u32 mask, u32 val);
#define airoha_qdma_clear(qdma, offset, val) \
airoha_rmw((qdma)->regs, (offset), (val), 0)
-static inline bool airhoa_is_lan_gdm_port(struct airoha_gdm_port *port)
+static inline bool airoha_is_lan_gdm_port(struct airoha_gdm_port *port)
{
/* GDM1 port on EN7581 SoC is connected to the lan dsa switch.
* GDM{2,3,4} can be used as wan port connected to an external
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index 6cd5febce6b59..005128717a45c 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -331,7 +331,7 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth,
/* For downlink traffic consume SRAM memory for hw
* forwarding descriptors queue.
*/
- if (airhoa_is_lan_gdm_port(port))
+ if (airoha_is_lan_gdm_port(port))
val |= AIROHA_FOE_IB2_FAST_PATH;
if (dsa_port >= 0)
val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 773/957] net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (771 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 772/957] net: airoha: fix typo in function name Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 774/957] net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit() Greg Kroah-Hartman
` (189 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit e070aac63b42bf81f4dc565f9f841ff47e6c992f ]
Do not wake every netdev TX queue across all ports sharing the QDMA
running netif_tx_wake_all_queues routine in airoha_qdma_wake_netdev_txqs()
but only the ones that are mapped the specific QDMA stopped hw TX queue.
This patch can potentially avoid waking already stopped netdev TX queues
that are mapped to a different QDMA hw TX queue.
Introduce airoha_qdma_get_txq utility routine.
Fixes: b94769eb2f30 ("net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260421-airoha-wake_netdev_txqs-optmization-v1-1-e0be95115d53@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 19 +++++++++++++++----
drivers/net/ethernet/airoha/airoha_eth.h | 5 +++++
2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 9691b4134285f..7d7f2bf6172a3 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -878,13 +878,24 @@ static void airoha_qdma_wake_netdev_txqs(struct airoha_queue *q)
{
struct airoha_qdma *qdma = q->qdma;
struct airoha_eth *eth = qdma->eth;
- int i;
+ int i, qid = q - &qdma->q_tx[0];
for (i = 0; i < ARRAY_SIZE(eth->ports); i++) {
struct airoha_gdm_port *port = eth->ports[i];
+ int j;
+
+ if (!port)
+ continue;
- if (port && port->qdma == qdma)
- netif_tx_wake_all_queues(port->dev);
+ if (port->qdma != qdma)
+ continue;
+
+ for (j = 0; j < port->dev->num_tx_queues; j++) {
+ if (airoha_qdma_get_txq(qdma, j) != qid)
+ continue;
+
+ netif_wake_subqueue(port->dev, j);
+ }
}
q->txq_stopped = false;
}
@@ -2018,7 +2029,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
u16 index;
u8 fport;
- qid = skb_get_queue_mapping(skb) % ARRAY_SIZE(qdma->q_tx);
+ qid = airoha_qdma_get_txq(qdma, skb_get_queue_mapping(skb));
tag = airoha_get_dsa_tag(skb, dev);
msg0 = FIELD_PREP(QDMA_ETH_TXMSG_CHAN_MASK,
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index abd996492cb7f..33277cc577990 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -627,6 +627,11 @@ u32 airoha_rmw(void __iomem *base, u32 offset, u32 mask, u32 val);
#define airoha_qdma_clear(qdma, offset, val) \
airoha_rmw((qdma)->regs, (offset), (val), 0)
+static inline u16 airoha_qdma_get_txq(struct airoha_qdma *qdma, u16 qid)
+{
+ return qid % ARRAY_SIZE(qdma->q_tx);
+}
+
static inline bool airoha_is_lan_gdm_port(struct airoha_gdm_port *port)
{
/* GDM1 port on EN7581 SoC is connected to the lan dsa switch.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 774/957] net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (772 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 773/957] net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 775/957] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
` (188 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit bde34e84edc8b5571fbde7e941e175a4293ee1eb ]
The transmit loop in airoha_dev_xmit() reads fragment address and length
during its final iteration, when the loop index equals
skb_shinfo(skb)->nr_frags, at which point the fragment data is
uninitialized. While these values are never consumed, the read itself is
unsafe and may trigger a page fault. Fix this by avoiding the fragment
read on the last iteration.
Additionally, move the skb pointer from the first to the last used packet
descriptor, so that airoha_qdma_tx_napi_poll() defers freeing the skb
until the final descriptor is processed.
Fixes: 23020f0493270 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260424-airoha-xmit-fix-read-frag-v1-1-fdc0a83c79e8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 7d7f2bf6172a3..a69544e785a2a 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -2024,8 +2024,8 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
struct netdev_queue *txq;
struct airoha_queue *q;
LIST_HEAD(tx_list);
+ int i = 0, qid;
void *data;
- int i, qid;
u16 index;
u8 fport;
@@ -2084,7 +2084,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
list);
index = e - q->entry;
- for (i = 0; i < nr_frags; i++) {
+ while (true) {
struct airoha_qdma_desc *desc = &q->desc[index];
skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
dma_addr_t addr;
@@ -2096,7 +2096,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
goto error_unmap;
list_move_tail(&e->list, &tx_list);
- e->skb = i ? NULL : skb;
+ e->skb = i == nr_frags - 1 ? skb : NULL;
e->dma_addr = addr;
e->dma_len = len;
@@ -2115,6 +2115,9 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
WRITE_ONCE(desc->msg1, cpu_to_le32(msg1));
WRITE_ONCE(desc->msg2, cpu_to_le32(0xffff));
+ if (++i == nr_frags)
+ break;
+
data = skb_frag_address(frag);
len = skb_frag_size(frag);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 775/957] net/sched: sch_choke: annotate data-races in choke_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (773 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 774/957] net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 776/957] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
` (187 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d3aeb889dcbd78e95f500d383799a23d949796e0 ]
choke_dump_stats() only runs with RTNL held.
It reads fields that can be changed in qdisc fast path.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: edb09eb17ed8 ("net: sched: do not acquire qdisc spinlock in qdisc/class stats dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260423062839.2524324-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_choke.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index 59e7bdf5063e8..ea6ef76c29658 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -229,7 +229,7 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* Draw a packet at random from queue and compare flow */
if (choke_match_random(q, skb, &idx)) {
- q->stats.matched++;
+ WRITE_ONCE(q->stats.matched, q->stats.matched + 1);
choke_drop_by_idx(sch, idx, to_free);
goto congestion_drop;
}
@@ -241,11 +241,13 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_overlimit(sch);
if (use_harddrop(q) || !use_ecn(q) ||
!INET_ECN_set_ce(skb)) {
- q->stats.forced_drop++;
+ WRITE_ONCE(q->stats.forced_drop,
+ q->stats.forced_drop + 1);
goto congestion_drop;
}
- q->stats.forced_mark++;
+ WRITE_ONCE(q->stats.forced_mark,
+ q->stats.forced_mark + 1);
} else if (++q->vars.qcount) {
if (red_mark_probability(p, &q->vars, q->vars.qavg)) {
q->vars.qcount = 0;
@@ -253,11 +255,13 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_overlimit(sch);
if (!use_ecn(q) || !INET_ECN_set_ce(skb)) {
- q->stats.prob_drop++;
+ WRITE_ONCE(q->stats.prob_drop,
+ q->stats.prob_drop + 1);
goto congestion_drop;
}
- q->stats.prob_mark++;
+ WRITE_ONCE(q->stats.prob_mark,
+ q->stats.prob_mark + 1);
}
} else
q->vars.qR = red_random(p);
@@ -272,7 +276,7 @@ static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch,
return NET_XMIT_SUCCESS;
}
- q->stats.pdrop++;
+ WRITE_ONCE(q->stats.pdrop, q->stats.pdrop + 1);
return qdisc_drop(skb, sch, to_free);
congestion_drop:
@@ -461,10 +465,12 @@ static int choke_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct choke_sched_data *q = qdisc_priv(sch);
struct tc_choke_xstats st = {
- .early = q->stats.prob_drop + q->stats.forced_drop,
- .marked = q->stats.prob_mark + q->stats.forced_mark,
- .pdrop = q->stats.pdrop,
- .matched = q->stats.matched,
+ .early = READ_ONCE(q->stats.prob_drop) +
+ READ_ONCE(q->stats.forced_drop),
+ .marked = READ_ONCE(q->stats.prob_mark) +
+ READ_ONCE(q->stats.forced_mark),
+ .pdrop = READ_ONCE(q->stats.pdrop),
+ .matched = READ_ONCE(q->stats.matched),
};
return gnet_stats_copy_app(d, &st, sizeof(st));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 776/957] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (774 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 775/957] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:20 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 777/957] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
` (186 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 59b145771c7982cfe9020d4e9e22da92d6b5ae31 ]
fq_codel_dump_stats() acquires the qdisc spinlock a bit too late.
Move this acquisition before we fill tc_fq_pie_xstats with live data.
Alternative would be to add READ_ONCE() and WRITE_ONCE() annotations,
but the spinlock is needed anyway to scan q->new_flows and q->old_flows.
Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260423063527.2568262-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_fq_pie.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
index 7b96bc3ff8918..0c7b2095f8655 100644
--- a/net/sched/sch_fq_pie.c
+++ b/net/sched/sch_fq_pie.c
@@ -510,18 +510,19 @@ static int fq_pie_dump(struct Qdisc *sch, struct sk_buff *skb)
static int fq_pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct fq_pie_sched_data *q = qdisc_priv(sch);
- struct tc_fq_pie_xstats st = {
- .packets_in = q->stats.packets_in,
- .overlimit = q->stats.overlimit,
- .overmemory = q->overmemory,
- .dropped = q->stats.dropped,
- .ecn_mark = q->stats.ecn_mark,
- .new_flow_count = q->new_flow_count,
- .memory_usage = q->memory_usage,
- };
+ struct tc_fq_pie_xstats st = { 0 };
struct list_head *pos;
sch_tree_lock(sch);
+
+ st.packets_in = q->stats.packets_in;
+ st.overlimit = q->stats.overlimit;
+ st.overmemory = q->overmemory;
+ st.dropped = q->stats.dropped;
+ st.ecn_mark = q->stats.ecn_mark;
+ st.new_flow_count = q->new_flow_count;
+ st.memory_usage = q->memory_usage;
+
list_for_each(pos, &q->new_flows)
st.new_flows_len++;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 777/957] vrf: Fix a potential NPD when removing a port from a VRF
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (775 preceding siblings ...)
2026-05-20 16:20 ` [PATCH 6.18 776/957] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 778/957] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
` (185 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoze Xie, Yifan Wu, Juefei Pu,
Yuan Tan, Ido Schimmel, David Ahern, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 2674d603a9e6970463b2b9ebcf8e31e90beae169 ]
RCU readers that identified a net device as a VRF port using
netif_is_l3_slave() assume that a subsequent call to
netdev_master_upper_dev_get_rcu() will return a VRF device. They then
continue to dereference its l3mdev operations.
This assumption is not always correct and can result in a NPD [1]. There
is no RCU synchronization when removing a port from a VRF, so it is
possible for an RCU reader to see a new master device (e.g., a bridge)
that does not have l3mdev operations.
Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE
flag. Skip this synchronization when a net device is removed from a VRF
as part of its deletion and when the VRF device itself is deleted. In
the latter case an RCU grace period will pass by the time RTNL is
released.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181)
[...]
Call Trace:
<TASK>
l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189)
__inet_bind (net/ipv4/af_inet.c:499 (discriminator 3))
inet_bind_sk (net/ipv4/af_inet.c:469)
__sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1))
__x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fixes: fdeea7be88b1 ("net: vrf: Set slave's private flag before linking")
Reported-by: Haoze Xie <royenheart@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Closes: https://lore.kernel.org/netdev/20260419145332.3988923-1-n05ec@lzu.edu.cn/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260423063607.1208202-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vrf.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 571847a7f86d7..4b62b167650ea 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -1084,6 +1084,7 @@ static int do_vrf_add_slave(struct net_device *dev, struct net_device *port_dev,
err:
port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
+ synchronize_net();
return ret;
}
@@ -1103,10 +1104,16 @@ static int vrf_add_slave(struct net_device *dev, struct net_device *port_dev,
}
/* inverse of do_vrf_add_slave */
-static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
+static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev,
+ bool needs_sync)
{
netdev_upper_dev_unlink(port_dev, dev);
port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
+ /* Make sure that concurrent RCU readers that identified the device
+ * as a VRF port see a VRF master or no master at all.
+ */
+ if (needs_sync)
+ synchronize_net();
cycle_netdev(port_dev, NULL);
@@ -1115,7 +1122,7 @@ static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
static int vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
{
- return do_vrf_del_slave(dev, port_dev);
+ return do_vrf_del_slave(dev, port_dev, true);
}
static void vrf_dev_uninit(struct net_device *dev)
@@ -1669,7 +1676,7 @@ static void vrf_dellink(struct net_device *dev, struct list_head *head)
struct list_head *iter;
netdev_for_each_lower_dev(dev, port_dev, iter)
- vrf_del_slave(dev, port_dev);
+ do_vrf_del_slave(dev, port_dev, false);
vrf_map_unregister_dev(dev);
@@ -1801,7 +1808,7 @@ static int vrf_device_event(struct notifier_block *unused,
goto out;
vrf_dev = netdev_master_upper_dev_get(dev);
- vrf_del_slave(vrf_dev, dev);
+ do_vrf_del_slave(vrf_dev, dev, false);
}
out:
return NOTIFY_DONE;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 778/957] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (776 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 777/957] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 779/957] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
` (184 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3f46c095ac0ca048cb71,
Andrew Lunn, Zhan Jun, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhan Jun <zhanjun@uniontech.com>
[ Upstream commit 23f0e34c64acba15cad4d23e50f41f533da195fa ]
syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()
when accessing skb->len for tx statistics after usb_submit_urb() has
been called:
BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760
drivers/net/usb/rtl8150.c:712
Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226
The URB completion handler write_bulk_callback() frees the skb via
dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU
in softirq context before usb_submit_urb() returns in the submitter,
so by the time the submitter reads skb->len the skb has already been
queued to the per-CPU completion_queue and freed by net_tx_action():
CPU A (xmit) CPU B (USB completion softirq)
------------ ------------------------------
dev->tx_skb = skb;
usb_submit_urb() --+
|-------> write_bulk_callback()
| dev_kfree_skb_irq(dev->tx_skb)
| net_tx_action()
| napi_skb_cache_put() <-- free
netdev->stats.tx_bytes |
+= skb->len; <-- UAF read
Fix it by caching skb->len before submitting the URB and using the
cached value when updating the tx_bytes counter.
The pre-existing tx_bytes semantics are preserved: the counter tracks
the original frame length (skb->len), not the ETH_ZLEN/USB-alignment
padded "count" value that is handed to the device. Changing that
would be a user-visible accounting change and is out of scope for
this UAF fix.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+3f46c095ac0ca048cb71@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e69ee7.050a0220.24bfd3.002b.GAE@google.com/
Closes: https://syzkaller.appspot.com/bug?extid=3f46c095ac0ca048cb71
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Zhan Jun <zhanjun@uniontech.com>
Link: https://patch.msgid.link/809895186B866C10+20260423004913.136655-1-zhangdandan@uniontech.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index e40b0669d9f4b..8700ae392b10a 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -685,6 +685,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
struct net_device *netdev)
{
rtl8150_t *dev = netdev_priv(netdev);
+ unsigned int skb_len;
int count, res;
/* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
@@ -696,6 +697,8 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
return NETDEV_TX_OK;
}
+ skb_len = skb->len;
+
netif_stop_queue(netdev);
dev->tx_skb = skb;
usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
@@ -711,7 +714,7 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
}
} else {
netdev->stats.tx_packets++;
- netdev->stats.tx_bytes += skb->len;
+ netdev->stats.tx_bytes += skb_len;
netif_trans_update(netdev);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 779/957] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (777 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 778/957] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 780/957] spi: amlogic-spisg: initialize completion before requesting IRQ Greg Kroah-Hartman
` (183 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Morduan Zang,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Morduan Zang <zhangdandan@uniontech.com>
[ Upstream commit adbe2cdf75461891e50dbe11896ac78e9af1f874 ]
When rtl8150_start_xmit() fails to submit the tx URB, the URB is never
handed to the USB core and write_bulk_callback() will not run. The
driver returns NETDEV_TX_OK, which tells the networking stack that the
skb has been consumed, but nothing actually frees the skb on this
error path:
dev->tx_skb = skb;
...
if ((res = usb_submit_urb(dev->tx_urb, GFP_ATOMIC))) {
...
/* no kfree_skb here */
}
return NETDEV_TX_OK;
This leaks the skb on every submit failure and also leaves dev->tx_skb
pointing at memory that the driver itself may later free, which is
fragile.
Free the skb with dev_kfree_skb_any() in the error path and clear
dev->tx_skb so no stale pointer is left behind.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Link: https://patch.msgid.link/E7D3E1C013C5A859+20260424015517.9574-1-zhangdandan@uniontech.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 8700ae392b10a..647f28b367b99 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -712,6 +712,13 @@ static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
netdev->stats.tx_errors++;
netif_start_queue(netdev);
}
+ /*
+ * The URB was not submitted, so write_bulk_callback() will
+ * never run to free dev->tx_skb. Drop the skb here and
+ * clear tx_skb to avoid leaving a stale pointer.
+ */
+ dev->tx_skb = NULL;
+ dev_kfree_skb_any(skb);
} else {
netdev->stats.tx_packets++;
netdev->stats.tx_bytes += skb_len;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 780/957] spi: amlogic-spisg: initialize completion before requesting IRQ
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (778 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 779/957] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 781/957] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
` (182 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Gu, Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
[ Upstream commit 8d0189c1ea98b56481eb809e3d1bdbf85557e819 ]
Move init_completion(&spisg->completion) to before devm_request_irq()
to avoid a potential race condition where an interrupt could fire
before the completion structure is initialized.
Fixes: cef9991e04ae ("spi: Add Amlogic SPISG driver")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260428-amlogic-spisg-v1-1-8eecc3b446d6@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-amlogic-spisg.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/spi/spi-amlogic-spisg.c b/drivers/spi/spi-amlogic-spisg.c
index 56a6cf8471b9f..970fddbb25857 100644
--- a/drivers/spi/spi-amlogic-spisg.c
+++ b/drivers/spi/spi-amlogic-spisg.c
@@ -795,6 +795,7 @@ static int aml_spisg_probe(struct platform_device *pdev)
dma_set_max_seg_size(&pdev->dev, SPISG_BLOCK_MAX);
+ init_completion(&spisg->completion);
ret = devm_request_irq(&pdev->dev, irq, aml_spisg_irq, 0, NULL, spisg);
if (ret) {
dev_err(&pdev->dev, "irq request failed\n");
@@ -807,8 +808,6 @@ static int aml_spisg_probe(struct platform_device *pdev)
goto out_clk;
}
- init_completion(&spisg->completion);
-
pm_runtime_put(&spisg->pdev->dev);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 781/957] NFC: trf7970a: Ignore antenna noise when checking for RF field
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (779 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 780/957] spi: amlogic-spisg: initialize completion before requesting IRQ Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 782/957] net/sched: taprio: fix NULL pointer dereference in class dump Greg Kroah-Hartman
` (181 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Geurts, Krzysztof Kozlowski,
Mark Greer, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Geurts <paul.geurts@prodrive-technologies.com>
[ Upstream commit a9bc28aa4e64320668131349436a650bf42591a5 ]
The main channel Received Signal Strength Indicator (RSSI) measurement
is used to determine whether an RF field is present or not. RSSI != 0
is interpreted as an RF Field is present. This does not take RF noise
and measurement inaccuracy into account, and results in false positives
in the field.
Define a noise level and make sure the RF field is only interpreted as
present when the RSSI is above the noise level.
Fixes: 851ee3cbf850 ("NFC: trf7970a: Don't turn on RF if there is already an RF field")
Signed-off-by: Paul Geurts <paul.geurts@prodrive-technologies.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Mark Greer <mgreer@animalcreek.com>
Link: https://patch.msgid.link/20260422100930.581237-1-paul.geurts@prodrive-technologies.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/trf7970a.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c
index d17c701c7888b..08c27bb438b59 100644
--- a/drivers/nfc/trf7970a.c
+++ b/drivers/nfc/trf7970a.c
@@ -317,6 +317,7 @@
#define TRF7970A_RSSI_OSC_STATUS_RSSI_MASK (BIT(2) | BIT(1) | BIT(0))
#define TRF7970A_RSSI_OSC_STATUS_RSSI_X_MASK (BIT(5) | BIT(4) | BIT(3))
#define TRF7970A_RSSI_OSC_STATUS_RSSI_OSC_OK BIT(6)
+#define TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL 1
#define TRF7970A_SPECIAL_FCN_REG1_COL_7_6 BIT(0)
#define TRF7970A_SPECIAL_FCN_REG1_14_ANTICOLL BIT(1)
@@ -1300,7 +1301,7 @@ static int trf7970a_is_rf_field(struct trf7970a *trf, bool *is_rf_field)
if (ret)
return ret;
- if (rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK)
+ if ((rssi & TRF7970A_RSSI_OSC_STATUS_RSSI_MASK) > TRF7970A_RSSI_OSC_STATUS_RSSI_NOISE_LEVEL)
*is_rf_field = true;
else
*is_rf_field = false;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 782/957] net/sched: taprio: fix NULL pointer dereference in class dump
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (780 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 781/957] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 783/957] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
` (180 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 3d07ca5c0fae311226f737963984bd94bb159a87 ]
When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()
is called with new == NULL and stores NULL into q->qdiscs[cl - 1].
Subsequent RTM_GETTCLASS dump operations walk all classes via
taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()
returning the NULL pointer, then dereferences it to read child->handle,
causing a kernel NULL pointer dereference.
The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel
with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user
namespaces enabled, an unprivileged local user can trigger a kernel
panic by creating a taprio qdisc inside a new network namespace,
grafting an explicit child qdisc, deleting it, and requesting a class
dump. The RTM_GETTCLASS dump itself requires no capability.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)
Call Trace:
<TASK>
tc_fill_tclass (net/sched/sch_api.c:1966)
qdisc_class_dump (net/sched/sch_api.c:2326)
taprio_walk (net/sched/sch_taprio.c:2514)
tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)
tc_dump_tclass_root (net/sched/sch_api.c:2370)
tc_dump_tclass (net/sched/sch_api.c:2431)
rtnl_dumpit (net/core/rtnetlink.c:6864)
netlink_dump (net/netlink/af_netlink.c:2325)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Fix this by substituting &noop_qdisc when new is NULL in
taprio_graft(), a common pattern used by other qdiscs (e.g.,
multiq_graft()) to ensure the q->qdiscs[] slots are never NULL.
This makes control-plane dump paths safe without requiring individual
NULL checks.
Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)
previously had explicit NULL guards that would drop/skip the packet
cleanly, update those checks to test for &noop_qdisc instead. Without
this, packets would reach taprio_enqueue_one() which increments the root
qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc
drops the packet but those counters are never rolled back, permanently
inflating the root qdisc's statistics.
After this change *old can be a valid qdisc, NULL, or &noop_qdisc.
Only call qdisc_put(*old) in the first case to avoid decreasing
noop_qdisc's refcount, which was never increased.
Fixes: 665338b2a7a0 ("net/sched: taprio: dump class stats for the actual q->qdiscs[]")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260422161958.2517539-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 91b85360f8091..b3481cafa6eca 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -633,7 +633,7 @@ static int taprio_enqueue(struct sk_buff *skb, struct Qdisc *sch,
queue = skb_get_queue_mapping(skb);
child = q->qdiscs[queue];
- if (unlikely(!child))
+ if (unlikely(child == &noop_qdisc))
return qdisc_drop(skb, sch, to_free);
if (taprio_skb_exceeds_queue_max_sdu(sch, skb)) {
@@ -716,7 +716,7 @@ static struct sk_buff *taprio_dequeue_from_txq(struct Qdisc *sch, int txq,
int len;
u8 tc;
- if (unlikely(!child))
+ if (unlikely(child == &noop_qdisc))
return NULL;
if (TXTIME_ASSIST_IS_ENABLED(q->flags))
@@ -2185,6 +2185,9 @@ static int taprio_graft(struct Qdisc *sch, unsigned long cl,
if (!dev_queue)
return -EINVAL;
+ if (!new)
+ new = &noop_qdisc;
+
if (dev->flags & IFF_UP)
dev_deactivate(dev);
@@ -2198,14 +2201,14 @@ static int taprio_graft(struct Qdisc *sch, unsigned long cl,
*old = q->qdiscs[cl - 1];
if (FULL_OFFLOAD_IS_ENABLED(q->flags)) {
WARN_ON_ONCE(dev_graft_qdisc(dev_queue, new) != *old);
- if (new)
+ if (new != &noop_qdisc)
qdisc_refcount_inc(new);
- if (*old)
+ if (*old && *old != &noop_qdisc)
qdisc_put(*old);
}
q->qdiscs[cl - 1] = new;
- if (new)
+ if (new != &noop_qdisc)
new->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
if (dev->flags & IFF_UP)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 783/957] neigh: let neigh_xmit take skb ownership
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (781 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 782/957] net/sched: taprio: fix NULL pointer dereference in class dump Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 784/957] tcp: make probe0 timer handle expired user timeout Greg Kroah-Hartman
` (179 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Kuniyuki Iwashima,
Ido Schimmel, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 4438113be604ee67a7bf4f81da6e1cca41332ce4 ]
neigh_xmit always releases the skb, except when no neighbour table is
found. But even the first added user of neigh_xmit (mpls) relied on
neigh_xmit to release the skb (or queue it for tx).
sashiko reported:
If neigh_xmit() is called with an uninitialized neighbor table (for
example, NEIGH_ND_TABLE when IPv6 is disabled), it returns -EAFNOSUPPORT
and bypasses its internal out_kfree_skb error path. Because the return
value of neigh_xmit() is ignored here, does this leak the SKB?
Assume full ownership and remove the last code path that doesn't
xmit or free skb.
Fixes: 4fd3d7d9e868 ("neigh: Add helper function neigh_xmit")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260424145843.74055-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 6dab4d1c2263d..dabd368eaa4e7 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -3182,8 +3182,10 @@ int neigh_xmit(int index, struct net_device *dev,
rcu_read_lock();
tbl = rcu_dereference(neigh_tables[index]);
- if (!tbl)
- goto out_unlock;
+ if (!tbl) {
+ rcu_read_unlock();
+ goto out_kfree_skb;
+ }
if (index == NEIGH_ARP_TABLE) {
u32 key = *((u32 *)addr);
@@ -3199,7 +3201,6 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
}
err = READ_ONCE(neigh->output)(neigh, skb);
-out_unlock:
rcu_read_unlock();
}
else if (index == NEIGH_LINK_TABLE) {
@@ -3209,11 +3210,10 @@ int neigh_xmit(int index, struct net_device *dev,
goto out_kfree_skb;
err = dev_queue_xmit(skb);
}
-out:
return err;
out_kfree_skb:
kfree_skb(skb);
- goto out;
+ return err;
}
EXPORT_SYMBOL(neigh_xmit);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 784/957] tcp: make probe0 timer handle expired user timeout
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (782 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 783/957] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 785/957] netpoll: fix IPv6 local-address corruption Greg Kroah-Hartman
` (178 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Altan Hacigumus, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Altan Hacigumus <ahacigu.linux@gmail.com>
[ Upstream commit 2b9f6f7065d4cfb65ba19126e0b35ac4544c3f3a ]
tcp_clamp_probe0_to_user_timeout() computes remaining time in jiffies
using subtraction with an unsigned lvalue. If elapsed probing time
exceeds the configured TCP_USER_TIMEOUT, the underflow yields a large
value.
This ends up re-arming the probe timer for a full backoff interval
instead of expiring immediately, delaying connection teardown beyond
the configured timeout.
Fix this by preventing underflow so user-set timeout expiration is
handled correctly without extending the probe timer.
Fixes: 344db93ae3ee ("tcp: make TCP_USER_TIMEOUT accurate for zero window probes")
Link: https://lore.kernel.org/r/20260414013634.43997-1-ahacigu.linux@gmail.com
Signed-off-by: Altan Hacigumus <ahacigu.linux@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260424014639.54110-1-ahacigu.linux@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_timer.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index b2e5848b6980a..1e6d7d90371a9 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -49,7 +49,8 @@ static u32 tcp_clamp_rto_to_user_timeout(const struct sock *sk)
u32 tcp_clamp_probe0_to_user_timeout(const struct sock *sk, u32 when)
{
const struct inet_connection_sock *icsk = inet_csk(sk);
- u32 remaining, user_timeout;
+ u32 user_timeout;
+ s32 remaining;
s32 elapsed;
user_timeout = READ_ONCE(icsk->icsk_user_timeout);
@@ -60,7 +61,7 @@ u32 tcp_clamp_probe0_to_user_timeout(const struct sock *sk, u32 when)
if (unlikely(elapsed < 0))
elapsed = 0;
remaining = msecs_to_jiffies(user_timeout) - elapsed;
- remaining = max_t(u32, remaining, TCP_TIMEOUT_MIN);
+ remaining = max_t(int, remaining, TCP_TIMEOUT_MIN);
return min_t(u32, remaining, when);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 785/957] netpoll: fix IPv6 local-address corruption
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (783 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 784/957] tcp: make probe0 timer handle expired user timeout Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 786/957] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
` (177 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 3bc179bc7146c26c9dff75d2943d10528274e301 ]
netpoll_setup() decides whether to auto-populate the local source
address by testing np->local_ip.ip, which only inspects the first 4
bytes of the union inet_addr storage.
For an IPv6 netpoll whose caller-supplied local address has a zero
high-32 bits (::1, ::<suffix>, IPv4-mapped ::ffff:a.b.c.d, etc.), this
misdetects the address as unset (which they are not, but the first
4 bytes are empty), calls netpoll_take_ipv6() and overwrites it with
whatever matching link-local/global address the device happens to expose
first.
Introduce a helper netpoll_local_ip_unset() that picks the correct
family-aware test (ipv6_addr_any() for IPv6, !.ip for IPv4) and use it
from netpoll_setup().
Reproducer is something like:
echo "::2" > local_ip
echo 1 > enabled
cat local_ip
# before this fix: 2001:db8::1 (caller-supplied ::2 was clobbered)
# after this fix: ::2
Fixes: b7394d2429c1 ("netpoll: prepare for ipv6")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260424-netpoll_fix-v1-1-3a55348c625f@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/netpoll.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 6b1f470264c12..854e37c41653b 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -706,6 +706,23 @@ static int netpoll_take_ipv4(struct netpoll *np, struct net_device *ndev)
return 0;
}
+/*
+ * Test whether the caller left np->local_ip unset, so that
+ * netpoll_setup() should auto-populate it from the egress device.
+ *
+ * np->local_ip is a union of __be32 (IPv4) and struct in6_addr (IPv6),
+ * so an IPv6 address whose first 4 bytes are zero (e.g. ::1, ::2,
+ * IPv4-mapped ::ffff:a.b.c.d) must not be tested via the IPv4 arm —
+ * doing so would misclassify a caller-supplied address as unset and
+ * silently overwrite it with whatever address the device exposes.
+ */
+static bool netpoll_local_ip_unset(const struct netpoll *np)
+{
+ if (np->ipv6)
+ return ipv6_addr_any(&np->local_ip.in6);
+ return !np->local_ip.ip;
+}
+
int netpoll_setup(struct netpoll *np)
{
struct net *net = current->nsproxy->net_ns;
@@ -750,7 +767,7 @@ int netpoll_setup(struct netpoll *np)
rtnl_lock();
}
- if (!np->local_ip.ip) {
+ if (netpoll_local_ip_unset(np)) {
if (!np->ipv6) {
err = netpoll_take_ipv4(np, ndev);
if (err)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 786/957] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (784 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 785/957] netpoll: fix IPv6 local-address corruption Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 787/957] sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals Greg Kroah-Hartman
` (176 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c39f0bc03f84ba64c9144c95714df1dc36150f6d ]
At parsing UAC3 streams, we allocate a PD object at each time, and
either assign or free it. But there is a case where the PD object may
be leaked; namely, in __snd_usb_parse_audio_interface() loop, when an
audioformat shares the same endpoint with others, it's put to a link
and returns from snd_usb_add_audio_stream(), but the PD is forgotten
afterwards. Overall, the treatment of PD object in the parser code is
a bit flaky, and we should be more careful about the object ownership.
This patch tries to fix the above case and improve the code a bit.
The pd object is now managed with the auto-cleanup in the loop, and
the ownership is updated when the pd object gets assigned to the
stream, which guarantees the release of the leftover object.
Fixes: 7edf3b5e6a45 ("ALSA: usb-audio: AudioStreaming Power Domain parsing")
Link: https://patch.msgid.link/20260427151508.12544-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 2 +-
sound/usb/stream.c | 58 ++++++++++++++++++----------------------------
sound/usb/stream.h | 3 ++-
3 files changed, 25 insertions(+), 38 deletions(-)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index f21e708675422..1b4cfc2b68f9d 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -122,7 +122,7 @@ static int add_audio_stream_from_fixed_fmt(struct snd_usb_audio *chip,
snd_usb_audioformat_set_sync_ep(chip, fp);
- err = snd_usb_add_audio_stream(chip, stream, fp);
+ err = snd_usb_add_audio_stream(chip, stream, fp, NULL);
if (err < 0)
return err;
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 8b83092a1999e..34a50fb4e50b9 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -79,7 +79,7 @@ static void snd_usb_audio_pcm_free(struct snd_pcm *pcm)
static void snd_usb_init_substream(struct snd_usb_stream *as,
int stream,
struct audioformat *fp,
- struct snd_usb_power_domain *pd)
+ struct snd_usb_power_domain **pdptr)
{
struct snd_usb_substream *subs = &as->substream[stream];
@@ -105,10 +105,11 @@ static void snd_usb_init_substream(struct snd_usb_stream *as,
if (fp->channels > subs->channels_max)
subs->channels_max = fp->channels;
- if (pd) {
- subs->str_pd = pd;
+ if (pdptr && *pdptr) {
+ subs->str_pd = *pdptr;
+ *pdptr = NULL; /* assigned */
/* Initialize Power Domain to idle status D1 */
- snd_usb_power_domain_set(subs->stream->chip, pd,
+ snd_usb_power_domain_set(subs->stream->chip, subs->str_pd,
UAC3_PD_STATE_D1);
}
@@ -486,11 +487,14 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
* if not, create a new pcm stream. note, fp is added to the substream
* fmt_list and will be freed on the chip instance release. do not free
* fp or do remove it from the substream fmt_list to avoid double-free.
+ *
+ * pdptr is optional and can be NULL. When it's non-NULL and the PD gets
+ * assigned to the stream, *pdptr is cleared to NULL upon return.
*/
-static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp,
- struct snd_usb_power_domain *pd)
+int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+ int stream,
+ struct audioformat *fp,
+ struct snd_usb_power_domain **pdptr)
{
struct snd_usb_stream *as;
@@ -523,7 +527,7 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
err = snd_pcm_new_stream(as->pcm, stream, 1);
if (err < 0)
return err;
- snd_usb_init_substream(as, stream, fp, pd);
+ snd_usb_init_substream(as, stream, fp, pdptr);
return add_chmap(as->pcm, stream, subs);
}
@@ -552,7 +556,7 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
else
strscpy(pcm->name, "USB Audio");
- snd_usb_init_substream(as, stream, fp, pd);
+ snd_usb_init_substream(as, stream, fp, pdptr);
/*
* Keep using head insertion for M-Audio Audiophile USB (tm) which has a
@@ -570,21 +574,6 @@ static int __snd_usb_add_audio_stream(struct snd_usb_audio *chip,
return add_chmap(pcm, stream, &as->substream[stream]);
}
-int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp)
-{
- return __snd_usb_add_audio_stream(chip, stream, fp, NULL);
-}
-
-static int snd_usb_add_audio_stream_v3(struct snd_usb_audio *chip,
- int stream,
- struct audioformat *fp,
- struct snd_usb_power_domain *pd)
-{
- return __snd_usb_add_audio_stream(chip, stream, fp, pd);
-}
-
static int parse_uac_endpoint_attributes(struct snd_usb_audio *chip,
struct usb_host_interface *alts,
int protocol, int iface_no)
@@ -1109,8 +1098,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
}
}
- if (pd)
- *pd_out = pd;
+ *pd_out = pd;
return fp;
}
@@ -1125,7 +1113,6 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
struct usb_interface_descriptor *altsd;
int i, altno, err, stream;
struct audioformat *fp = NULL;
- struct snd_usb_power_domain *pd = NULL;
bool set_iface_first;
int num, protocol;
@@ -1167,6 +1154,12 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
if (snd_usb_apply_interface_quirk(chip, iface_no, altno))
continue;
+ /* pd may be allocated at snd_usb_get_audioformat_uac3() and
+ * assigned at snd_usb_add_audio_stream(); otherwise it'll be
+ * freed automatically by cleanup at each loop.
+ */
+ struct snd_usb_power_domain *pd __free(kfree) = NULL;
+
/*
* Roland audio streaming interfaces are marked with protocols
* 0/1/2, but are UAC 1 compatible.
@@ -1222,23 +1215,16 @@ static int __snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
*has_non_pcm = true;
if ((fp->fmt_type == UAC_FORMAT_TYPE_I) == non_pcm) {
audioformat_free(fp);
- kfree(pd);
fp = NULL;
- pd = NULL;
continue;
}
snd_usb_audioformat_set_sync_ep(chip, fp);
dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
- if (protocol == UAC_VERSION_3)
- err = snd_usb_add_audio_stream_v3(chip, stream, fp, pd);
- else
- err = snd_usb_add_audio_stream(chip, stream, fp);
-
+ err = snd_usb_add_audio_stream(chip, stream, fp, &pd);
if (err < 0) {
audioformat_free(fp);
- kfree(pd);
return err;
}
diff --git a/sound/usb/stream.h b/sound/usb/stream.h
index d92e18d5818fe..61b9a133da018 100644
--- a/sound/usb/stream.h
+++ b/sound/usb/stream.h
@@ -7,7 +7,8 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip,
int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
int stream,
- struct audioformat *fp);
+ struct audioformat *fp,
+ struct snd_usb_power_domain **pdptr);
#endif /* __USBAUDIO_STREAM_H */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 787/957] sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (785 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 786/957] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 788/957] sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue Greg Kroah-Hartman
` (175 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mel Gorman, Peter Zijlstra (Intel),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mel Gorman <mgorman@techsingularity.net>
[ Upstream commit e837456fdca81899a3c8e47b3fd39e30eae6e291 ]
Reimplement NEXT_BUDDY preemption to take into account the deadline and
eligibility of the wakee with respect to the waker. In the event
multiple buddies could be considered, the one with the earliest deadline
is selected.
Sync wakeups are treated differently to every other type of wakeup. The
WF_SYNC assumption is that the waker promises to sleep in the very near
future. This is violated in enough cases that WF_SYNC should be treated
as a suggestion instead of a contract. If a waker does go to sleep almost
immediately then the delay in wakeup is negligible. In other cases, it's
throttled based on the accumulated runtime of the waker so there is a
chance that some batched wakeups have been issued before preemption.
For all other wakeups, preemption happens if the wakee has a earlier
deadline than the waker and eligible to run.
While many workloads were tested, the two main targets were a modified
dbench4 benchmark and hackbench because the are on opposite ends of the
spectrum -- one prefers throughput by avoiding preemption and the other
relies on preemption.
First is the dbench throughput data even though it is a poor metric but
it is the default metric. The test machine is a 2-socket machine and the
backing filesystem is XFS as a lot of the IO work is dispatched to kernel
threads. It's important to note that these results are not representative
across all machines, especially Zen machines, as different bottlenecks
are exposed on different machines and filesystems.
dbench4 Throughput (misleading but traditional)
6.18-rc1 6.18-rc1
vanilla sched-preemptnext-v5
Hmean 1 1268.80 ( 0.00%) 1269.74 ( 0.07%)
Hmean 4 3971.74 ( 0.00%) 3950.59 ( -0.53%)
Hmean 7 5548.23 ( 0.00%) 5420.08 ( -2.31%)
Hmean 12 7310.86 ( 0.00%) 7165.57 ( -1.99%)
Hmean 21 8874.53 ( 0.00%) 9149.04 ( 3.09%)
Hmean 30 9361.93 ( 0.00%) 10530.04 ( 12.48%)
Hmean 48 9540.14 ( 0.00%) 11820.40 ( 23.90%)
Hmean 79 9208.74 ( 0.00%) 12193.79 ( 32.42%)
Hmean 110 8573.12 ( 0.00%) 11933.72 ( 39.20%)
Hmean 141 7791.33 ( 0.00%) 11273.90 ( 44.70%)
Hmean 160 7666.60 ( 0.00%) 10768.72 ( 40.46%)
As throughput is misleading, the benchmark is modified to use a short
loadfile report the completion time duration in milliseconds.
dbench4 Loadfile Execution Time
6.18-rc1 6.18-rc1
vanilla sched-preemptnext-v5
Amean 1 14.62 ( 0.00%) 14.69 ( -0.46%)
Amean 4 18.76 ( 0.00%) 18.85 ( -0.45%)
Amean 7 23.71 ( 0.00%) 24.38 ( -2.82%)
Amean 12 31.25 ( 0.00%) 31.87 ( -1.97%)
Amean 21 45.12 ( 0.00%) 43.69 ( 3.16%)
Amean 30 61.07 ( 0.00%) 54.33 ( 11.03%)
Amean 48 95.91 ( 0.00%) 77.22 ( 19.49%)
Amean 79 163.38 ( 0.00%) 123.08 ( 24.66%)
Amean 110 243.91 ( 0.00%) 175.11 ( 28.21%)
Amean 141 343.47 ( 0.00%) 239.10 ( 30.39%)
Amean 160 401.15 ( 0.00%) 283.73 ( 29.27%)
Stddev 1 0.52 ( 0.00%) 0.51 ( 2.45%)
Stddev 4 1.36 ( 0.00%) 1.30 ( 4.04%)
Stddev 7 1.88 ( 0.00%) 1.87 ( 0.72%)
Stddev 12 3.06 ( 0.00%) 2.45 ( 19.83%)
Stddev 21 5.78 ( 0.00%) 3.87 ( 33.06%)
Stddev 30 9.85 ( 0.00%) 5.25 ( 46.76%)
Stddev 48 22.31 ( 0.00%) 8.64 ( 61.27%)
Stddev 79 35.96 ( 0.00%) 18.07 ( 49.76%)
Stddev 110 59.04 ( 0.00%) 30.93 ( 47.61%)
Stddev 141 85.38 ( 0.00%) 40.93 ( 52.06%)
Stddev 160 96.38 ( 0.00%) 39.72 ( 58.79%)
That is still looking good and the variance is reduced quite a bit.
Finally, fairness is a concern so the next report tracks how many
milliseconds does it take for all clients to complete a workfile. This
one is tricky because dbench makes to effort to synchronise clients so
the durations at benchmark start time differ substantially from typical
runtimes. This problem could be mitigated by warming up the benchmark
for a number of minutes but it's a matter of opinion whether that
counts as an evasion of inconvenient results.
dbench4 All Clients Loadfile Execution Time
6.18-rc1 6.18-rc1
vanilla sched-preemptnext-v5
Amean 1 15.06 ( 0.00%) 15.07 ( -0.03%)
Amean 4 603.81 ( 0.00%) 524.29 ( 13.17%)
Amean 7 855.32 ( 0.00%) 1331.07 ( -55.62%)
Amean 12 1890.02 ( 0.00%) 2323.97 ( -22.96%)
Amean 21 3195.23 ( 0.00%) 2009.29 ( 37.12%)
Amean 30 13919.53 ( 0.00%) 4579.44 ( 67.10%)
Amean 48 25246.07 ( 0.00%) 5705.46 ( 77.40%)
Amean 79 29701.84 ( 0.00%) 15509.26 ( 47.78%)
Amean 110 22803.03 ( 0.00%) 23782.08 ( -4.29%)
Amean 141 36356.07 ( 0.00%) 25074.20 ( 31.03%)
Amean 160 17046.71 ( 0.00%) 13247.62 ( 22.29%)
Stddev 1 0.47 ( 0.00%) 0.49 ( -3.74%)
Stddev 4 395.24 ( 0.00%) 254.18 ( 35.69%)
Stddev 7 467.24 ( 0.00%) 764.42 ( -63.60%)
Stddev 12 1071.43 ( 0.00%) 1395.90 ( -30.28%)
Stddev 21 1694.50 ( 0.00%) 1204.89 ( 28.89%)
Stddev 30 7945.63 ( 0.00%) 2552.59 ( 67.87%)
Stddev 48 14339.51 ( 0.00%) 3227.55 ( 77.49%)
Stddev 79 16620.91 ( 0.00%) 8422.15 ( 49.33%)
Stddev 110 12912.15 ( 0.00%) 13560.95 ( -5.02%)
Stddev 141 20700.13 ( 0.00%) 14544.51 ( 29.74%)
Stddev 160 9079.16 ( 0.00%) 7400.69 ( 18.49%)
This is more of a mixed bag but it at least shows that fairness
is not crippled.
The hackbench results are more neutral but this is still important.
It's possible to boost the dbench figures by a large amount but only by
crippling the performance of a workload like hackbench. The WF_SYNC
behaviour is important for these workloads and is why the WF_SYNC
changes are not a separate patch.
hackbench-process-pipes
6.18-rc1 6.18-rc1
vanilla sched-preemptnext-v5
Amean 1 0.2657 ( 0.00%) 0.2150 ( 19.07%)
Amean 4 0.6107 ( 0.00%) 0.6060 ( 0.76%)
Amean 7 0.7923 ( 0.00%) 0.7440 ( 6.10%)
Amean 12 1.1500 ( 0.00%) 1.1263 ( 2.06%)
Amean 21 1.7950 ( 0.00%) 1.7987 ( -0.20%)
Amean 30 2.3207 ( 0.00%) 2.5053 ( -7.96%)
Amean 48 3.5023 ( 0.00%) 3.9197 ( -11.92%)
Amean 79 4.8093 ( 0.00%) 5.2247 ( -8.64%)
Amean 110 6.1160 ( 0.00%) 6.6650 ( -8.98%)
Amean 141 7.4763 ( 0.00%) 7.8973 ( -5.63%)
Amean 172 8.9560 ( 0.00%) 9.3593 ( -4.50%)
Amean 203 10.4783 ( 0.00%) 10.8347 ( -3.40%)
Amean 234 12.4977 ( 0.00%) 13.0177 ( -4.16%)
Amean 265 14.7003 ( 0.00%) 15.5630 ( -5.87%)
Amean 296 16.1007 ( 0.00%) 17.4023 ( -8.08%)
Processes using pipes are impacted but the variance (not presented) indicates
it's close to noise and the results are not always reproducible. If executed
across multiple reboots, it may show neutral or small gains so the worst
measured results are presented.
Hackbench using sockets is more reliably neutral as the wakeup
mechanisms are different between sockets and pipes.
hackbench-process-sockets
6.18-rc1 6.18-rc1
vanilla sched-preemptnext-v2
Amean 1 0.3073 ( 0.00%) 0.3263 ( -6.18%)
Amean 4 0.7863 ( 0.00%) 0.7930 ( -0.85%)
Amean 7 1.3670 ( 0.00%) 1.3537 ( 0.98%)
Amean 12 2.1337 ( 0.00%) 2.1903 ( -2.66%)
Amean 21 3.4683 ( 0.00%) 3.4940 ( -0.74%)
Amean 30 4.7247 ( 0.00%) 4.8853 ( -3.40%)
Amean 48 7.6097 ( 0.00%) 7.8197 ( -2.76%)
Amean 79 14.7957 ( 0.00%) 16.1000 ( -8.82%)
Amean 110 21.3413 ( 0.00%) 21.9997 ( -3.08%)
Amean 141 29.0503 ( 0.00%) 29.0353 ( 0.05%)
Amean 172 36.4660 ( 0.00%) 36.1433 ( 0.88%)
Amean 203 39.7177 ( 0.00%) 40.5910 ( -2.20%)
Amean 234 42.1120 ( 0.00%) 43.5527 ( -3.42%)
Amean 265 45.7830 ( 0.00%) 50.0560 ( -9.33%)
Amean 296 50.7043 ( 0.00%) 54.3657 ( -7.22%)
As schbench has been mentioned in numerous bugs recently, the results
are interesting. A test case that represents the default schbench
behaviour is
schbench Wakeup Latency (usec)
6.18.0-rc1 6.18.0-rc1
vanilla sched-preemptnext-v5
Amean Wakeup-50th-80 7.17 ( 0.00%) 6.00 ( 16.28%)
Amean Wakeup-90th-80 46.56 ( 0.00%) 19.78 ( 57.52%)
Amean Wakeup-99th-80 119.61 ( 0.00%) 89.94 ( 24.80%)
Amean Wakeup-99.9th-80 3193.78 ( 0.00%) 328.22 ( 89.72%)
schbench Requests Per Second (ops/sec)
6.18.0-rc1 6.18.0-rc1
vanilla sched-preemptnext-v5
Hmean RPS-20th-80 8900.91 ( 0.00%) 9176.78 ( 3.10%)
Hmean RPS-50th-80 8987.41 ( 0.00%) 9217.89 ( 2.56%)
Hmean RPS-90th-80 9123.73 ( 0.00%) 9273.25 ( 1.64%)
Hmean RPS-max-80 9193.50 ( 0.00%) 9301.47 ( 1.17%)
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20251112122521.1331238-3-mgorman@techsingularity.net
Stable-dep-of: ac8e69e69363 ("sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 152 +++++++++++++++++++++++++++++++++++++-------
1 file changed, 130 insertions(+), 22 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index d9777c81db0da..293a8804428b0 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -1021,6 +1021,16 @@ static struct sched_entity *__pick_eevdf(struct cfs_rq *cfs_rq, bool protect)
if (cfs_rq->nr_queued == 1)
return curr && curr->on_rq ? curr : se;
+ /*
+ * Picking the ->next buddy will affect latency but not fairness.
+ */
+ if (sched_feat(PICK_BUDDY) &&
+ cfs_rq->next && entity_eligible(cfs_rq, cfs_rq->next)) {
+ /* ->next will never be delayed */
+ WARN_ON_ONCE(cfs_rq->next->sched_delayed);
+ return cfs_rq->next;
+ }
+
if (curr && (!curr->on_rq || !entity_eligible(cfs_rq, curr)))
curr = NULL;
@@ -1260,6 +1270,8 @@ static s64 update_se(struct rq *rq, struct sched_entity *se)
return delta_exec;
}
+static void set_next_buddy(struct sched_entity *se);
+
/*
* Used by other classes to account runtime.
*/
@@ -5576,16 +5588,6 @@ pick_next_entity(struct rq *rq, struct cfs_rq *cfs_rq)
{
struct sched_entity *se;
- /*
- * Picking the ->next buddy will affect latency but not fairness.
- */
- if (sched_feat(PICK_BUDDY) &&
- cfs_rq->next && entity_eligible(cfs_rq, cfs_rq->next)) {
- /* ->next will never be delayed */
- WARN_ON_ONCE(cfs_rq->next->sched_delayed);
- return cfs_rq->next;
- }
-
se = pick_eevdf(cfs_rq);
if (se->sched_delayed) {
dequeue_entities(rq, se, DEQUEUE_SLEEP | DEQUEUE_DELAYED);
@@ -7099,8 +7101,6 @@ enqueue_task_fair(struct rq *rq, struct task_struct *p, int flags)
hrtick_update(rq);
}
-static void set_next_buddy(struct sched_entity *se);
-
/*
* Basically dequeue_task_fair(), except it can deal with dequeue_entity()
* failing half-way through and resume the dequeue later.
@@ -8796,16 +8796,81 @@ static void set_next_buddy(struct sched_entity *se)
}
}
+enum preempt_wakeup_action {
+ PREEMPT_WAKEUP_NONE, /* No preemption. */
+ PREEMPT_WAKEUP_SHORT, /* Ignore slice protection. */
+ PREEMPT_WAKEUP_PICK, /* Let __pick_eevdf() decide. */
+ PREEMPT_WAKEUP_RESCHED, /* Force reschedule. */
+};
+
+static inline bool
+set_preempt_buddy(struct cfs_rq *cfs_rq, int wake_flags,
+ struct sched_entity *pse, struct sched_entity *se)
+{
+ /*
+ * Keep existing buddy if the deadline is sooner than pse.
+ * The older buddy may be cache cold and completely unrelated
+ * to the current wakeup but that is unpredictable where as
+ * obeying the deadline is more in line with EEVDF objectives.
+ */
+ if (cfs_rq->next && entity_before(cfs_rq->next, pse))
+ return false;
+
+ set_next_buddy(pse);
+ return true;
+}
+
+/*
+ * WF_SYNC|WF_TTWU indicates the waker expects to sleep but it is not
+ * strictly enforced because the hint is either misunderstood or
+ * multiple tasks must be woken up.
+ */
+static inline enum preempt_wakeup_action
+preempt_sync(struct rq *rq, int wake_flags,
+ struct sched_entity *pse, struct sched_entity *se)
+{
+ u64 threshold, delta;
+
+ /*
+ * WF_SYNC without WF_TTWU is not expected so warn if it happens even
+ * though it is likely harmless.
+ */
+ WARN_ON_ONCE(!(wake_flags & WF_TTWU));
+
+ threshold = sysctl_sched_migration_cost;
+ delta = rq_clock_task(rq) - se->exec_start;
+ if ((s64)delta < 0)
+ delta = 0;
+
+ /*
+ * WF_RQ_SELECTED implies the tasks are stacking on a CPU when they
+ * could run on other CPUs. Reduce the threshold before preemption is
+ * allowed to an arbitrary lower value as it is more likely (but not
+ * guaranteed) the waker requires the wakee to finish.
+ */
+ if (wake_flags & WF_RQ_SELECTED)
+ threshold >>= 2;
+
+ /*
+ * As WF_SYNC is not strictly obeyed, allow some runtime for batch
+ * wakeups to be issued.
+ */
+ if (entity_before(pse, se) && delta >= threshold)
+ return PREEMPT_WAKEUP_RESCHED;
+
+ return PREEMPT_WAKEUP_NONE;
+}
+
/*
* Preempt the current task with a newly woken task if needed:
*/
static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int wake_flags)
{
+ enum preempt_wakeup_action preempt_action = PREEMPT_WAKEUP_PICK;
struct task_struct *donor = rq->donor;
struct sched_entity *se = &donor->se, *pse = &p->se;
struct cfs_rq *cfs_rq = task_cfs_rq(donor);
int cse_is_idle, pse_is_idle;
- bool do_preempt_short = false;
if (unlikely(se == pse))
return;
@@ -8819,10 +8884,6 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
if (task_is_throttled(p))
return;
- if (sched_feat(NEXT_BUDDY) && !(wake_flags & WF_FORK) && !pse->sched_delayed) {
- set_next_buddy(pse);
- }
-
/*
* We can come here with TIF_NEED_RESCHED already set from new task
* wake up path.
@@ -8854,7 +8915,7 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
* When non-idle entity preempt an idle entity,
* don't give idle entity slice protection.
*/
- do_preempt_short = true;
+ preempt_action = PREEMPT_WAKEUP_SHORT;
goto preempt;
}
@@ -8873,21 +8934,68 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
* If @p has a shorter slice than current and @p is eligible, override
* current's slice protection in order to allow preemption.
*/
- do_preempt_short = sched_feat(PREEMPT_SHORT) && (pse->slice < se->slice);
+ if (sched_feat(PREEMPT_SHORT) && (pse->slice < se->slice)) {
+ preempt_action = PREEMPT_WAKEUP_SHORT;
+ goto pick;
+ }
+ /*
+ * Ignore wakee preemption on WF_FORK as it is less likely that
+ * there is shared data as exec often follow fork. Do not
+ * preempt for tasks that are sched_delayed as it would violate
+ * EEVDF to forcibly queue an ineligible task.
+ */
+ if ((wake_flags & WF_FORK) || pse->sched_delayed)
+ return;
+
+ /*
+ * If @p potentially is completing work required by current then
+ * consider preemption.
+ *
+ * Reschedule if waker is no longer eligible. */
+ if (in_task() && !entity_eligible(cfs_rq, se)) {
+ preempt_action = PREEMPT_WAKEUP_RESCHED;
+ goto preempt;
+ }
+
+ /* Prefer picking wakee soon if appropriate. */
+ if (sched_feat(NEXT_BUDDY) &&
+ set_preempt_buddy(cfs_rq, wake_flags, pse, se)) {
+
+ /*
+ * Decide whether to obey WF_SYNC hint for a new buddy. Old
+ * buddies are ignored as they may not be relevant to the
+ * waker and less likely to be cache hot.
+ */
+ if (wake_flags & WF_SYNC)
+ preempt_action = preempt_sync(rq, wake_flags, pse, se);
+ }
+
+ switch (preempt_action) {
+ case PREEMPT_WAKEUP_NONE:
+ return;
+ case PREEMPT_WAKEUP_RESCHED:
+ goto preempt;
+ case PREEMPT_WAKEUP_SHORT:
+ fallthrough;
+ case PREEMPT_WAKEUP_PICK:
+ break;
+ }
+
+pick:
/*
* If @p has become the most eligible task, force preemption.
*/
- if (__pick_eevdf(cfs_rq, !do_preempt_short) == pse)
+ if (__pick_eevdf(cfs_rq, preempt_action != PREEMPT_WAKEUP_SHORT) == pse)
goto preempt;
- if (sched_feat(RUN_TO_PARITY) && do_preempt_short)
+ if (sched_feat(RUN_TO_PARITY))
update_protect_slice(cfs_rq, se);
return;
preempt:
- if (do_preempt_short)
+ if (preempt_action == PREEMPT_WAKEUP_SHORT)
cancel_protect_slice(se);
resched_curr_lazy(rq);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 788/957] sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (786 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 787/957] sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 789/957] sched/fair: Clear rel_deadline when initializing forked entities Greg Kroah-Hartman
` (174 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Guittot,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Guittot <vincent.guittot@linaro.org>
[ Upstream commit ac8e69e693631689d74d8f1ebee6f84f737f797f ]
Similar to how pick_next_entity() must dequeue delayed entities, so too must
wakeup_preempt_fair(). Any delayed task being found means it is eligible and
hence past the 0-lag point, ready for removal.
Worse, by not removing delayed entities from consideration, it can skew the
preemption decision, with the end result that a short slice wakeup will not
result in a preemption.
tip/sched/core tip/sched/core +this patch
cyclictest slice (ms) (default)2.8 8 8
hackbench slice (ms) (default)2.8 20 20
Total Samples | 22559 22595 22683
Average (us) | 157 64( 59%) 59( 8%)
Median (P50) (us) | 57 57( 0%) 58(- 2%)
90th Percentile (us) | 64 60( 6%) 60( 0%)
99th Percentile (us) | 2407 67( 97%) 67( 0%)
99.9th Percentile (us) | 3400 2288( 33%) 727( 68%)
Maximum (us) | 5037 9252(-84%) 7461( 19%)
Fixes: f12e148892ed ("sched/fair: Prepare pick_next_task() for delayed dequeue")
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260422093400.319251-1-vincent.guittot@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 293a8804428b0..565a96d6811e7 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -1007,7 +1007,7 @@ static inline void cancel_protect_slice(struct sched_entity *se)
*
* Which allows tree pruning through eligibility.
*/
-static struct sched_entity *__pick_eevdf(struct cfs_rq *cfs_rq, bool protect)
+static struct sched_entity *pick_eevdf(struct cfs_rq *cfs_rq, bool protect)
{
struct rb_node *node = cfs_rq->tasks_timeline.rb_root.rb_node;
struct sched_entity *se = __pick_first_entity(cfs_rq);
@@ -1078,11 +1078,6 @@ static struct sched_entity *__pick_eevdf(struct cfs_rq *cfs_rq, bool protect)
return best;
}
-static struct sched_entity *pick_eevdf(struct cfs_rq *cfs_rq)
-{
- return __pick_eevdf(cfs_rq, true);
-}
-
struct sched_entity *__pick_last_entity(struct cfs_rq *cfs_rq)
{
struct rb_node *last = rb_last(&cfs_rq->tasks_timeline.rb_root);
@@ -5584,11 +5579,11 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags);
* 4) do not run the "skip" process, if something else is available
*/
static struct sched_entity *
-pick_next_entity(struct rq *rq, struct cfs_rq *cfs_rq)
+pick_next_entity(struct rq *rq, struct cfs_rq *cfs_rq, bool protect)
{
struct sched_entity *se;
- se = pick_eevdf(cfs_rq);
+ se = pick_eevdf(cfs_rq, protect);
if (se->sched_delayed) {
dequeue_entities(rq, se, DEQUEUE_SLEEP | DEQUEUE_DELAYED);
/*
@@ -8868,7 +8863,7 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
{
enum preempt_wakeup_action preempt_action = PREEMPT_WAKEUP_PICK;
struct task_struct *donor = rq->donor;
- struct sched_entity *se = &donor->se, *pse = &p->se;
+ struct sched_entity *nse, *se = &donor->se, *pse = &p->se;
struct cfs_rq *cfs_rq = task_cfs_rq(donor);
int cse_is_idle, pse_is_idle;
@@ -8983,11 +8978,17 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
}
pick:
+ nse = pick_next_entity(rq, cfs_rq, preempt_action != PREEMPT_WAKEUP_SHORT);
+ /* If @p has become the most eligible task, force preemption */
+ if (nse == pse)
+ goto preempt;
+
/*
- * If @p has become the most eligible task, force preemption.
+ * Because p is enqueued, nse being null can only mean that we
+ * dequeued a delayed task.
*/
- if (__pick_eevdf(cfs_rq, preempt_action != PREEMPT_WAKEUP_SHORT) == pse)
- goto preempt;
+ if (!nse)
+ goto pick;
if (sched_feat(RUN_TO_PARITY))
update_protect_slice(cfs_rq, se);
@@ -9022,7 +9023,7 @@ static struct task_struct *pick_task_fair(struct rq *rq)
throttled |= check_cfs_rq_runtime(cfs_rq);
- se = pick_next_entity(rq, cfs_rq);
+ se = pick_next_entity(rq, cfs_rq, true);
if (!se)
goto again;
cfs_rq = group_cfs_rq(se);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 789/957] sched/fair: Clear rel_deadline when initializing forked entities
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (787 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 788/957] sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 790/957] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
` (173 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zicheng Qu, Peter Zijlstra (Intel),
Sasha Levin, Hui Tang, Zhang Qiao
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zicheng Qu <quzicheng@huawei.com>
[ Upstream commit 3da56dc063cd77b9c0b40add930767fab4e389f3 ]
A yield-triggered crash can happen when a newly forked sched_entity
enters the fair class with se->rel_deadline unexpectedly set.
The failing sequence is:
1. A task is forked while se->rel_deadline is still set.
2. __sched_fork() initializes vruntime, vlag and other sched_entity
state, but does not clear rel_deadline.
3. On the first enqueue, enqueue_entity() calls place_entity().
4. Because se->rel_deadline is set, place_entity() treats se->deadline
as a relative deadline and converts it to an absolute deadline by
adding the current vruntime.
5. However, the forked entity's deadline is not a valid inherited
relative deadline for this new scheduling instance, so the conversion
produces an abnormally large deadline.
6. If the task later calls sched_yield(), yield_task_fair() advances
se->vruntime to se->deadline.
7. The inflated vruntime is then used by the following enqueue path,
where the vruntime-derived key can overflow when multiplied by the
entity weight.
8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility
calculation, and can eventually make all entities appear ineligible.
pick_next_entity() may then return NULL unexpectedly, leading to a
later NULL dereference.
A captured trace shows the effect clearly. Before yield, the entity's
vruntime was around:
9834017729983308
After yield_task_fair() executed:
se->vruntime = se->deadline
the vruntime jumped to:
19668035460670230
and the deadline was later advanced further to:
19668035463470230
This shows that the deadline had already become abnormally large before
yield_task_fair() copied it into vruntime.
rel_deadline is only meaningful when se->deadline really carries a
relative deadline that still needs to be placed against vruntime. A
freshly forked sched_entity should not inherit or retain this state.
Clear se->rel_deadline in __sched_fork(), together with the other
sched_entity runtime state, so that the first enqueue does not interpret
the new entity's deadline as a stale relative deadline.
Fixes: 82e9d0456e06 ("sched/fair: Avoid re-setting virtual deadline on 'migrations'")
Analyzed-by: Hui Tang <tanghui20@huawei.com>
Analyzed-by: Zhang Qiao <zhangqiao22@huawei.com>
Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260424071113.1199600-1-quzicheng@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 522d4bad56ad1..b42a65a79b701 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4453,6 +4453,7 @@ static void __sched_fork(u64 clone_flags, struct task_struct *p)
p->se.nr_migrations = 0;
p->se.vruntime = 0;
p->se.vlag = 0;
+ p->se.rel_deadline = 0;
INIT_LIST_HEAD(&p->se.group_node);
/* A delayed task cannot be in clone(). */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 790/957] net: mctp i2c: check length before marking flow active
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (788 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 789/957] sched/fair: Clear rel_deadline when initializing forked entities Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 791/957] md/raid1,raid10: dont fail devices for invalid IO errors Greg Kroah-Hartman
` (172 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William A. Kennington III,
Jeremy Kerr, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: William A. Kennington III <william@wkennington.com>
[ Upstream commit 4ca07b9239bd0478ae586632a2ed72be37ed8407 ]
Currently, mctp_i2c_get_tx_flow_state() is called before the packet length
sanity check. This function marks a new flow as active in the MCTP core.
If the sanity check fails, mctp_i2c_xmit() returns early without calling
mctp_i2c_lock_nest(). This results in a mismatched locking state: the
flow is active, but the I2C bus lock was never acquired for it.
When the flow is later released, mctp_i2c_release_flow() will see the
active state and queue an unlock marker. The TX thread will then
decrement midev->i2c_lock_count from 0, causing it to underflow to -1.
This underflow permanently breaks the driver's locking logic, allowing
future transmissions to occur without holding the I2C bus lock, leading
to bus collisions and potential hardware hangs.
Move the mctp_i2c_get_tx_flow_state() call to after the length sanity
check to ensure we only transition the flow state if we are actually
going to proceed with the transmission and locking.
Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver")
Signed-off-by: William A. Kennington III <william@wkennington.com>
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260423074741.201460-1-william@wkennington.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mctp/mctp-i2c.c | 4 ++--
net/sched/cls_flower.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c
index f138b0251313e..115494f15e87a 100644
--- a/drivers/net/mctp/mctp-i2c.c
+++ b/drivers/net/mctp/mctp-i2c.c
@@ -496,8 +496,6 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb)
u8 *pecp;
int rc;
- fs = mctp_i2c_get_tx_flow_state(midev, skb);
-
hdr = (void *)skb_mac_header(skb);
/* Sanity check that packet contents matches skb length,
* and can't exceed MCTP_I2C_BUFSZ
@@ -509,6 +507,8 @@ static void mctp_i2c_xmit(struct mctp_i2c_dev *midev, struct sk_buff *skb)
return;
}
+ fs = mctp_i2c_get_tx_flow_state(midev, skb);
+
if (skb_tailroom(skb) >= 1) {
/* Linear case with space, we can just append the PEC */
skb_put(skb, 1);
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 099ff6a3e1f51..f3af0ac892a86 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -560,6 +560,7 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
struct netlink_ext_ack *extack)
{
struct cls_fl_head *head = fl_head_dereference(tp);
+ struct fl_flow_mask *mask;
*last = false;
@@ -576,11 +577,12 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
list_del_rcu(&f->list);
spin_unlock(&tp->lock);
- *last = fl_mask_put(head, f->mask);
+ mask = f->mask;
if (!tc_skip_hw(f->flags))
fl_hw_destroy_filter(tp, f, rtnl_held, extack);
tcf_unbind_filter(tp, &f->res);
__fl_put(f);
+ *last = fl_mask_put(head, mask);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 791/957] md/raid1,raid10: dont fail devices for invalid IO errors
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (789 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 790/957] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 792/957] md: add fallback to correct bitmap_ops on version mismatch Greg Kroah-Hartman
` (171 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomáš Trnka, Keith Busch,
Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit f7b24c7b41f23b5f9caa8b913afe79cd4c397d39 ]
BLK_STS_INVAL indicates the IO request itself was invalid, not that the
device has failed. When raid1 treats this as a device error, it retries
on alternate mirrors which fail the same way, eventually exceeding the
read error threshold and removing the device from the array.
This happens when stacking configurations bypass bio_split_to_limits()
in the IO path: dm-raid calls md_handle_request() directly without going
through md_submit_bio(), skipping the alignment validation that would
otherwise reject invalid bios early. The invalid bio reaches the
lower block layers, which fail the bio with BLK_STS_INVAL, and raid1
wrongly interprets this as a device failure.
Add BLK_STS_INVAL to raid1_should_handle_error() so that invalid IO
errors are propagated back to the caller rather than triggering device
removal. This is consistent with the previous kernel behavior when
alignment checks were done earlier in the direct-io path.
Fixes: 5ff3f74e145adc7 ("block: simplify direct io validity check")
Reported-by: Tomáš Trnka <trnka@scm.com>
Closes: https://lore.kernel.org/linux-block/2982107.4sosBPzcNG@electra/
Signed-off-by: Keith Busch <kbusch@kernel.org>
Tested-by: Tomáš Trnka <trnka@scm.com>
Link: https://lore.kernel.org/r/20260416140345.3872265-1-kbusch@meta.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid1-10.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/md/raid1-10.c b/drivers/md/raid1-10.c
index 521625756128a..aba8c751e1922 100644
--- a/drivers/md/raid1-10.c
+++ b/drivers/md/raid1-10.c
@@ -298,8 +298,13 @@ static inline bool raid1_should_read_first(struct mddev *mddev,
* bio with REQ_RAHEAD or REQ_NOWAIT can fail at anytime, before such IO is
* submitted to the underlying disks, hence don't record badblocks or retry
* in this case.
+ *
+ * BLK_STS_INVAL means the bio was not valid for the underlying device. This
+ * is a user error, not a device failure, so retrying or recording bad blocks
+ * would be wrong.
*/
static inline bool raid1_should_handle_error(struct bio *bio)
{
- return !(bio->bi_opf & (REQ_RAHEAD | REQ_NOWAIT));
+ return !(bio->bi_opf & (REQ_RAHEAD | REQ_NOWAIT)) &&
+ bio->bi_status != BLK_STS_INVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 792/957] md: add fallback to correct bitmap_ops on version mismatch
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (790 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 791/957] md/raid1,raid10: dont fail devices for invalid IO errors Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 793/957] md: factor bitmap creation away from sysfs handling Greg Kroah-Hartman
` (170 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai@fnnas.com>
[ Upstream commit 09af773650024279a60348e7319d599e6571b15c ]
If default bitmap version and on-disk version doesn't match, and mdadm
is not the latest version to set bitmap_type, set bitmap_ops based on
the disk version.
Link: https://lore.kernel.org/linux-raid/20260323054644.3351791-2-yukuai@fnnas.com/
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Stable-dep-of: f2926a533d03 ("md/md-bitmap: add a none backend for bitmap grow")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 111 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 110 insertions(+), 1 deletion(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index b91ac1b7d7a15..4520c485c0c06 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6329,15 +6329,124 @@ static void md_safemode_timeout(struct timer_list *t)
static int start_dirty_degraded;
+/*
+ * Read bitmap superblock and return the bitmap_id based on disk version.
+ * This is used as fallback when default bitmap version and on-disk version
+ * doesn't match, and mdadm is not the latest version to set bitmap_type.
+ */
+static enum md_submodule_id md_bitmap_get_id_from_sb(struct mddev *mddev)
+{
+ struct md_rdev *rdev;
+ struct page *sb_page;
+ bitmap_super_t *sb;
+ enum md_submodule_id id = ID_BITMAP_NONE;
+ sector_t sector;
+ u32 version;
+
+ if (!mddev->bitmap_info.offset)
+ return ID_BITMAP_NONE;
+
+ sb_page = alloc_page(GFP_KERNEL);
+ if (!sb_page) {
+ pr_warn("md: %s: failed to allocate memory for bitmap\n",
+ mdname(mddev));
+ return ID_BITMAP_NONE;
+ }
+
+ sector = mddev->bitmap_info.offset;
+
+ rdev_for_each(rdev, mddev) {
+ u32 iosize;
+
+ if (!test_bit(In_sync, &rdev->flags) ||
+ test_bit(Faulty, &rdev->flags) ||
+ test_bit(Bitmap_sync, &rdev->flags))
+ continue;
+
+ iosize = roundup(sizeof(bitmap_super_t),
+ bdev_logical_block_size(rdev->bdev));
+ if (sync_page_io(rdev, sector, iosize, sb_page, REQ_OP_READ,
+ true))
+ goto read_ok;
+ }
+ pr_warn("md: %s: failed to read bitmap from any device\n",
+ mdname(mddev));
+ goto out;
+
+read_ok:
+ sb = kmap_local_page(sb_page);
+ if (sb->magic != cpu_to_le32(BITMAP_MAGIC)) {
+ pr_warn("md: %s: invalid bitmap magic 0x%x\n",
+ mdname(mddev), le32_to_cpu(sb->magic));
+ goto out_unmap;
+ }
+
+ version = le32_to_cpu(sb->version);
+ switch (version) {
+ case BITMAP_MAJOR_LO:
+ case BITMAP_MAJOR_HI:
+ case BITMAP_MAJOR_CLUSTERED:
+ id = ID_BITMAP;
+ break;
+ case BITMAP_MAJOR_LOCKLESS:
+ id = ID_LLBITMAP;
+ break;
+ default:
+ pr_warn("md: %s: unknown bitmap version %u\n",
+ mdname(mddev), version);
+ break;
+ }
+
+out_unmap:
+ kunmap_local(sb);
+out:
+ __free_page(sb_page);
+ return id;
+}
+
static int md_bitmap_create(struct mddev *mddev)
{
+ enum md_submodule_id orig_id = mddev->bitmap_id;
+ enum md_submodule_id sb_id;
+ int err;
+
if (mddev->bitmap_id == ID_BITMAP_NONE)
return -EINVAL;
if (!mddev_set_bitmap_ops(mddev))
return -ENOENT;
- return mddev->bitmap_ops->create(mddev);
+ err = mddev->bitmap_ops->create(mddev);
+ if (!err)
+ return 0;
+
+ /*
+ * Create failed, if default bitmap version and on-disk version
+ * doesn't match, and mdadm is not the latest version to set
+ * bitmap_type, set bitmap_ops based on the disk version.
+ */
+ mddev_clear_bitmap_ops(mddev);
+
+ sb_id = md_bitmap_get_id_from_sb(mddev);
+ if (sb_id == ID_BITMAP_NONE || sb_id == orig_id)
+ return err;
+
+ pr_info("md: %s: bitmap version mismatch, switching from %d to %d\n",
+ mdname(mddev), orig_id, sb_id);
+
+ mddev->bitmap_id = sb_id;
+ if (!mddev_set_bitmap_ops(mddev)) {
+ mddev->bitmap_id = orig_id;
+ return -ENOENT;
+ }
+
+ err = mddev->bitmap_ops->create(mddev);
+ if (err) {
+ mddev_clear_bitmap_ops(mddev);
+ mddev->bitmap_id = orig_id;
+ }
+
+ return err;
}
static void md_bitmap_destroy(struct mddev *mddev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 793/957] md: factor bitmap creation away from sysfs handling
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (791 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 792/957] md: add fallback to correct bitmap_ops on version mismatch Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 794/957] md/md-bitmap: split bitmap sysfs groups Greg Kroah-Hartman
` (169 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Yue, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai@fnnas.com>
[ Upstream commit 8776d342cf8fa0b98ca5e6fb2d956966fb5ca364 ]
Factor bitmap creation and destruction into helpers that do not touch
bitmap sysfs registration.
This prepares the bitmap sysfs rework so callers such as the sysfs
bitmap location path can create or destroy a bitmap backend without
coupling that to sysfs group lifetime management.
Reviewed-by: Su Yue <glass.su@suse.com>
Link: https://lore.kernel.org/r/20260425024615.1696892-2-yukuai@fnnas.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Stable-dep-of: f2926a533d03 ("md/md-bitmap: add a none backend for bitmap grow")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 78 +++++++++++++++++++++++++++++++------------------
1 file changed, 49 insertions(+), 29 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 4520c485c0c06..3061370e959b3 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -686,7 +686,25 @@ static void active_io_release(struct percpu_ref *ref)
static void no_op(struct percpu_ref *r) {}
-static bool mddev_set_bitmap_ops(struct mddev *mddev)
+static void md_bitmap_sysfs_add(struct mddev *mddev)
+{
+ if (sysfs_create_group(&mddev->kobj, mddev->bitmap_ops->group))
+ pr_warn("md: cannot register extra bitmap attributes for %s\n",
+ mdname(mddev));
+ else
+ /*
+ * Inform user with KOBJ_CHANGE about new bitmap
+ * attributes.
+ */
+ kobject_uevent(&mddev->kobj, KOBJ_CHANGE);
+}
+
+static void md_bitmap_sysfs_del(struct mddev *mddev)
+{
+ sysfs_remove_group(&mddev->kobj, mddev->bitmap_ops->group);
+}
+
+static bool mddev_set_bitmap_ops_nosysfs(struct mddev *mddev)
{
struct bitmap_operations *old = mddev->bitmap_ops;
struct md_submodule_head *head;
@@ -710,18 +728,6 @@ static bool mddev_set_bitmap_ops(struct mddev *mddev)
mddev->bitmap_ops = (void *)head;
xa_unlock(&md_submodule);
-
- if (!mddev_is_dm(mddev) && mddev->bitmap_ops->group) {
- if (sysfs_create_group(&mddev->kobj, mddev->bitmap_ops->group))
- pr_warn("md: cannot register extra bitmap attributes for %s\n",
- mdname(mddev));
- else
- /*
- * Inform user with KOBJ_CHANGE about new bitmap
- * attributes.
- */
- kobject_uevent(&mddev->kobj, KOBJ_CHANGE);
- }
return true;
err:
@@ -729,15 +735,6 @@ static bool mddev_set_bitmap_ops(struct mddev *mddev)
return false;
}
-static void mddev_clear_bitmap_ops(struct mddev *mddev)
-{
- if (!mddev_is_dm(mddev) && mddev->bitmap_ops &&
- mddev->bitmap_ops->group)
- sysfs_remove_group(&mddev->kobj, mddev->bitmap_ops->group);
-
- mddev->bitmap_ops = NULL;
-}
-
int mddev_init(struct mddev *mddev)
{
int err = 0;
@@ -6404,7 +6401,7 @@ static enum md_submodule_id md_bitmap_get_id_from_sb(struct mddev *mddev)
return id;
}
-static int md_bitmap_create(struct mddev *mddev)
+static int md_bitmap_create_nosysfs(struct mddev *mddev)
{
enum md_submodule_id orig_id = mddev->bitmap_id;
enum md_submodule_id sb_id;
@@ -6413,7 +6410,7 @@ static int md_bitmap_create(struct mddev *mddev)
if (mddev->bitmap_id == ID_BITMAP_NONE)
return -EINVAL;
- if (!mddev_set_bitmap_ops(mddev))
+ if (!mddev_set_bitmap_ops_nosysfs(mddev))
return -ENOENT;
err = mddev->bitmap_ops->create(mddev);
@@ -6425,7 +6422,7 @@ static int md_bitmap_create(struct mddev *mddev)
* doesn't match, and mdadm is not the latest version to set
* bitmap_type, set bitmap_ops based on the disk version.
*/
- mddev_clear_bitmap_ops(mddev);
+ mddev->bitmap_ops = NULL;
sb_id = md_bitmap_get_id_from_sb(mddev);
if (sb_id == ID_BITMAP_NONE || sb_id == orig_id)
@@ -6435,27 +6432,50 @@ static int md_bitmap_create(struct mddev *mddev)
mdname(mddev), orig_id, sb_id);
mddev->bitmap_id = sb_id;
- if (!mddev_set_bitmap_ops(mddev)) {
+ if (!mddev_set_bitmap_ops_nosysfs(mddev)) {
mddev->bitmap_id = orig_id;
return -ENOENT;
}
err = mddev->bitmap_ops->create(mddev);
if (err) {
- mddev_clear_bitmap_ops(mddev);
+ mddev->bitmap_ops = NULL;
mddev->bitmap_id = orig_id;
}
return err;
}
-static void md_bitmap_destroy(struct mddev *mddev)
+static int md_bitmap_create(struct mddev *mddev)
+{
+ int err;
+
+ err = md_bitmap_create_nosysfs(mddev);
+ if (err)
+ return err;
+
+ if (!mddev_is_dm(mddev) && mddev->bitmap_ops->group)
+ md_bitmap_sysfs_add(mddev);
+
+ return 0;
+}
+
+static void md_bitmap_destroy_nosysfs(struct mddev *mddev)
{
if (!md_bitmap_registered(mddev))
return;
mddev->bitmap_ops->destroy(mddev);
- mddev_clear_bitmap_ops(mddev);
+ mddev->bitmap_ops = NULL;
+}
+
+static void md_bitmap_destroy(struct mddev *mddev)
+{
+ if (!mddev_is_dm(mddev) && mddev->bitmap_ops &&
+ mddev->bitmap_ops->group)
+ md_bitmap_sysfs_del(mddev);
+
+ md_bitmap_destroy_nosysfs(mddev);
}
int md_run(struct mddev *mddev)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 794/957] md/md-bitmap: split bitmap sysfs groups
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (792 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 793/957] md: factor bitmap creation away from sysfs handling Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 795/957] md/md-bitmap: add a none backend for bitmap grow Greg Kroah-Hartman
` (168 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Yue, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai@fnnas.com>
[ Upstream commit aba3d6d6cb55c6e1116d1215140559dd7ecdf9a9 ]
Split the classic bitmap sysfs files into a common bitmap group with
the location attribute and a separate internal bitmap group for the
remaining files.
At the same time, convert bitmap operations from a single sysfs group
to a sysfs group array so backends can share part of their sysfs
layout while adding backend-specific attributes separately.
Switch the bitmap sysfs helpers to use sysfs_update_groups() for the
add and update path, and remove groups in reverse order so shared named
groups are unmerged before the last group removes the directory.
Also make bitmap operation lookup depend only on the currently selected
bitmap id matching the installed backend. This prepares the lookup path
for a later registered none backend.
Reviewed-by: Su Yue <glass.su@suse.com>
Link: https://lore.kernel.org/r/20260425024615.1696892-3-yukuai@fnnas.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Stable-dep-of: f2926a533d03 ("md/md-bitmap: add a none backend for bitmap grow")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md-bitmap.c | 23 +++++++++++++++++++----
drivers/md/md-bitmap.h | 2 +-
drivers/md/md-llbitmap.c | 7 ++++++-
drivers/md/md.c | 21 ++++++++++++++-------
4 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 7bb56d0491a2f..7a96600949139 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -2956,8 +2956,12 @@ static struct md_sysfs_entry max_backlog_used =
__ATTR(max_backlog_used, S_IRUGO | S_IWUSR,
behind_writes_used_show, behind_writes_used_reset);
-static struct attribute *md_bitmap_attrs[] = {
+static struct attribute *md_bitmap_common_attrs[] = {
&bitmap_location.attr,
+ NULL
+};
+
+static struct attribute *md_bitmap_internal_attrs[] = {
&bitmap_space.attr,
&bitmap_timeout.attr,
&bitmap_backlog.attr,
@@ -2968,9 +2972,20 @@ static struct attribute *md_bitmap_attrs[] = {
NULL
};
-static struct attribute_group md_bitmap_group = {
+static struct attribute_group md_bitmap_common_group = {
+ .name = "bitmap",
+ .attrs = md_bitmap_common_attrs,
+};
+
+static struct attribute_group md_bitmap_internal_group = {
.name = "bitmap",
- .attrs = md_bitmap_attrs,
+ .attrs = md_bitmap_internal_attrs,
+};
+
+static const struct attribute_group *bitmap_groups[] = {
+ &md_bitmap_common_group,
+ &md_bitmap_internal_group,
+ NULL,
};
static struct bitmap_operations bitmap_ops = {
@@ -3014,7 +3029,7 @@ static struct bitmap_operations bitmap_ops = {
.set_pages = bitmap_set_pages,
.free = md_bitmap_free,
- .group = &md_bitmap_group,
+ .groups = bitmap_groups,
};
int md_bitmap_init(void)
diff --git a/drivers/md/md-bitmap.h b/drivers/md/md-bitmap.h
index b42a28fa83a0f..214f623c7e790 100644
--- a/drivers/md/md-bitmap.h
+++ b/drivers/md/md-bitmap.h
@@ -125,7 +125,7 @@ struct bitmap_operations {
void (*set_pages)(void *data, unsigned long pages);
void (*free)(void *data);
- struct attribute_group *group;
+ const struct attribute_group **groups;
};
/* the bitmap API */
diff --git a/drivers/md/md-llbitmap.c b/drivers/md/md-llbitmap.c
index 0526e742062ac..50eeddf7f539b 100644
--- a/drivers/md/md-llbitmap.c
+++ b/drivers/md/md-llbitmap.c
@@ -1562,6 +1562,11 @@ static struct attribute_group md_llbitmap_group = {
.attrs = md_llbitmap_attrs,
};
+static const struct attribute_group *md_llbitmap_groups[] = {
+ &md_llbitmap_group,
+ NULL,
+};
+
static struct bitmap_operations llbitmap_ops = {
.head = {
.type = MD_BITMAP,
@@ -1598,7 +1603,7 @@ static struct bitmap_operations llbitmap_ops = {
.dirty_bits = llbitmap_dirty_bits,
.write_all = llbitmap_write_all,
- .group = &md_llbitmap_group,
+ .groups = md_llbitmap_groups,
};
int md_llbitmap_init(void)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 3061370e959b3..213221abc44c3 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -688,7 +688,7 @@ static void no_op(struct percpu_ref *r) {}
static void md_bitmap_sysfs_add(struct mddev *mddev)
{
- if (sysfs_create_group(&mddev->kobj, mddev->bitmap_ops->group))
+ if (sysfs_update_groups(&mddev->kobj, mddev->bitmap_ops->groups))
pr_warn("md: cannot register extra bitmap attributes for %s\n",
mdname(mddev));
else
@@ -701,16 +701,23 @@ static void md_bitmap_sysfs_add(struct mddev *mddev)
static void md_bitmap_sysfs_del(struct mddev *mddev)
{
- sysfs_remove_group(&mddev->kobj, mddev->bitmap_ops->group);
+ int nr_groups = 0;
+
+ for (nr_groups = 0; mddev->bitmap_ops->groups[nr_groups]; nr_groups++)
+ ;
+
+ while (--nr_groups >= 1)
+ sysfs_unmerge_group(&mddev->kobj,
+ mddev->bitmap_ops->groups[nr_groups]);
+ sysfs_remove_group(&mddev->kobj, mddev->bitmap_ops->groups[0]);
}
static bool mddev_set_bitmap_ops_nosysfs(struct mddev *mddev)
{
- struct bitmap_operations *old = mddev->bitmap_ops;
struct md_submodule_head *head;
- if (mddev->bitmap_id == ID_BITMAP_NONE ||
- (old && old->head.id == mddev->bitmap_id))
+ if (mddev->bitmap_ops &&
+ mddev->bitmap_ops->head.id == mddev->bitmap_id)
return true;
xa_lock(&md_submodule);
@@ -6454,7 +6461,7 @@ static int md_bitmap_create(struct mddev *mddev)
if (err)
return err;
- if (!mddev_is_dm(mddev) && mddev->bitmap_ops->group)
+ if (!mddev_is_dm(mddev) && mddev->bitmap_ops->groups)
md_bitmap_sysfs_add(mddev);
return 0;
@@ -6472,7 +6479,7 @@ static void md_bitmap_destroy_nosysfs(struct mddev *mddev)
static void md_bitmap_destroy(struct mddev *mddev)
{
if (!mddev_is_dm(mddev) && mddev->bitmap_ops &&
- mddev->bitmap_ops->group)
+ mddev->bitmap_ops->groups)
md_bitmap_sysfs_del(mddev);
md_bitmap_destroy_nosysfs(mddev);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 795/957] md/md-bitmap: add a none backend for bitmap grow
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (793 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 794/957] md/md-bitmap: split bitmap sysfs groups Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 796/957] s390/mm: Fix phys_to_folio() usage in do_secure_storage_access() Greg Kroah-Hartman
` (167 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Yue, Yu Kuai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai@fnnas.com>
[ Upstream commit f2926a533d03fe70d753b512b713e06a2aa174af ]
Add a real none bitmap backend that exposes the common bitmap sysfs
group and use it to keep bitmap/location available when an array has no
bitmap.
Then switch the bitmap location sysfs path to move only between none
and the classic bitmap backend, using the no-sysfs bitmap helpers while
merging or unmerging the internal bitmap sysfs group.
This restores mdadm --grow bitmap addition through bitmap/location.
Fixes: fb8cc3b0d9db ("md/md-bitmap: delay registration of bitmap_ops until creating bitmap")
Reviewed-by: Su Yue <glass.su@suse.com>
Link: https://lore.kernel.org/r/20260425024615.1696892-4-yukuai@fnnas.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md-bitmap.c | 108 ++++++++++++++++++++++++++++++++++++++---
drivers/md/md.c | 42 +++++++++++++---
drivers/md/md.h | 3 ++
3 files changed, 137 insertions(+), 16 deletions(-)
diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 7a96600949139..35943f5f68347 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -216,6 +216,7 @@ struct bitmap {
};
static struct workqueue_struct *md_bitmap_wq;
+static struct attribute_group md_bitmap_internal_group;
static int __bitmap_resize(struct bitmap *bitmap, sector_t blocks,
int chunksize, bool init);
@@ -2581,6 +2582,30 @@ static int bitmap_resize(struct mddev *mddev, sector_t blocks, int chunksize)
return __bitmap_resize(bitmap, blocks, chunksize, false);
}
+static bool bitmap_none_enabled(void *data, bool flush)
+{
+ return false;
+}
+
+static int bitmap_none_create(struct mddev *mddev)
+{
+ return 0;
+}
+
+static int bitmap_none_load(struct mddev *mddev)
+{
+ return 0;
+}
+
+static void bitmap_none_destroy(struct mddev *mddev)
+{
+}
+
+static int bitmap_none_get_stats(void *data, struct md_bitmap_stats *stats)
+{
+ return -ENOENT;
+}
+
static ssize_t
location_show(struct mddev *mddev, char *page)
{
@@ -2619,7 +2644,11 @@ location_store(struct mddev *mddev, const char *buf, size_t len)
goto out;
}
- bitmap_destroy(mddev);
+ sysfs_unmerge_group(&mddev->kobj, &md_bitmap_internal_group);
+ md_bitmap_destroy_nosysfs(mddev);
+ mddev->bitmap_id = ID_BITMAP_NONE;
+ if (!mddev_set_bitmap_ops_nosysfs(mddev))
+ goto none_err;
mddev->bitmap_info.offset = 0;
if (mddev->bitmap_info.file) {
struct file *f = mddev->bitmap_info.file;
@@ -2655,16 +2684,25 @@ location_store(struct mddev *mddev, const char *buf, size_t len)
}
mddev->bitmap_info.offset = offset;
- rv = bitmap_create(mddev);
+ md_bitmap_destroy_nosysfs(mddev);
+ mddev->bitmap_id = ID_BITMAP;
+ if (!mddev_set_bitmap_ops_nosysfs(mddev))
+ goto bitmap_err;
+
+ rv = md_bitmap_create_nosysfs(mddev);
if (rv)
- goto out;
+ goto create_err;
- rv = bitmap_load(mddev);
+ rv = mddev->bitmap_ops->load(mddev);
if (rv) {
mddev->bitmap_info.offset = 0;
- bitmap_destroy(mddev);
- goto out;
+ goto load_err;
}
+
+ rv = sysfs_merge_group(&mddev->kobj,
+ &md_bitmap_internal_group);
+ if (rv)
+ goto merge_err;
}
}
if (!mddev->external) {
@@ -2680,6 +2718,22 @@ location_store(struct mddev *mddev, const char *buf, size_t len)
if (rv)
return rv;
return len;
+
+merge_err:
+ mddev->bitmap_info.offset = 0;
+load_err:
+ md_bitmap_destroy_nosysfs(mddev);
+create_err:
+ mddev->bitmap_info.offset = 0;
+ mddev->bitmap_id = ID_BITMAP_NONE;
+ if (!mddev_set_bitmap_ops_nosysfs(mddev))
+ rv = -ENOENT;
+ goto out;
+bitmap_err:
+ rv = -ENOENT;
+none_err:
+ mddev->bitmap_info.offset = 0;
+ goto out;
}
static struct md_sysfs_entry bitmap_location =
@@ -2988,6 +3042,27 @@ static const struct attribute_group *bitmap_groups[] = {
NULL,
};
+static const struct attribute_group *bitmap_none_groups[] = {
+ &md_bitmap_common_group,
+ NULL,
+};
+
+static struct bitmap_operations bitmap_none_ops = {
+ .head = {
+ .type = MD_BITMAP,
+ .id = ID_BITMAP_NONE,
+ .name = "none",
+ },
+
+ .enabled = bitmap_none_enabled,
+ .create = bitmap_none_create,
+ .load = bitmap_none_load,
+ .destroy = bitmap_none_destroy,
+ .get_stats = bitmap_none_get_stats,
+
+ .groups = bitmap_none_groups,
+};
+
static struct bitmap_operations bitmap_ops = {
.head = {
.type = MD_BITMAP,
@@ -3034,16 +3109,33 @@ static struct bitmap_operations bitmap_ops = {
int md_bitmap_init(void)
{
+ int err;
+
md_bitmap_wq = alloc_workqueue("md_bitmap", WQ_MEM_RECLAIM | WQ_UNBOUND,
0);
if (!md_bitmap_wq)
return -ENOMEM;
- return register_md_submodule(&bitmap_ops.head);
+ err = register_md_submodule(&bitmap_none_ops.head);
+ if (err)
+ goto err_wq;
+
+ err = register_md_submodule(&bitmap_ops.head);
+ if (err)
+ goto err_none;
+
+ return 0;
+
+err_none:
+ unregister_md_submodule(&bitmap_none_ops.head);
+err_wq:
+ destroy_workqueue(md_bitmap_wq);
+ return err;
}
void md_bitmap_exit(void)
{
- destroy_workqueue(md_bitmap_wq);
unregister_md_submodule(&bitmap_ops.head);
+ unregister_md_submodule(&bitmap_none_ops.head);
+ destroy_workqueue(md_bitmap_wq);
}
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 213221abc44c3..b7d47c018a12f 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -712,7 +712,7 @@ static void md_bitmap_sysfs_del(struct mddev *mddev)
sysfs_remove_group(&mddev->kobj, mddev->bitmap_ops->groups[0]);
}
-static bool mddev_set_bitmap_ops_nosysfs(struct mddev *mddev)
+bool mddev_set_bitmap_ops_nosysfs(struct mddev *mddev)
{
struct md_submodule_head *head;
@@ -4274,7 +4274,7 @@ bitmap_type_show(struct mddev *mddev, char *page)
xa_lock(&md_submodule);
xa_for_each(&md_submodule, i, head) {
- if (head->type != MD_BITMAP)
+ if (head->type != MD_BITMAP || head->id == ID_BITMAP_NONE)
continue;
if (mddev->bitmap_id == head->id)
@@ -6408,7 +6408,7 @@ static enum md_submodule_id md_bitmap_get_id_from_sb(struct mddev *mddev)
return id;
}
-static int md_bitmap_create_nosysfs(struct mddev *mddev)
+int md_bitmap_create_nosysfs(struct mddev *mddev)
{
enum md_submodule_id orig_id = mddev->bitmap_id;
enum md_submodule_id sb_id;
@@ -6417,8 +6417,10 @@ static int md_bitmap_create_nosysfs(struct mddev *mddev)
if (mddev->bitmap_id == ID_BITMAP_NONE)
return -EINVAL;
- if (!mddev_set_bitmap_ops_nosysfs(mddev))
+ if (!mddev_set_bitmap_ops_nosysfs(mddev)) {
+ mddev->bitmap_id = orig_id;
return -ENOENT;
+ }
err = mddev->bitmap_ops->create(mddev);
if (!err)
@@ -6432,8 +6434,10 @@ static int md_bitmap_create_nosysfs(struct mddev *mddev)
mddev->bitmap_ops = NULL;
sb_id = md_bitmap_get_id_from_sb(mddev);
- if (sb_id == ID_BITMAP_NONE || sb_id == orig_id)
+ if (sb_id == ID_BITMAP_NONE || sb_id == orig_id) {
+ mddev->bitmap_id = orig_id;
return err;
+ }
pr_info("md: %s: bitmap version mismatch, switching from %d to %d\n",
mdname(mddev), orig_id, sb_id);
@@ -6467,7 +6471,7 @@ static int md_bitmap_create(struct mddev *mddev)
return 0;
}
-static void md_bitmap_destroy_nosysfs(struct mddev *mddev)
+void md_bitmap_destroy_nosysfs(struct mddev *mddev)
{
if (!md_bitmap_registered(mddev))
return;
@@ -6485,6 +6489,16 @@ static void md_bitmap_destroy(struct mddev *mddev)
md_bitmap_destroy_nosysfs(mddev);
}
+static void md_bitmap_set_none(struct mddev *mddev)
+{
+ mddev->bitmap_id = ID_BITMAP_NONE;
+ if (!mddev_set_bitmap_ops_nosysfs(mddev))
+ return;
+
+ if (!mddev_is_dm(mddev) && mddev->bitmap_ops->groups)
+ md_bitmap_sysfs_add(mddev);
+}
+
int md_run(struct mddev *mddev)
{
int err;
@@ -6694,6 +6708,10 @@ int md_run(struct mddev *mddev)
if (mddev->sb_flags)
md_update_sb(mddev, 0);
+ if (IS_ENABLED(CONFIG_MD_BITMAP) && !mddev->bitmap_info.file &&
+ !mddev->bitmap_info.offset)
+ md_bitmap_set_none(mddev);
+
md_new_event();
return 0;
@@ -7638,7 +7656,8 @@ static int set_bitmap_file(struct mddev *mddev, int fd)
{
int err = 0;
- if (!md_bitmap_registered(mddev))
+ if (!md_bitmap_registered(mddev) ||
+ mddev->bitmap_id == ID_BITMAP_NONE)
return -EINVAL;
if (mddev->pers) {
@@ -7703,10 +7722,12 @@ static int set_bitmap_file(struct mddev *mddev, int fd)
if (err) {
md_bitmap_destroy(mddev);
+ md_bitmap_set_none(mddev);
fd = -1;
}
} else if (fd < 0) {
md_bitmap_destroy(mddev);
+ md_bitmap_set_none(mddev);
}
}
@@ -8013,12 +8034,16 @@ static int update_array_info(struct mddev *mddev, mdu_array_info_t *info)
mddev->bitmap_info.default_offset;
mddev->bitmap_info.space =
mddev->bitmap_info.default_space;
+ mddev->bitmap_id = ID_BITMAP;
rv = md_bitmap_create(mddev);
if (!rv)
rv = mddev->bitmap_ops->load(mddev);
- if (rv)
+ if (rv) {
md_bitmap_destroy(mddev);
+ mddev->bitmap_info.offset = 0;
+ md_bitmap_set_none(mddev);
+ }
} else {
struct md_bitmap_stats stats;
@@ -8046,6 +8071,7 @@ static int update_array_info(struct mddev *mddev, mdu_array_info_t *info)
}
md_bitmap_destroy(mddev);
mddev->bitmap_info.offset = 0;
+ md_bitmap_set_none(mddev);
}
}
md_update_sb(mddev, 1);
diff --git a/drivers/md/md.h b/drivers/md/md.h
index 9d66afb8cc6e6..da312d4692858 100644
--- a/drivers/md/md.h
+++ b/drivers/md/md.h
@@ -932,6 +932,9 @@ extern void md_allow_write(struct mddev *mddev);
extern void md_wait_for_blocked_rdev(struct md_rdev *rdev, struct mddev *mddev);
extern void md_set_array_sectors(struct mddev *mddev, sector_t array_sectors);
extern int md_check_no_bitmap(struct mddev *mddev);
+bool mddev_set_bitmap_ops_nosysfs(struct mddev *mddev);
+int md_bitmap_create_nosysfs(struct mddev *mddev);
+void md_bitmap_destroy_nosysfs(struct mddev *mddev);
extern int md_integrity_register(struct mddev *mddev);
extern int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 796/957] s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (794 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 795/957] md/md-bitmap: add a none backend for bitmap grow Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 797/957] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
` (166 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Borntraeger,
Claudio Imbrenda, Heiko Carstens, Alexander Gordeev, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit b95e0e792822bad8fc9eb33ea3a90005e29e75e9 ]
In case of a Secure-Storage-Access exception the effective aka virtual
address which caused the exception is contained within the TEID.
do_secure_storage_access() incorrectly uses phys_to_folio() instead of
virt_to_folio() to translate the virtual address to the corresponding
folio.
Fix this by using virt_to_folio() instead of phys_to_folio().
Fixes: 084ea4d611a3 ("s390/mm: add (non)secure page access exceptions handlers")
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
index d1f165048055b..069f72703a915 100644
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -433,7 +433,7 @@ void do_secure_storage_access(struct pt_regs *regs)
panic("Unexpected PGM 0x3d with TEID bit 61=0");
}
if (is_kernel_fault(regs)) {
- folio = phys_to_folio(addr);
+ folio = virt_to_folio((void *)addr);
if (unlikely(!folio_try_get(folio)))
return;
rc = uv_convert_from_secure(folio_to_phys(folio));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 797/957] net: phy: dp83869: fix setting CLK_O_SEL field.
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (795 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 796/957] s390/mm: Fix phys_to_folio() usage in do_secure_storage_access() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 798/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings Greg Kroah-Hartman
` (165 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Schocher, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Schocher <hs@nabladev.com>
[ Upstream commit 46f74a3f7d57d9cc0110b09cbc8163fa0a01afa2 ]
Table 7-121 in datasheet says we have to set register 0xc6
to value 0x10 before CLK_O_SEL can be modified. No more infos
about this field found in datasheet. With this fix, setting
of CLK_O_SEL field in IO_MUX_CFG register worked through dts
property "ti,clk-output-sel" on a DP83869HMRGZR.
Signed-off-by: Heiko Schocher <hs@nabladev.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 01db923e8377 ("net: phy: dp83869: Add TI dp83869 phy")
Link: https://patch.msgid.link/20260425031339.3318-1-hs@nabladev.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/dp83869.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c
index 1f381d7b13ff3..96a7d255f50fd 100644
--- a/drivers/net/phy/dp83869.c
+++ b/drivers/net/phy/dp83869.c
@@ -31,6 +31,7 @@
#define DP83869_RGMIICTL 0x0032
#define DP83869_STRAP_STS1 0x006e
#define DP83869_RGMIIDCTL 0x0086
+#define DP83869_ANA_PLL_PROG_PI 0x00c6
#define DP83869_RXFCFG 0x0134
#define DP83869_RXFPMD1 0x0136
#define DP83869_RXFPMD2 0x0137
@@ -826,12 +827,22 @@ static int dp83869_config_init(struct phy_device *phydev)
dp83869_config_port_mirroring(phydev);
/* Clock output selection if muxing property is set */
- if (dp83869->clk_output_sel != DP83869_CLK_O_SEL_REF_CLK)
+ if (dp83869->clk_output_sel != DP83869_CLK_O_SEL_REF_CLK) {
+ /*
+ * Table 7-121 in datasheet says we have to set register 0xc6
+ * to value 0x10 before CLK_O_SEL can be modified.
+ */
+ ret = phy_write_mmd(phydev, DP83869_DEVADDR,
+ DP83869_ANA_PLL_PROG_PI, 0x10);
+ if (ret)
+ return ret;
+
ret = phy_modify_mmd(phydev,
DP83869_DEVADDR, DP83869_IO_MUX_CFG,
DP83869_IO_MUX_CFG_CLK_O_SEL_MASK,
dp83869->clk_output_sel <<
DP83869_IO_MUX_CFG_CLK_O_SEL_SHIFT);
+ }
if (phy_interface_is_rgmii(phydev)) {
ret = phy_write_mmd(phydev, DP83869_DEVADDR, DP83869_RGMIIDCTL,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 798/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (796 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 797/957] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 799/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 " Greg Kroah-Hartman
` (164 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 8d80b293b41fcb5e9396db93e788b0f4ebcbafb7 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 1b61de45dfaf ("drm/amdgpu: add initial VCN2.0 support (v2)")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e2b5499fca55f1a32960a311bbb62e35891eaf73)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
index e35fae9cdaf66..0442bfcfd384d 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c
@@ -2113,6 +2113,7 @@ static const struct amd_ip_funcs vcn_v2_0_ip_funcs = {
static const struct amdgpu_ring_funcs vcn_v2_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0xf,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v2_0_dec_ring_get_rptr,
.get_wptr = vcn_v2_0_dec_ring_get_wptr,
@@ -2145,6 +2146,7 @@ static const struct amdgpu_ring_funcs vcn_v2_0_enc_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v2_0_enc_ring_get_rptr,
.get_wptr = vcn_v2_0_enc_ring_get_wptr,
.set_wptr = vcn_v2_0_enc_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 799/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (797 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 798/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 800/957] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 " Greg Kroah-Hartman
` (163 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 4f317863a3ab212a027d8c8c3cc3af4e3fb95704 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 28c17d72072b ("drm/amdgpu: add VCN2.5 basic supports")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit efc9dd5590894109bce9a0bfe1fa5592dd6b20b1)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
index 006a154511971..8b8184fe6764b 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
@@ -1778,6 +1778,7 @@ static void vcn_v2_5_dec_ring_set_wptr(struct amdgpu_ring *ring)
static const struct amdgpu_ring_funcs vcn_v2_5_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0xf,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v2_5_dec_ring_get_rptr,
.get_wptr = vcn_v2_5_dec_ring_get_wptr,
@@ -1879,6 +1880,7 @@ static const struct amdgpu_ring_funcs vcn_v2_5_enc_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v2_5_enc_ring_get_rptr,
.get_wptr = vcn_v2_5_enc_ring_get_wptr,
.set_wptr = vcn_v2_5_enc_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 800/957] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (798 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 799/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 801/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring Greg Kroah-Hartman
` (162 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit f1e5a6660d7cbf006079126d9babbf0ccf538c6b ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: cf14826cdfb5 ("drm/amdgpu: add VCN3.0 support for Sienna_Cichlid")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 663bed3c7b8b9a7624b0d95d300ddae034ad0614)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
index 8b226edfbea3e..f773f7ddfd13c 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
@@ -1856,6 +1856,7 @@ static const struct amdgpu_ring_funcs vcn_v3_0_dec_sw_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0x3f,
.nop = VCN_DEC_SW_CMD_NO_OP,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v3_0_dec_ring_get_rptr,
.get_wptr = vcn_v3_0_dec_ring_get_wptr,
@@ -2037,6 +2038,7 @@ static int vcn_v3_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
static const struct amdgpu_ring_funcs vcn_v3_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_DEC,
.align_mask = 0xf,
+ .no_user_fence = true,
.secure_submission_supported = true,
.get_rptr = vcn_v3_0_dec_ring_get_rptr,
.get_wptr = vcn_v3_0_dec_ring_get_wptr,
@@ -2139,6 +2141,7 @@ static const struct amdgpu_ring_funcs vcn_v3_0_enc_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v3_0_enc_ring_get_rptr,
.get_wptr = vcn_v3_0_enc_ring_get_wptr,
.set_wptr = vcn_v3_0_enc_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 801/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (799 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 800/957] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 802/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 " Greg Kroah-Hartman
` (161 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 51f694221047c84fa185be98210eb2c354ffb8c6 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 8da1170a16e4 ("drm/amdgpu: add VCN4 ip block support")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fd852c048b46f9825e904a4f3f4538fe9d8827d9)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
index 64bda0e944a7c..21e40eb2078d1 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
@@ -1995,6 +1995,7 @@ static struct amdgpu_ring_funcs vcn_v4_0_unified_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.extra_bytes = sizeof(struct amdgpu_vcn_rb_metadata),
.get_rptr = vcn_v4_0_unified_ring_get_rptr,
.get_wptr = vcn_v4_0_unified_ring_get_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 802/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (800 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 801/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 803/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 " Greg Kroah-Hartman
` (160 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 4532b52b34e4e4310386e6fdf6a643368599f522 ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: b889ef4ac988 ("drm/amdgpu/vcn: add vcn support for VCN4_0_3")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ff1a5a125c5a70c328806b9bc01d7d942cf3f9aa)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
index cb7123ec1a5d1..88d1139e931e2 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c
@@ -1628,6 +1628,7 @@ static const struct amdgpu_ring_funcs vcn_v4_0_3_unified_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v4_0_3_unified_ring_get_rptr,
.get_wptr = vcn_v4_0_3_unified_ring_get_wptr,
.set_wptr = vcn_v4_0_3_unified_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 803/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (801 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 802/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 804/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 " Greg Kroah-Hartman
` (159 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 589a254bf3e88204c8402b9cbccd5e23a0af990f ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 547aad32edac ("drm/amdgpu: add VCN4 ip block support")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 084d94ac93707bdda07efb5cee786f632de4219b)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
index 1f6a22983c0dd..1571cc5a148c8 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
@@ -1483,6 +1483,7 @@ static struct amdgpu_ring_funcs vcn_v4_0_5_unified_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v4_0_5_unified_ring_get_rptr,
.get_wptr = vcn_v4_0_5_unified_ring_get_wptr,
.set_wptr = vcn_v4_0_5_unified_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 804/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (802 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 803/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 805/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 " Greg Kroah-Hartman
` (158 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 8cae0ce77de492d7c31c1532a2e80c0c6e7e58cb ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: b6d1a0632051 ("drm/amdgpu: add VCN_5_0_0 IP block support")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 49b1fbbb5a071197ee71e2d70959b1cb29bdc317)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
index 6109124f852e5..d5f49fa33bee4 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c
@@ -1207,6 +1207,7 @@ static const struct amdgpu_ring_funcs vcn_v5_0_0_unified_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v5_0_0_unified_ring_get_rptr,
.get_wptr = vcn_v5_0_0_unified_ring_get_wptr,
.set_wptr = vcn_v5_0_0_unified_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 805/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (803 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 804/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 806/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring Greg Kroah-Hartman
` (157 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 8f4954722eab88e10c4ea0c0d3b1269c31421d3a ]
VCN encoder and decoder rings do not support 64-bit user fence writes,
reject CS submissions with user fences.
Fixes: 346492f30ce3 ("drm/amdgpu: Add VCN_5_0_1 support")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e16be95a2c3ee712b142cb27d2dca0b461181359)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c
index 8bd457dea4cff..972d4a7147a12 100644
--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c
@@ -1330,6 +1330,7 @@ static const struct amdgpu_ring_funcs vcn_v5_0_1_unified_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_ENC,
.align_mask = 0x3f,
.nop = VCN_ENC_CMD_NO_OP,
+ .no_user_fence = true,
.get_rptr = vcn_v5_0_1_unified_ring_get_rptr,
.get_wptr = vcn_v5_0_1_unified_ring_get_wptr,
.set_wptr = vcn_v5_0_1_unified_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 806/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (804 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 805/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 807/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring Greg Kroah-Hartman
` (156 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit e5f612dc91650561fe2b5b76dd6d2898ec9ad480 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: 6ac27241106b ("drm/amdgpu: add JPEG v2.0 function supports")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 96179da0c6b059eb31706a0abe8dd6381c533143)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
index 27c76bd424cfb..1e214b493402c 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c
@@ -802,6 +802,7 @@ static const struct amd_ip_funcs jpeg_v2_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v2_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v2_0_dec_ring_get_rptr,
.get_wptr = jpeg_v2_0_dec_ring_get_wptr,
.set_wptr = jpeg_v2_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 807/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (805 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 806/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 808/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring Greg Kroah-Hartman
` (155 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 79405e774ede411c6b47ed41c651e40b92de64a2 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: 14f43e8f88c5 ("drm/amdgpu: move JPEG2.5 out from VCN2.5")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3216a7f4e2642bda5fd14f57586e835ae9202587)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
index 20983f126b490..13a6e24c624a2 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c
@@ -693,6 +693,7 @@ static const struct amd_ip_funcs jpeg_v2_6_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v2_5_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v2_5_dec_ring_get_rptr,
.get_wptr = jpeg_v2_5_dec_ring_get_wptr,
.set_wptr = jpeg_v2_5_dec_ring_set_wptr,
@@ -724,6 +725,7 @@ static const struct amdgpu_ring_funcs jpeg_v2_5_dec_ring_vm_funcs = {
static const struct amdgpu_ring_funcs jpeg_v2_6_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v2_5_dec_ring_get_rptr,
.get_wptr = jpeg_v2_5_dec_ring_get_wptr,
.set_wptr = jpeg_v2_5_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 808/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (806 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 807/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 809/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring Greg Kroah-Hartman
` (154 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit a2baf12eec41f246689e6a3f8619af1200031576 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: dfd57dbf44dd ("drm/amdgpu: add JPEG3.0 support for Sienna_Cichlid")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4d7d774f100efb5089c86a1fb8c5bf47c63fc9ef)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
index d1a011c40ba23..af231d093a3ce 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c
@@ -594,6 +594,7 @@ static const struct amd_ip_funcs jpeg_v3_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v3_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v3_0_dec_ring_get_rptr,
.get_wptr = jpeg_v3_0_dec_ring_get_wptr,
.set_wptr = jpeg_v3_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 809/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (807 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 808/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 810/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring Greg Kroah-Hartman
` (153 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit e7e90b5839aeb8805ec83bb4da610b8dab8e184d ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: b13111de32a9 ("drm/amdgpu/jpeg: add jpeg support for VCN4_0_0")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8d0cac9478a3f046279c657d6a2545de49ae675a)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
index 33db2c1ae6cca..90582066e6a1a 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c
@@ -759,6 +759,7 @@ static const struct amd_ip_funcs jpeg_v4_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v4_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v4_0_dec_ring_get_rptr,
.get_wptr = jpeg_v4_0_dec_ring_get_wptr,
.set_wptr = jpeg_v4_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 810/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (808 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 809/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 811/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring Greg Kroah-Hartman
` (152 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 83e37c0987ca92f9e87789b46dd311dcf5a4a6c8 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: e684e654eba9 ("drm/amdgpu/jpeg: add jpeg support for VCN4_0_3")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2f6afc97d259d530f4f86c7743efbc573a8da927)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
index 47f2192fc7e7e..99e6dabc36ee8 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c
@@ -1214,6 +1214,7 @@ static const struct amd_ip_funcs jpeg_v4_0_3_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v4_0_3_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v4_0_3_dec_ring_get_rptr,
.get_wptr = jpeg_v4_0_3_dec_ring_get_wptr,
.set_wptr = jpeg_v4_0_3_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 811/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (809 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 810/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 812/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring Greg Kroah-Hartman
` (151 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit b65b7f3f3c18f797f81a2af7c97e2079900ad6db ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: 8f98a715da8e ("drm/amdgpu/jpeg: add jpeg support for VCN4_0_5")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit f05d0a4f21fc720116d6e238f23308b199891058)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c
index 54fd9c800c40a..a43582b9c876c 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c
@@ -804,6 +804,7 @@ static const struct amd_ip_funcs jpeg_v4_0_5_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v4_0_5_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v4_0_5_dec_ring_get_rptr,
.get_wptr = jpeg_v4_0_5_dec_ring_get_wptr,
.set_wptr = jpeg_v4_0_5_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 812/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (810 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 811/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 813/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring Greg Kroah-Hartman
` (150 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit ea7c61c5f895e8f9ea0ffffa180498ef9c740152 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: dfad65c65728 ("drm/amdgpu: Add JPEG5 support")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 0f43893d3cd478fa57836697525b338817c9c23d)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c
index 46bf15dce2bd0..72a4b2d0676fa 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c
@@ -680,6 +680,7 @@ static const struct amd_ip_funcs jpeg_v5_0_0_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v5_0_0_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v5_0_0_dec_ring_get_rptr,
.get_wptr = jpeg_v5_0_0_dec_ring_get_wptr,
.set_wptr = jpeg_v5_0_0_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 813/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (811 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 812/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 814/957] io_uring/napi: cap busy_poll_to 10 msec Greg Kroah-Hartman
` (149 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher,
Yinjie Yao, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yinjie Yao <yinjie.yao@amd.com>
[ Upstream commit 2f8e3da71a1b469b6e157aa3972f1448b3157840 ]
JPEG rings do not support 64-bit user fence writes, reject CS
submissions with user fences.
Fixes: b8f57b69942b ("drm/amdgpu: Add JPEG5_0_1 support")
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Yinjie Yao <yinjie.yao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 742a98e2e81702df8fe1b1eccee5223220a03dc2)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c
index ab0bf880d3d8a..1fb2386352ccb 100644
--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c
@@ -875,6 +875,7 @@ static const struct amd_ip_funcs jpeg_v5_0_1_ip_funcs = {
static const struct amdgpu_ring_funcs jpeg_v5_0_1_dec_ring_vm_funcs = {
.type = AMDGPU_RING_TYPE_VCN_JPEG,
.align_mask = 0xf,
+ .no_user_fence = true,
.get_rptr = jpeg_v5_0_1_dec_ring_get_rptr,
.get_wptr = jpeg_v5_0_1_dec_ring_get_wptr,
.set_wptr = jpeg_v5_0_1_dec_ring_set_wptr,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 814/957] io_uring/napi: cap busy_poll_to 10 msec
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (812 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 813/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 815/957] net: psp: check for device unregister when creating assoc Greg Kroah-Hartman
` (148 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit df8599ee18c0e5fe343ffe0b4c379636b8bb839a ]
Currently there's no cap on the maximum amount of time that napi is
allowed to poll if no events are found, which can lead to kernel
complaints on a task being stuck as there's no conditional rescheduling
done within that loop.
Just cap it to 10 msec in total, that's already way above any kind of
sane value that will reap any benefits, yet low enough that it's
nowhere near being able to trigger preemption complaints.
Fixes: 8d0c12a80cde ("io-uring: add napi busy poll support")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/napi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/io_uring/napi.c b/io_uring/napi.c
index 4a10de03e4269..8d68366a4b903 100644
--- a/io_uring/napi.c
+++ b/io_uring/napi.c
@@ -276,6 +276,8 @@ static int io_napi_register_napi(struct io_ring_ctx *ctx,
/* clean the napi list for new settings */
io_napi_free(ctx);
WRITE_ONCE(ctx->napi_track_mode, napi->op_param);
+ /* cap NAPI at 10 msec of spin time */
+ napi->busy_poll_to = min(10000, napi->busy_poll_to);
WRITE_ONCE(ctx->napi_busy_poll_dt, napi->busy_poll_to * NSEC_PER_USEC);
WRITE_ONCE(ctx->napi_prefer_busy_poll, !!napi->prefer_busy_poll);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 815/957] net: psp: check for device unregister when creating assoc
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (813 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 814/957] io_uring/napi: cap busy_poll_to 10 msec Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 816/957] net: psp: require admin permission for dev-set and key-rotate Greg Kroah-Hartman
` (147 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit b89769f936a8fa9e66de72ddc1b71a9745a488e6 ]
psp_assoc_device_get_locked() obtains a psp_dev reference via
psp_dev_get_for_sock() (which uses psp_dev_tryget() under RCU);
it then acquires psd->lock and drops the reference. Before
the lock is taken, psp_dev_unregister() can run to completion:
take psd->lock, clear out state, unlock, drop the registration
reference.
The expectation is that the lock prevents device unregistration,
but much like with netdevs special care has to be taken when
"upgrading" a reference to a locked device. Add the missing
check if device is still alive. psp_dev_is_registered() exists
already but had no callers, which makes me wonder if I either
forgot to add this or lost the check during refactoring...
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 6b46ca260e22 ("net: psp: add socket security association code")
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260427190606.366101-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/psp/psp_nl.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/psp/psp_nl.c b/net/psp/psp_nl.c
index 8aaca62744c3c..3f63ffbc5c575 100644
--- a/net/psp/psp_nl.c
+++ b/net/psp/psp_nl.c
@@ -303,8 +303,13 @@ int psp_assoc_device_get_locked(const struct genl_split_ops *ops,
psd = psp_dev_get_for_sock(socket->sk);
if (psd) {
- err = psp_dev_check_access(psd, genl_info_net(info));
- if (err) {
+ /* Extra care needed here, psp_dev_get_for_sock() only gives
+ * us access to struct psp_dev's memory, which is quite weak.
+ */
+ mutex_lock(&psd->lock);
+ if (!psp_dev_is_registered(psd) ||
+ psp_dev_check_access(psd, genl_info_net(info))) {
+ mutex_unlock(&psd->lock);
psp_dev_put(psd);
psd = NULL;
}
@@ -317,7 +322,6 @@ int psp_assoc_device_get_locked(const struct genl_split_ops *ops,
id = info->attrs[PSP_A_ASSOC_DEV_ID];
if (psd) {
- mutex_lock(&psd->lock);
if (id && psd->id != nla_get_u32(id)) {
mutex_unlock(&psd->lock);
NL_SET_ERR_MSG_ATTR(info->extack, id,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 816/957] net: psp: require admin permission for dev-set and key-rotate
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (814 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 815/957] net: psp: check for device unregister when creating assoc Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 817/957] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
` (146 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Zahka, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit b718342a7fbaa2dff5fefc31988c07af8c6cbc21 ]
The dev-set and key-rotate netlink operations modify shared device
state (PSP version configuration and cryptographic key material,
respectively) but do not require CAP_NET_ADMIN. The only access
control is psp_dev_check_access() which merely verifies netns
membership.
Fixes: 00c94ca2b99e ("psp: base PSP device support")
Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260427195856.401223-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/netlink/specs/psp.yaml | 2 ++
net/psp/psp-nl-gen.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Documentation/netlink/specs/psp.yaml b/Documentation/netlink/specs/psp.yaml
index 944429e5c9a84..d41ea6155e52e 100644
--- a/Documentation/netlink/specs/psp.yaml
+++ b/Documentation/netlink/specs/psp.yaml
@@ -111,6 +111,7 @@ operations:
name: dev-set
doc: Set the configuration of a PSP device.
attribute-set: dev
+ flags: [admin-perm]
do:
request:
attributes:
@@ -130,6 +131,7 @@ operations:
name: key-rotate
doc: Rotate the device key.
attribute-set: dev
+ flags: [admin-perm]
do:
request:
attributes:
diff --git a/net/psp/psp-nl-gen.c b/net/psp/psp-nl-gen.c
index 9fdd6f831803e..85cf90999c9f1 100644
--- a/net/psp/psp-nl-gen.c
+++ b/net/psp/psp-nl-gen.c
@@ -70,7 +70,7 @@ static const struct genl_split_ops psp_nl_ops[] = {
.post_doit = psp_device_unlock,
.policy = psp_dev_set_nl_policy,
.maxattr = PSP_A_DEV_PSP_VERSIONS_ENA,
- .flags = GENL_CMD_CAP_DO,
+ .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
},
{
.cmd = PSP_CMD_KEY_ROTATE,
@@ -79,7 +79,7 @@ static const struct genl_split_ops psp_nl_ops[] = {
.post_doit = psp_device_unlock,
.policy = psp_key_rotate_nl_policy,
.maxattr = PSP_A_DEV_ID,
- .flags = GENL_CMD_CAP_DO,
+ .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
},
{
.cmd = PSP_CMD_RX_ASSOC,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 817/957] ASoC: codecs: ab8500: Fix casting of private data
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (815 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 816/957] net: psp: require admin permission for dev-set and key-rotate Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 818/957] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
` (145 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian A. Ehrhardt,
Uwe Kleine-König , Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
[ Upstream commit a201aef1a88b675e9eb8487e27d14e2eef3cef80 ]
ab8500_filter_controls[i].private_value is initialized using
.private_value = (unsigned long)&(struct filter_control)
{.count = xcount, .min = xmin, .max = xmax}
thus it's a pointer to a struct filter_control casted to unsigned long.
So to get back that pointer .private_data must be cast back, not its
address.
Fixes: 679d7abdc754 ("ASoC: codecs: Add AB8500 codec-driver")
Signed-off-by: Christian A. Ehrhardt <christian.ehrhardt@codasip.com>
Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/20260428192255.2294705-2-u.kleine-koenig@baylibre.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ab8500-codec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/codecs/ab8500-codec.c b/sound/soc/codecs/ab8500-codec.c
index 04b5e1d5a6530..32d9cdbc8c310 100644
--- a/sound/soc/codecs/ab8500-codec.c
+++ b/sound/soc/codecs/ab8500-codec.c
@@ -2496,13 +2496,13 @@ static int ab8500_codec_probe(struct snd_soc_component *component)
return status;
}
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_ANC_FIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_ANC_FIR].private_value;
drvdata->anc_fir_values = (long *)fc->value;
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_ANC_IIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_ANC_IIR].private_value;
drvdata->anc_iir_values = (long *)fc->value;
fc = (struct filter_control *)
- &ab8500_filter_controls[AB8500_FILTER_SID_FIR].private_value;
+ ab8500_filter_controls[AB8500_FILTER_SID_FIR].private_value;
drvdata->sid_fir_values = (long *)fc->value;
snd_soc_dapm_disable_pin(dapm, "ANC Configure Input");
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 818/957] netfilter: skip recording stale or retransmitted INIT
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (816 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 817/957] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 819/957] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
` (144 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Florian Westphal, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 576a5d2bad4814c881a829576b1261b9b8159d2b ]
An INIT whose init_tag matches the peer's vtag does not provide new state
information. It indicates either:
- a stale INIT (after INIT-ACK has already been seen on the same side), or
- a retransmitted INIT (after INIT has already been recorded on the same
side).
In both cases, the INIT must not update ct->proto.sctp.init[] state, since
it does not advance the handshake tracking and may otherwise corrupt
INIT/INIT-ACK validation logic.
Allow INIT processing only when the conntrack entry is newly created
(SCTP_CONNTRACK_NONE), or when the init_tag differs from the stored peer
vtag.
Note it skips the check for the ct with old_state SCTP_CONNTRACK_NONE in
nf_conntrack_sctp_packet(), as it is just created in sctp_new() where it
set ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = ih->init_tag.
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/ee56c3e416452b2a40589a2a85245ac2ad5e9f4b.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_sctp.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 645d2c43ebf7a..7e10fa65cbdd3 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -466,9 +466,13 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
if (!ih)
goto out_unlock;
- if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
- ct->proto.sctp.init[!dir] = 0;
- ct->proto.sctp.init[dir] = 1;
+ /* Do not record INIT matching peer vtag (stale or retransmitted INIT). */
+ if (old_state == SCTP_CONNTRACK_NONE ||
+ ct->proto.sctp.vtag[!dir] != ih->init_tag) {
+ if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
+ ct->proto.sctp.init[!dir] = 0;
+ ct->proto.sctp.init[dir] = 1;
+ }
pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir);
ct->proto.sctp.vtag[!dir] = ih->init_tag;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 819/957] sctp: discard stale INIT after handshake completion
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (817 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 818/957] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 820/957] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
` (143 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 8a92cb475ca90d84db769e4d4383e631ace0d6e5 ]
After an association reaches ESTABLISHED, the peer’s init_tag is already
known from the handshake. Any subsequent INIT with the same init_tag is
not a valid restart, but a delayed or duplicate INIT.
Drop such INIT chunks in sctp_sf_do_unexpected_init() instead of
processing them as new association attempts.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/5788c76c1ee122a3ed00189e88dcf9df1fba226c.1777214801.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 7b823d7591419..8e89a870780c4 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1556,6 +1556,12 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
/* Tag the variable length parameters. */
chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));
+ if (asoc->state >= SCTP_STATE_ESTABLISHED) {
+ /* Discard INIT matching peer vtag after handshake completion (stale INIT). */
+ if (ntohl(chunk->subh.init_hdr->init_tag) == asoc->peer.i.init_tag)
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ }
+
/* Verify the INIT chunk before processing it. */
err_chunk = NULL;
if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 820/957] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (818 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 819/957] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 821/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (III) Greg Kroah-Hartman
` (142 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit aa6c6d9ee064aabfede4402fd1283424e649ca19 ]
bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260426165350.1663137-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bareudp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 0df3208783ad9..da5866ba06999 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -529,6 +529,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev,
struct in6_addr saddr;
struct socket *sock = rcu_dereference(bareudp->sock);
+ if (!sock)
+ return -ESHUTDOWN;
+
dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock,
0, &saddr, &info->key,
sport, bareudp->port, info->key.tos,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 821/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (819 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 820/957] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 822/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
` (141 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 276a98a434964088fccd4745db5b34d6e831e358 ]
cake_dump_stats() runs without qdisc spinlock being held.
In this third patch, I add READ_ONCE()/WRITE_ONCE() annotations
for the following fields:
- packets
- tin_dropped
- tin_ecn_mark
- ack_drops
- peak_delay
- avge_delay
- base_delay
Other annotations are added in following patches, to ease code review.
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: "Toke Høiland-Jørgensen" <toke@toke.dk>
Link: https://patch.msgid.link/20260427083606.459355-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 38 ++++++++++++++++++++------------------
1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 1a2023cd55109..7b97f6b57cb17 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1590,7 +1590,7 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free)
sch->qstats.backlog -= len;
flow->dropped++;
- b->tin_dropped++;
+ WRITE_ONCE(b->tin_dropped, b->tin_dropped + 1);
if (q->rate_flags & CAKE_FLAG_INGRESS)
cake_advance_shaper(q, b, skb, now, true);
@@ -1808,7 +1808,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
numsegs++;
slen += segs->len;
q->buffer_used += segs->truesize;
- b->packets++;
+ WRITE_ONCE(b->packets, b->packets + 1);
}
/* stats */
@@ -1832,7 +1832,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
ack = cake_ack_filter(q, flow);
if (ack) {
- b->ack_drops++;
+ WRITE_ONCE(b->ack_drops, b->ack_drops + 1);
sch->qstats.drops++;
ack_pkt_len = qdisc_pkt_len(ack);
b->bytes += ack_pkt_len;
@@ -1848,7 +1848,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
}
/* stats */
- b->packets++;
+ WRITE_ONCE(b->packets, b->packets + 1);
b->bytes += len - ack_pkt_len;
b->backlogs[idx] += len - ack_pkt_len;
b->tin_backlog += len - ack_pkt_len;
@@ -2191,7 +2191,7 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
b->tin_deficit -= len;
}
flow->dropped++;
- b->tin_dropped++;
+ WRITE_ONCE(b->tin_dropped, b->tin_dropped + 1);
qdisc_tree_reduce_backlog(sch, 1, qdisc_pkt_len(skb));
qdisc_qstats_drop(sch);
kfree_skb_reason(skb, reason);
@@ -2199,16 +2199,18 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
goto retry;
}
- b->tin_ecn_mark += !!flow->cvars.ecn_marked;
+ WRITE_ONCE(b->tin_ecn_mark, b->tin_ecn_mark + !!flow->cvars.ecn_marked);
qdisc_bstats_update(sch, skb);
/* collect delay stats */
delay = ktime_to_ns(ktime_sub(now, cobalt_get_enqueue_time(skb)));
- b->avge_delay = cake_ewma(b->avge_delay, delay, 8);
- b->peak_delay = cake_ewma(b->peak_delay, delay,
- delay > b->peak_delay ? 2 : 8);
- b->base_delay = cake_ewma(b->base_delay, delay,
- delay < b->base_delay ? 2 : 8);
+ WRITE_ONCE(b->avge_delay, cake_ewma(b->avge_delay, delay, 8));
+ WRITE_ONCE(b->peak_delay,
+ cake_ewma(b->peak_delay, delay,
+ delay > b->peak_delay ? 2 : 8));
+ WRITE_ONCE(b->base_delay,
+ cake_ewma(b->base_delay, delay,
+ delay < b->base_delay ? 2 : 8));
len = cake_advance_shaper(q, b, skb, now, false);
flow->deficit -= len;
@@ -2940,17 +2942,17 @@ static int cake_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
PUT_TSTAT_U32(INTERVAL_US,
ktime_to_us(ns_to_ktime(b->cparams.interval)));
- PUT_TSTAT_U32(SENT_PACKETS, b->packets);
- PUT_TSTAT_U32(DROPPED_PACKETS, b->tin_dropped);
- PUT_TSTAT_U32(ECN_MARKED_PACKETS, b->tin_ecn_mark);
- PUT_TSTAT_U32(ACKS_DROPPED_PACKETS, b->ack_drops);
+ PUT_TSTAT_U32(SENT_PACKETS, READ_ONCE(b->packets));
+ PUT_TSTAT_U32(DROPPED_PACKETS, READ_ONCE(b->tin_dropped));
+ PUT_TSTAT_U32(ECN_MARKED_PACKETS, READ_ONCE(b->tin_ecn_mark));
+ PUT_TSTAT_U32(ACKS_DROPPED_PACKETS, READ_ONCE(b->ack_drops));
PUT_TSTAT_U32(PEAK_DELAY_US,
- ktime_to_us(ns_to_ktime(b->peak_delay)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->peak_delay))));
PUT_TSTAT_U32(AVG_DELAY_US,
- ktime_to_us(ns_to_ktime(b->avge_delay)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->avge_delay))));
PUT_TSTAT_U32(BASE_DELAY_US,
- ktime_to_us(ns_to_ktime(b->base_delay)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->base_delay))));
PUT_TSTAT_U32(WAY_INDIRECT_HITS, b->way_hits);
PUT_TSTAT_U32(WAY_MISSES, b->way_misses);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 822/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (820 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 821/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (III) Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 823/957] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
` (140 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a6c95b833dc17e84d16a8ac0f40fd0931616a52d ]
cake_dump_stats() runs without qdisc spinlock being held.
In this final patch, I add READ_ONCE()/WRITE_ONCE() annotations
for cparams.target and cparams.interval.
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: "Toke Høiland-Jørgensen" <toke@toke.dk>
Link: https://patch.msgid.link/20260427083606.459355-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 7b97f6b57cb17..f2ad946a519c2 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2305,10 +2305,11 @@ static void cake_set_rate(struct cake_tin_data *b, u64 rate, u32 mtu,
byte_target_ns = (byte_target * rate_ns) >> rate_shft;
- b->cparams.target = max((byte_target_ns * 3) / 2, target_ns);
- b->cparams.interval = max(rtt_est_ns +
- b->cparams.target - target_ns,
- b->cparams.target * 2);
+ WRITE_ONCE(b->cparams.target,
+ max((byte_target_ns * 3) / 2, target_ns));
+ WRITE_ONCE(b->cparams.interval,
+ max(rtt_est_ns + b->cparams.target - target_ns,
+ b->cparams.target * 2));
b->cparams.mtu_time = byte_target_ns;
b->cparams.p_inc = 1 << 24; /* 1/256 */
b->cparams.p_dec = 1 << 20; /* 1/4096 */
@@ -2938,9 +2939,9 @@ static int cake_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
PUT_TSTAT_U32(BACKLOG_BYTES, b->tin_backlog);
PUT_TSTAT_U32(TARGET_US,
- ktime_to_us(ns_to_ktime(b->cparams.target)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->cparams.target))));
PUT_TSTAT_U32(INTERVAL_US,
- ktime_to_us(ns_to_ktime(b->cparams.interval)));
+ ktime_to_us(ns_to_ktime(READ_ONCE(b->cparams.interval))));
PUT_TSTAT_U32(SENT_PACKETS, READ_ONCE(b->packets));
PUT_TSTAT_U32(DROPPED_PACKETS, READ_ONCE(b->tin_dropped));
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 823/957] netconsole: propagate device name truncation in dev_name_store()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (821 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 822/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 824/957] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
` (139 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 92ceb7bff62c2606f664c204750eca0b85d44112 ]
dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without
checking the return value. If userspace writes an interface name longer
than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but
the function ignores it and reports a fully successful write back to
userspace.
If a real interface happens to match the truncated name, netconsole will
bind to the wrong device on the next enable, sending kernel logs and
panic output to an unintended network segment with no indication to
userspace that anything was rewritten.
Reject writes whose length cannot fit in nt->np.dev_name up front:
if (count >= IFNAMSIZ)
return -ENAMETOOLONG;
This is not a big deal of a problem, but, it is still the correct
approach.
Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration using configfs")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260427-netconsole_ai_fixes-v2-3-59965f29d9cc@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netconsole.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index 7523f7763d36a..06345487d6aac 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -694,6 +694,13 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
size_t count)
{
struct netconsole_target *nt = to_target(item);
+ size_t len = count;
+
+ /* Account for a trailing newline appended by tools like echo */
+ if (len && buf[len - 1] == '\n')
+ len--;
+ if (len >= IFNAMSIZ)
+ return -ENAMETOOLONG;
mutex_lock(&dynamic_netconsole_mutex);
if (nt->enabled) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 824/957] ALSA: hda/conexant: Fix missing error check for jack detection
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (822 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 823/957] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 825/957] ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() Greg Kroah-Hartman
` (138 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangdicheng <wangdicheng@kylinos.cn>
[ Upstream commit b0e2333a231107adedd38c6fcfe1adc6162716fc ]
In cx_probe(), the return value of snd_hda_jack_detect_enable_callback()
is ignored. This function returns a pointer, and if it fails (e.g., due
to memory allocation failure), it returns an error pointer which must
be checked using IS_ERR().
If the registration fails, the driver continues to probe, but the jack
detection callback will not be registered. This can lead to a kernel
crash later when the driver attempts to handle jack events or accesses
the uninitialized structure.
Check the return value using IS_ERR() and propagate the error via
PTR_ERR() to the probe caller.
Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140")
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Link: https://patch.msgid.link/20260428080450.108801-1-wangdich9700@163.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/conexant.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/hda/codecs/conexant.c b/sound/hda/codecs/conexant.c
index f71123a475464..263773f8bd6ae 100644
--- a/sound/hda/codecs/conexant.c
+++ b/sound/hda/codecs/conexant.c
@@ -1183,6 +1183,7 @@ static void add_cx5051_fake_mutes(struct hda_codec *codec)
static int cx_probe(struct hda_codec *codec, const struct hda_device_id *id)
{
struct conexant_spec *spec;
+ struct hda_jack_callback *callback;
int err;
codec_info(codec, "%s: BIOS auto-probing.\n", codec->core.chip_name);
@@ -1198,7 +1199,12 @@ static int cx_probe(struct hda_codec *codec, const struct hda_device_id *id)
case 0x14f11f86:
case 0x14f11f87:
spec->is_cx11880_sn6140 = true;
- snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
+ callback = snd_hda_jack_detect_enable_callback(codec, 0x19,
+ cx_update_headset_mic_vref);
+ if (IS_ERR(callback)) {
+ err = PTR_ERR(callback);
+ goto error;
+ }
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 825/957] ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (823 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 824/957] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 826/957] ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1 Greg Kroah-Hartman
` (137 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Richard Fitzgerald,
Takashi Iwai, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit 90df4957a3271adf391b3432cd76a40887cf3273 ]
Eliminate the uninitialized 'nval' in cs35l56_hda_read_acpi() if a
system-specific quirk overrides processing of the dev-index property.
The value is now stored in a new 'num_amps' member of struct cs35l56_hda
so that the quirk handler can set the value.
The quirk for the Lenovo Yoga Book 9i GenX replaces the values from the
dev-index property with hardcoded indexes. So cs35l56_hda_read_acpi() would
then skip reading the property. But this left the 'nval' local variable
uninitialized when it is later passed to cirrus_scodec_get_speaker_id().
Fixes: 40b1c2f9b299 ("ALSA: hda/cs35l56: Workaround bad dev-index on Lenovo Yoga Book 9i GenX")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/linux-sound/aenFesLAStjrVNy8@stanley.mountain/T/#u
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Link: https://patch.msgid.link/20260428130531.169600-1-rf@opensource.cirrus.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/side-codecs/cs35l56_hda.c | 12 +++++++-----
sound/hda/codecs/side-codecs/cs35l56_hda.h | 1 +
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/sound/hda/codecs/side-codecs/cs35l56_hda.c b/sound/hda/codecs/side-codecs/cs35l56_hda.c
index 82b7352e7ea97..79c15e21d4bcb 100644
--- a/sound/hda/codecs/side-codecs/cs35l56_hda.c
+++ b/sound/hda/codecs/side-codecs/cs35l56_hda.c
@@ -884,6 +884,7 @@ static int cs35l56_hda_system_resume(struct device *dev)
static int cs35l56_hda_fixup_yoga9(struct cs35l56_hda *cs35l56, int *bus_addr)
{
/* The cirrus,dev-index property has the wrong values */
+ cs35l56->num_amps = 2;
switch (*bus_addr) {
case 0x30:
cs35l56->index = 1;
@@ -933,7 +934,6 @@ static int cs35l56_hda_read_acpi(struct cs35l56_hda *cs35l56, int hid, int id)
char hid_string[8];
struct acpi_device *adev;
const char *property, *sub;
- size_t nval;
int i, ret;
/*
@@ -969,13 +969,14 @@ static int cs35l56_hda_read_acpi(struct cs35l56_hda *cs35l56, int hid, int id)
ret = -EINVAL;
goto err;
}
- nval = ret;
+ cs35l56->num_amps = ret;
- ret = device_property_read_u32_array(cs35l56->base.dev, property, values, nval);
+ ret = device_property_read_u32_array(cs35l56->base.dev, property, values,
+ cs35l56->num_amps);
if (ret)
goto err;
- for (i = 0; i < nval; i++) {
+ for (i = 0; i < cs35l56->num_amps; i++) {
if (values[i] == id) {
cs35l56->index = i;
break;
@@ -998,7 +999,8 @@ static int cs35l56_hda_read_acpi(struct cs35l56_hda *cs35l56, int hid, int id)
"Read ACPI _SUB failed(%ld): fallback to generic firmware\n",
PTR_ERR(sub));
} else {
- ret = cirrus_scodec_get_speaker_id(cs35l56->base.dev, cs35l56->index, nval, -1);
+ ret = cirrus_scodec_get_speaker_id(cs35l56->base.dev, cs35l56->index,
+ cs35l56->num_amps, -1);
if (ret == -ENOENT) {
cs35l56->system_name = sub;
} else if (ret >= 0) {
diff --git a/sound/hda/codecs/side-codecs/cs35l56_hda.h b/sound/hda/codecs/side-codecs/cs35l56_hda.h
index 38d94fb213a50..0074e8f5f18cb 100644
--- a/sound/hda/codecs/side-codecs/cs35l56_hda.h
+++ b/sound/hda/codecs/side-codecs/cs35l56_hda.h
@@ -25,6 +25,7 @@ struct cs35l56_hda {
struct work_struct dsp_work;
int index;
+ int num_amps;
const char *system_name;
const char *amp_name;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 826/957] ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (824 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 825/957] ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 827/957] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
` (136 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shenghao Ding, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shenghao Ding <shenghao-ding@ti.com>
[ Upstream commit e052a1f7199260eda4d6ca08a59c3b98738f8491 ]
In TAS2781 SPI mode, when accessing non-book-zero or page numbers greater
than 1 in book 0, an additional byte must be read. The first byte in such
cases is a dummy byte and should be ignored.
Fixes: 9fa6a693ad8d ("ALSA: hda/tas2781: Remove tas2781_spi_fwlib.c and leverage SND_SOC_TAS2781_FMWLIB")
Signed-off-by: Shenghao Ding <shenghao-ding@ti.com>
Link: https://patch.msgid.link/20260429054206.429-1-shenghao-ding@ti.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/side-codecs/tas2781_hda_spi.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/sound/hda/codecs/side-codecs/tas2781_hda_spi.c b/sound/hda/codecs/side-codecs/tas2781_hda_spi.c
index 488e35dac9524..a64f2c899d50c 100644
--- a/sound/hda/codecs/side-codecs/tas2781_hda_spi.c
+++ b/sound/hda/codecs/side-codecs/tas2781_hda_spi.c
@@ -135,10 +135,18 @@ static int tasdevice_spi_dev_update_bits(struct tasdevice_priv *tas_priv,
int ret, val;
/*
- * In our TAS2781 SPI mode, read/write was masked in last bit of
- * address, it cause regmap_update_bits() not work as expected.
+ * In TAS2781 SPI mode, when accessing non-book-zero or page numbers
+ * greater than 1 in book 0, an additional byte must be read. The
+ * first byte in such cases is a dummy byte and should be ignored.
*/
- ret = tasdevice_dev_read(tas_priv, chn, reg, &val);
+ if ((TASDEVICE_BOOK_ID(reg) > 0) || (TASDEVICE_PAGE_ID(reg) > 1)) {
+ unsigned char buf[2];
+
+ ret = tasdevice_dev_bulk_read(tas_priv, chn, reg, buf, 2);
+ val = buf[1];
+ } else {
+ ret = tasdevice_dev_read(tas_priv, chn, reg, &val);
+ }
if (ret < 0) {
dev_err(tas_priv->dev, "%s, E=%d\n", __func__, ret);
return ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 827/957] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (825 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 826/957] ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1 Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 828/957] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
` (135 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moritz Klammler,
Sebastian Andrzej Siewior, Thomas Gleixner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit bc7304f3ae20972d11db6e0b1b541c63feda5f05 ]
During wait-requeue-pi (task A) and requeue-PI (task B) the following
race can happen:
Task A Task B
futex_wait_requeue_pi()
futex_setup_timer()
futex_do_wait()
futex_requeue()
CLASS(hb, hb1)(&key1);
CLASS(hb, hb2)(&key2);
*timeout*
futex_requeue_pi_wakeup_sync()
requeue_state = Q_REQUEUE_PI_IGNORE
*blocks on hb->lock*
futex_proxy_trylock_atomic()
futex_requeue_pi_prepare()
Q_REQUEUE_PI_IGNORE => -EAGAIN
double_unlock_hb(hb1, hb2)
*retry*
Task B acquires both hb locks and attempts to acquire the PI-lock of the
top most waiter (task B). Task A is leaving early due to a signal/
timeout and started removing itself from the queue. It updates its
requeue_state but can not remove it from the list because this requires
the hb lock which is owned by task B.
Usually task A is able to swoop the lock after task B unlocked it.
However if task B is of higher priority then task A may not be able to
wake up in time and acquire the lock before task B gets it again.
Especially on a UP system where A is never scheduled.
As a result task A blocks on the lock and task B busy loops, trying to
make progress but live locks the system instead. Tragic.
This can be fixed by removing the top most waiter from the list in this
case. This allows task B to grab the next top waiter (if any) in the
next iteration and make progress.
Remove the top most waiter if futex_requeue_pi_prepare() fails.
Let the waiter conditionally remove itself from the list in
handle_early_requeue_pi_wakeup().
Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
Reported-by: Moritz Klammler <Moritz.Klammler@ferchau.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260428103425.dywXyPd3@linutronix.de
Closes: https://lore.kernel.org/all/VE1PR06MB6894BE61C173D802365BE19DFF4CA@VE1PR06MB6894.eurprd06.prod.outlook.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/futex/requeue.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
index d818b4d47f1ba..b597cb3d17fc1 100644
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -319,8 +319,11 @@ futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1,
return -EINVAL;
/* Ensure that this does not race against an early wakeup */
- if (!futex_requeue_pi_prepare(top_waiter, NULL))
+ if (!futex_requeue_pi_prepare(top_waiter, NULL)) {
+ plist_del(&top_waiter->list, &hb1->chain);
+ futex_hb_waiters_dec(hb1);
return -EAGAIN;
+ }
/*
* Try to take the lock for top_waiter and set the FUTEX_WAITERS bit
@@ -722,10 +725,12 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
/*
* We were woken prior to requeue by a timeout or a signal.
- * Unqueue the futex_q and determine which it was.
+ * Conditionally unqueue the futex_q and determine which it was.
*/
- plist_del(&q->list, &hb->chain);
- futex_hb_waiters_dec(hb);
+ if (!plist_node_empty(&q->list)) {
+ plist_del(&q->list, &hb->chain);
+ futex_hb_waiters_dec(hb);
+ }
/* Handle spurious wakeups gracefully */
ret = -EWOULDBLOCK;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 828/957] drm/amd/display: Allow DCE link encoder without AUX registers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (826 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 827/957] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 829/957] drm/amd/display: Allow constructing DCE6 link encoder without DDC Greg Kroah-Hartman
` (134 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit ac27e3f99035f132f23bc0409d0e57f11f054c70 ]
Allow constructing the DCE link encoder without DDC,
which means the AUX registers array will be NULL.
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 87f30b101af62590faf6020d106da07efdda199b)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
index 0c50fe266c8a1..4103213a572ad 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c
@@ -989,7 +989,9 @@ void dce110_link_encoder_hw_init(
ASSERT(result == BP_RESULT_OK);
}
- aux_initialize(enc110);
+
+ if (enc110->aux_regs)
+ aux_initialize(enc110);
/* reinitialize HPD.
* hpd_initialize() will pass DIG_FE id to HW context.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 829/957] drm/amd/display: Allow constructing DCE6 link encoder without DDC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (827 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 828/957] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 830/957] drm/amd/display: Allow constructing DCE8 " Greg Kroah-Hartman
` (133 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 880498a1943f865529819f778df3b9945ca57262 ]
When the DDC channel ID is set to CHANNEL_ID_UNKNOWN,
pass NULL to the AUX regs array.
This is necessary to support embedded connectors without DDC.
Fixes: 7c15fd86aaec ("drm/amd/display: dc/dce: add initial DCE6 support (v10)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 38a70e50b22a188ff601740d64dd75f46213121f)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
index f2e47f1ff4b33..e94af8522083c 100644
--- a/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce60/dce60_resource.c
@@ -728,7 +728,8 @@ static struct link_encoder *dce60_link_encoder_create(
enc_init_data,
&link_enc_feature,
&link_enc_regs[link_regs_id],
- &link_enc_aux_regs[enc_init_data->channel - 1],
+ enc_init_data->channel == CHANNEL_ID_UNKNOWN ?
+ NULL : &link_enc_aux_regs[enc_init_data->channel - 1],
enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 830/957] drm/amd/display: Allow constructing DCE8 link encoder without DDC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (828 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 829/957] drm/amd/display: Allow constructing DCE6 link encoder without DDC Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 831/957] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
` (132 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 60af4605ef35ecb7ad649a8534b83a2f7c69576d ]
When the DDC channel ID is set to CHANNEL_ID_UNKNOWN,
pass NULL to the AUX regs array.
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 155baf3038c1af50b602723022ed869b38e86a99)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c
index 8822d5818d29e..b645c0c8ec3c5 100644
--- a/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dce80/dce80_resource.c
@@ -734,7 +734,8 @@ static struct link_encoder *dce80_link_encoder_create(
enc_init_data,
&link_enc_feature,
&link_enc_regs[link_regs_id],
- &link_enc_aux_regs[enc_init_data->channel - 1],
+ enc_init_data->channel == CHANNEL_ID_UNKNOWN ?
+ NULL : &link_enc_aux_regs[enc_init_data->channel - 1],
enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs) ?
NULL : &link_enc_hpd_regs[enc_init_data->hpd_source]);
return &enc110->base;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 831/957] drm/amd/display: Read EDID from VBIOS embedded panel info
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (829 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 830/957] drm/amd/display: Allow constructing DCE8 " Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 832/957] drm/xe/debugfs: Correct printing of register whitelist ranges Greg Kroah-Hartman
` (131 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit 9ea16f64189bf7b6ba50fc7f0325b3c1f836d105 ]
Some board manufacturers hardcode the EDID for the embedded
panel in the VBIOS. This EDID should be used when the panel
doesn't have a DDC.
For reference, see the legacy non-DC display code:
amdgpu_atombios_encoder_get_lcd_info()
This is necessary to support embedded connectors without DDC.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/5192
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eb105e63b474c11ef6a84a1c6b18100d851ff364)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/bios/bios_parser.c | 62 +++++++++++++++++++
.../display/include/grph_object_ctrl_defs.h | 4 ++
2 files changed, 66 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
index 154fd2c18e884..c800c603bf708 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c
@@ -1215,6 +1215,60 @@ static enum bp_result bios_parser_get_embedded_panel_info(
return BP_RESULT_FAILURE;
}
+static enum bp_result get_embedded_panel_extra_info(
+ struct bios_parser *bp,
+ struct embedded_panel_info *info,
+ const uint32_t table_offset)
+{
+ uint8_t *record = bios_get_image(&bp->base, table_offset, 1);
+ ATOM_PANEL_RESOLUTION_PATCH_RECORD *panel_res_record;
+ ATOM_FAKE_EDID_PATCH_RECORD *fake_edid_record;
+
+ while (*record != ATOM_RECORD_END_TYPE) {
+ switch (*record) {
+ case LCD_MODE_PATCH_RECORD_MODE_TYPE:
+ record += sizeof(ATOM_PATCH_RECORD_MODE);
+ break;
+ case LCD_RTS_RECORD_TYPE:
+ record += sizeof(ATOM_LCD_RTS_RECORD);
+ break;
+ case LCD_CAP_RECORD_TYPE:
+ record += sizeof(ATOM_LCD_MODE_CONTROL_CAP);
+ break;
+ case LCD_FAKE_EDID_PATCH_RECORD_TYPE:
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ if (fake_edid_record->ucFakeEDIDLength == 128)
+ info->fake_edid_size =
+ fake_edid_record->ucFakeEDIDLength;
+ else
+ info->fake_edid_size =
+ fake_edid_record->ucFakeEDIDLength * 128;
+
+ info->fake_edid = fake_edid_record->ucFakeEDIDString;
+
+ record += struct_size(fake_edid_record,
+ ucFakeEDIDString,
+ info->fake_edid_size);
+ } else {
+ /* empty fake edid record must be 3 bytes long */
+ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+ info->panel_width_mm = panel_res_record->usHSize;
+ info->panel_height_mm = panel_res_record->usVSize;
+ record += sizeof(ATOM_PANEL_RESOLUTION_PATCH_RECORD);
+ break;
+ default:
+ return BP_RESULT_BADBIOSTABLE;
+ }
+ }
+
+ return BP_RESULT_OK;
+}
+
static enum bp_result get_embedded_panel_info_v1_2(
struct bios_parser *bp,
struct embedded_panel_info *info)
@@ -1331,6 +1385,10 @@ static enum bp_result get_embedded_panel_info_v1_2(
if (ATOM_PANEL_MISC_API_ENABLED & lvds->ucLVDS_Misc)
info->lcd_timing.misc_info.API_ENABLED = true;
+ if (lvds->usExtInfoTableOffset)
+ return get_embedded_panel_extra_info(bp, info,
+ le16_to_cpu(lvds->usExtInfoTableOffset) + DATA_TABLES(LCD_Info));
+
return BP_RESULT_OK;
}
@@ -1456,6 +1514,10 @@ static enum bp_result get_embedded_panel_info_v1_3(
(uint32_t) (ATOM_PANEL_MISC_V13_GREY_LEVEL &
lvds->ucLCD_Misc) >> ATOM_PANEL_MISC_V13_GREY_LEVEL_SHIFT;
+ if (lvds->usExtInfoTableOffset)
+ return get_embedded_panel_extra_info(bp, info,
+ le16_to_cpu(lvds->usExtInfoTableOffset) + DATA_TABLES(LCD_Info));
+
return BP_RESULT_OK;
}
diff --git a/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h b/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
index cc467031651da..05eda9b28b328 100644
--- a/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
+++ b/drivers/gpu/drm/amd/display/include/grph_object_ctrl_defs.h
@@ -153,6 +153,10 @@ struct embedded_panel_info {
uint32_t drr_enabled;
uint32_t min_drr_refresh_rate;
bool realtek_eDPToLVDS;
+ uint16_t panel_width_mm;
+ uint16_t panel_height_mm;
+ uint16_t fake_edid_size;
+ const uint8_t *fake_edid;
};
struct dc_firmware_info {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 832/957] drm/xe/debugfs: Correct printing of register whitelist ranges
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (830 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 831/957] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 833/957] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Greg Kroah-Hartman
` (130 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stuart Summers, Matt Roper,
Rodrigo Vivi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Roper <matthew.d.roper@intel.com>
[ Upstream commit 03f2499c51dffce611b065b2894406beb9f2ebe0 ]
The register-save-restore debugfs prints whitelist entries as offset
ranges. E.g.,
REG[0x39319c-0x39319f]: allow read access
for a single dword-sized register. However the GENMASK value used to
set the lower bits to '1' for the upper bound of the whitelist range
incorrectly included one more bit than it should have, causing the
whitelist ranges to sometimes appear twice as large as they really were.
For example,
REG[0x6210-0x6217]: allow rw access
was also intended to be a single dword-sized register whitelist (with a
range 0x6210-0x6213) but was printed incorrectly as a qword-sized range
because one too many bits was flipped on. Similar 'off by one' logic
was applied when printing 4-dword register ranges and 64-dword register
ranges as well.
Correct the GENMASK logic to print these ranges in debugfs correctly.
No impact outside of correcting the misleading debugfs output.
Fixes: d855d2246ea6 ("drm/xe: Print whitelist while applying")
Reviewed-by: Stuart Summers <stuart.summers@intel.com>
Link: https://patch.msgid.link/20260408-regsr_wl_range-v1-1-e9a28c8b4264@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit 1a2a722ff96749734a5585dfe7f0bea7719caa8b)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_reg_whitelist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/xe/xe_reg_whitelist.c b/drivers/gpu/drm/xe/xe_reg_whitelist.c
index 23f6c81d99946..21763dc51150b 100644
--- a/drivers/gpu/drm/xe/xe_reg_whitelist.c
+++ b/drivers/gpu/drm/xe/xe_reg_whitelist.c
@@ -174,7 +174,7 @@ void xe_reg_whitelist_print_entry(struct drm_printer *p, unsigned int indent,
}
range_start = reg & REG_GENMASK(25, range_bit);
- range_end = range_start | REG_GENMASK(range_bit, 0);
+ range_end = range_start | REG_GENMASK(range_bit - 1, 0);
switch (val & RING_FORCE_TO_NONPRIV_ACCESS_MASK) {
case RING_FORCE_TO_NONPRIV_ACCESS_RW:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 833/957] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (831 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 832/957] drm/xe/debugfs: Correct printing of register whitelist ranges Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 834/957] drm/xe/eustall: Fix drm_dev_put called before stream disable in close Greg Kroah-Hartman
` (129 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francois Dugast, Matthew Brost,
Niranjana Vishwanathapura, Shuicheng Lin, Rodrigo Vivi,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit f3cc22d4df3ed58439ea7e21daa54c3608e03b78 ]
Two error handling issues exist in xe_exec_queue_create_ioctl():
1. When xe_hw_engine_group_add_exec_queue() fails, the error path jumps
to put_exec_queue which skips xe_exec_queue_kill(). If the VM is in
preempt fence mode, xe_vm_add_compute_exec_queue() has already added
the queue to the VM's compute exec queue list. Skipping the kill
leaves the queue on that list, leading to a dangling pointer after
the queue is freed.
2. When xa_alloc() fails after xe_hw_engine_group_add_exec_queue() has
succeeded, the error path does not call
xe_hw_engine_group_del_exec_queue() to remove the queue from the hw
engine group list. The queue is then freed while still linked into
the hw engine group, causing a use-after-free.
Fix both by:
- Changing the xe_hw_engine_group_add_exec_queue() failure path to jump
to kill_exec_queue so that xe_exec_queue_kill() properly removes the
queue from the VM's compute list.
- Adding a del_hw_engine_group label before kill_exec_queue for the
xa_alloc() failure path, which removes the queue from the hw engine
group before proceeding with the rest of the cleanup.
Fixes: 7970cb36966c ("'drm/xe/hw_engine_group: Register hw engine group's exec queues")
Cc: Francois Dugast <francois.dugast@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Niranjana Vishwanathapura <niranjana.vishwanathapura@intel.com>
Assisted-by: Claude:claude-opus-4.6
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260408020647.3397933-1-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit 37c831f401746a45d510b312b0ed7a77b1e06ec8)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_exec_queue.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c
index 231d1fbe5eefa..0df11f054cfba 100644
--- a/drivers/gpu/drm/xe/xe_exec_queue.c
+++ b/drivers/gpu/drm/xe/xe_exec_queue.c
@@ -789,7 +789,7 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
if (q->vm && q->hwe->hw_engine_group) {
err = xe_hw_engine_group_add_exec_queue(q->hwe->hw_engine_group, q);
if (err)
- goto put_exec_queue;
+ goto kill_exec_queue;
}
}
@@ -798,12 +798,15 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
/* user id alloc must always be last in ioctl to prevent UAF */
err = xa_alloc(&xef->exec_queue.xa, &id, q, xa_limit_32b, GFP_KERNEL);
if (err)
- goto kill_exec_queue;
+ goto del_hw_engine_group;
args->exec_queue_id = id;
return 0;
+del_hw_engine_group:
+ if (q->vm && q->hwe && q->hwe->hw_engine_group)
+ xe_hw_engine_group_del_exec_queue(q->hwe->hw_engine_group, q);
kill_exec_queue:
xe_exec_queue_kill(q);
put_exec_queue:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 834/957] drm/xe/eustall: Fix drm_dev_put called before stream disable in close
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (832 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 833/957] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 835/957] drm/xe/gsc: Fix BO leak on error in query_compatibility_version() Greg Kroah-Hartman
` (128 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harish Chegondi, Shuicheng Lin,
Matt Roper, Rodrigo Vivi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit dc2d9842c67d883d3200ae33b9c3859dd9492408 ]
In xe_eu_stall_stream_close(), drm_dev_put() is called before the
stream is disabled and its resources are freed. If this drops the
last reference, the device structures could be freed while the
subsequent cleanup code still accesses them, leading to a
use-after-free.
Fix this by moving drm_dev_put() after all device accesses are
complete. This matches the ordering in xe_oa_release().
Fixes: 9a0b11d4cf3b ("drm/xe/eustall: Add support to init, enable and disable EU stall sampling")
Cc: Harish Chegondi <harish.chegondi@intel.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Harish Chegondi <harish.chegondi@intel.com>
Link: https://patch.msgid.link/20260415225428.3399934-1-shuicheng.lin@intel.com
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
(cherry picked from commit 35aff528f7297e949e5e19c9cd7fd748cf1cf21c)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_eu_stall.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_eu_stall.c b/drivers/gpu/drm/xe/xe_eu_stall.c
index 33a3764e3e71b..d7392250e0b3a 100644
--- a/drivers/gpu/drm/xe/xe_eu_stall.c
+++ b/drivers/gpu/drm/xe/xe_eu_stall.c
@@ -845,14 +845,14 @@ static int xe_eu_stall_stream_close(struct inode *inode, struct file *file)
struct xe_eu_stall_data_stream *stream = file->private_data;
struct xe_gt *gt = stream->gt;
- drm_dev_put(>->tile->xe->drm);
-
mutex_lock(>->eu_stall->stream_lock);
xe_eu_stall_disable_locked(stream);
xe_eu_stall_data_buf_destroy(stream);
xe_eu_stall_stream_free(stream);
mutex_unlock(>->eu_stall->stream_lock);
+ drm_dev_put(>->tile->xe->drm);
+
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 835/957] drm/xe/gsc: Fix BO leak on error in query_compatibility_version()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (833 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 834/957] drm/xe/eustall: Fix drm_dev_put called before stream disable in close Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 836/957] net: airoha: fix BQL imbalance in TX path Greg Kroah-Hartman
` (127 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniele Ceraolo Spurio,
Shuicheng Lin, Rodrigo Vivi, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit 3762d6c36549accea7068c4a175483fafdd03657 ]
When xe_gsc_read_out_header() fails, query_compatibility_version()
returns directly instead of jumping to the out_bo label. This skips
the xe_bo_unpin_map_no_vm() call, leaving the BO pinned and mapped
with no remaining reference to free it.
Fix by using goto out_bo so the error path properly cleans up the BO,
consistent with the other error handling in the same function.
Fixes: 0881cbe04077 ("drm/xe/gsc: Query GSC compatibility version")
Cc: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
Link: https://patch.msgid.link/20260417163308.3416147-1-shuicheng.lin@intel.com
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
(cherry picked from commit 8de86d0a843c32ca9d36864bdb92f0376a830bce)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/xe/xe_gsc.c b/drivers/gpu/drm/xe/xe_gsc.c
index 83d61bf8ec62e..8371ec002e4ed 100644
--- a/drivers/gpu/drm/xe/xe_gsc.c
+++ b/drivers/gpu/drm/xe/xe_gsc.c
@@ -166,7 +166,7 @@ static int query_compatibility_version(struct xe_gsc *gsc)
&rd_offset);
if (err) {
xe_gt_err(gt, "HuC: invalid GSC reply for version query (err=%d)\n", err);
- return err;
+ goto out_bo;
}
compat->major = version_query_rd(xe, &bo->vmap, rd_offset, proj_major);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 836/957] net: airoha: fix BQL imbalance in TX path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (834 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 835/957] drm/xe/gsc: Fix BO leak on error in query_compatibility_version() Greg Kroah-Hartman
@ 2026-05-20 16:21 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 837/957] net: airoha: Do not return err in ndo_stop() callback Greg Kroah-Hartman
` (126 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 2d9f5a118205da2683ffcec78b9347f1f01a820e ]
Fix a possible BQL imbalance in airoha_dev_xmit(), where inflight
packets are accounted only for the AIROHA_NUM_TX_RING netdev TX
queues. The queue index is computed as:
qid = skb_get_queue_mapping(skb) % ARRAY_SIZE(qdma->q_tx)
txq = netdev_get_tx_queue(dev, qid);
However, airoha_qdma_tx_napi_poll() accounts completions across all
netdev TX queues (num_tx_queues), leading to inconsistent BQL
accounting.
Also reset all netdev TX queues in the ndo_stop callback.
Fixes: 1d304174106c ("net: airoha: Implement BQL support")
Fixes: c9f947769b77 ("net: airoha: Reset BQL stopping the netdevice")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260421-airoha-fix-bql-v1-1-f135afe4275b@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 4ca01292ea2f ("net: airoha: Do not return err in ndo_stop() callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index a69544e785a2a..6742d0d9068df 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -971,10 +971,9 @@ static int airoha_qdma_tx_napi_poll(struct napi_struct *napi, int budget)
q->queued--;
if (skb) {
- u16 queue = skb_get_queue_mapping(skb);
struct netdev_queue *txq;
- txq = netdev_get_tx_queue(skb->dev, queue);
+ txq = skb_get_tx_queue(skb->dev, skb);
netdev_tx_completed_queue(txq, 1, skb->len);
dev_kfree_skb_any(skb);
}
@@ -1777,7 +1776,7 @@ static int airoha_dev_stop(struct net_device *dev)
if (err)
return err;
- for (i = 0; i < ARRAY_SIZE(qdma->q_tx); i++)
+ for (i = 0; i < dev->num_tx_queues; i++)
netdev_tx_reset_subqueue(dev, i);
if (atomic_dec_and_test(&qdma->users)) {
@@ -2066,7 +2065,7 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
spin_lock_bh(&q->lock);
- txq = netdev_get_tx_queue(dev, qid);
+ txq = skb_get_tx_queue(dev, skb);
nr_frags = 1 + skb_shinfo(skb)->nr_frags;
if (q->queued + nr_frags >= q->ndesc) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 837/957] net: airoha: Do not return err in ndo_stop() callback
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (835 preceding siblings ...)
2026-05-20 16:21 ` [PATCH 6.18 836/957] net: airoha: fix BQL imbalance in TX path Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 838/957] bonding: print churn state via netlink Greg Kroah-Hartman
` (125 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 4ca01292ea2f2363660610a65ba0285d7c3309ed ]
Always complete the airoha_dev_stop() routine regardless of the
airoha_set_vip_for_gdm_port() return value, since errors from
ndo_stop() are ignored by the networking stack and the interface is
always considered down after the call.
Fixes: 23020f049327 ("net: airoha: Introduce ethernet support for EN7581 SoC")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260428-airoha-ndo-stop-not-err-v1-1-674506d29a91@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 6742d0d9068df..81ecfc1a1094c 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1769,13 +1769,10 @@ static int airoha_dev_stop(struct net_device *dev)
{
struct airoha_gdm_port *port = netdev_priv(dev);
struct airoha_qdma *qdma = port->qdma;
- int i, err;
+ int i;
netif_tx_disable(dev);
- err = airoha_set_vip_for_gdm_port(port, false);
- if (err)
- return err;
-
+ airoha_set_vip_for_gdm_port(port, false);
for (i = 0; i < dev->num_tx_queues; i++)
netdev_tx_reset_subqueue(dev, i);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 838/957] bonding: print churn state via netlink
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (836 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 837/957] net: airoha: Do not return err in ndo_stop() callback Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 839/957] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
` (124 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 4916f2e2f3fc9aef289fcd07949301e5c29094c2 ]
Currently, the churn state is printed only in sysfs. Add netlink support
so users could get the state via netlink.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260224020215.6012-1-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: c4f050ce06c5 ("bonding: 3ad: implement proper RCU rules for port->aggregator")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_netlink.c | 9 +++++++++
include/uapi/linux/if_link.h | 2 ++
2 files changed, 11 insertions(+)
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 286f11c517f76..ea1a80e658aeb 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -29,6 +29,8 @@ static size_t bond_get_slave_size(const struct net_device *bond_dev,
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE */
nla_total_size(sizeof(s32)) + /* IFLA_BOND_SLAVE_PRIO */
nla_total_size(sizeof(u16)) + /* IFLA_BOND_SLAVE_ACTOR_PORT_PRIO */
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE */
+ nla_total_size(sizeof(u8)) + /* IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE */
0;
}
@@ -77,6 +79,13 @@ static int bond_fill_slave_info(struct sk_buff *skb,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
ad_port->partner_oper.port_state))
goto nla_put_failure;
+
+ if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
+ ad_port->sm_churn_actor_state))
+ goto nla_put_failure;
+ if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
+ ad_port->sm_churn_partner_state))
+ goto nla_put_failure;
}
if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 3b491d96e52eb..69f19759b79d5 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -1567,6 +1567,8 @@ enum {
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
IFLA_BOND_SLAVE_PRIO,
IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
+ IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
+ IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
__IFLA_BOND_SLAVE_MAX,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 839/957] bonding: 3ad: implement proper RCU rules for port->aggregator
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (837 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 838/957] bonding: print churn state via netlink Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 840/957] page_pool: fix memory-provider leak in page_pool_create_percpu() error path Greg Kroah-Hartman
` (123 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9bb2ff2a4ab9e17307e1,
Eric Dumazet, Jay Vosburgh, Andrew Lunn, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c4f050ce06c56cfb5993268af4a5cb66ed1cd04e ]
syzbot found a data-race in bond_3ad_get_active_agg_info /
bond_3ad_state_machine_handler [1] which hints at lack of proper
RCU implementation.
Add __rcu qualifier to port->aggregator, and add proper RCU API.
[1]
BUG: KCSAN: data-race in bond_3ad_get_active_agg_info / bond_3ad_state_machine_handler
write to 0xffff88813cf5c4b0 of 8 bytes by task 36 on cpu 0:
ad_port_selection_logic drivers/net/bonding/bond_3ad.c:1659 [inline]
bond_3ad_state_machine_handler+0x9d5/0x2d60 drivers/net/bonding/bond_3ad.c:2569
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3385
worker_thread+0x58a/0x780 kernel/workqueue.c:3466
kthread+0x22a/0x280 kernel/kthread.c:436
ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
read to 0xffff88813cf5c4b0 of 8 bytes by task 22063 on cpu 1:
__bond_3ad_get_active_agg_info drivers/net/bonding/bond_3ad.c:2858 [inline]
bond_3ad_get_active_agg_info+0x8c/0x230 drivers/net/bonding/bond_3ad.c:2881
bond_fill_info+0xe0f/0x10f0 drivers/net/bonding/bond_netlink.c:853
rtnl_link_info_fill net/core/rtnetlink.c:906 [inline]
rtnl_link_fill+0x1d7/0x4e0 net/core/rtnetlink.c:927
rtnl_fill_ifinfo+0xf8e/0x1380 net/core/rtnetlink.c:2168
rtmsg_ifinfo_build_skb+0x11c/0x1b0 net/core/rtnetlink.c:4453
rtmsg_ifinfo_event net/core/rtnetlink.c:4486 [inline]
rtmsg_ifinfo+0x6d/0x110 net/core/rtnetlink.c:4495
__dev_notify_flags+0x76/0x390 net/core/dev.c:9790
netif_change_flags+0xac/0xd0 net/core/dev.c:9823
do_setlink+0x905/0x2950 net/core/rtnetlink.c:3180
rtnl_group_changelink net/core/rtnetlink.c:3813 [inline]
__rtnl_newlink net/core/rtnetlink.c:3981 [inline]
rtnl_newlink+0xf55/0x1400 net/core/rtnetlink.c:4109
rtnetlink_rcv_msg+0x64b/0x720 net/core/rtnetlink.c:6995
netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:7022
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x5a8/0x680 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x5c8/0x6f0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x563/0x5b0 net/socket.c:2698
___sys_sendmsg+0x195/0x1e0 net/socket.c:2752
__sys_sendmsg net/socket.c:2784 [inline]
__do_sys_sendmsg net/socket.c:2789 [inline]
__se_sys_sendmsg net/socket.c:2787 [inline]
__x64_sys_sendmsg+0xd4/0x160 net/socket.c:2787
x64_sys_call+0x194c/0x3020 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x0000000000000000 -> 0xffff88813cf5c400
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 22063 Comm: syz.0.31122 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Fixes: 47e91f56008b ("bonding: use RCU protection for 3ad xmit path")
Reported-by: syzbot+9bb2ff2a4ab9e17307e1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69f0a82f.050a0220.3aadc4.0000.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Link: https://patch.msgid.link/20260428123207.3809211-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 109 ++++++++++++++-----------
drivers/net/bonding/bond_main.c | 8 +-
drivers/net/bonding/bond_netlink.c | 16 ++--
drivers/net/bonding/bond_procfs.c | 3 +-
drivers/net/bonding/bond_sysfs_slave.c | 17 ++--
include/net/bond_3ad.h | 2 +-
6 files changed, 89 insertions(+), 66 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index 49717b7b82a2c..f1ef99f7515b0 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -1014,6 +1014,7 @@ static void ad_cond_set_peer_notif(struct port *port)
static void ad_mux_machine(struct port *port, bool *update_slave_arr)
{
struct bonding *bond = __get_bond_by_port(port);
+ struct aggregator *aggregator;
mux_states_t last_state;
/* keep current State Machine state to compare later if it was
@@ -1021,6 +1022,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
last_state = port->sm_mux_state;
+ aggregator = rcu_dereference(port->aggregator);
if (port->sm_vars & AD_PORT_BEGIN) {
port->sm_mux_state = AD_MUX_DETACHED;
} else {
@@ -1040,7 +1042,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* cycle to update ready variable, we check
* READY_N and update READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
port->sm_mux_state = AD_MUX_DETACHED;
break;
}
@@ -1055,7 +1057,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* update ready variable, we check READY_N and update
* READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
/* if the wait_while_timer expired, and the port is
* in READY state, move to ATTACHED state
@@ -1071,7 +1073,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
if ((port->sm_vars & AD_PORT_SELECTED) &&
(port->partner_oper.port_state & LACP_STATE_SYNCHRONIZATION) &&
!__check_agg_selection_timer(port)) {
- if (port->aggregator->is_active) {
+ if (aggregator->is_active) {
int state = AD_MUX_COLLECTING_DISTRIBUTING;
if (!bond->params.coupled_control)
@@ -1087,9 +1089,9 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* cycle to update ready variable, we check
* READY_N and update READY here
*/
- __set_agg_ports_ready(port->aggregator, __agg_ports_are_ready(port->aggregator));
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
port->sm_mux_state = AD_MUX_DETACHED;
- } else if (port->aggregator->is_active) {
+ } else if (aggregator->is_active) {
port->actor_oper_port_state |=
LACP_STATE_SYNCHRONIZATION;
}
@@ -1100,7 +1102,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* sure that a collecting distributing
* port in an active aggregator is enabled
*/
- if (port->aggregator->is_active &&
+ if (aggregator->is_active &&
!__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
@@ -1119,7 +1121,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
*/
struct slave *slave = port->slave;
- if (port->aggregator->is_active &&
+ if (aggregator->is_active &&
bond_is_slave_rx_disabled(slave)) {
ad_enable_collecting(port);
*update_slave_arr = true;
@@ -1139,8 +1141,8 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
* sure that a collecting distributing
* port in an active aggregator is enabled
*/
- if (port->aggregator &&
- port->aggregator->is_active &&
+ if (aggregator &&
+ aggregator->is_active &&
!__port_is_collecting_distributing(port)) {
__enable_port(port);
*update_slave_arr = true;
@@ -1172,7 +1174,7 @@ static void ad_mux_machine(struct port *port, bool *update_slave_arr)
port->sm_mux_timer_counter = __ad_timer_to_ticks(AD_WAIT_WHILE_TIMER, 0);
break;
case AD_MUX_ATTACHED:
- if (port->aggregator->is_active)
+ if (aggregator->is_active)
port->actor_oper_port_state |=
LACP_STATE_SYNCHRONIZATION;
else
@@ -1546,9 +1548,9 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
bond = __get_bond_by_port(port);
/* if the port is connected to other aggregator, detach it */
- if (port->aggregator) {
+ temp_aggregator = rcu_dereference(port->aggregator);
+ if (temp_aggregator) {
/* detach the port from its former aggregator */
- temp_aggregator = port->aggregator;
for (curr_port = temp_aggregator->lag_ports; curr_port;
last_port = curr_port,
curr_port = curr_port->next_port_in_aggregator) {
@@ -1571,7 +1573,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
/* clear the port's relations to this
* aggregator
*/
- port->aggregator = NULL;
+ RCU_INIT_POINTER(port->aggregator, NULL);
port->next_port_in_aggregator = NULL;
port->actor_port_aggregator_identifier = 0;
@@ -1594,7 +1596,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
port->slave->bond->dev->name,
port->slave->dev->name,
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ temp_aggregator->aggregator_identifier);
}
}
/* search on all aggregators for a suitable aggregator for this port */
@@ -1618,15 +1620,15 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
)
) {
/* attach to the founded aggregator */
- port->aggregator = aggregator;
+ rcu_assign_pointer(port->aggregator, aggregator);
port->actor_port_aggregator_identifier =
- port->aggregator->aggregator_identifier;
+ aggregator->aggregator_identifier;
port->next_port_in_aggregator = aggregator->lag_ports;
- port->aggregator->num_of_ports++;
+ aggregator->num_of_ports++;
aggregator->lag_ports = port;
slave_dbg(bond->dev, slave->dev, "Port %d joined LAG %d (existing LAG)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
/* mark this port as selected */
port->sm_vars |= AD_PORT_SELECTED;
@@ -1641,39 +1643,40 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
if (!found) {
if (free_aggregator) {
/* assign port a new aggregator */
- port->aggregator = free_aggregator;
port->actor_port_aggregator_identifier =
- port->aggregator->aggregator_identifier;
+ free_aggregator->aggregator_identifier;
/* update the new aggregator's parameters
* if port was responsed from the end-user
*/
if (port->actor_oper_port_key & AD_DUPLEX_KEY_MASKS)
/* if port is full duplex */
- port->aggregator->is_individual = false;
+ free_aggregator->is_individual = false;
else
- port->aggregator->is_individual = true;
+ free_aggregator->is_individual = true;
- port->aggregator->actor_admin_aggregator_key =
+ free_aggregator->actor_admin_aggregator_key =
port->actor_admin_port_key;
- port->aggregator->actor_oper_aggregator_key =
+ free_aggregator->actor_oper_aggregator_key =
port->actor_oper_port_key;
- port->aggregator->partner_system =
+ free_aggregator->partner_system =
port->partner_oper.system;
- port->aggregator->partner_system_priority =
+ free_aggregator->partner_system_priority =
port->partner_oper.system_priority;
- port->aggregator->partner_oper_aggregator_key = port->partner_oper.key;
- port->aggregator->receive_state = 1;
- port->aggregator->transmit_state = 1;
- port->aggregator->lag_ports = port;
- port->aggregator->num_of_ports++;
+ free_aggregator->partner_oper_aggregator_key = port->partner_oper.key;
+ free_aggregator->receive_state = 1;
+ free_aggregator->transmit_state = 1;
+ free_aggregator->lag_ports = port;
+ free_aggregator->num_of_ports++;
+
+ rcu_assign_pointer(port->aggregator, free_aggregator);
/* mark this port as selected */
port->sm_vars |= AD_PORT_SELECTED;
slave_dbg(bond->dev, port->slave->dev, "Port %d joined LAG %d (new LAG)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ free_aggregator->aggregator_identifier);
} else {
slave_err(bond->dev, port->slave->dev,
"Port %d did not find a suitable aggregator\n",
@@ -1685,13 +1688,12 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
* in all aggregator's ports, else set ready=FALSE in all
* aggregator's ports
*/
- __set_agg_ports_ready(port->aggregator,
- __agg_ports_are_ready(port->aggregator));
+ aggregator = rcu_dereference(port->aggregator);
+ __set_agg_ports_ready(aggregator, __agg_ports_are_ready(aggregator));
- aggregator = __get_first_agg(port);
- ad_agg_selection_logic(aggregator, update_slave_arr);
+ ad_agg_selection_logic(__get_first_agg(port), update_slave_arr);
- if (!port->aggregator->is_active)
+ if (!aggregator->is_active)
port->actor_oper_port_state &= ~LACP_STATE_SYNCHRONIZATION;
}
@@ -2060,13 +2062,15 @@ static void ad_initialize_port(struct port *port, const struct bond_params *bond
*/
static void ad_enable_collecting(struct port *port)
{
- if (port->aggregator->is_active) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator->is_active) {
struct slave *slave = port->slave;
slave_dbg(slave->bond->dev, slave->dev,
"Enabling collecting on port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__enable_collecting_port(port);
}
}
@@ -2078,11 +2082,13 @@ static void ad_enable_collecting(struct port *port)
*/
static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
{
- if (port->aggregator && __agg_has_partner(port->aggregator)) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator && __agg_has_partner(aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling distributing on port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__disable_distributing_port(port);
/* Slave array needs an update */
*update_slave_arr = true;
@@ -2099,11 +2105,13 @@ static void ad_disable_distributing(struct port *port, bool *update_slave_arr)
static void ad_enable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator->is_active) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator->is_active) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Enabling port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__enable_port(port);
/* Slave array needs update */
*update_slave_arr = true;
@@ -2120,11 +2128,13 @@ static void ad_enable_collecting_distributing(struct port *port,
static void ad_disable_collecting_distributing(struct port *port,
bool *update_slave_arr)
{
- if (port->aggregator && __agg_has_partner(port->aggregator)) {
+ struct aggregator *aggregator = rcu_dereference(port->aggregator);
+
+ if (aggregator && __agg_has_partner(aggregator)) {
slave_dbg(port->slave->bond->dev, port->slave->dev,
"Disabling port %d (LAG %d)\n",
port->actor_port_number,
- port->aggregator->aggregator_identifier);
+ aggregator->aggregator_identifier);
__disable_port(port);
/* Slave array needs an update */
*update_slave_arr = true;
@@ -2364,7 +2374,7 @@ void bond_3ad_unbind_slave(struct slave *slave)
*/
for (temp_port = aggregator->lag_ports; temp_port;
temp_port = temp_port->next_port_in_aggregator) {
- temp_port->aggregator = new_aggregator;
+ rcu_assign_pointer(temp_port->aggregator, new_aggregator);
temp_port->actor_port_aggregator_identifier = new_aggregator->aggregator_identifier;
}
@@ -2833,15 +2843,16 @@ int bond_3ad_set_carrier(struct bonding *bond)
int __bond_3ad_get_active_agg_info(struct bonding *bond,
struct ad_info *ad_info)
{
- struct aggregator *aggregator = NULL;
+ struct aggregator *aggregator = NULL, *tmp;
struct list_head *iter;
struct slave *slave;
struct port *port;
bond_for_each_slave_rcu(bond, slave, iter) {
port = &(SLAVE_AD_INFO(slave)->port);
- if (port->aggregator && port->aggregator->is_active) {
- aggregator = port->aggregator;
+ tmp = rcu_dereference(port->aggregator);
+ if (tmp && tmp->is_active) {
+ aggregator = tmp;
break;
}
}
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 1d84e348f2cc7..8b1422dda4c08 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1402,7 +1402,7 @@ static void bond_poll_controller(struct net_device *bond_dev)
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
struct aggregator *agg =
- SLAVE_AD_INFO(slave)->port.aggregator;
+ rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (agg &&
agg->aggregator_identifier != ad_info.aggregator_id)
@@ -5155,15 +5155,16 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
spin_unlock_bh(&bond->mode_lock);
agg_id = ad_info.aggregator_id;
}
+ rcu_read_lock();
bond_for_each_slave(bond, slave, iter) {
if (skipslave == slave)
continue;
all_slaves->arr[all_slaves->count++] = slave;
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
- struct aggregator *agg;
+ const struct aggregator *agg;
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (!agg || agg->aggregator_identifier != agg_id)
continue;
}
@@ -5175,6 +5176,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
usable_slaves->arr[usable_slaves->count++] = slave;
}
+ rcu_read_unlock();
bond_set_slave_arr(bond, usable_slaves, all_slaves);
return ret;
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index ea1a80e658aeb..c7d3e0602c831 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -66,27 +66,29 @@ static int bond_fill_slave_info(struct sk_buff *skb,
const struct port *ad_port;
ad_port = &SLAVE_AD_INFO(slave)->port;
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
+ rcu_read_lock();
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
if (agg) {
if (nla_put_u16(skb, IFLA_BOND_SLAVE_AD_AGGREGATOR_ID,
agg->aggregator_identifier))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb,
IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE,
ad_port->actor_oper_port_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u16(skb,
IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
ad_port->partner_oper.port_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_ACTOR_STATE,
ad_port->sm_churn_actor_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
if (nla_put_u8(skb, IFLA_BOND_SLAVE_AD_CHURN_PARTNER_STATE,
ad_port->sm_churn_partner_state))
- goto nla_put_failure;
+ goto nla_put_failure_rcu;
}
+ rcu_read_unlock();
if (nla_put_u16(skb, IFLA_BOND_SLAVE_ACTOR_PORT_PRIO,
SLAVE_AD_INFO(slave)->port_priority))
@@ -95,6 +97,8 @@ static int bond_fill_slave_info(struct sk_buff *skb,
return 0;
+nla_put_failure_rcu:
+ rcu_read_unlock();
nla_put_failure:
return -EMSGSIZE;
}
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index 7edf72ec816ab..0c0146b761772 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -187,6 +187,7 @@ static void bond_info_show_master(struct seq_file *seq)
}
}
+/* Note: runs under rcu_read_lock() */
static void bond_info_show_slave(struct seq_file *seq,
const struct slave *slave)
{
@@ -213,7 +214,7 @@ static void bond_info_show_slave(struct seq_file *seq,
if (BOND_MODE(bond) == BOND_MODE_8023AD) {
const struct port *port = &SLAVE_AD_INFO(slave)->port;
- const struct aggregator *agg = port->aggregator;
+ const struct aggregator *agg = rcu_dereference(port->aggregator);
if (agg) {
seq_printf(seq, "Aggregator ID: %d\n",
diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
index 36d0e8440b5b9..fc6fe7181789d 100644
--- a/drivers/net/bonding/bond_sysfs_slave.c
+++ b/drivers/net/bonding/bond_sysfs_slave.c
@@ -62,10 +62,15 @@ static ssize_t ad_aggregator_id_show(struct slave *slave, char *buf)
const struct aggregator *agg;
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
- agg = SLAVE_AD_INFO(slave)->port.aggregator;
- if (agg)
- return sysfs_emit(buf, "%d\n",
- agg->aggregator_identifier);
+ rcu_read_lock();
+ agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
+ if (agg) {
+ ssize_t res = sysfs_emit(buf, "%d\n",
+ agg->aggregator_identifier);
+ rcu_read_unlock();
+ return res;
+ }
+ rcu_read_unlock();
}
return sysfs_emit(buf, "N/A\n");
@@ -78,7 +83,7 @@ static ssize_t ad_actor_oper_port_state_show(struct slave *slave, char *buf)
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
ad_port = &SLAVE_AD_INFO(slave)->port;
- if (ad_port->aggregator)
+ if (rcu_access_pointer(ad_port->aggregator))
return sysfs_emit(buf, "%u\n",
ad_port->actor_oper_port_state);
}
@@ -93,7 +98,7 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
ad_port = &SLAVE_AD_INFO(slave)->port;
- if (ad_port->aggregator)
+ if (rcu_access_pointer(ad_port->aggregator))
return sysfs_emit(buf, "%u\n",
ad_port->partner_oper.port_state);
}
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index c92d4a976246d..05572c19e14b7 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -243,7 +243,7 @@ typedef struct port {
churn_state_t sm_churn_actor_state;
churn_state_t sm_churn_partner_state;
struct slave *slave; /* pointer to the bond slave that this port belongs to */
- struct aggregator *aggregator; /* pointer to an aggregator that this port related to */
+ struct aggregator __rcu *aggregator; /* pointer to an aggregator that this port related to */
struct port *next_port_in_aggregator; /* Next port on the linked list of the parent aggregator */
u32 transaction_id; /* continuous number for identification of Marker PDU's; */
struct lacpdu lacpdu; /* the lacpdu that will be sent for this port */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 840/957] page_pool: fix memory-provider leak in page_pool_create_percpu() error path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (838 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 839/957] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 841/957] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
` (122 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hasan Basbunar, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hasan Basbunar <basbunarhasan@gmail.com>
[ Upstream commit 5ef343614db766acdc01c56d66e780a1b43c6ac6 ]
When page_pool_create_percpu() fails on page_pool_list(), it falls
through to its err_uninit: label, which calls page_pool_uninit().
At that point page_pool_init() has already taken two references
when the user requested PP_FLAG_ALLOW_UNREADABLE_NETMEM:
pool->mp_ops->init(pool)
static_branch_inc(&page_pool_mem_providers);
Neither is undone by page_pool_uninit(); both are only undone by
__page_pool_destroy() (success-side teardown). The error path
therefore leaks the per-provider reference taken by mp_ops->init
(io_zcrx_ifq->refs in the io_uring zcrx provider, the dmabuf
binding refcount in the devmem provider) plus one increment of
the page_pool_mem_providers static branch on every failure of
xa_alloc_cyclic() inside page_pool_list().
The leaked io_zcrx_ifq->refs in turn pins everything
io_zcrx_ifq_free() would release on cleanup: ifq->user (uid),
ifq->mm_account (mmdrop), ifq->dev (device refcount),
ifq->netdev_tracker (netdev refcount), and the rbuf region.
The leaked static branch increment forces all subsequent
page_pool_alloc_netmems() and page_pool_return_page() callers to
take the slow mp_ops branch for the lifetime of the kernel.
Reachable via the io_uring zcrx path:
io_uring_register(IORING_REGISTER_ZCRX_IFQ) /* CAP_NET_ADMIN */
-> __io_uring_register
-> io_register_zcrx
-> zcrx_register_netdev
-> netif_mp_open_rxq
-> driver ndo_queue_mem_alloc
-> page_pool_create_percpu
-> page_pool_init succeeds (mp_ops->init runs, branch++)
-> page_pool_list fails (xa_alloc_cyclic -ENOMEM)
-> goto err_uninit <-- leak
The same shape applies to the devmem dmabuf provider via
mp_dmabuf_devmem_init()/mp_dmabuf_devmem_destroy().
Restore the cleanup symmetry by moving the mp_ops->destroy() and
static_branch_dec() calls out of __page_pool_destroy() and into
page_pool_uninit(), so page_pool_uninit() is again the strict
inverse of page_pool_init(). page_pool_uninit() has only two
callers (the err_uninit: path and __page_pool_destroy()), so this
preserves the single-call invariant on the success path while
fixing the err path. The error path of page_pool_init() itself
still skips the mp_ops cleanup correctly: mp_ops->init is the
last action that takes a reference before page_pool_init() returns
0, so when it returns an error neither the refcount nor the static
branch has been touched.
Triggering the bug requires xa_alloc_cyclic() to fail with -ENOMEM,
which under normal GFP_KERNEL retry behaviour is rare. It is
deterministic under CONFIG_FAULT_INJECTION with fail_page_alloc /
xa fault injection, or under sustained memory pressure. The leak
is silent: there is no warning, and the released kernel build
continues running with a permanently-incremented static branch.
Fixes: 0f9214046893 ("memory-provider: dmabuf devmem memory provider")
Signed-off-by: Hasan Basbunar <basbunarhasan@gmail.com>
Link: https://patch.msgid.link/20260428170739.34881-1-basbunarhasan@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/page_pool.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/core/page_pool.c b/net/core/page_pool.c
index 1a5edec485f14..b775b6305fb78 100644
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -323,6 +323,11 @@ static void page_pool_uninit(struct page_pool *pool)
if (!pool->system)
free_percpu(pool->recycle_stats);
#endif
+
+ if (pool->mp_ops) {
+ pool->mp_ops->destroy(pool);
+ static_branch_dec(&page_pool_mem_providers);
+ }
}
/**
@@ -1122,11 +1127,6 @@ static void __page_pool_destroy(struct page_pool *pool)
page_pool_unlist(pool);
page_pool_uninit(pool);
- if (pool->mp_ops) {
- pool->mp_ops->destroy(pool);
- static_branch_dec(&page_pool_mem_providers);
- }
-
kfree(pool);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 841/957] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (839 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 840/957] page_pool: fix memory-provider leak in page_pool_create_percpu() error path Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 842/957] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
` (121 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Simon Horman, Przemek Kitszel, Jacob Keller,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 70d62b669f1f9080a25278fc90b64309f4ae8959 ]
Rename the IAVF_VLAN_IS_NEW state to IAVF_VLAN_ADDING to better
describe what the state represents: an ADD request has been sent to
the PF and is waiting for a response.
This is a pure rename with no behavioral change, preparing for a
cleanup of the VLAN filter state machine.
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-1-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: f2ce65b9b917 ("iavf: stop removing VLAN filters from PF on interface down")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 2 +-
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index e9fb0a0919e37..47a862ca5e2c3 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -158,7 +158,7 @@ struct iavf_vlan {
enum iavf_vlan_state_t {
IAVF_VLAN_INVALID,
IAVF_VLAN_ADD, /* filter needs to be added */
- IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */
+ IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 291b21230b65f..9dab61f198c0d 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -746,7 +746,7 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter)
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_IS_NEW) {
+ if (f->state == IAVF_VLAN_ADDING) {
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
@@ -811,7 +811,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
if (f->state == IAVF_VLAN_ADD) {
vvfl->vlan_id[i] = f->vlan.vid;
i++;
- f->state = IAVF_VLAN_IS_NEW;
+ f->state = IAVF_VLAN_ADDING;
if (i == count)
break;
}
@@ -872,7 +872,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
vlan->tpid = f->vlan.tpid;
i++;
- f->state = IAVF_VLAN_IS_NEW;
+ f->state = IAVF_VLAN_ADDING;
}
}
@@ -2906,7 +2906,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry(f, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_IS_NEW)
+ if (f->state == IAVF_VLAN_ADDING)
f->state = IAVF_VLAN_ACTIVE;
}
spin_unlock_bh(&adapter->mac_vlan_list_lock);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 842/957] iavf: stop removing VLAN filters from PF on interface down
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (840 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 841/957] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 843/957] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
` (120 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Simon Horman, Przemek Kitszel, Jacob Keller,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit f2ce65b9b917474a1a6ce68d357e15fac2aca0f2 ]
When a VF goes down, the driver currently sends DEL_VLAN to the PF for
every VLAN filter (ACTIVE -> DISABLE -> send DEL -> INACTIVE), then
re-adds them all on UP (INACTIVE -> ADD -> send ADD -> ADDING ->
ACTIVE). This round-trip is unnecessary because:
1. The PF disables the VF's queues via VIRTCHNL_OP_DISABLE_QUEUES,
which already prevents all RX/TX traffic regardless of VLAN filter
state.
2. The VLAN filters remaining in PF HW while the VF is down is
harmless - packets matching those filters have nowhere to go with
queues disabled.
3. The DEL+ADD cycle during down/up creates race windows where the
VLAN filter list is incomplete. With spoofcheck enabled, the PF
enables TX VLAN filtering on the first non-zero VLAN add, blocking
traffic for any VLANs not yet re-added.
Remove the entire DISABLE/INACTIVE state machinery:
- Remove IAVF_VLAN_DISABLE and IAVF_VLAN_INACTIVE enum values
- Remove iavf_restore_filters() and its call from iavf_open()
- Remove VLAN filter handling from iavf_clear_mac_vlan_filters(),
rename it to iavf_clear_mac_filters()
- Remove DEL_VLAN_FILTER scheduling from iavf_down()
- Remove all DISABLE/INACTIVE handling from iavf_del_vlans()
VLAN filters now stay ACTIVE across down/up cycles. Only explicit
user removal (ndo_vlan_rx_kill_vid) or PF/VF reset triggers VLAN
filter deletion/re-addition.
Fixes: ed1f5b58ea01 ("i40evf: remove VLAN filters on close")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-2-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 6 +--
drivers/net/ethernet/intel/iavf/iavf_main.c | 39 ++-----------------
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 33 +++-------------
3 files changed, 12 insertions(+), 66 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index 47a862ca5e2c3..5765715914d6b 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -159,10 +159,8 @@ enum iavf_vlan_state_t {
IAVF_VLAN_INVALID,
IAVF_VLAN_ADD, /* filter needs to be added */
IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
- IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
- IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
- IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
- IAVF_VLAN_REMOVE, /* filter needs to be removed from list */
+ IAVF_VLAN_ACTIVE, /* PF confirmed, filter is in HW */
+ IAVF_VLAN_REMOVE, /* filter queued for DEL from PF */
};
struct iavf_vlan_filter {
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 0a72d419782e5..a12ae6446c06c 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -801,27 +801,6 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
-/**
- * iavf_restore_filters
- * @adapter: board private structure
- *
- * Restore existing non MAC filters when VF netdev comes back up
- **/
-static void iavf_restore_filters(struct iavf_adapter *adapter)
-{
- struct iavf_vlan_filter *f;
-
- /* re-add all VLAN filters */
- spin_lock_bh(&adapter->mac_vlan_list_lock);
-
- list_for_each_entry(f, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_INACTIVE)
- f->state = IAVF_VLAN_ADD;
- }
-
- spin_unlock_bh(&adapter->mac_vlan_list_lock);
- adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
-}
/**
* iavf_get_num_vlans_added - get number of VLANs added
@@ -1240,13 +1219,12 @@ static void iavf_up_complete(struct iavf_adapter *adapter)
}
/**
- * iavf_clear_mac_vlan_filters - Remove mac and vlan filters not sent to PF
- * yet and mark other to be removed.
+ * iavf_clear_mac_filters - Remove MAC filters not sent to PF yet and mark
+ * others to be removed.
* @adapter: board private structure
**/
-static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
+static void iavf_clear_mac_filters(struct iavf_adapter *adapter)
{
- struct iavf_vlan_filter *vlf, *vlftmp;
struct iavf_mac_filter *f, *ftmp;
spin_lock_bh(&adapter->mac_vlan_list_lock);
@@ -1265,11 +1243,6 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
}
}
- /* disable all VLAN filters */
- list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list,
- list)
- vlf->state = IAVF_VLAN_DISABLE;
-
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
@@ -1365,7 +1338,7 @@ void iavf_down(struct iavf_adapter *adapter)
iavf_napi_disable_all(adapter);
iavf_irq_disable(adapter);
- iavf_clear_mac_vlan_filters(adapter);
+ iavf_clear_mac_filters(adapter);
iavf_clear_cloud_filters(adapter);
iavf_clear_fdir_filters(adapter);
iavf_clear_adv_rss_conf(adapter);
@@ -1382,8 +1355,6 @@ void iavf_down(struct iavf_adapter *adapter)
*/
if (!list_empty(&adapter->mac_filter_list))
adapter->aq_required |= IAVF_FLAG_AQ_DEL_MAC_FILTER;
- if (!list_empty(&adapter->vlan_filter_list))
- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
if (!list_empty(&adapter->cloud_filter_list))
adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER;
if (!list_empty(&adapter->fdir_list_head))
@@ -4492,8 +4463,6 @@ static int iavf_open(struct net_device *netdev)
iavf_add_filter(adapter, adapter->hw.mac.addr);
spin_unlock_bh(&adapter->mac_vlan_list_lock);
- /* Restore filters that were removed with IFF_DOWN */
- iavf_restore_filters(adapter);
iavf_restore_fdir_filters(adapter);
iavf_configure(adapter);
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 9dab61f198c0d..8a856ec5ef480 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -909,22 +909,12 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- /* since VLAN capabilities are not allowed, we dont want to send
- * a VLAN delete request because it will most likely fail and
- * create unnecessary errors/noise, so just free the VLAN
- * filters marked for removal to enable bailing out before
- * sending a virtchnl message
- */
if (f->state == IAVF_VLAN_REMOVE &&
!VLAN_FILTERING_ALLOWED(adapter)) {
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
- } else if (f->state == IAVF_VLAN_DISABLE &&
- !VLAN_FILTERING_ALLOWED(adapter)) {
- f->state = IAVF_VLAN_INACTIVE;
- } else if (f->state == IAVF_VLAN_REMOVE ||
- f->state == IAVF_VLAN_DISABLE) {
+ } else if (f->state == IAVF_VLAN_REMOVE) {
count++;
}
}
@@ -956,13 +946,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl->vsi_id = adapter->vsi_res->vsi_id;
vvfl->num_elements = count;
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_DISABLE) {
- vvfl->vlan_id[i] = f->vlan.vid;
- f->state = IAVF_VLAN_INACTIVE;
- i++;
- if (i == count)
- break;
- } else if (f->state == IAVF_VLAN_REMOVE) {
+ if (f->state == IAVF_VLAN_REMOVE) {
vvfl->vlan_id[i] = f->vlan.vid;
list_del(&f->list);
kfree(f);
@@ -1003,8 +987,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
vvfl_v2->num_elements = count;
list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
- if (f->state == IAVF_VLAN_DISABLE ||
- f->state == IAVF_VLAN_REMOVE) {
+ if (f->state == IAVF_VLAN_REMOVE) {
struct virtchnl_vlan_supported_caps *filtering_support =
&adapter->vlan_v2_caps.filtering.filtering_support;
struct virtchnl_vlan *vlan;
@@ -1018,13 +1001,9 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vlan->tci = f->vlan.vid;
vlan->tpid = f->vlan.tpid;
- if (f->state == IAVF_VLAN_DISABLE) {
- f->state = IAVF_VLAN_INACTIVE;
- } else {
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
- }
+ list_del(&f->list);
+ kfree(f);
+ adapter->num_vlan_filters--;
i++;
if (i == count)
break;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 843/957] iavf: wait for PF confirmation before removing VLAN filters
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (841 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 842/957] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 844/957] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
` (119 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Przemek Kitszel, Jacob Keller, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit bbcbe4ed70dea948849549af7edf44bd42bbd695 ]
The VLAN filter DELETE path was asymmetric with the ADD path: ADD
waits for PF confirmation (ADD -> ADDING -> ACTIVE), but DELETE
immediately frees the filter struct after sending the DEL message
without waiting for the PF response.
This is problematic because:
- If the PF rejects the DEL, the filter remains in HW but the driver
has already freed the tracking structure, losing sync.
- Race conditions between DEL pending and other operations
(add, reset) cannot be properly resolved if the filter struct
is already gone.
Add IAVF_VLAN_REMOVING state to make the DELETE path symmetric:
REMOVE -> REMOVING (send DEL) -> PF confirms -> kfree
-> PF rejects -> ACTIVE
In iavf_del_vlans(), transition filters from REMOVE to REMOVING
instead of immediately freeing them. The new DEL completion handler
in iavf_virtchnl_completion() frees filters on success or reverts
them to ACTIVE on error.
Update iavf_add_vlan() to handle the REMOVING state: if a DEL is
pending and the user re-adds the same VLAN, queue it for ADD so
it gets re-programmed after the PF processes the DEL.
The !VLAN_FILTERING_ALLOWED early-exit path still frees filters
directly since no PF message is sent in that case.
Also update iavf_del_vlan() to skip filters already in REMOVING
state: DEL has been sent to PF and the completion handler will
free the filter when PF confirms. Without this guard, the sequence
DEL(pending) -> user-del -> second DEL could cause the PF to return
an error for the second DEL (filter already gone), causing the
completion handler to incorrectly revert a deleted filter back to
ACTIVE.
Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-3-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf.h | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++---
.../net/ethernet/intel/iavf/iavf_virtchnl.c | 37 +++++++++++++------
3 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
index 5765715914d6b..050f8241ef5e6 100644
--- a/drivers/net/ethernet/intel/iavf/iavf.h
+++ b/drivers/net/ethernet/intel/iavf/iavf.h
@@ -161,6 +161,7 @@ enum iavf_vlan_state_t {
IAVF_VLAN_ADDING, /* ADD sent to PF, waiting for response */
IAVF_VLAN_ACTIVE, /* PF confirmed, filter is in HW */
IAVF_VLAN_REMOVE, /* filter queued for DEL from PF */
+ IAVF_VLAN_REMOVING, /* DEL sent to PF, waiting for response */
};
struct iavf_vlan_filter {
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index a12ae6446c06c..d09add9a110ea 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -757,10 +757,10 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
adapter->num_vlan_filters++;
iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
} else if (f->state == IAVF_VLAN_REMOVE) {
- /* Re-add the filter since we cannot tell whether the
- * pending delete has already been processed by the PF.
- * A duplicate add is harmless.
- */
+ /* DEL not yet sent to PF, cancel it */
+ f->state = IAVF_VLAN_ACTIVE;
+ } else if (f->state == IAVF_VLAN_REMOVING) {
+ /* DEL already sent to PF, re-add after completion */
f->state = IAVF_VLAN_ADD;
iavf_schedule_aq_request(adapter,
IAVF_FLAG_AQ_ADD_VLAN_FILTER);
@@ -791,11 +791,14 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
list_del(&f->list);
kfree(f);
adapter->num_vlan_filters--;
- } else {
+ } else if (f->state != IAVF_VLAN_REMOVING) {
f->state = IAVF_VLAN_REMOVE;
iavf_schedule_aq_request(adapter,
IAVF_FLAG_AQ_DEL_VLAN_FILTER);
}
+ /* If REMOVING, DEL is already sent to PF; completion
+ * handler will free the filter when PF confirms.
+ */
}
spin_unlock_bh(&adapter->mac_vlan_list_lock);
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 8a856ec5ef480..9132f16d853e5 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -945,12 +945,10 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl->vsi_id = adapter->vsi_res->vsi_id;
vvfl->num_elements = count;
- list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_REMOVE) {
vvfl->vlan_id[i] = f->vlan.vid;
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
+ f->state = IAVF_VLAN_REMOVING;
i++;
if (i == count)
break;
@@ -986,7 +984,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
vvfl_v2->num_elements = count;
- list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_REMOVE) {
struct virtchnl_vlan_supported_caps *filtering_support =
&adapter->vlan_v2_caps.filtering.filtering_support;
@@ -1001,9 +999,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
vlan->tci = f->vlan.vid;
vlan->tpid = f->vlan.tpid;
- list_del(&f->list);
- kfree(f);
- adapter->num_vlan_filters--;
+ f->state = IAVF_VLAN_REMOVING;
i++;
if (i == count)
break;
@@ -2366,10 +2362,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
ether_addr_copy(adapter->hw.mac.addr, netdev->dev_addr);
wake_up(&adapter->vc_waitqueue);
break;
- case VIRTCHNL_OP_DEL_VLAN:
- dev_err(&adapter->pdev->dev, "Failed to delete VLAN filter, error %s\n",
- iavf_stat_str(&adapter->hw, v_retval));
- break;
case VIRTCHNL_OP_DEL_ETH_ADDR:
dev_err(&adapter->pdev->dev, "Failed to delete MAC filter, error %s\n",
iavf_stat_str(&adapter->hw, v_retval));
@@ -2891,6 +2883,27 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_unlock_bh(&adapter->mac_vlan_list_lock);
}
break;
+ case VIRTCHNL_OP_DEL_VLAN:
+ case VIRTCHNL_OP_DEL_VLAN_V2: {
+ struct iavf_vlan_filter *f, *ftmp;
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list,
+ list) {
+ if (f->state == IAVF_VLAN_REMOVING) {
+ if (v_retval) {
+ /* PF rejected DEL, keep filter */
+ f->state = IAVF_VLAN_ACTIVE;
+ } else {
+ list_del(&f->list);
+ kfree(f);
+ adapter->num_vlan_filters--;
+ }
+ }
+ }
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+ }
+ break;
case VIRTCHNL_OP_ENABLE_VLAN_STRIPPING:
/* PF enabled vlan strip on this VF.
* Update netdev->features if needed to be in sync with ethtool.
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 844/957] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (842 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 843/957] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 845/957] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
` (118 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Aleksandr Loktionov,
Rafal Romanowski, Przemek Kitszel, Jacob Keller, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 34d33313b52eeac3a97ad2e3176d523ec70d9283 ]
The V1 ADD_VLAN opcode had no success handler; filters sent via V1
stayed in ADDING state permanently. Add a fallthrough case so V1
filters also transition ADDING -> ACTIVE on PF confirmation.
Critically, add an `if (v_retval) break` guard: the error switch in
iavf_virtchnl_completion() does NOT return after handling errors,
it falls through to the success switch. Without this guard, a
PF-rejected ADD would incorrectly mark ADDING filters as ACTIVE,
creating a driver/HW mismatch where the driver believes the filter
is installed but the PF never accepted it.
For V2, this is harmless: iavf_vlan_add_reject() in the error
block already kfree'd all ADDING filters, so the success handler
finds nothing to transition.
Fixes: 968996c070ef ("iavf: Fix VLAN_V2 addition/rejection")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-4-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
index 9132f16d853e5..f1a01b8e2235c 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
@@ -2872,9 +2872,13 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
spin_unlock_bh(&adapter->adv_rss_lock);
}
break;
+ case VIRTCHNL_OP_ADD_VLAN:
case VIRTCHNL_OP_ADD_VLAN_V2: {
struct iavf_vlan_filter *f;
+ if (v_retval)
+ break;
+
spin_lock_bh(&adapter->mac_vlan_list_lock);
list_for_each_entry(f, &adapter->vlan_filter_list, list) {
if (f->state == IAVF_VLAN_ADDING)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 845/957] ice: fix NULL pointer dereference in ice_reset_all_vfs()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (843 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 844/957] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 846/957] ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw Greg Kroah-Hartman
` (117 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Rafal Romanowski,
Jacob Keller, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 54ef02487914c24170c7e1c061e45212dc55365e ]
ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().
When the VSI rebuild fails (e.g. during NVM firmware update via
nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,
leaving txq_map and rxq_map as NULL. The subsequent unconditional call
to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in
ice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].
The single-VF reset path in ice_reset_vf() already handles this
correctly by checking the return value of ice_vf_reconfig_vsi() and
skipping ice_vf_post_vsi_rebuild() on failure.
Apply the same pattern to ice_reset_all_vfs(): check the return value
of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and
ice_eswitch_attach_vf() on failure. The VF is left safely disabled
(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can
be recovered via a VFLR triggered by a PCI reset of the VF
(sysfs reset or driver rebind).
Note that this patch does not prevent the VF VSI rebuild from failing
during NVM update — the underlying cause is firmware being in a
transitional state while the EMP reset is processed, which can cause
Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This
patch only prevents the subsequent NULL pointer dereference that
crashes the kernel when the rebuild does fail.
crash> bt
PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"
#0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee
#1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba
#2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540
#3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda
#4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997
#5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595
#6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2
[exception RIP: ice_ena_vf_q_mappings+0x79]
RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206
RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000
RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040
R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000
R13: 0000000000000010 R14: R15:
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]
#8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]
#9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]
#10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4
#11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de
#12 [ff72159bcfe5bf18] kthread at ffffffffaa946663
#13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9
The panic occurs attempting to dereference the NULL pointer in RDX at
ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).
The faulting VSI is an allocated slab object but not fully initialized
after a failed ice_vsi_rebuild():
crash> struct ice_vsi 0xff34c9efc27d4828
netdev = 0x0,
rx_rings = 0x0,
tx_rings = 0x0,
q_vectors = 0x0,
txq_map = 0x0,
rxq_map = 0x0,
alloc_txq = 0x10,
num_txq = 0x10,
alloc_rxq = 0x10,
num_rxq = 0x10,
The nvmupdate64e process was performing NVM firmware update:
crash> bt 0xff34c9edd1a30000
PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"
#0 [ff72159bcd617618] __schedule at ffffffffab5333f8
#4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]
#5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]
#6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]
#7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]
#8 [ff72159bcd6178b8] ice_read_flat_nvm at ffffffffc0a4034c [ice]
#9 [ff72159bcd617918] ice_devlink_nvm_snapshot at ffffffffc0a6ffa5 [ice]
dmesg:
ice 0000:13:00.0: firmware recommends not updating fw.mgmt, as it
may result in a downgrade. continuing anyways
ice 0000:13:00.1: ice_init_nvm failed -5
ice 0000:13:00.1: Rebuild failed, unload and reload driver
Fixes: 12bb018c538c ("ice: Refactor VF reset")
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-5-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_vf_lib.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
index de9e81ccee664..e53a1e4247cb1 100644
--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
@@ -804,7 +804,12 @@ void ice_reset_all_vfs(struct ice_pf *pf)
ice_vf_ctrl_invalidate_vsi(vf);
ice_vf_pre_vsi_rebuild(vf);
- ice_vf_rebuild_vsi(vf);
+ if (ice_vf_rebuild_vsi(vf)) {
+ dev_err(dev, "VF %u VSI rebuild failed, leaving VF disabled\n",
+ vf->vf_id);
+ mutex_unlock(&vf->cfg_lock);
+ continue;
+ }
ice_vf_post_vsi_rebuild(vf);
ice_eswitch_attach_vf(pf, vf);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 846/957] ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (844 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 845/957] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 847/957] ice: fix missing SMA pin initialization in DPLL subsystem Greg Kroah-Hartman
` (116 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Paul Menzel, Jacob Keller,
Aleksandr Loktionov, Przemek Kitszel, Alexander Nowlin,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 70ad216411e030f67b1743774e245601194aee6a ]
On certain E810 configurations where firmware supports Tx scheduler
topology switching (tx_sched_topo_comp_mode_en), ice_cfg_tx_topo()
may need to apply a new 5-layer or 9-layer topology from the DDP
package. If the AQ command to set the topology fails (e.g. due to
invalid DDP data or firmware limitations), the global configuration
lock must still be cleared via a CORER reset.
Commit 86aae43f21cf ("ice: don't leave device non-functional if Tx
scheduler config fails") correctly fixed this by refactoring
ice_cfg_tx_topo() to always trigger CORER after acquiring the global
lock and re-initialize hardware via ice_init_hw() afterwards.
However, commit 8a37f9e2ff40 ("ice: move ice_deinit_dev() to the end
of deinit paths") later moved ice_init_dev_hw() into ice_init_hw(),
breaking the reinit path introduced by 86aae43f21cf. This creates an
infinite recursive call chain:
ice_init_hw()
ice_init_dev_hw()
ice_cfg_tx_topo() # topology change needed
ice_deinit_hw()
ice_init_hw() # reinit after CORER
ice_init_dev_hw() # recurse
ice_cfg_tx_topo()
... # stack overflow
Fix by moving ice_init_dev_hw() back out of ice_init_hw() and calling
it explicitly from ice_probe() and ice_devlink_reinit_up(). The third
caller, ice_cfg_tx_topo(), intentionally does not need ice_init_dev_hw()
during its reinit, it only needs the core HW reinitialization. This
breaks the recursion cleanly without adding flags or guards.
The deinit ordering changes from commit 8a37f9e2ff40 ("ice: move
ice_deinit_dev() to the end of deinit paths") which fixed slow rmmod
are preserved, only the init-side placement of ice_init_dev_hw() is
reverted.
Fixes: 8a37f9e2ff40 ("ice: move ice_deinit_dev() to the end of deinit paths")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-6-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/devlink/devlink.c | 2 ++
drivers/net/ethernet/intel/ice/ice_common.c | 2 --
drivers/net/ethernet/intel/ice/ice_main.c | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/devlink/devlink.c b/drivers/net/ethernet/intel/ice/devlink/devlink.c
index 862ff1cdd46d6..839b7bfa19359 100644
--- a/drivers/net/ethernet/intel/ice/devlink/devlink.c
+++ b/drivers/net/ethernet/intel/ice/devlink/devlink.c
@@ -1243,6 +1243,8 @@ static int ice_devlink_reinit_up(struct ice_pf *pf)
return err;
}
+ ice_init_dev_hw(pf);
+
/* load MSI-X values */
ice_set_min_max_msix(pf);
diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
index c23a31ec3c413..4dcc3b41800b3 100644
--- a/drivers/net/ethernet/intel/ice/ice_common.c
+++ b/drivers/net/ethernet/intel/ice/ice_common.c
@@ -1162,8 +1162,6 @@ int ice_init_hw(struct ice_hw *hw)
if (status)
goto err_unroll_fltr_mgmt_struct;
- ice_init_dev_hw(hw->back);
-
mutex_init(&hw->tnl_lock);
ice_init_chk_recipe_reuse_support(hw);
diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
index a4ae032f2161b..c064c3653c540 100644
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -5321,6 +5321,8 @@ ice_probe(struct pci_dev *pdev, const struct pci_device_id __always_unused *ent)
return err;
}
+ ice_init_dev_hw(pf);
+
adapter = ice_adapter_get(pdev);
if (IS_ERR(adapter)) {
err = PTR_ERR(adapter);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 847/957] ice: fix missing SMA pin initialization in DPLL subsystem
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (845 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 846/957] ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 848/957] ice: fix SMA and U.FL pin state changes affecting paired pin Greg Kroah-Hartman
` (115 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Ivan Vecera,
Arkadiusz Kubalewski, Alexander Nowlin, Jacob Keller, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 56a643aed0f0af5c29ebb4593d4917b78344dd48 ]
The DPLL SMA/U.FL pin redesign introduced ice_dpll_sw_pin_frequency_get()
which gates frequency reporting on the pin's active flag. This flag is
determined by ice_dpll_sw_pins_update() from the PCA9575 GPIO expander
state. Before the redesign, SMA pins were exposed as direct HW
input/output pins and ice_dpll_frequency_get() returned the CGU
frequency unconditionally — the PCA9575 state was never consulted.
The PCA9575 powers on with all outputs high, setting ICE_SMA1_DIR_EN,
ICE_SMA1_TX_EN, ICE_SMA2_DIR_EN and ICE_SMA2_TX_EN. Nothing in the
driver writes the register during initialization, so
ice_dpll_sw_pins_update() sees all pins as inactive and
ice_dpll_sw_pin_frequency_get() permanently returns 0 Hz for every
SW pin.
Fix this by writing a default SMA configuration in
ice_dpll_init_info_sw_pins(): clear all SMA bits, then set SMA1 and
SMA2 as active inputs (DIR_EN=0) with U.FL1 output and U.FL2 input
disabled. Each SMA/U.FL pair shares a physical signal path so only
one pin per pair can be active at a time. U.FL pins still report
frequency 0 after this fix: U.FL1 (output-only) is disabled by
ICE_SMA1_TX_EN which keeps the TX output buffer off, and U.FL2
(input-only) is disabled by ICE_SMA2_UFL2_RX_DIS. They can be
activated by changing the corresponding SMA pin direction via dpll
netlink.
Fixes: 2dd5d03c77e2 ("ice: redesign dpll sma/u.fl pins control")
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-7-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dpll.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
index 53b54e395a2ed..c2ad39bfe177d 100644
--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
+++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
@@ -3545,6 +3545,7 @@ static int ice_dpll_init_info_sw_pins(struct ice_pf *pf)
struct ice_dpll_pin *pin;
u32 phase_adj_max, caps;
int i, ret;
+ u8 data;
if (pf->hw.device_id == ICE_DEV_ID_E810C_QSFP)
input_idx_offset = ICE_E810_RCLK_PINS_NUM;
@@ -3604,6 +3605,22 @@ static int ice_dpll_init_info_sw_pins(struct ice_pf *pf)
}
ice_dpll_phase_range_set(&pin->prop.phase_range, phase_adj_max);
}
+
+ /* Initialize the SMA control register to a known-good default state.
+ * Without this write the PCA9575 GPIO expander retains its power-on
+ * default (all outputs high) which makes all SW pins appear inactive.
+ * Set SMA1 and SMA2 as active inputs, disable U.FL1 output and
+ * U.FL2 input.
+ */
+ ret = ice_read_sma_ctrl(&pf->hw, &data);
+ if (ret)
+ return ret;
+ data &= ~ICE_ALL_SMA_MASK;
+ data |= ICE_SMA1_TX_EN | ICE_SMA2_TX_EN | ICE_SMA2_UFL2_RX_DIS;
+ ret = ice_write_sma_ctrl(&pf->hw, data);
+ if (ret)
+ return ret;
+
ret = ice_dpll_pin_state_update(pf, pin, ICE_DPLL_PIN_TYPE_SOFTWARE,
NULL);
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 848/957] ice: fix SMA and U.FL pin state changes affecting paired pin
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (846 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 847/957] ice: fix missing SMA pin initialization in DPLL subsystem Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 849/957] ice: fix missing dpll notifications for SW pins Greg Kroah-Hartman
` (114 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Alexander Nowlin,
Arkadiusz Kubalewski, Jacob Keller, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 6f9d8393c9f50fbc68b9c9e99f78ca5a7b43ff44 ]
SMA and U.FL pins share physical signal paths in pairs (SMA1/U.FL1 and
SMA2/U.FL2) controlled by the PCA9575 GPIO expander. Each pair can
only have one active pin at a time: SMA1 output and U.FL1 output share
the same CGU output, SMA2 input and U.FL2 input share the same CGU
input. The PCA9575 register bits determine which connector in each
pair owns the signal path.
The driver does not account for this pairing in two places:
ice_dpll_ufl_pin_state_set() modifies PCA9575 bits and disables the
backing CGU pin without checking whether the U.FL pin is currently
active. Disconnecting an already inactive U.FL pin flips bits that
the paired SMA pin relies on, breaking its connection.
ice_dpll_sma_direction_set() does not propagate direction changes to
the paired U.FL pin. For SMA2/U.FL2 the ICE_SMA2_UFL2_RX_DIS bit is
never managed, so U.FL2 stays disconnected after SMA2 switches to
output. For both pairs the backing CGU pin of the U.FL side is never
enabled when a direction change activates it, so userspace sees the
pin as disconnected even though the routing is correct.
Fix by guarding the U.FL disconnect path against inactive pins and by
updating the paired U.FL pin fully on SMA direction changes: manage
ICE_SMA2_UFL2_RX_DIS for the SMA2/U.FL2 pair and enable the backing
CGU pin whenever the peer becomes active.
Fixes: 2dd5d03c77e2 ("ice: redesign dpll sma/u.fl pins control")
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-8-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dpll.c | 50 ++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
index c2ad39bfe177d..3254be7b0dca8 100644
--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
+++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
@@ -1090,6 +1090,8 @@ static int ice_dpll_sma_direction_set(struct ice_dpll_pin *p,
enum dpll_pin_direction direction,
struct netlink_ext_ack *extack)
{
+ struct ice_dplls *d = &p->pf->dplls;
+ struct ice_dpll_pin *peer;
u8 data;
int ret;
@@ -1108,8 +1110,9 @@ static int ice_dpll_sma_direction_set(struct ice_dpll_pin *p,
case ICE_DPLL_PIN_SW_2_IDX:
if (direction == DPLL_PIN_DIRECTION_INPUT) {
data &= ~ICE_SMA2_DIR_EN;
+ data |= ICE_SMA2_UFL2_RX_DIS;
} else {
- data &= ~ICE_SMA2_TX_EN;
+ data &= ~(ICE_SMA2_TX_EN | ICE_SMA2_UFL2_RX_DIS);
data |= ICE_SMA2_DIR_EN;
}
break;
@@ -1121,6 +1124,34 @@ static int ice_dpll_sma_direction_set(struct ice_dpll_pin *p,
ret = ice_dpll_pin_state_update(p->pf, p,
ICE_DPLL_PIN_TYPE_SOFTWARE,
extack);
+ if (ret)
+ return ret;
+
+ /* When a direction change activates the paired U.FL pin, enable
+ * its backing CGU pin so the pin reports as connected. Without
+ * this the U.FL routing is correct but the CGU pin stays disabled
+ * and userspace sees the pin as disconnected. Do not disable the
+ * backing pin when U.FL becomes inactive because the SMA pin may
+ * still be using it.
+ */
+ peer = &d->ufl[p->idx];
+ if (peer->active) {
+ struct ice_dpll_pin *target;
+ enum ice_dpll_pin_type type;
+
+ if (peer->output) {
+ target = peer->output;
+ type = ICE_DPLL_PIN_TYPE_OUTPUT;
+ } else {
+ target = peer->input;
+ type = ICE_DPLL_PIN_TYPE_INPUT;
+ }
+ ret = ice_dpll_pin_enable(&p->pf->hw, target,
+ d->eec.dpll_idx, type, extack);
+ if (!ret)
+ ret = ice_dpll_pin_state_update(p->pf, target,
+ type, extack);
+ }
return ret;
}
@@ -1172,6 +1203,14 @@ ice_dpll_ufl_pin_state_set(const struct dpll_pin *pin, void *pin_priv,
data &= ~ICE_SMA1_MASK;
enable = true;
} else if (state == DPLL_PIN_STATE_DISCONNECTED) {
+ /* Skip if U.FL1 is not active, setting TX_EN
+ * while DIR_EN is set would also deactivate
+ * the paired SMA1 output.
+ */
+ if (data & (ICE_SMA1_DIR_EN | ICE_SMA1_TX_EN)) {
+ ret = 0;
+ goto unlock;
+ }
data |= ICE_SMA1_TX_EN;
enable = false;
} else {
@@ -1186,6 +1225,15 @@ ice_dpll_ufl_pin_state_set(const struct dpll_pin *pin, void *pin_priv,
data &= ~ICE_SMA2_UFL2_RX_DIS;
enable = true;
} else if (state == DPLL_PIN_STATE_DISCONNECTED) {
+ /* Skip if U.FL2 is not active, setting
+ * UFL2_RX_DIS could also disable the paired
+ * SMA2 input.
+ */
+ if (!(data & ICE_SMA2_DIR_EN) ||
+ (data & ICE_SMA2_UFL2_RX_DIS)) {
+ ret = 0;
+ goto unlock;
+ }
data |= ICE_SMA2_UFL2_RX_DIS;
enable = false;
} else {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 849/957] ice: fix missing dpll notifications for SW pins
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (847 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 848/957] ice: fix SMA and U.FL pin state changes affecting paired pin Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 850/957] dpll: Allow associating dpll pin with a firmware node Greg Kroah-Hartman
` (113 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Alexander Nowlin,
Arkadiusz Kubalewski, Aleksandr Loktionov, Ivan Vecera,
Jacob Keller, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 1a41b58fd4dc80dca16c717e6e77c88b9d4e83a7 ]
The SMA/U.FL pin redesign (commit 2dd5d03c77e2 ("ice: redesign dpll
sma/u.fl pins control")) introduced software-controlled pins that wrap
backing CGU input/output pins, but never updated the notification and
data paths to propagate pin events to these SW wrappers.
The periodic work sends dpll_pin_change_ntf() only for direct CGU input
pins. SW pins that wrap these inputs never receive change or phase
offset notifications, so userspace consumers such as synce4l monitoring
SMA pins via dpll netlink never learn about state transitions or phase
offset updates. Similarly, ice_dpll_phase_offset_get() reads the SW
pin's own phase_offset field which is never updated; the PPS monitor
writes to the backing CGU input's field instead.
Fix by introducing ice_dpll_pin_ntf(), a wrapper around
dpll_pin_change_ntf() that also notifies any registered SMA/U.FL pin
whose backing CGU input matches. Replace all direct
dpll_pin_change_ntf() calls in the periodic notification paths with
this wrapper. Fix ice_dpll_phase_offset_get() to return the backing
CGU input's phase_offset for input-direction SW pins.
Fixes: 2dd5d03c77e2 ("ice: redesign dpll sma/u.fl pins control")
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-10-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dpll.c | 47 +++++++++++++++++------
1 file changed, 36 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
index 3254be7b0dca8..baf492f5c4925 100644
--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
+++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
@@ -1882,7 +1882,10 @@ ice_dpll_phase_offset_get(const struct dpll_pin *pin, void *pin_priv,
d->active_input == p->input->pin))
*phase_offset = d->phase_offset * ICE_DPLL_PHASE_OFFSET_FACTOR;
else if (d->phase_offset_monitor_period)
- *phase_offset = p->phase_offset * ICE_DPLL_PHASE_OFFSET_FACTOR;
+ *phase_offset = (p->input &&
+ p->direction == DPLL_PIN_DIRECTION_INPUT ?
+ p->input->phase_offset :
+ p->phase_offset) * ICE_DPLL_PHASE_OFFSET_FACTOR;
else
*phase_offset = 0;
mutex_unlock(&pf->dplls.lock);
@@ -2510,6 +2513,27 @@ static u64 ice_generate_clock_id(struct ice_pf *pf)
return pci_get_dsn(pf->pdev);
}
+/**
+ * ice_dpll_pin_ntf - notify pin change including any SW pin wrappers
+ * @dplls: pointer to dplls struct
+ * @pin: the dpll_pin that changed
+ *
+ * Send a change notification for @pin and for any registered SMA/U.FL pin
+ * whose backing CGU input matches @pin.
+ */
+static void ice_dpll_pin_ntf(struct ice_dplls *dplls, struct dpll_pin *pin)
+{
+ dpll_pin_change_ntf(pin);
+ for (int i = 0; i < ICE_DPLL_PIN_SW_NUM; i++) {
+ if (dplls->sma[i].pin && dplls->sma[i].input &&
+ dplls->sma[i].input->pin == pin)
+ dpll_pin_change_ntf(dplls->sma[i].pin);
+ if (dplls->ufl[i].pin && dplls->ufl[i].input &&
+ dplls->ufl[i].input->pin == pin)
+ dpll_pin_change_ntf(dplls->ufl[i].pin);
+ }
+}
+
/**
* ice_dpll_notify_changes - notify dpll subsystem about changes
* @d: pointer do dpll
@@ -2518,6 +2542,7 @@ static u64 ice_generate_clock_id(struct ice_pf *pf)
*/
static void ice_dpll_notify_changes(struct ice_dpll *d)
{
+ struct ice_dplls *dplls = &d->pf->dplls;
bool pin_notified = false;
if (d->prev_dpll_state != d->dpll_state) {
@@ -2526,17 +2551,17 @@ static void ice_dpll_notify_changes(struct ice_dpll *d)
}
if (d->prev_input != d->active_input) {
if (d->prev_input)
- dpll_pin_change_ntf(d->prev_input);
+ ice_dpll_pin_ntf(dplls, d->prev_input);
d->prev_input = d->active_input;
if (d->active_input) {
- dpll_pin_change_ntf(d->active_input);
+ ice_dpll_pin_ntf(dplls, d->active_input);
pin_notified = true;
}
}
if (d->prev_phase_offset != d->phase_offset) {
d->prev_phase_offset = d->phase_offset;
if (!pin_notified && d->active_input)
- dpll_pin_change_ntf(d->active_input);
+ ice_dpll_pin_ntf(dplls, d->active_input);
}
}
@@ -2565,6 +2590,7 @@ static bool ice_dpll_is_pps_phase_monitor(struct ice_pf *pf)
/**
* ice_dpll_pins_notify_mask - notify dpll subsystem about bulk pin changes
+ * @dplls: pointer to dplls struct
* @pins: array of ice_dpll_pin pointers registered within dpll subsystem
* @pin_num: number of pins
* @phase_offset_ntf_mask: bitmask of pin indexes to notify
@@ -2574,15 +2600,14 @@ static bool ice_dpll_is_pps_phase_monitor(struct ice_pf *pf)
*
* Context: Must be called while pf->dplls.lock is released.
*/
-static void ice_dpll_pins_notify_mask(struct ice_dpll_pin *pins,
+static void ice_dpll_pins_notify_mask(struct ice_dplls *dplls,
+ struct ice_dpll_pin *pins,
u8 pin_num,
u32 phase_offset_ntf_mask)
{
- int i = 0;
-
- for (i = 0; i < pin_num; i++)
- if (phase_offset_ntf_mask & (1 << i))
- dpll_pin_change_ntf(pins[i].pin);
+ for (int i = 0; i < pin_num; i++)
+ if (phase_offset_ntf_mask & BIT(i))
+ ice_dpll_pin_ntf(dplls, pins[i].pin);
}
/**
@@ -2758,7 +2783,7 @@ static void ice_dpll_periodic_work(struct kthread_work *work)
ice_dpll_notify_changes(de);
ice_dpll_notify_changes(dp);
if (phase_offset_ntf)
- ice_dpll_pins_notify_mask(d->inputs, d->num_inputs,
+ ice_dpll_pins_notify_mask(d, d->inputs, d->num_inputs,
phase_offset_ntf);
resched:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 850/957] dpll: Allow associating dpll pin with a firmware node
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (848 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 849/957] ice: fix missing dpll notifications for SW pins Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 851/957] dpll: Add notifier chain for dpll events Greg Kroah-Hartman
` (112 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Vadim Fedorenko,
Ivan Vecera, Arkadiusz Kubalewski, Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
[ Upstream commit d0f4771e2befbe8de3a16a564c6bbd1d5502cec3 ]
Extend the DPLL core to support associating a DPLL pin with a firmware
node. This association is required to allow other subsystems (such as
network drivers) to locate and request specific DPLL pins defined in
the Device Tree or ACPI.
* Add a .fwnode field to the struct dpll_pin
* Introduce dpll_pin_fwnode_set() helper to allow the provider driver
to associate a pin with a fwnode after the pin has been allocated
* Introduce fwnode_dpll_pin_find() helper to allow consumers to search
for a registered DPLL pin using its associated fwnode handle
* Ensure the fwnode reference is properly released in dpll_pin_put()
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-2-ivecera@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 9e5dead140af ("ice: add dpll peer notification for paired SMA and U.FL pins")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dpll/dpll_core.c | 49 ++++++++++++++++++++++++++++++++++++++++
drivers/dpll/dpll_core.h | 2 ++
include/linux/dpll.h | 11 +++++++++
3 files changed, 62 insertions(+)
diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c
index 8879a72351561..f04ed7195cadd 100644
--- a/drivers/dpll/dpll_core.c
+++ b/drivers/dpll/dpll_core.c
@@ -10,6 +10,7 @@
#include <linux/device.h>
#include <linux/err.h>
+#include <linux/property.h>
#include <linux/slab.h>
#include <linux/string.h>
@@ -595,12 +596,60 @@ void dpll_pin_put(struct dpll_pin *pin)
xa_destroy(&pin->parent_refs);
xa_destroy(&pin->ref_sync_pins);
dpll_pin_prop_free(&pin->prop);
+ fwnode_handle_put(pin->fwnode);
kfree_rcu(pin, rcu);
}
mutex_unlock(&dpll_lock);
}
EXPORT_SYMBOL_GPL(dpll_pin_put);
+/**
+ * dpll_pin_fwnode_set - set dpll pin firmware node reference
+ * @pin: pointer to a dpll pin
+ * @fwnode: firmware node handle
+ *
+ * Set firmware node handle for the given dpll pin.
+ */
+void dpll_pin_fwnode_set(struct dpll_pin *pin, struct fwnode_handle *fwnode)
+{
+ mutex_lock(&dpll_lock);
+ fwnode_handle_put(pin->fwnode); /* Drop fwnode previously set */
+ pin->fwnode = fwnode_handle_get(fwnode);
+ mutex_unlock(&dpll_lock);
+}
+EXPORT_SYMBOL_GPL(dpll_pin_fwnode_set);
+
+/**
+ * fwnode_dpll_pin_find - find dpll pin by firmware node reference
+ * @fwnode: reference to firmware node
+ *
+ * Get existing object of a pin that is associated with given firmware node
+ * reference.
+ *
+ * Context: Acquires a lock (dpll_lock)
+ * Return:
+ * * valid dpll_pin pointer on success
+ * * NULL when no such pin exists
+ */
+struct dpll_pin *fwnode_dpll_pin_find(struct fwnode_handle *fwnode)
+{
+ struct dpll_pin *pin, *ret = NULL;
+ unsigned long index;
+
+ mutex_lock(&dpll_lock);
+ xa_for_each(&dpll_pin_xa, index, pin) {
+ if (pin->fwnode == fwnode) {
+ ret = pin;
+ refcount_inc(&ret->refcount);
+ break;
+ }
+ }
+ mutex_unlock(&dpll_lock);
+
+ return ret;
+}
+EXPORT_SYMBOL_GPL(fwnode_dpll_pin_find);
+
static int
__dpll_pin_register(struct dpll_device *dpll, struct dpll_pin *pin,
const struct dpll_pin_ops *ops, void *priv, void *cookie)
diff --git a/drivers/dpll/dpll_core.h b/drivers/dpll/dpll_core.h
index 8ce969bbeb64e..d3e17ff0ecef0 100644
--- a/drivers/dpll/dpll_core.h
+++ b/drivers/dpll/dpll_core.h
@@ -42,6 +42,7 @@ struct dpll_device {
* @pin_idx: index of a pin given by dev driver
* @clock_id: clock_id of creator
* @module: module of creator
+ * @fwnode: optional reference to firmware node
* @dpll_refs: hold referencees to dplls pin was registered with
* @parent_refs: hold references to parent pins pin was registered with
* @ref_sync_pins: hold references to pins for Reference SYNC feature
@@ -54,6 +55,7 @@ struct dpll_pin {
u32 pin_idx;
u64 clock_id;
struct module *module;
+ struct fwnode_handle *fwnode;
struct xarray dpll_refs;
struct xarray parent_refs;
struct xarray ref_sync_pins;
diff --git a/include/linux/dpll.h b/include/linux/dpll.h
index 562f520b23c27..f0c31a111c304 100644
--- a/include/linux/dpll.h
+++ b/include/linux/dpll.h
@@ -16,6 +16,7 @@
struct dpll_device;
struct dpll_pin;
struct dpll_pin_esync;
+struct fwnode_handle;
struct dpll_device_ops {
int (*mode_get)(const struct dpll_device *dpll, void *dpll_priv,
@@ -173,6 +174,8 @@ void dpll_netdev_pin_clear(struct net_device *dev);
size_t dpll_netdev_pin_handle_size(const struct net_device *dev);
int dpll_netdev_add_pin_handle(struct sk_buff *msg,
const struct net_device *dev);
+
+struct dpll_pin *fwnode_dpll_pin_find(struct fwnode_handle *fwnode);
#else
static inline void
dpll_netdev_pin_set(struct net_device *dev, struct dpll_pin *dpll_pin) { }
@@ -188,6 +191,12 @@ dpll_netdev_add_pin_handle(struct sk_buff *msg, const struct net_device *dev)
{
return 0;
}
+
+static inline struct dpll_pin *
+fwnode_dpll_pin_find(struct fwnode_handle *fwnode)
+{
+ return NULL;
+}
#endif
struct dpll_device *
@@ -213,6 +222,8 @@ void dpll_pin_unregister(struct dpll_device *dpll, struct dpll_pin *pin,
void dpll_pin_put(struct dpll_pin *pin);
+void dpll_pin_fwnode_set(struct dpll_pin *pin, struct fwnode_handle *fwnode);
+
int dpll_pin_on_pin_register(struct dpll_pin *parent, struct dpll_pin *pin,
const struct dpll_pin_ops *ops, void *priv);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 851/957] dpll: Add notifier chain for dpll events
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (849 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 850/957] dpll: Allow associating dpll pin with a firmware node Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 852/957] dpll: export __dpll_pin_change_ntf() for use under dpll_lock Greg Kroah-Hartman
` (111 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Ivan Vecera,
Petr Oros, Arkadiusz Kubalewski, Aleksandr Loktionov, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 2be467588d6bc6ec5988fc254e62a44b865912a0 ]
Currently, the DPLL subsystem reports events (creation, deletion, changes)
to userspace via Netlink. However, there is no mechanism for other kernel
components to be notified of these events directly.
Add a raw notifier chain to the DPLL core protected by dpll_lock. This
allows other kernel subsystems or drivers to register callbacks and
receive notifications when DPLL devices or pins are created, deleted,
or modified.
Define the following:
- Registration helpers: {,un}register_dpll_notifier()
- Event types: DPLL_DEVICE_CREATED, DPLL_PIN_CREATED, etc.
- Context structures: dpll_{device,pin}_notifier_info to pass relevant
data to the listeners.
The notification chain is invoked alongside the existing Netlink event
generation to ensure in-kernel listeners are kept in sync with the
subsystem state.
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Co-developed-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Petr Oros <poros@redhat.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Link: https://patch.msgid.link/20260203174002.705176-4-ivecera@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 9e5dead140af ("ice: add dpll peer notification for paired SMA and U.FL pins")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dpll/dpll_core.c | 57 +++++++++++++++++++++++++++++++++++++
drivers/dpll/dpll_core.h | 4 +++
drivers/dpll/dpll_netlink.c | 6 ++++
include/linux/dpll.h | 29 +++++++++++++++++++
4 files changed, 96 insertions(+)
diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c
index f04ed7195cadd..b05fe2ba46d91 100644
--- a/drivers/dpll/dpll_core.c
+++ b/drivers/dpll/dpll_core.c
@@ -23,6 +23,8 @@ DEFINE_MUTEX(dpll_lock);
DEFINE_XARRAY_FLAGS(dpll_device_xa, XA_FLAGS_ALLOC);
DEFINE_XARRAY_FLAGS(dpll_pin_xa, XA_FLAGS_ALLOC);
+static RAW_NOTIFIER_HEAD(dpll_notifier_chain);
+
static u32 dpll_device_xa_id;
static u32 dpll_pin_xa_id;
@@ -46,6 +48,39 @@ struct dpll_pin_registration {
void *cookie;
};
+static int call_dpll_notifiers(unsigned long action, void *info)
+{
+ lockdep_assert_held(&dpll_lock);
+ return raw_notifier_call_chain(&dpll_notifier_chain, action, info);
+}
+
+void dpll_device_notify(struct dpll_device *dpll, unsigned long action)
+{
+ struct dpll_device_notifier_info info = {
+ .dpll = dpll,
+ .id = dpll->id,
+ .idx = dpll->device_idx,
+ .clock_id = dpll->clock_id,
+ .type = dpll->type,
+ };
+
+ call_dpll_notifiers(action, &info);
+}
+
+void dpll_pin_notify(struct dpll_pin *pin, unsigned long action)
+{
+ struct dpll_pin_notifier_info info = {
+ .pin = pin,
+ .id = pin->id,
+ .idx = pin->pin_idx,
+ .clock_id = pin->clock_id,
+ .fwnode = pin->fwnode,
+ .prop = &pin->prop,
+ };
+
+ call_dpll_notifiers(action, &info);
+}
+
struct dpll_device *dpll_device_get_by_id(int id)
{
if (xa_get_mark(&dpll_device_xa, id, DPLL_REGISTERED))
@@ -539,6 +574,28 @@ void dpll_netdev_pin_clear(struct net_device *dev)
}
EXPORT_SYMBOL(dpll_netdev_pin_clear);
+int register_dpll_notifier(struct notifier_block *nb)
+{
+ int ret;
+
+ mutex_lock(&dpll_lock);
+ ret = raw_notifier_chain_register(&dpll_notifier_chain, nb);
+ mutex_unlock(&dpll_lock);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(register_dpll_notifier);
+
+int unregister_dpll_notifier(struct notifier_block *nb)
+{
+ int ret;
+
+ mutex_lock(&dpll_lock);
+ ret = raw_notifier_chain_unregister(&dpll_notifier_chain, nb);
+ mutex_unlock(&dpll_lock);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(unregister_dpll_notifier);
+
/**
* dpll_pin_get - find existing or create new dpll pin
* @clock_id: clock_id of creator
diff --git a/drivers/dpll/dpll_core.h b/drivers/dpll/dpll_core.h
index d3e17ff0ecef0..b7b4bb251f739 100644
--- a/drivers/dpll/dpll_core.h
+++ b/drivers/dpll/dpll_core.h
@@ -91,4 +91,8 @@ struct dpll_pin_ref *dpll_xa_ref_dpll_first(struct xarray *xa_refs);
extern struct xarray dpll_device_xa;
extern struct xarray dpll_pin_xa;
extern struct mutex dpll_lock;
+
+void dpll_device_notify(struct dpll_device *dpll, unsigned long action);
+void dpll_pin_notify(struct dpll_pin *pin, unsigned long action);
+
#endif
diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c
index 64944f601ee5a..fe9c3d9073f0f 100644
--- a/drivers/dpll/dpll_netlink.c
+++ b/drivers/dpll/dpll_netlink.c
@@ -742,17 +742,20 @@ dpll_device_event_send(enum dpll_cmd event, struct dpll_device *dpll)
int dpll_device_create_ntf(struct dpll_device *dpll)
{
+ dpll_device_notify(dpll, DPLL_DEVICE_CREATED);
return dpll_device_event_send(DPLL_CMD_DEVICE_CREATE_NTF, dpll);
}
int dpll_device_delete_ntf(struct dpll_device *dpll)
{
+ dpll_device_notify(dpll, DPLL_DEVICE_DELETED);
return dpll_device_event_send(DPLL_CMD_DEVICE_DELETE_NTF, dpll);
}
static int
__dpll_device_change_ntf(struct dpll_device *dpll)
{
+ dpll_device_notify(dpll, DPLL_DEVICE_CHANGED);
return dpll_device_event_send(DPLL_CMD_DEVICE_CHANGE_NTF, dpll);
}
@@ -810,16 +813,19 @@ dpll_pin_event_send(enum dpll_cmd event, struct dpll_pin *pin)
int dpll_pin_create_ntf(struct dpll_pin *pin)
{
+ dpll_pin_notify(pin, DPLL_PIN_CREATED);
return dpll_pin_event_send(DPLL_CMD_PIN_CREATE_NTF, pin);
}
int dpll_pin_delete_ntf(struct dpll_pin *pin)
{
+ dpll_pin_notify(pin, DPLL_PIN_DELETED);
return dpll_pin_event_send(DPLL_CMD_PIN_DELETE_NTF, pin);
}
int __dpll_pin_change_ntf(struct dpll_pin *pin)
{
+ dpll_pin_notify(pin, DPLL_PIN_CHANGED);
return dpll_pin_event_send(DPLL_CMD_PIN_CHANGE_NTF, pin);
}
diff --git a/include/linux/dpll.h b/include/linux/dpll.h
index f0c31a111c304..34b005bb4df6f 100644
--- a/include/linux/dpll.h
+++ b/include/linux/dpll.h
@@ -11,6 +11,7 @@
#include <linux/device.h>
#include <linux/netlink.h>
#include <linux/netdevice.h>
+#include <linux/notifier.h>
#include <linux/rtnetlink.h>
struct dpll_device;
@@ -167,6 +168,30 @@ struct dpll_pin_properties {
u32 phase_gran;
};
+#define DPLL_DEVICE_CREATED 1
+#define DPLL_DEVICE_DELETED 2
+#define DPLL_DEVICE_CHANGED 3
+#define DPLL_PIN_CREATED 4
+#define DPLL_PIN_DELETED 5
+#define DPLL_PIN_CHANGED 6
+
+struct dpll_device_notifier_info {
+ struct dpll_device *dpll;
+ u32 id;
+ u32 idx;
+ u64 clock_id;
+ enum dpll_type type;
+};
+
+struct dpll_pin_notifier_info {
+ struct dpll_pin *pin;
+ u32 id;
+ u32 idx;
+ u64 clock_id;
+ const struct fwnode_handle *fwnode;
+ const struct dpll_pin_properties *prop;
+};
+
#if IS_ENABLED(CONFIG_DPLL)
void dpll_netdev_pin_set(struct net_device *dev, struct dpll_pin *dpll_pin);
void dpll_netdev_pin_clear(struct net_device *dev);
@@ -237,4 +262,8 @@ int dpll_device_change_ntf(struct dpll_device *dpll);
int dpll_pin_change_ntf(struct dpll_pin *pin);
+int register_dpll_notifier(struct notifier_block *nb);
+
+int unregister_dpll_notifier(struct notifier_block *nb);
+
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 852/957] dpll: export __dpll_pin_change_ntf() for use under dpll_lock
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (850 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 851/957] dpll: Add notifier chain for dpll events Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 853/957] ice: add dpll peer notification for paired SMA and U.FL pins Greg Kroah-Hartman
` (110 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Ivan Vecera,
Petr Oros, Alexander Nowlin, Arkadiusz Kubalewski, Jacob Keller,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
[ Upstream commit 620055cb1036a6125fd912e7a14b47a6572b809b ]
Export __dpll_pin_change_ntf() so that drivers can send pin change
notifications from within pin callbacks, which are already called
under dpll_lock. Using dpll_pin_change_ntf() in that context would
deadlock.
Add lockdep_assert_held() to catch misuse without the lock held.
Acked-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-9-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 9e5dead140af ("ice: add dpll peer notification for paired SMA and U.FL pins")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dpll/dpll_netlink.c | 10 ++++++++++
drivers/dpll/dpll_netlink.h | 2 --
include/linux/dpll.h | 1 +
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c
index fe9c3d9073f0f..de8b065280d15 100644
--- a/drivers/dpll/dpll_netlink.c
+++ b/drivers/dpll/dpll_netlink.c
@@ -823,11 +823,21 @@ int dpll_pin_delete_ntf(struct dpll_pin *pin)
return dpll_pin_event_send(DPLL_CMD_PIN_DELETE_NTF, pin);
}
+/**
+ * __dpll_pin_change_ntf - notify that the pin has been changed
+ * @pin: registered pin pointer
+ *
+ * Context: caller must hold dpll_lock. Suitable for use inside pin
+ * callbacks which are already invoked under dpll_lock.
+ * Return: 0 if succeeds, error code otherwise.
+ */
int __dpll_pin_change_ntf(struct dpll_pin *pin)
{
+ lockdep_assert_held(&dpll_lock);
dpll_pin_notify(pin, DPLL_PIN_CHANGED);
return dpll_pin_event_send(DPLL_CMD_PIN_CHANGE_NTF, pin);
}
+EXPORT_SYMBOL_GPL(__dpll_pin_change_ntf);
/**
* dpll_pin_change_ntf - notify that the pin has been changed
diff --git a/drivers/dpll/dpll_netlink.h b/drivers/dpll/dpll_netlink.h
index dd28b56d27c56..a9cfd55f57fc4 100644
--- a/drivers/dpll/dpll_netlink.h
+++ b/drivers/dpll/dpll_netlink.h
@@ -11,5 +11,3 @@ int dpll_device_delete_ntf(struct dpll_device *dpll);
int dpll_pin_create_ntf(struct dpll_pin *pin);
int dpll_pin_delete_ntf(struct dpll_pin *pin);
-
-int __dpll_pin_change_ntf(struct dpll_pin *pin);
diff --git a/include/linux/dpll.h b/include/linux/dpll.h
index 34b005bb4df6f..480ea3cbe709b 100644
--- a/include/linux/dpll.h
+++ b/include/linux/dpll.h
@@ -260,6 +260,7 @@ int dpll_pin_ref_sync_pair_add(struct dpll_pin *pin,
int dpll_device_change_ntf(struct dpll_device *dpll);
+int __dpll_pin_change_ntf(struct dpll_pin *pin);
int dpll_pin_change_ntf(struct dpll_pin *pin);
int register_dpll_notifier(struct notifier_block *nb);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 853/957] ice: add dpll peer notification for paired SMA and U.FL pins
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (851 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 852/957] dpll: export __dpll_pin_change_ntf() for use under dpll_lock Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 854/957] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
` (109 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Oros, Alexander Nowlin,
Arkadiusz Kubalewski, Aleksandr Loktionov, Jacob Keller,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Oros <poros@redhat.com>
[ Upstream commit 9e5dead140af10e8b5f975b8f04e46197d48d274 ]
SMA and U.FL pins share physical signal paths in pairs (SMA1/U.FL1 and
SMA2/U.FL2). When one pin's state changes via a PCA9575 GPIO write,
the paired pin's state also changes, but no notification is sent for
the peer pin. Userspace consumers monitoring the peer via dpll netlink
subscribe never learn about the update.
Add ice_dpll_sw_pin_notify_peer() which sends a change notification for
the paired SW pin. Call it from ice_dpll_pin_sma_direction_set(),
ice_dpll_sma_pin_state_set(), and ice_dpll_ufl_pin_state_set() after
pf->dplls.lock is released. Use __dpll_pin_change_ntf() because
dpll_lock is still held by the dpll netlink layer (dpll_pin_pre_doit).
Fixes: 2dd5d03c77e2 ("ice: redesign dpll sma/u.fl pins control")
Signed-off-by: Petr Oros <poros@redhat.com>
Tested-by: Alexander Nowlin <alexander.nowlin@intel.com>
Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260427-jk-iwl-net-petr-oros-fixes-v1-11-cdcb48303fd8@intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_dpll.c | 32 +++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
index baf492f5c4925..14048ac5eff56 100644
--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
+++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
@@ -1073,6 +1073,32 @@ ice_dpll_input_state_get(const struct dpll_pin *pin, void *pin_priv,
extack, ICE_DPLL_PIN_TYPE_INPUT);
}
+/**
+ * ice_dpll_sw_pin_notify_peer - notify the paired SW pin after a state change
+ * @d: pointer to dplls struct
+ * @changed: the SW pin that was explicitly changed (already notified by dpll core)
+ *
+ * SMA and U.FL pins share physical signal paths in pairs (SMA1/U.FL1 and
+ * SMA2/U.FL2). When one pin's routing changes via the PCA9575 GPIO
+ * expander, the paired pin's state may also change. Send a change
+ * notification for the peer pin so userspace consumers monitoring the
+ * peer via dpll netlink learn about the update.
+ *
+ * Context: Called from dpll_pin_ops callbacks after pf->dplls.lock is
+ * released. Uses __dpll_pin_change_ntf() because dpll_lock is
+ * still held by the dpll netlink layer.
+ */
+static void ice_dpll_sw_pin_notify_peer(struct ice_dplls *d,
+ struct ice_dpll_pin *changed)
+{
+ struct ice_dpll_pin *peer;
+
+ peer = (changed >= d->sma && changed < d->sma + ICE_DPLL_PIN_SW_NUM) ?
+ &d->ufl[changed->idx] : &d->sma[changed->idx];
+ if (peer->pin)
+ __dpll_pin_change_ntf(peer->pin);
+}
+
/**
* ice_dpll_sma_direction_set - set direction of SMA pin
* @p: pointer to a pin
@@ -1263,6 +1289,8 @@ ice_dpll_ufl_pin_state_set(const struct dpll_pin *pin, void *pin_priv,
unlock:
mutex_unlock(&pf->dplls.lock);
+ if (!ret)
+ ice_dpll_sw_pin_notify_peer(&pf->dplls, p);
return ret;
}
@@ -1381,6 +1409,8 @@ ice_dpll_sma_pin_state_set(const struct dpll_pin *pin, void *pin_priv,
unlock:
mutex_unlock(&pf->dplls.lock);
+ if (!ret)
+ ice_dpll_sw_pin_notify_peer(&pf->dplls, sma);
return ret;
}
@@ -1576,6 +1606,8 @@ ice_dpll_pin_sma_direction_set(const struct dpll_pin *pin, void *pin_priv,
mutex_lock(&pf->dplls.lock);
ret = ice_dpll_sma_direction_set(p, direction, extack);
mutex_unlock(&pf->dplls.lock);
+ if (!ret)
+ ice_dpll_sw_pin_notify_peer(&pf->dplls, p);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 854/957] net: tls: fix strparser anchor skb leak on offload RX setup failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (852 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 853/957] ice: add dpll peer notification for paired SMA and U.FL pins Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 855/957] sfc: fix error code in efx_devlink_info_running_versions() Greg Kroah-Hartman
` (108 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Vadim Fedorenko,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 58689498ca3384851145a754dbb1d8ed1cf9fb54 ]
When tls_set_device_offload_rx() fails at tls_dev_add(), the error path
calls tls_sw_free_resources_rx() to clean up the SW context that was
initialized by tls_set_sw_offload(). This function calls
tls_sw_release_resources_rx() (which stops the strparser via
tls_strp_stop()) and tls_sw_free_ctx_rx() (which kfrees the context),
but never frees the anchor skb that was allocated by alloc_skb(0) in
tls_strp_init().
Note that tls_sw_free_resources_rx() is exclusively used for this
"failed to start offload" code path, there's no other caller.
The leak did not exist before commit 84c61fe1a75b ("tls: rx: do not use
the standard strparser"), because the standard strparser doesn't try
to pre-allocate an skb.
The normal close path in tls_sk_proto_close() handles cleanup by calling
tls_sw_strparser_done() (which calls tls_strp_done()) after dropping
the socket lock, because tls_strp_done() does cancel_work_sync() and
the strparser work handler takes the socket lock.
Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260428231559.1358502-1-kuba@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls.h | 1 +
net/tls/tls_strp.c | 6 ++++++
net/tls/tls_sw.c | 4 ++++
3 files changed, 11 insertions(+)
diff --git a/net/tls/tls.h b/net/tls/tls.h
index 2f86baeb71fcb..a1d8467bece33 100644
--- a/net/tls/tls.h
+++ b/net/tls/tls.h
@@ -188,6 +188,7 @@ int tls_strp_dev_init(void);
void tls_strp_dev_exit(void);
void tls_strp_done(struct tls_strparser *strp);
+void __tls_strp_done(struct tls_strparser *strp);
void tls_strp_stop(struct tls_strparser *strp);
int tls_strp_init(struct tls_strparser *strp, struct sock *sk);
void tls_strp_data_ready(struct tls_strparser *strp);
diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
index 98e12f0ff57e5..c72e883176273 100644
--- a/net/tls/tls_strp.c
+++ b/net/tls/tls_strp.c
@@ -624,6 +624,12 @@ void tls_strp_done(struct tls_strparser *strp)
WARN_ON(!strp->stopped);
cancel_work_sync(&strp->work);
+ __tls_strp_done(strp);
+}
+
+/* For setup error paths where the strparser was initialized but never armed. */
+void __tls_strp_done(struct tls_strparser *strp)
+{
tls_strp_anchor_free(strp);
}
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 16aaf41a8cc09..f2ea190777f0b 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2625,8 +2625,12 @@ void tls_sw_free_ctx_rx(struct tls_context *tls_ctx)
void tls_sw_free_resources_rx(struct sock *sk)
{
struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_rx *ctx;
+
+ ctx = tls_sw_ctx_rx(tls_ctx);
tls_sw_release_resources_rx(sk);
+ __tls_strp_done(&ctx->strp);
tls_sw_free_ctx_rx(tls_ctx);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 855/957] sfc: fix error code in efx_devlink_info_running_versions()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (853 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 854/957] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 856/957] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
` (107 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Edward Cree,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
[ Upstream commit 051ffb001b8a232cfa6e72f38bb5f51c4270a60b ]
Return -EIO if efx_mcdi_rpc() doesn't return enough space.
Fixes: 14743ddd2495 ("sfc: add devlink info support for ef100")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Link: https://patch.msgid.link/afGpsbLRHL4_H0KS@stanley.mountain
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/sfc/efx_devlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sfc/efx_devlink.c b/drivers/net/ethernet/sfc/efx_devlink.c
index d842c60dfc100..e5c6f81af48be 100644
--- a/drivers/net/ethernet/sfc/efx_devlink.c
+++ b/drivers/net/ethernet/sfc/efx_devlink.c
@@ -531,7 +531,7 @@ static int efx_devlink_info_running_versions(struct efx_nic *efx,
if (rc || outlength < MC_CMD_GET_VERSION_OUT_LEN) {
netif_err(efx, drv, efx->net_dev,
"mcdi MC_CMD_GET_VERSION failed\n");
- return rc;
+ return rc ?: -EIO;
}
/* Handle previous output */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 856/957] net/sched: cls_flower: revert unintended changes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (854 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 855/957] sfc: fix error code in efx_devlink_info_running_versions() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 857/957] kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition Greg Kroah-Hartman
` (106 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 1e01abec856593e02cd69fd95b784c10dd46880c ]
While applying the blamed commit 4ca07b9239bd ("net: mctp i2c: check
length before marking flow active"), I unintentionally included
unrelated and unacceptable changes.
Revert them.
Fixes: 4ca07b9239bd ("net: mctp i2c: check length before marking flow active")
Reported-by: Jeremy Kerr <jk@codeconstruct.com.au>
Closes: https://lore.kernel.org/netdev/bd8704fe0bd53e278add5cde4873256656623e2e.camel@codeconstruct.com.au/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/043026a53ff84da88b17648c4b0d17f0331749cb.1777447863.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_flower.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index f3af0ac892a86..099ff6a3e1f51 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -560,7 +560,6 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
struct netlink_ext_ack *extack)
{
struct cls_fl_head *head = fl_head_dereference(tp);
- struct fl_flow_mask *mask;
*last = false;
@@ -577,12 +576,11 @@ static int __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f,
list_del_rcu(&f->list);
spin_unlock(&tp->lock);
- mask = f->mask;
+ *last = fl_mask_put(head, f->mask);
if (!tc_skip_hw(f->flags))
fl_hw_destroy_filter(tp, f, rtnl_held, extack);
tcf_unbind_filter(tp, &f->res);
__fl_put(f);
- *last = fl_mask_put(head, mask);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 857/957] kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (855 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 856/957] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 858/957] arm64: Reserve an extra page for early kernel mapping Greg Kroah-Hartman
` (105 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Mark Brown, Catalin Marinas,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit bb7235e226888607e6aac1288062fcb1ac105589 ]
kselftest includes kernel uAPI headers with option:
-isystem $(top_srcdir)/usr/include
Include <asm/ptrace.h> in libc-gcs.c for the definition of struct
user_gcs from the uAPI headers, and remove the redundant definition in
gcs-util.h. This fixes a compilation error on systems where the
toolchain defines NT_ARM_GCS.
Fixes: a505a52b4e29 ("kselftest/arm64: Add a GCS test program built with the system libc")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/arm64/gcs/gcs-util.h | 6 ------
tools/testing/selftests/arm64/gcs/libc-gcs.c | 1 +
2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/tools/testing/selftests/arm64/gcs/gcs-util.h b/tools/testing/selftests/arm64/gcs/gcs-util.h
index c99a6b39ac147..7a81bb07ed4b8 100644
--- a/tools/testing/selftests/arm64/gcs/gcs-util.h
+++ b/tools/testing/selftests/arm64/gcs/gcs-util.h
@@ -18,12 +18,6 @@
#ifndef NT_ARM_GCS
#define NT_ARM_GCS 0x410
-
-struct user_gcs {
- __u64 features_enabled;
- __u64 features_locked;
- __u64 gcspr_el0;
-};
#endif
/* Shadow Stack/Guarded Control Stack interface */
diff --git a/tools/testing/selftests/arm64/gcs/libc-gcs.c b/tools/testing/selftests/arm64/gcs/libc-gcs.c
index 17b2fabfec386..72e82bfbecc99 100644
--- a/tools/testing/selftests/arm64/gcs/libc-gcs.c
+++ b/tools/testing/selftests/arm64/gcs/libc-gcs.c
@@ -16,6 +16,7 @@
#include <asm/hwcap.h>
#include <asm/mman.h>
+#include <asm/ptrace.h>
#include <linux/compiler.h>
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 858/957] arm64: Reserve an extra page for early kernel mapping
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (856 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 857/957] kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 859/957] futex: Drop CLONE_THREAD requirement for private default hash alloc Greg Kroah-Hartman
` (104 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Zhaoyang Huang,
Catalin Marinas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
[ Upstream commit 4d8e74ad4585672489da6145b3328d415f50db82 ]
The final part of [data, end) segment may overflow into the next page of
init_pg_end[1] which is the gap page before early_init_stack[2]:
[1]
crash_arm64_v9.0.1> vtop ffffffed00601000
VIRTUAL PHYSICAL
ffffffed00601000 83401000
PAGE DIRECTORY: ffffffecffd62000
PGD: ffffffecffd62da0 => 10000000833fb003
PMD: ffffff80033fb018 => 10000000833fe003
PTE: ffffff80033fe008 => 68000083401f03
PAGE: 83401000
PTE PHYSICAL FLAGS
68000083401f03 83401000 (VALID|SHARED|AF|NG|PXN|UXN)
PAGE PHYSICAL MAPPING INDEX CNT FLAGS
fffffffec00d0040 83401000 0 0 1 4000 reserved
[2]
ffffffed002c8000 (r) __pi__data
ffffffed0054e000 (d) __pi___bss_start
ffffffed005f5000 (b) __pi_init_pg_dir
ffffffed005fe000 (b) __pi_init_pg_end
ffffffed005ff000 (B) early_init_stack
ffffffed00608000 (b) __pi__end
For 4K pages, the early kernel mapping may use 2MB block entries but the
kernel segments are only 64KB aligned. Segment boundaries that fall
within a 2MB block therefore require a PTE table so that different
attributes can be applied on either side of the boundary.
KERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel
VMAs registered by declare_kernel_vmas(). However, since commit
5973a62efa34 ("arm64: map [_text, _stext) virtual address range
non-executable+read-only"), the early mapper also maps [_text, _stext)
separately from [_stext, _etext). This adds one more early-only split
and can require one more page-table page than the existing
EARLY_SEGMENT_EXTRA_PAGES allowance reserves.
Increase the 4K-page early mapping allowance by one page to cover that
additional split.
Fixes: 5973a62efa34 ("arm64: map [_text, _stext) virtual address range non-executable+read-only")
Assisted-by: TRAE:GLM-5.1
Suggested-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
[catalin.marinas@arm.com: rewrote part of the commit log]
[catalin.marinas@arm.com: expanded the code comment]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/kernel-pgtable.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/kernel-pgtable.h b/arch/arm64/include/asm/kernel-pgtable.h
index 74a4f738c5f52..229ee7976f693 100644
--- a/arch/arm64/include/asm/kernel-pgtable.h
+++ b/arch/arm64/include/asm/kernel-pgtable.h
@@ -68,7 +68,12 @@
#define KERNEL_SEGMENT_COUNT 5
#if SWAPPER_BLOCK_SIZE > SEGMENT_ALIGN
-#define EARLY_SEGMENT_EXTRA_PAGES (KERNEL_SEGMENT_COUNT + 1)
+/*
+ * KERNEL_SEGMENT_COUNT counts the permanent kernel VMAs. The early mapping
+ * has one additional split, [_text, _stext). Reserve one more page for the
+ * SWAPPER_BLOCK_SIZE-unaligned boundaries.
+ */
+#define EARLY_SEGMENT_EXTRA_PAGES (KERNEL_SEGMENT_COUNT + 2)
/*
* The initial ID map consists of the kernel image, mapped as two separate
* segments, and may appear misaligned wrt the swapper block size. This means
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 859/957] futex: Drop CLONE_THREAD requirement for private default hash alloc
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (857 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 858/957] arm64: Reserve an extra page for early kernel mapping Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 860/957] Revert "pseries/papr-hvpipe: Fix race with interrupt handler" Greg Kroah-Hartman
` (103 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Davidlohr Bueso,
Linus Torvalds, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso <dave@stgolabs.net>
[ Upstream commit ee9dce44362b2d8132c32964656ab6dff7dfbc6a ]
Currently need_futex_hash_allocate_default() depends on strict pthread
semantics, abusing CLONE_THREAD. This breaks the non-concurrency
assumptions when doing the mm->futex_ref pcpu allocations, leading to
bugs[0] when sharing the mm in other ways; ie:
BUG: KASAN: slab-use-after-free in futex_hash_put
... where the +1 bias can end up on a percpu counter that mm->futex_ref
no longer points at.
Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
vfork keeps the existing paths untouched (no overhead), and we can't
race in the first place: either the parent is suspended and the child
runs alone, or mm->futex_ref is already allocated from an earlier
CLONE_VM.
Link: https://lore.kernel.org/all/CAL_bE8LsmCQ-FAtYDuwbJhOkt9p2wwYQwAbMh=PifC=VsiBM6A@mail.gmail.com/ [0]
Fixes: d9b05321e21e ("futex: Move futex_hash_free() back to __mmput()")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/fork.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 3ad76c2cf5af5..1215d3f52c6d2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1911,9 +1911,11 @@ static void rv_task_fork(struct task_struct *p)
static bool need_futex_hash_allocate_default(u64 clone_flags)
{
- if ((clone_flags & (CLONE_THREAD | CLONE_VM)) != (CLONE_THREAD | CLONE_VM))
- return false;
- return true;
+ /*
+ * Allocate a default futex hash for any sibling that will
+ * share the parent's mm, except vfork.
+ */
+ return (clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM;
}
/*
@@ -2296,10 +2298,6 @@ __latent_entropy struct task_struct *copy_process(
if (retval)
goto bad_fork_cancel_cgroup;
- /*
- * Allocate a default futex hash for the user process once the first
- * thread spawns.
- */
if (need_futex_hash_allocate_default(clone_flags)) {
retval = futex_hash_allocate_default();
if (retval)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 860/957] Revert "pseries/papr-hvpipe: Fix race with interrupt handler"
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (858 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 859/957] futex: Drop CLONE_THREAD requirement for private default hash alloc Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 861/957] Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()" Greg Kroah-Hartman
` (102 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 6542e180fa6e1c701aba446a555c65556e6fd1a5.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/papr-hvpipe.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c
index a238db095b4ec..3d8672642c251 100644
--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c
+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -449,14 +449,13 @@ static int papr_hvpipe_handle_release(struct inode *inode,
struct file *file)
{
struct hvpipe_source_info *src_info;
- unsigned long flags;
/*
* Hold the lock, remove source from src_list, reset the
* hvpipe status and release the lock to prevent any race
* with message event IRQ.
*/
- spin_lock_irqsave(&hvpipe_src_list_lock, flags);
+ spin_lock(&hvpipe_src_list_lock);
src_info = file->private_data;
list_del(&src_info->list);
file->private_data = NULL;
@@ -467,10 +466,10 @@ static int papr_hvpipe_handle_release(struct inode *inode,
*/
if (src_info->hvpipe_status & HVPIPE_MSG_AVAILABLE) {
src_info->hvpipe_status = 0;
- spin_unlock_irqrestore(&hvpipe_src_list_lock, flags);
+ spin_unlock(&hvpipe_src_list_lock);
hvpipe_rtas_recv_msg(NULL, 0);
} else
- spin_unlock_irqrestore(&hvpipe_src_list_lock, flags);
+ spin_unlock(&hvpipe_src_list_lock);
kfree(src_info);
return 0;
@@ -486,21 +485,20 @@ static const struct file_operations papr_hvpipe_handle_ops = {
static int papr_hvpipe_dev_create_handle(u32 srcID)
{
struct hvpipe_source_info *src_info __free(kfree) = NULL;
- unsigned long flags;
- spin_lock_irqsave(&hvpipe_src_list_lock, flags);
+ spin_lock(&hvpipe_src_list_lock);
/*
* Do not allow more than one process communicates with
* each source.
*/
src_info = hvpipe_find_source(srcID);
if (src_info) {
- spin_unlock_irqrestore(&hvpipe_src_list_lock, flags);
+ spin_unlock(&hvpipe_src_list_lock);
pr_err("pid(%d) is already using the source(%d)\n",
src_info->tsk->pid, srcID);
return -EALREADY;
}
- spin_unlock_irqrestore(&hvpipe_src_list_lock, flags);
+ spin_unlock(&hvpipe_src_list_lock);
src_info = kzalloc(sizeof(*src_info), GFP_KERNEL_ACCOUNT);
if (!src_info)
@@ -517,18 +515,18 @@ static int papr_hvpipe_dev_create_handle(u32 srcID)
return fdf.err;
retain_and_null_ptr(src_info);
- spin_lock_irqsave(&hvpipe_src_list_lock, flags);
+ spin_lock(&hvpipe_src_list_lock);
/*
* If two processes are executing ioctl() for the same
* source ID concurrently, prevent the second process to
* acquire FD.
*/
if (hvpipe_find_source(srcID)) {
- spin_unlock_irqrestore(&hvpipe_src_list_lock, flags);
+ spin_unlock(&hvpipe_src_list_lock);
return -EALREADY;
}
list_add(&src_info->list, &hvpipe_src_list);
- spin_unlock_irqrestore(&hvpipe_src_list_lock, flags);
+ spin_unlock(&hvpipe_src_list_lock);
return fd_publish(fdf);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 861/957] Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (859 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 860/957] Revert "pseries/papr-hvpipe: Fix race with interrupt handler" Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 862/957] PCI: Initialize temporary device in new_id_store() Greg Kroah-Hartman
` (101 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
This reverts commit 09c15bbbed533903e600660ea09098b3b0524f48.
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/papr-hvpipe.c | 39 +++++++++++++++-----
1 file changed, 30 insertions(+), 9 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c
index 3d8672642c251..431f6a3da4c5a 100644
--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c
+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -484,7 +484,10 @@ static const struct file_operations papr_hvpipe_handle_ops = {
static int papr_hvpipe_dev_create_handle(u32 srcID)
{
- struct hvpipe_source_info *src_info __free(kfree) = NULL;
+ struct hvpipe_source_info *src_info;
+ struct file *file;
+ long err;
+ int fd;
spin_lock(&hvpipe_src_list_lock);
/*
@@ -508,13 +511,20 @@ static int papr_hvpipe_dev_create_handle(u32 srcID)
src_info->tsk = current;
init_waitqueue_head(&src_info->recv_wqh);
- FD_PREPARE(fdf, O_RDONLY | O_CLOEXEC,
- anon_inode_getfile("[papr-hvpipe]", &papr_hvpipe_handle_ops,
- (void *)src_info, O_RDWR));
- if (fdf.err)
- return fdf.err;
+ fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
+ if (fd < 0) {
+ err = fd;
+ goto free_buf;
+ }
+
+ file = anon_inode_getfile("[papr-hvpipe]",
+ &papr_hvpipe_handle_ops, (void *)src_info,
+ O_RDWR);
+ if (IS_ERR(file)) {
+ err = PTR_ERR(file);
+ goto free_fd;
+ }
- retain_and_null_ptr(src_info);
spin_lock(&hvpipe_src_list_lock);
/*
* If two processes are executing ioctl() for the same
@@ -523,11 +533,22 @@ static int papr_hvpipe_dev_create_handle(u32 srcID)
*/
if (hvpipe_find_source(srcID)) {
spin_unlock(&hvpipe_src_list_lock);
- return -EALREADY;
+ err = -EALREADY;
+ goto free_file;
}
list_add(&src_info->list, &hvpipe_src_list);
spin_unlock(&hvpipe_src_list_lock);
- return fd_publish(fdf);
+
+ fd_install(fd, file);
+ return fd;
+
+free_file:
+ fput(file);
+free_fd:
+ put_unused_fd(fd);
+free_buf:
+ kfree(src_info);
+ return err;
}
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 862/957] PCI: Initialize temporary device in new_id_store()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (860 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 861/957] Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()" Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 863/957] erofs: fix offset truncation when shifting pgoff on 32-bit platforms Greg Kroah-Hartman
` (100 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samiullah Khawaja, Bjorn Helgaas,
Danilo Krummrich, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Samiullah Khawaja <skhawaja@google.com>
[ Upstream commit f45a49a2380a47332817b7248c61a0ebbc6f0d00 ]
When setting new_id of a PCI device driver using sysfs a lockdep splat
occurs. This is because new_id_store() builds a temporary pci_dev for
pci_match_device(), which calls device_match_driver_override(). That
depends on the driver_override.lock added by cb3d1049f4ea ("driver core:
generalize driver_override in struct device").
The new driver_override.lock was not initialized in the temporary pci_dev,
resulting in this lockdep splat.
Initialize the temporary pci_dev to fix this.
Repro:
Build with CONFIG_LOCKDEP=y, boot with QEMU, and add a new ID:
# echo "8086 10f5" > /sys/bus/pci/drivers/e1000e/new_id
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 2 UID: 0 PID: 177 Comm: liveupdate-iomm Not tainted 7.0.0+ #9 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
register_lock_class+0x77e/0x790
lock_acquire+0xbf/0x2e0
pci_match_device+0x24/0x180
new_id_store+0x189/0x1d0
kernfs_fop_write_iter+0x14f/0x210
vfs_write+0x263/0x5e0
ksys_write+0x79/0xf0
do_syscall_64+0x117/0xf80
Fixes: 10a4206a2401 ("PCI: use generic driver_override infrastructure")
Fixes: 8895d3bcb8ba ("PCI: Fail new_id for vendor/device values already built into driver")
Signed-off-by: Samiullah Khawaja <skhawaja@google.com>
[bhelgaas: add commit log details and repro, trim backtrace]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patch.msgid.link/20260505234327.716630-1-skhawaja@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/pci-driver.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index fba07a700508f..f9ead94d5ebb6 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -179,6 +179,11 @@ static const struct pci_device_id *pci_match_device(struct pci_driver *drv,
return NULL;
}
+static void _pci_free_device(struct device *dev)
+{
+ kfree(to_pci_dev(dev));
+}
+
/**
* new_id_store - sysfs frontend to pci_add_dynid()
* @driver: target device driver
@@ -214,11 +219,13 @@ static ssize_t new_id_store(struct device_driver *driver, const char *buf,
pdev->subsystem_vendor = subvendor;
pdev->subsystem_device = subdevice;
pdev->class = class;
+ pdev->dev.release = _pci_free_device;
+ device_initialize(&pdev->dev);
if (pci_match_device(pdrv, pdev))
retval = -EEXIST;
- kfree(pdev);
+ put_device(&pdev->dev);
if (retval)
return retval;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 863/957] erofs: fix offset truncation when shifting pgoff on 32-bit platforms
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (861 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 862/957] PCI: Initialize temporary device in new_id_store() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 864/957] bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation Greg Kroah-Hartman
` (99 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Gao Xiang, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit c99493ce409c3b98fec1616dbcf24c102e006deb ]
On 32-bit platforms, pgoff_t is 32 bits wide, so left-shifting
large arbitrary pgoff_t values by PAGE_SHIFT performs 32-bit arithmetic
and silently truncates the result for pages beyond the 4 GiB boundary.
Cast the page index to loff_t before shifting to produce a correct
64-bit byte offset.
Fixes: 386292919c25 ("erofs: introduce readmore decompression strategy")
Fixes: 307210c262a2 ("erofs: verify metadata accesses for file-backed mounts")
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/data.c | 2 +-
fs/erofs/zdata.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/erofs/data.c b/fs/erofs/data.c
index 58aea2b48580c..d685ee1d9c554 100644
--- a/fs/erofs/data.c
+++ b/fs/erofs/data.c
@@ -38,7 +38,7 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
* However, the data access range must be verified here in advance.
*/
if (buf->file) {
- fpos = index << PAGE_SHIFT;
+ fpos = (loff_t)index << PAGE_SHIFT;
err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
if (err < 0)
return ERR_PTR(err);
diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index 71f01f0a07435..0f09f3ba32149 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1869,7 +1869,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_frontend *f,
if (cur < PAGE_SIZE)
break;
- cur = (index << PAGE_SHIFT) - 1;
+ cur = ((loff_t)index << PAGE_SHIFT) - 1;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 864/957] bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (862 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 863/957] erofs: fix offset truncation when shifting pgoff on 32-bit platforms Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 865/957] net: airoha: Fix a copy and paste bug in probe() Greg Kroah-Hartman
` (98 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jenny Guanni Qu, Puranjay Mohan,
Daniel Borkmann, Eduard Zingerman, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit bc308be380c136800e1e94c6ce49cb53141d6506 ]
Jenny reported that in sync_linked_regs() the BPF_ADD_CONST32 flag is
checked on known_reg (the register narrowed by a conditional branch)
instead of reg (the linked target register created by an alu32 operation).
Example case with reg:
1. r6 = bpf_get_prandom_u32()
2. r7 = r6 (linked, same id)
3. w7 += 5 (alu32 -- r7 gets BPF_ADD_CONST32, zero-extended by CPU)
4. if w6 < 0xFFFFFFFC goto safe (narrows r6 to [0xFFFFFFFC, 0xFFFFFFFF])
5. sync_linked_regs() propagates to r7 but does NOT call zext_32_to_64()
6. Verifier thinks r7 is [0x100000001, 0x100000004] instead of [1, 4]
Since known_reg above does not have BPF_ADD_CONST32 set above, zext_32_to_64()
is never called on alu32-derived linked registers. This causes the verifier
to track incorrect 64-bit bounds, while the CPU correctly zero-extends the
32-bit result.
The code checking known_reg->id was correct however (see scalars_alu32_wrap
selftest case), but the real fix needs to handle both directions - zext
propagation should be done when either register has BPF_ADD_CONST32, since
the linked relationship involves a 32-bit operation regardless of which
side has the flag.
Example case with known_reg (exercised also by scalars_alu32_wrap):
1. r1 = r0; w1 += 0x100 (alu32 -- r1 gets BPF_ADD_CONST32)
2. if r1 > 0x80 - known_reg = r1 (has BPF_ADD_CONST32), reg = r0 (doesn't)
Hence, fix it by checking for (reg->id | known_reg->id) & BPF_ADD_CONST32.
Moreover, sync_linked_regs() also has a soundness issue when two linked
registers used different ALU widths: one with BPF_ADD_CONST32 and the
other with BPF_ADD_CONST64. The delta relationship between linked registers
assumes the same arithmetic width though. When one register went through
alu32 (CPU zero-extends the 32-bit result) and the other went through
alu64 (no zero-extension), the propagation produces incorrect bounds.
Example:
r6 = bpf_get_prandom_u32() // fully unknown
if r6 >= 0x100000000 goto out // constrain r6 to [0, U32_MAX]
r7 = r6
w7 += 1 // alu32: r7.id = N | BPF_ADD_CONST32
r8 = r6
r8 += 2 // alu64: r8.id = N | BPF_ADD_CONST64
if r7 < 0xFFFFFFFF goto out // narrows r7 to [0xFFFFFFFF, 0xFFFFFFFF]
At the branch on r7, sync_linked_regs() runs with known_reg=r7
(BPF_ADD_CONST32) and reg=r8 (BPF_ADD_CONST64). The delta path
computes:
r8 = r7 + (delta_r8 - delta_r7) = 0xFFFFFFFF + (2 - 1) = 0x100000000
Then, because known_reg->id has BPF_ADD_CONST32, zext_32_to_64(r8) is
called, truncating r8 to [0, 0]. But r8 used a 64-bit ALU op -- the
CPU does NOT zero-extend it. The actual CPU value of r8 is
0xFFFFFFFE + 2 = 0x100000000, not 0. The verifier now underestimates
r8's 64-bit bounds, which is a soundness violation.
Fix sync_linked_regs() by skipping propagation when the two registers
have mixed ALU widths (one BPF_ADD_CONST32, the other BPF_ADD_CONST64).
Lastly, fix regsafe() used for path pruning: the existing checks used
"& BPF_ADD_CONST" to test for offset linkage, which treated
BPF_ADD_CONST32 and BPF_ADD_CONST64 as equivalent.
Fixes: 7a433e519364 ("bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking")
Reported-by: Jenny Guanni Qu <qguanni@gmail.com>
Co-developed-by: Puranjay Mohan <puranjay@kernel.org>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260319211507.213816-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ebfa27d4002c5..3dcf591acd50d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16913,6 +16913,12 @@ static void sync_linked_regs(struct bpf_verifier_state *vstate, struct bpf_reg_s
continue;
if ((reg->id & ~BPF_ADD_CONST) != (known_reg->id & ~BPF_ADD_CONST))
continue;
+ /*
+ * Skip mixed 32/64-bit links: the delta relationship doesn't
+ * hold across different ALU widths.
+ */
+ if (((reg->id ^ known_reg->id) & BPF_ADD_CONST) == BPF_ADD_CONST)
+ continue;
if ((!(reg->id & BPF_ADD_CONST) && !(known_reg->id & BPF_ADD_CONST)) ||
reg->off == known_reg->off) {
s32 saved_subreg_def = reg->subreg_def;
@@ -16940,7 +16946,7 @@ static void sync_linked_regs(struct bpf_verifier_state *vstate, struct bpf_reg_s
scalar32_min_max_add(reg, &fake_reg);
scalar_min_max_add(reg, &fake_reg);
reg->var_off = tnum_add(reg->var_off, fake_reg.var_off);
- if (known_reg->id & BPF_ADD_CONST32)
+ if ((reg->id | known_reg->id) & BPF_ADD_CONST32)
zext_32_to_64(reg);
reg_bounds_sync(reg);
}
@@ -19056,11 +19062,14 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
* Also verify that new value satisfies old value range knowledge.
*/
- /* ADD_CONST mismatch: different linking semantics */
- if ((rold->id & BPF_ADD_CONST) && !(rcur->id & BPF_ADD_CONST))
- return false;
-
- if (rold->id && !(rold->id & BPF_ADD_CONST) && (rcur->id & BPF_ADD_CONST))
+ /*
+ * ADD_CONST flags must match exactly: BPF_ADD_CONST32 and
+ * BPF_ADD_CONST64 have different linking semantics in
+ * sync_linked_regs() (alu32 zero-extends, alu64 does not),
+ * so pruning across different flag types is unsafe.
+ */
+ if (rold->id &&
+ (rold->id & BPF_ADD_CONST) != (rcur->id & BPF_ADD_CONST))
return false;
/* Both have offset linkage: offsets must match */
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 865/957] net: airoha: Fix a copy and paste bug in probe()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (863 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 864/957] bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 866/957] fuse: fix race when disposing stale dentries Greg Kroah-Hartman
` (97 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Lorenzo Bianconi,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 05e090620bacf317020f9591cfff8926093380bd ]
This code has a copy and paste bug where it accidentally checks "if (err)"
instead of checking if "xsi_rsts" is NULL. Also, as a free bonus, I
changed the allocation from kzalloc() to kcalloc() which is a kernel
hardening measure to protect against integer overflows.
Fixes: 5863b4e065e2 ("net: airoha: Add airoha_eth_soc_data struct")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/aPtht6y5DRokn9zv@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 81ecfc1a1094c..4364f4320428a 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -3097,11 +3097,11 @@ static int airoha_probe(struct platform_device *pdev)
return err;
}
- xsi_rsts = devm_kzalloc(eth->dev,
- eth->soc->num_xsi_rsts * sizeof(*xsi_rsts),
+ xsi_rsts = devm_kcalloc(eth->dev,
+ eth->soc->num_xsi_rsts, sizeof(*xsi_rsts),
GFP_KERNEL);
- if (err)
- return err;
+ if (!xsi_rsts)
+ return -ENOMEM;
eth->xsi_rsts = xsi_rsts;
for (i = 0; i < eth->soc->num_xsi_rsts; i++)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 866/957] fuse: fix race when disposing stale dentries
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (864 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 865/957] net: airoha: Fix a copy and paste bug in probe() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 867/957] fuse: make sure dentry is evicted if stale Greg Kroah-Hartman
` (96 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Miklos Szeredi,
Christian Brauner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit cb8d2bdcb8241b66ca4ac4868f20e12cd6881ebc ]
In fuse_dentry_tree_work() just before d_dispose_if_unused() the dentry
could get evicted, resulting in UAF.
Move unlocking dentry_hash[i].lock to after the dispose. To do this,
fuse_dentry_tree_del_node() needs to be moved from fuse_dentry_prune() to
fuse_dentry_release() to prevent an ABBA deadlock.
The lock ordering becomes:
-> dentry_bucket.lock
-> dentry.d_lock
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Closes: https://lore.kernel.org/all/20251206014242.GO1712166@ZenIV/
Fixes: ab84ad597386 ("fuse: new work queue to periodically invalidate expired dentries")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://patch.msgid.link/20260114145344.468856-2-mszeredi@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: 1e2c1af1beb3 ("fuse: make sure dentry is evicted if stale")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dir.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 98b174bd802f0..b7a6a5b6bbc8a 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -172,8 +172,8 @@ static void fuse_dentry_tree_work(struct work_struct *work)
if (time_after64(get_jiffies_64(), fd->time)) {
rb_erase(&fd->node, &dentry_hash[i].tree);
RB_CLEAR_NODE(&fd->node);
- spin_unlock(&dentry_hash[i].lock);
d_dispose_if_unused(fd->dentry, &dispose);
+ spin_unlock(&dentry_hash[i].lock);
cond_resched();
spin_lock(&dentry_hash[i].lock);
} else
@@ -464,18 +464,12 @@ static int fuse_dentry_init(struct dentry *dentry)
return 0;
}
-static void fuse_dentry_prune(struct dentry *dentry)
+static void fuse_dentry_release(struct dentry *dentry)
{
struct fuse_dentry *fd = dentry->d_fsdata;
if (!RB_EMPTY_NODE(&fd->node))
fuse_dentry_tree_del_node(dentry);
-}
-
-static void fuse_dentry_release(struct dentry *dentry)
-{
- struct fuse_dentry *fd = dentry->d_fsdata;
-
kfree_rcu(fd, rcu);
}
@@ -512,7 +506,6 @@ const struct dentry_operations fuse_dentry_operations = {
.d_revalidate = fuse_dentry_revalidate,
.d_delete = fuse_dentry_delete,
.d_init = fuse_dentry_init,
- .d_prune = fuse_dentry_prune,
.d_release = fuse_dentry_release,
.d_automount = fuse_dentry_automount,
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 867/957] fuse: make sure dentry is evicted if stale
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (865 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 866/957] fuse: fix race when disposing stale dentries Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 868/957] rtla: Fix parse_cpu_set() bug introduced by strtoi() Greg Kroah-Hartman
` (95 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miklos Szeredi, Christian Brauner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit 1e2c1af1beb395841743e240a59ab37edc9a7d33 ]
d_dispose_if_unused() may find the dentry with a positive refcount, in
which case it won't be put on the dispose list even though it has already
timed out.
"Reinstall" the d_delete() callback, which was optimized out in
fuse_dentry_settime(). This will result in the dentry being evicted as
soon as the refcount hits zero.
Fixes: ab84ad597386 ("fuse: new work queue to periodically invalidate expired dentries")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Link: https://patch.msgid.link/20260114145344.468856-3-mszeredi@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dir.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index b7a6a5b6bbc8a..ac5d0c305b51f 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -172,6 +172,10 @@ static void fuse_dentry_tree_work(struct work_struct *work)
if (time_after64(get_jiffies_64(), fd->time)) {
rb_erase(&fd->node, &dentry_hash[i].tree);
RB_CLEAR_NODE(&fd->node);
+ spin_lock(&fd->dentry->d_lock);
+ /* If dentry is still referenced, let next dput release it */
+ fd->dentry->d_flags |= DCACHE_OP_DELETE;
+ spin_unlock(&fd->dentry->d_lock);
d_dispose_if_unused(fd->dentry, &dispose);
spin_unlock(&dentry_hash[i].lock);
cond_resched();
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 868/957] rtla: Fix parse_cpu_set() bug introduced by strtoi()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (866 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 867/957] fuse: make sure dentry is evicted if stale Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 869/957] net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit() Greg Kroah-Hartman
` (94 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Costa Shulyupin,
Masami Hiramatsu (Google), Tomas Glozar, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Costa Shulyupin <costa.shul@redhat.com>
[ Upstream commit 6ea8a206108fe8b5940c2797afc54ae9f5a7bbdd ]
The patch 'Replace atoi() with a robust strtoi()' introduced a bug
in parse_cpu_set(), which relies on partial parsing of the input string.
The function parses CPU specifications like '0-3,5' by incrementing
a pointer through the string. strtoi() rejects strings with trailing
characters, causing parse_cpu_set() to fail on any CPU list with
multiple entries.
Restore the original use of atoi() in parse_cpu_set().
Fixes: 7e9dfccf8f11 ("rtla: Replace atoi() with a robust strtoi()")
Signed-off-by: Costa Shulyupin <costa.shul@redhat.com>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://lore.kernel.org/r/20260112192642.212848-2-costa.shul@redhat.com
Signed-off-by: Tomas Glozar <tglozar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/tracing/rtla/src/utils.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/tools/tracing/rtla/src/utils.c b/tools/tracing/rtla/src/utils.c
index bf20077cca742..b4cd93f784522 100644
--- a/tools/tracing/rtla/src/utils.c
+++ b/tools/tracing/rtla/src/utils.c
@@ -113,18 +113,16 @@ int parse_cpu_set(char *cpu_list, cpu_set_t *set)
nr_cpus = sysconf(_SC_NPROCESSORS_CONF);
for (p = cpu_list; *p; ) {
- if (strtoi(p, &cpu))
- goto err;
- if (cpu < 0 || cpu >= nr_cpus)
+ cpu = atoi(p);
+ if (cpu < 0 || (!cpu && *p != '0') || cpu >= nr_cpus)
goto err;
while (isdigit(*p))
p++;
if (*p == '-') {
p++;
- if (strtoi(p, &end_cpu))
- goto err;
- if (end_cpu < cpu || end_cpu >= nr_cpus)
+ end_cpu = atoi(p);
+ if (end_cpu < cpu || (!end_cpu && *p != '0') || end_cpu >= nr_cpus)
goto err;
while (isdigit(*p))
p++;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 869/957] net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (867 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 868/957] rtla: Fix parse_cpu_set() bug introduced by strtoi() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 870/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx() Greg Kroah-Hartman
` (93 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 75df490c9e8457990c8b227650f6491218ce018b ]
In order to respect the original descriptor order and avoid any
potential IOMMU fault or memory corruption, move pending queue entries
to the head of hw queue tx_list if the DMA mapping of current inflight
packet fails in airoha_dev_xmit routine.
Fixes: 3f47e67dff1f7 ("net: airoha: Add the capability to consume out-of-order DMA tx descriptors")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260429-airoha-xmit-unmap-error-path-v2-1-32e43b7c6d25@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 4364f4320428a..b4dfab2702cb9 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -2136,14 +2136,12 @@ static netdev_tx_t airoha_dev_xmit(struct sk_buff *skb,
return NETDEV_TX_OK;
error_unmap:
- while (!list_empty(&tx_list)) {
- e = list_first_entry(&tx_list, struct airoha_queue_entry,
- list);
+ list_for_each_entry(e, &tx_list, list) {
dma_unmap_single(dev->dev.parent, e->dma_addr, e->dma_len,
DMA_TO_DEVICE);
e->dma_addr = 0;
- list_move_tail(&e->list, &q->tx_list);
}
+ list_splice(&tx_list, &q->tx_list);
spin_unlock_bh(&q->lock);
error:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 870/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (868 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 869/957] net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 871/957] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
` (92 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit f329924bb49458c65297f1361f545816a5b90998 ]
If queue entry list allocation fails in airoha_qdma_init_tx_queue routine,
airoha_qdma_cleanup_tx_queue() will trigger a NULL pointer dereference
accessing the queue entry array. The issue is due to the early ndesc
initialization in airoha_qdma_init_tx_queue(). Fix the issue moving ndesc
initialization at end of airoha_qdma_init_tx routine.
Fixes: 3f47e67dff1f7 ("net: airoha: Add the capability to consume out-of-order DMA tx descriptors")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260417-airoha_qdma_cleanup_tx_queue-fix-net-v4-1-e04bcc2c9642@kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index b4dfab2702cb9..3f97a0135f7f8 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -1019,27 +1019,27 @@ static int airoha_qdma_init_tx_queue(struct airoha_queue *q,
dma_addr_t dma_addr;
spin_lock_init(&q->lock);
- q->ndesc = size;
q->qdma = qdma;
q->free_thr = 1 + MAX_SKB_FRAGS;
INIT_LIST_HEAD(&q->tx_list);
- q->entry = devm_kzalloc(eth->dev, q->ndesc * sizeof(*q->entry),
+ q->entry = devm_kzalloc(eth->dev, size * sizeof(*q->entry),
GFP_KERNEL);
if (!q->entry)
return -ENOMEM;
- q->desc = dmam_alloc_coherent(eth->dev, q->ndesc * sizeof(*q->desc),
+ q->desc = dmam_alloc_coherent(eth->dev, size * sizeof(*q->desc),
&dma_addr, GFP_KERNEL);
if (!q->desc)
return -ENOMEM;
- for (i = 0; i < q->ndesc; i++) {
+ for (i = 0; i < size; i++) {
u32 val = FIELD_PREP(QDMA_DESC_DONE_MASK, 1);
list_add_tail(&q->entry[i].list, &q->tx_list);
WRITE_ONCE(q->desc[i].ctrl, cpu_to_le32(val));
}
+ q->ndesc = size;
/* xmit ring drop default setting */
airoha_qdma_set(qdma, REG_TX_RING_BLOCKING(qid),
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 871/957] net/sched: sch_pie: annotate more data-races in pie_dump_stats()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (869 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 870/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 872/957] net: airoha: Remove code duplication in airoha_regs.h Greg Kroah-Hartman
` (91 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6d4106e8df94c0c52cf3ca6a6a0d01567fb3844e ]
My prior patch missed few READ_ONCE()/WRITE_ONCE() annotations.
Fixes: 5154561d9b11 ("net/sched: sch_pie: annotate data-races in pie_dump_stats()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430080056.35104-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_pie.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
index 73650200482f4..40149edecbd5a 100644
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -219,16 +219,14 @@ void pie_process_dequeue(struct sk_buff *skb, struct pie_params *params,
* packet timestamp.
*/
if (!params->dq_rate_estimator) {
- vars->qdelay = now - pie_get_enqueue_time(skb);
+ WRITE_ONCE(vars->qdelay,
+ backlog ? now - pie_get_enqueue_time(skb) : 0);
if (vars->dq_tstamp != DTIME_INVALID)
dtime = now - vars->dq_tstamp;
vars->dq_tstamp = now;
- if (backlog == 0)
- vars->qdelay = 0;
-
if (dtime == 0)
return;
@@ -376,7 +374,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (qdelay > (PSCHED_NS2TICKS(250 * NSEC_PER_MSEC)))
delta += MAX_PROB / (100 / 2);
- vars->prob += delta;
+ WRITE_ONCE(vars->prob, vars->prob + delta);
if (delta > 0) {
/* prevent overflow */
@@ -401,7 +399,7 @@ void pie_calculate_probability(struct pie_params *params, struct pie_vars *vars,
if (qdelay == 0 && qdelay_old == 0 && update_prob)
/* Reduce drop probability to 98.4% */
- vars->prob -= vars->prob / 64;
+ WRITE_ONCE(vars->prob, vars->prob - vars->prob / 64);
WRITE_ONCE(vars->qdelay, qdelay);
vars->backlog_old = backlog;
@@ -501,7 +499,7 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
{
struct pie_sched_data *q = qdisc_priv(sch);
struct tc_pie_xstats st = {
- .prob = q->vars.prob << BITS_PER_BYTE,
+ .prob = READ_ONCE(q->vars.prob) << BITS_PER_BYTE,
.delay = ((u32)PSCHED_TICKS2NS(READ_ONCE(q->vars.qdelay))) /
NSEC_PER_USEC,
.packets_in = READ_ONCE(q->stats.packets_in),
@@ -512,7 +510,7 @@ static int pie_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
};
/* avg_dq_rate is only valid if dq_rate_estimator is enabled */
- st.dq_rate_estimating = q->params.dq_rate_estimator;
+ st.dq_rate_estimating = READ_ONCE(q->params.dq_rate_estimator);
/* unscale and return dq_rate in bytes per sec */
if (st.dq_rate_estimating)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 872/957] net: airoha: Remove code duplication in airoha_regs.h
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (870 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 871/957] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 873/957] net: airoha: Use gdm port enum value whenever possible Greg Kroah-Hartman
` (90 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Lorenzo Bianconi,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 99ad2b6815f41acbec15ab051ccc79b11b05710a ]
This patch does not introduce any logical change, it just removes
duplicated code in airoha_regs.h.
Fix naming conventions in airoha_regs.h.
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251022-airoha-regs-cosmetics-v2-1-e0425b3f2c2c@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1acdfbdb516b ("net: airoha: Fix VIP configuration for AN7583 SoC")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 102 ++++++++++----------
drivers/net/ethernet/airoha/airoha_regs.h | 109 ++++++++++------------
2 files changed, 100 insertions(+), 111 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 3f97a0135f7f8..269ed7179e6c9 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -137,11 +137,11 @@ static void airoha_fe_maccr_init(struct airoha_eth *eth)
for (p = 1; p <= ARRAY_SIZE(eth->ports); p++)
airoha_fe_set(eth, REG_GDM_FWD_CFG(p),
- GDM_TCP_CKSUM | GDM_UDP_CKSUM | GDM_IP4_CKSUM |
- GDM_DROP_CRC_ERR);
+ GDM_TCP_CKSUM_MASK | GDM_UDP_CKSUM_MASK |
+ GDM_IP4_CKSUM_MASK | GDM_DROP_CRC_ERR_MASK);
- airoha_fe_rmw(eth, REG_CDM1_VLAN_CTRL, CDM1_VLAN_MASK,
- FIELD_PREP(CDM1_VLAN_MASK, 0x8100));
+ airoha_fe_rmw(eth, REG_CDM_VLAN_CTRL(1), CDM_VLAN_MASK,
+ FIELD_PREP(CDM_VLAN_MASK, 0x8100));
airoha_fe_set(eth, REG_FE_CPORT_CFG, FE_CPORT_PAD);
}
@@ -405,46 +405,46 @@ static int airoha_fe_mc_vlan_clear(struct airoha_eth *eth)
static void airoha_fe_crsn_qsel_init(struct airoha_eth *eth)
{
/* CDM1_CRSN_QSEL */
- airoha_fe_rmw(eth, REG_CDM1_CRSN_QSEL(CRSN_22 >> 2),
- CDM1_CRSN_QSEL_REASON_MASK(CRSN_22),
- FIELD_PREP(CDM1_CRSN_QSEL_REASON_MASK(CRSN_22),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(1, CRSN_22 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_22),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_22),
CDM_CRSN_QSEL_Q1));
- airoha_fe_rmw(eth, REG_CDM1_CRSN_QSEL(CRSN_08 >> 2),
- CDM1_CRSN_QSEL_REASON_MASK(CRSN_08),
- FIELD_PREP(CDM1_CRSN_QSEL_REASON_MASK(CRSN_08),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(1, CRSN_08 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_08),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_08),
CDM_CRSN_QSEL_Q1));
- airoha_fe_rmw(eth, REG_CDM1_CRSN_QSEL(CRSN_21 >> 2),
- CDM1_CRSN_QSEL_REASON_MASK(CRSN_21),
- FIELD_PREP(CDM1_CRSN_QSEL_REASON_MASK(CRSN_21),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(1, CRSN_21 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_21),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_21),
CDM_CRSN_QSEL_Q1));
- airoha_fe_rmw(eth, REG_CDM1_CRSN_QSEL(CRSN_24 >> 2),
- CDM1_CRSN_QSEL_REASON_MASK(CRSN_24),
- FIELD_PREP(CDM1_CRSN_QSEL_REASON_MASK(CRSN_24),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(1, CRSN_24 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_24),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_24),
CDM_CRSN_QSEL_Q6));
- airoha_fe_rmw(eth, REG_CDM1_CRSN_QSEL(CRSN_25 >> 2),
- CDM1_CRSN_QSEL_REASON_MASK(CRSN_25),
- FIELD_PREP(CDM1_CRSN_QSEL_REASON_MASK(CRSN_25),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(1, CRSN_25 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_25),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_25),
CDM_CRSN_QSEL_Q1));
/* CDM2_CRSN_QSEL */
- airoha_fe_rmw(eth, REG_CDM2_CRSN_QSEL(CRSN_08 >> 2),
- CDM2_CRSN_QSEL_REASON_MASK(CRSN_08),
- FIELD_PREP(CDM2_CRSN_QSEL_REASON_MASK(CRSN_08),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(2, CRSN_08 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_08),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_08),
CDM_CRSN_QSEL_Q1));
- airoha_fe_rmw(eth, REG_CDM2_CRSN_QSEL(CRSN_21 >> 2),
- CDM2_CRSN_QSEL_REASON_MASK(CRSN_21),
- FIELD_PREP(CDM2_CRSN_QSEL_REASON_MASK(CRSN_21),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(2, CRSN_21 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_21),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_21),
CDM_CRSN_QSEL_Q1));
- airoha_fe_rmw(eth, REG_CDM2_CRSN_QSEL(CRSN_22 >> 2),
- CDM2_CRSN_QSEL_REASON_MASK(CRSN_22),
- FIELD_PREP(CDM2_CRSN_QSEL_REASON_MASK(CRSN_22),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(2, CRSN_22 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_22),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_22),
CDM_CRSN_QSEL_Q1));
- airoha_fe_rmw(eth, REG_CDM2_CRSN_QSEL(CRSN_24 >> 2),
- CDM2_CRSN_QSEL_REASON_MASK(CRSN_24),
- FIELD_PREP(CDM2_CRSN_QSEL_REASON_MASK(CRSN_24),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(2, CRSN_24 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_24),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_24),
CDM_CRSN_QSEL_Q6));
- airoha_fe_rmw(eth, REG_CDM2_CRSN_QSEL(CRSN_25 >> 2),
- CDM2_CRSN_QSEL_REASON_MASK(CRSN_25),
- FIELD_PREP(CDM2_CRSN_QSEL_REASON_MASK(CRSN_25),
+ airoha_fe_rmw(eth, REG_CDM_CRSN_QSEL(2, CRSN_25 >> 2),
+ CDM_CRSN_QSEL_REASON_MASK(CRSN_25),
+ FIELD_PREP(CDM_CRSN_QSEL_REASON_MASK(CRSN_25),
CDM_CRSN_QSEL_Q1));
}
@@ -464,18 +464,18 @@ static int airoha_fe_init(struct airoha_eth *eth)
airoha_fe_wr(eth, REG_FE_PCE_CFG,
PCE_DPI_EN_MASK | PCE_KA_EN_MASK | PCE_MC_EN_MASK);
/* set vip queue selection to ring 1 */
- airoha_fe_rmw(eth, REG_CDM1_FWD_CFG, CDM1_VIP_QSEL_MASK,
- FIELD_PREP(CDM1_VIP_QSEL_MASK, 0x4));
- airoha_fe_rmw(eth, REG_CDM2_FWD_CFG, CDM2_VIP_QSEL_MASK,
- FIELD_PREP(CDM2_VIP_QSEL_MASK, 0x4));
+ airoha_fe_rmw(eth, REG_CDM_FWD_CFG(1), CDM_VIP_QSEL_MASK,
+ FIELD_PREP(CDM_VIP_QSEL_MASK, 0x4));
+ airoha_fe_rmw(eth, REG_CDM_FWD_CFG(2), CDM_VIP_QSEL_MASK,
+ FIELD_PREP(CDM_VIP_QSEL_MASK, 0x4));
/* set GDM4 source interface offset to 8 */
- airoha_fe_rmw(eth, REG_GDM4_SRC_PORT_SET,
- GDM4_SPORT_OFF2_MASK |
- GDM4_SPORT_OFF1_MASK |
- GDM4_SPORT_OFF0_MASK,
- FIELD_PREP(GDM4_SPORT_OFF2_MASK, 8) |
- FIELD_PREP(GDM4_SPORT_OFF1_MASK, 8) |
- FIELD_PREP(GDM4_SPORT_OFF0_MASK, 8));
+ airoha_fe_rmw(eth, REG_GDM_SRC_PORT_SET(4),
+ GDM_SPORT_OFF2_MASK |
+ GDM_SPORT_OFF1_MASK |
+ GDM_SPORT_OFF0_MASK,
+ FIELD_PREP(GDM_SPORT_OFF2_MASK, 8) |
+ FIELD_PREP(GDM_SPORT_OFF1_MASK, 8) |
+ FIELD_PREP(GDM_SPORT_OFF0_MASK, 8));
/* set PSE Page as 128B */
airoha_fe_rmw(eth, REG_FE_DMA_GLO_CFG,
@@ -501,8 +501,8 @@ static int airoha_fe_init(struct airoha_eth *eth)
airoha_fe_set(eth, REG_GDM_MISC_CFG,
GDM2_RDM_ACK_WAIT_PREF_MASK |
GDM2_CHN_VLD_MODE_MASK);
- airoha_fe_rmw(eth, REG_CDM2_FWD_CFG, CDM2_OAM_QSEL_MASK,
- FIELD_PREP(CDM2_OAM_QSEL_MASK, 15));
+ airoha_fe_rmw(eth, REG_CDM_FWD_CFG(2), CDM_OAM_QSEL_MASK,
+ FIELD_PREP(CDM_OAM_QSEL_MASK, 15));
/* init fragment and assemble Force Port */
/* NPU Core-3, NPU Bridge Channel-3 */
@@ -516,8 +516,8 @@ static int airoha_fe_init(struct airoha_eth *eth)
FIELD_PREP(IP_ASSEMBLE_PORT_MASK, 0) |
FIELD_PREP(IP_ASSEMBLE_NBQ_MASK, 22));
- airoha_fe_set(eth, REG_GDM3_FWD_CFG, GDM3_PAD_EN_MASK);
- airoha_fe_set(eth, REG_GDM4_FWD_CFG, GDM4_PAD_EN_MASK);
+ airoha_fe_set(eth, REG_GDM_FWD_CFG(3), GDM_PAD_EN_MASK);
+ airoha_fe_set(eth, REG_GDM_FWD_CFG(4), GDM_PAD_EN_MASK);
airoha_fe_crsn_qsel_init(eth);
@@ -525,7 +525,7 @@ static int airoha_fe_init(struct airoha_eth *eth)
airoha_fe_set(eth, REG_FE_CPORT_CFG, FE_CPORT_PORT_XFC_MASK);
/* default aging mode for mbi unlock issue */
- airoha_fe_rmw(eth, REG_GDM2_CHN_RLS,
+ airoha_fe_rmw(eth, REG_GDM_CHN_RLS(2),
MBI_RX_AGE_SEL_MASK | MBI_TX_AGE_SEL_MASK,
FIELD_PREP(MBI_RX_AGE_SEL_MASK, 3) |
FIELD_PREP(MBI_TX_AGE_SEL_MASK, 3));
@@ -1816,7 +1816,7 @@ static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
pse_port = port->id == AIROHA_GDM3_IDX ? FE_PSE_PORT_GDM3
: FE_PSE_PORT_GDM4;
airoha_set_gdm_port_fwd_cfg(eth, REG_GDM_FWD_CFG(2), pse_port);
- airoha_fe_clear(eth, REG_GDM_FWD_CFG(2), GDM_STRIP_CRC);
+ airoha_fe_clear(eth, REG_GDM_FWD_CFG(2), GDM_STRIP_CRC_MASK);
/* Enable GDM2 loopback */
airoha_fe_wr(eth, REG_GDM_TXCHN_EN(2), 0xffffffff);
diff --git a/drivers/net/ethernet/airoha/airoha_regs.h b/drivers/net/ethernet/airoha/airoha_regs.h
index ebcce00d9bc6f..ed4e3407f4a0e 100644
--- a/drivers/net/ethernet/airoha/airoha_regs.h
+++ b/drivers/net/ethernet/airoha/airoha_regs.h
@@ -23,6 +23,8 @@
#define GDM3_BASE 0x1100
#define GDM4_BASE 0x2500
+#define CDM_BASE(_n) \
+ ((_n) == 2 ? CDM2_BASE : CDM1_BASE)
#define GDM_BASE(_n) \
((_n) == 4 ? GDM4_BASE : \
(_n) == 3 ? GDM3_BASE : \
@@ -109,30 +111,24 @@
#define PATN_DP_MASK GENMASK(31, 16)
#define PATN_SP_MASK GENMASK(15, 0)
-#define REG_CDM1_VLAN_CTRL CDM1_BASE
-#define CDM1_VLAN_MASK GENMASK(31, 16)
+#define REG_CDM_VLAN_CTRL(_n) CDM_BASE(_n)
+#define CDM_VLAN_MASK GENMASK(31, 16)
-#define REG_CDM1_FWD_CFG (CDM1_BASE + 0x08)
-#define CDM1_VIP_QSEL_MASK GENMASK(24, 20)
+#define REG_CDM_FWD_CFG(_n) (CDM_BASE(_n) + 0x08)
+#define CDM_OAM_QSEL_MASK GENMASK(31, 27)
+#define CDM_VIP_QSEL_MASK GENMASK(24, 20)
-#define REG_CDM1_CRSN_QSEL(_n) (CDM1_BASE + 0x10 + ((_n) << 2))
-#define CDM1_CRSN_QSEL_REASON_MASK(_n) \
- GENMASK(4 + (((_n) % 4) << 3), (((_n) % 4) << 3))
-
-#define REG_CDM2_FWD_CFG (CDM2_BASE + 0x08)
-#define CDM2_OAM_QSEL_MASK GENMASK(31, 27)
-#define CDM2_VIP_QSEL_MASK GENMASK(24, 20)
-
-#define REG_CDM2_CRSN_QSEL(_n) (CDM2_BASE + 0x10 + ((_n) << 2))
-#define CDM2_CRSN_QSEL_REASON_MASK(_n) \
+#define REG_CDM_CRSN_QSEL(_n, _m) (CDM_BASE(_n) + 0x10 + ((_m) << 2))
+#define CDM_CRSN_QSEL_REASON_MASK(_n) \
GENMASK(4 + (((_n) % 4) << 3), (((_n) % 4) << 3))
#define REG_GDM_FWD_CFG(_n) GDM_BASE(_n)
-#define GDM_DROP_CRC_ERR BIT(23)
-#define GDM_IP4_CKSUM BIT(22)
-#define GDM_TCP_CKSUM BIT(21)
-#define GDM_UDP_CKSUM BIT(20)
-#define GDM_STRIP_CRC BIT(16)
+#define GDM_PAD_EN_MASK BIT(28)
+#define GDM_DROP_CRC_ERR_MASK BIT(23)
+#define GDM_IP4_CKSUM_MASK BIT(22)
+#define GDM_TCP_CKSUM_MASK BIT(21)
+#define GDM_UDP_CKSUM_MASK BIT(20)
+#define GDM_STRIP_CRC_MASK BIT(16)
#define GDM_UCFQ_MASK GENMASK(15, 12)
#define GDM_BCFQ_MASK GENMASK(11, 8)
#define GDM_MCFQ_MASK GENMASK(7, 4)
@@ -156,6 +152,10 @@
#define LBK_CHAN_MODE_MASK BIT(1)
#define LPBK_EN_MASK BIT(0)
+#define REG_GDM_CHN_RLS(_n) (GDM_BASE(_n) + 0x20)
+#define MBI_RX_AGE_SEL_MASK GENMASK(26, 25)
+#define MBI_TX_AGE_SEL_MASK GENMASK(18, 17)
+
#define REG_GDM_TXCHN_EN(_n) (GDM_BASE(_n) + 0x24)
#define REG_GDM_RXCHN_EN(_n) (GDM_BASE(_n) + 0x28)
@@ -168,10 +168,10 @@
#define FE_GDM_MIB_RX_CLEAR_MASK BIT(1)
#define FE_GDM_MIB_TX_CLEAR_MASK BIT(0)
-#define REG_FE_GDM1_MIB_CFG (GDM1_BASE + 0xf4)
+#define REG_FE_GDM_MIB_CFG(_n) (GDM_BASE(_n) + 0xf4)
#define FE_STRICT_RFC2819_MODE_MASK BIT(31)
-#define FE_GDM1_TX_MIB_SPLIT_EN_MASK BIT(17)
-#define FE_GDM1_RX_MIB_SPLIT_EN_MASK BIT(16)
+#define FE_GDM_TX_MIB_SPLIT_EN_MASK BIT(17)
+#define FE_GDM_RX_MIB_SPLIT_EN_MASK BIT(16)
#define FE_TX_MIB_ID_MASK GENMASK(15, 8)
#define FE_RX_MIB_ID_MASK GENMASK(7, 0)
@@ -214,6 +214,33 @@
#define REG_FE_GDM_RX_ETH_L511_CNT_L(_n) (GDM_BASE(_n) + 0x198)
#define REG_FE_GDM_RX_ETH_L1023_CNT_L(_n) (GDM_BASE(_n) + 0x19c)
+#define REG_GDM_SRC_PORT_SET(_n) (GDM_BASE(_n) + 0x23c)
+#define GDM_SPORT_OFF2_MASK GENMASK(19, 16)
+#define GDM_SPORT_OFF1_MASK GENMASK(15, 12)
+#define GDM_SPORT_OFF0_MASK GENMASK(11, 8)
+
+#define REG_FE_GDM_TX_OK_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x280)
+#define REG_FE_GDM_TX_OK_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x284)
+#define REG_FE_GDM_TX_ETH_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x288)
+#define REG_FE_GDM_TX_ETH_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x28c)
+
+#define REG_FE_GDM_RX_OK_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x290)
+#define REG_FE_GDM_RX_OK_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x294)
+#define REG_FE_GDM_RX_ETH_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x298)
+#define REG_FE_GDM_RX_ETH_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x29c)
+#define REG_FE_GDM_TX_ETH_E64_CNT_H(_n) (GDM_BASE(_n) + 0x2b8)
+#define REG_FE_GDM_TX_ETH_L64_CNT_H(_n) (GDM_BASE(_n) + 0x2bc)
+#define REG_FE_GDM_TX_ETH_L127_CNT_H(_n) (GDM_BASE(_n) + 0x2c0)
+#define REG_FE_GDM_TX_ETH_L255_CNT_H(_n) (GDM_BASE(_n) + 0x2c4)
+#define REG_FE_GDM_TX_ETH_L511_CNT_H(_n) (GDM_BASE(_n) + 0x2c8)
+#define REG_FE_GDM_TX_ETH_L1023_CNT_H(_n) (GDM_BASE(_n) + 0x2cc)
+#define REG_FE_GDM_RX_ETH_E64_CNT_H(_n) (GDM_BASE(_n) + 0x2e8)
+#define REG_FE_GDM_RX_ETH_L64_CNT_H(_n) (GDM_BASE(_n) + 0x2ec)
+#define REG_FE_GDM_RX_ETH_L127_CNT_H(_n) (GDM_BASE(_n) + 0x2f0)
+#define REG_FE_GDM_RX_ETH_L255_CNT_H(_n) (GDM_BASE(_n) + 0x2f4)
+#define REG_FE_GDM_RX_ETH_L511_CNT_H(_n) (GDM_BASE(_n) + 0x2f8)
+#define REG_FE_GDM_RX_ETH_L1023_CNT_H(_n) (GDM_BASE(_n) + 0x2fc)
+
#define REG_PPE_GLO_CFG(_n) (((_n) ? PPE2_BASE : PPE1_BASE) + 0x200)
#define PPE_GLO_CFG_BUSY_MASK BIT(31)
#define PPE_GLO_CFG_FLOW_DROP_UPDATE_MASK BIT(9)
@@ -326,44 +353,6 @@
#define REG_UPDMEM_DATA(_n) (((_n) ? PPE2_BASE : PPE1_BASE) + 0x374)
-#define REG_FE_GDM_TX_OK_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x280)
-#define REG_FE_GDM_TX_OK_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x284)
-#define REG_FE_GDM_TX_ETH_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x288)
-#define REG_FE_GDM_TX_ETH_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x28c)
-
-#define REG_FE_GDM_RX_OK_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x290)
-#define REG_FE_GDM_RX_OK_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x294)
-#define REG_FE_GDM_RX_ETH_PKT_CNT_H(_n) (GDM_BASE(_n) + 0x298)
-#define REG_FE_GDM_RX_ETH_BYTE_CNT_H(_n) (GDM_BASE(_n) + 0x29c)
-#define REG_FE_GDM_TX_ETH_E64_CNT_H(_n) (GDM_BASE(_n) + 0x2b8)
-#define REG_FE_GDM_TX_ETH_L64_CNT_H(_n) (GDM_BASE(_n) + 0x2bc)
-#define REG_FE_GDM_TX_ETH_L127_CNT_H(_n) (GDM_BASE(_n) + 0x2c0)
-#define REG_FE_GDM_TX_ETH_L255_CNT_H(_n) (GDM_BASE(_n) + 0x2c4)
-#define REG_FE_GDM_TX_ETH_L511_CNT_H(_n) (GDM_BASE(_n) + 0x2c8)
-#define REG_FE_GDM_TX_ETH_L1023_CNT_H(_n) (GDM_BASE(_n) + 0x2cc)
-#define REG_FE_GDM_RX_ETH_E64_CNT_H(_n) (GDM_BASE(_n) + 0x2e8)
-#define REG_FE_GDM_RX_ETH_L64_CNT_H(_n) (GDM_BASE(_n) + 0x2ec)
-#define REG_FE_GDM_RX_ETH_L127_CNT_H(_n) (GDM_BASE(_n) + 0x2f0)
-#define REG_FE_GDM_RX_ETH_L255_CNT_H(_n) (GDM_BASE(_n) + 0x2f4)
-#define REG_FE_GDM_RX_ETH_L511_CNT_H(_n) (GDM_BASE(_n) + 0x2f8)
-#define REG_FE_GDM_RX_ETH_L1023_CNT_H(_n) (GDM_BASE(_n) + 0x2fc)
-
-#define REG_GDM2_CHN_RLS (GDM2_BASE + 0x20)
-#define MBI_RX_AGE_SEL_MASK GENMASK(26, 25)
-#define MBI_TX_AGE_SEL_MASK GENMASK(18, 17)
-
-#define REG_GDM3_FWD_CFG GDM3_BASE
-#define GDM3_PAD_EN_MASK BIT(28)
-
-#define REG_GDM4_FWD_CFG GDM4_BASE
-#define GDM4_PAD_EN_MASK BIT(28)
-#define GDM4_SPORT_OFFSET0_MASK GENMASK(11, 8)
-
-#define REG_GDM4_SRC_PORT_SET (GDM4_BASE + 0x23c)
-#define GDM4_SPORT_OFF2_MASK GENMASK(19, 16)
-#define GDM4_SPORT_OFF1_MASK GENMASK(15, 12)
-#define GDM4_SPORT_OFF0_MASK GENMASK(11, 8)
-
#define REG_IP_FRAG_FP 0x2010
#define IP_ASSEMBLE_PORT_MASK GENMASK(24, 21)
#define IP_ASSEMBLE_NBQ_MASK GENMASK(20, 16)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 873/957] net: airoha: Use gdm port enum value whenever possible
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (871 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 872/957] net: airoha: Remove code duplication in airoha_regs.h Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 874/957] net: airoha: Fix VIP configuration for AN7583 SoC Greg Kroah-Hartman
` (89 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 4d513329b87c1bd0546d9f0288794e244322daa6 ]
Use AIROHA_GDMx_IDX enum value whenever possible.
This patch is just cosmetic changes and does not introduce any logic one.
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260105-airoha-use-port-idx-enum-v1-1-503ca5763858@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1acdfbdb516b ("net: airoha: Fix VIP configuration for AN7583 SoC")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 40 +++++++++++++-----------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index 269ed7179e6c9..c5f509cd52e63 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -108,11 +108,11 @@ static int airoha_set_vip_for_gdm_port(struct airoha_gdm_port *port,
u32 vip_port;
switch (port->id) {
- case 3:
+ case AIROHA_GDM3_IDX:
/* FIXME: handle XSI_PCIE1_PORT */
vip_port = XSI_PCIE0_VIP_PORT_MASK;
break;
- case 4:
+ case AIROHA_GDM4_IDX:
/* FIXME: handle XSI_USB_PORT */
vip_port = XSI_ETH_VIP_PORT_MASK;
break;
@@ -516,8 +516,8 @@ static int airoha_fe_init(struct airoha_eth *eth)
FIELD_PREP(IP_ASSEMBLE_PORT_MASK, 0) |
FIELD_PREP(IP_ASSEMBLE_NBQ_MASK, 22));
- airoha_fe_set(eth, REG_GDM_FWD_CFG(3), GDM_PAD_EN_MASK);
- airoha_fe_set(eth, REG_GDM_FWD_CFG(4), GDM_PAD_EN_MASK);
+ airoha_fe_set(eth, REG_GDM_FWD_CFG(AIROHA_GDM3_IDX), GDM_PAD_EN_MASK);
+ airoha_fe_set(eth, REG_GDM_FWD_CFG(AIROHA_GDM4_IDX), GDM_PAD_EN_MASK);
airoha_fe_crsn_qsel_init(eth);
@@ -1815,27 +1815,29 @@ static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
/* Forward the traffic to the proper GDM port */
pse_port = port->id == AIROHA_GDM3_IDX ? FE_PSE_PORT_GDM3
: FE_PSE_PORT_GDM4;
- airoha_set_gdm_port_fwd_cfg(eth, REG_GDM_FWD_CFG(2), pse_port);
- airoha_fe_clear(eth, REG_GDM_FWD_CFG(2), GDM_STRIP_CRC_MASK);
+ airoha_set_gdm_port_fwd_cfg(eth, REG_GDM_FWD_CFG(AIROHA_GDM2_IDX),
+ pse_port);
+ airoha_fe_clear(eth, REG_GDM_FWD_CFG(AIROHA_GDM2_IDX),
+ GDM_STRIP_CRC_MASK);
/* Enable GDM2 loopback */
- airoha_fe_wr(eth, REG_GDM_TXCHN_EN(2), 0xffffffff);
- airoha_fe_wr(eth, REG_GDM_RXCHN_EN(2), 0xffff);
+ airoha_fe_wr(eth, REG_GDM_TXCHN_EN(AIROHA_GDM2_IDX), 0xffffffff);
+ airoha_fe_wr(eth, REG_GDM_RXCHN_EN(AIROHA_GDM2_IDX), 0xffff);
chan = port->id == AIROHA_GDM3_IDX ? airoha_is_7581(eth) ? 4 : 3 : 0;
- airoha_fe_rmw(eth, REG_GDM_LPBK_CFG(2),
+ airoha_fe_rmw(eth, REG_GDM_LPBK_CFG(AIROHA_GDM2_IDX),
LPBK_CHAN_MASK | LPBK_MODE_MASK | LPBK_EN_MASK,
FIELD_PREP(LPBK_CHAN_MASK, chan) |
LBK_GAP_MODE_MASK | LBK_LEN_MODE_MASK |
LBK_CHAN_MODE_MASK | LPBK_EN_MASK);
- airoha_fe_rmw(eth, REG_GDM_LEN_CFG(2),
+ airoha_fe_rmw(eth, REG_GDM_LEN_CFG(AIROHA_GDM2_IDX),
GDM_SHORT_LEN_MASK | GDM_LONG_LEN_MASK,
FIELD_PREP(GDM_SHORT_LEN_MASK, 60) |
FIELD_PREP(GDM_LONG_LEN_MASK, AIROHA_MAX_MTU));
/* Disable VIP and IFC for GDM2 */
- airoha_fe_clear(eth, REG_FE_VIP_PORT_EN, BIT(2));
- airoha_fe_clear(eth, REG_FE_IFC_PORT_EN, BIT(2));
+ airoha_fe_clear(eth, REG_FE_VIP_PORT_EN, BIT(AIROHA_GDM2_IDX));
+ airoha_fe_clear(eth, REG_FE_IFC_PORT_EN, BIT(AIROHA_GDM2_IDX));
/* XXX: handle XSI_USB_PORT and XSI_PCE1_PORT */
nbq = port->id == AIROHA_GDM3_IDX && airoha_is_7581(eth) ? 4 : 0;
@@ -1869,8 +1871,8 @@ static int airoha_dev_init(struct net_device *dev)
airoha_set_macaddr(port, dev->dev_addr);
switch (port->id) {
- case 3:
- case 4:
+ case AIROHA_GDM3_IDX:
+ case AIROHA_GDM4_IDX:
/* If GDM2 is active we can't enable loopback */
if (!eth->ports[1]) {
int err;
@@ -1880,7 +1882,7 @@ static int airoha_dev_init(struct net_device *dev)
return err;
}
fallthrough;
- case 2:
+ case AIROHA_GDM2_IDX:
if (airoha_ppe_is_enabled(eth, 1)) {
pse_port = FE_PSE_PORT_PPE2;
break;
@@ -3206,14 +3208,14 @@ static const char * const en7581_xsi_rsts_names[] = {
static int airoha_en7581_get_src_port_id(struct airoha_gdm_port *port, int nbq)
{
switch (port->id) {
- case 3:
+ case AIROHA_GDM3_IDX:
/* 7581 SoC supports PCIe serdes on GDM3 port */
if (nbq == 4)
return HSGMII_LAN_7581_PCIE0_SRCPORT;
if (nbq == 5)
return HSGMII_LAN_7581_PCIE1_SRCPORT;
break;
- case 4:
+ case AIROHA_GDM4_IDX:
/* 7581 SoC supports eth and usb serdes on GDM4 port */
if (!nbq)
return HSGMII_LAN_7581_ETH_SRCPORT;
@@ -3237,12 +3239,12 @@ static const char * const an7583_xsi_rsts_names[] = {
static int airoha_an7583_get_src_port_id(struct airoha_gdm_port *port, int nbq)
{
switch (port->id) {
- case 3:
+ case AIROHA_GDM3_IDX:
/* 7583 SoC supports eth serdes on GDM3 port */
if (!nbq)
return HSGMII_LAN_7583_ETH_SRCPORT;
break;
- case 4:
+ case AIROHA_GDM4_IDX:
/* 7583 SoC supports PCIe and USB serdes on GDM4 port */
if (!nbq)
return HSGMII_LAN_7583_PCIE_SRCPORT;
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 874/957] net: airoha: Fix VIP configuration for AN7583 SoC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (872 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 873/957] net: airoha: Use gdm port enum value whenever possible Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 875/957] net: mana: Fix use-after-free in reset service rescan path Greg Kroah-Hartman
` (88 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 1acdfbdb516b32165a8ecd1d5f8c68e4eac64637 ]
EN7581 and AN7583 SoCs have different VIP definitions. Introduce
get_vip_port callback in airoha_eth_soc_data struct in order to take
into account EN7581 and AN7583 VIP register layout and definition
differences.
Introduce nbq parameter in airoha_gdm_port struct. At the moment nbq
is set statically to value previously used in airhoha_set_gdm2_loopback
routine and it will be read from device tree in subsequent patches.
Fixes: e4e5ce823bdd ("net: airoha: Add AN7583 SoC support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260412-airoha-7583-vip-fix-v1-1-c35e02b054bb@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_eth.c | 66 ++++++++++++++++++------
drivers/net/ethernet/airoha/airoha_eth.h | 2 +
2 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
index c5f509cd52e63..27d62acfcc39c 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.c
+++ b/drivers/net/ethernet/airoha/airoha_eth.c
@@ -107,19 +107,7 @@ static int airoha_set_vip_for_gdm_port(struct airoha_gdm_port *port,
struct airoha_eth *eth = port->qdma->eth;
u32 vip_port;
- switch (port->id) {
- case AIROHA_GDM3_IDX:
- /* FIXME: handle XSI_PCIE1_PORT */
- vip_port = XSI_PCIE0_VIP_PORT_MASK;
- break;
- case AIROHA_GDM4_IDX:
- /* FIXME: handle XSI_USB_PORT */
- vip_port = XSI_ETH_VIP_PORT_MASK;
- break;
- default:
- return 0;
- }
-
+ vip_port = eth->soc->ops.get_vip_port(port, port->nbq);
if (enable) {
airoha_fe_set(eth, REG_FE_VIP_PORT_EN, vip_port);
airoha_fe_set(eth, REG_FE_IFC_PORT_EN, vip_port);
@@ -1809,7 +1797,7 @@ static int airoha_dev_set_macaddr(struct net_device *dev, void *p)
static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
{
struct airoha_eth *eth = port->qdma->eth;
- u32 val, pse_port, chan, nbq;
+ u32 val, pse_port, chan;
int src_port;
/* Forward the traffic to the proper GDM port */
@@ -1839,9 +1827,7 @@ static int airhoha_set_gdm2_loopback(struct airoha_gdm_port *port)
airoha_fe_clear(eth, REG_FE_VIP_PORT_EN, BIT(AIROHA_GDM2_IDX));
airoha_fe_clear(eth, REG_FE_IFC_PORT_EN, BIT(AIROHA_GDM2_IDX));
- /* XXX: handle XSI_USB_PORT and XSI_PCE1_PORT */
- nbq = port->id == AIROHA_GDM3_IDX && airoha_is_7581(eth) ? 4 : 0;
- src_port = eth->soc->ops.get_src_port_id(port, nbq);
+ src_port = eth->soc->ops.get_src_port_id(port, port->nbq);
if (src_port < 0)
return src_port;
@@ -3034,6 +3020,8 @@ static int airoha_alloc_gdm_port(struct airoha_eth *eth,
port->qdma = qdma;
port->dev = dev;
port->id = id;
+ /* XXX: Read nbq from DTS */
+ port->nbq = id == AIROHA_GDM3_IDX && airoha_is_7581(eth) ? 4 : 0;
eth->ports[p] = port;
return airoha_metadata_dst_alloc(port);
@@ -3229,6 +3217,28 @@ static int airoha_en7581_get_src_port_id(struct airoha_gdm_port *port, int nbq)
return -EINVAL;
}
+static u32 airoha_en7581_get_vip_port(struct airoha_gdm_port *port, int nbq)
+{
+ switch (port->id) {
+ case AIROHA_GDM3_IDX:
+ if (nbq == 4)
+ return XSI_PCIE0_VIP_PORT_MASK;
+ if (nbq == 5)
+ return XSI_PCIE1_VIP_PORT_MASK;
+ break;
+ case AIROHA_GDM4_IDX:
+ if (!nbq)
+ return XSI_ETH_VIP_PORT_MASK;
+ if (nbq == 1)
+ return XSI_USB_VIP_PORT_MASK;
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
static const char * const an7583_xsi_rsts_names[] = {
"xsi-mac",
"hsi0-mac",
@@ -3258,6 +3268,26 @@ static int airoha_an7583_get_src_port_id(struct airoha_gdm_port *port, int nbq)
return -EINVAL;
}
+static u32 airoha_an7583_get_vip_port(struct airoha_gdm_port *port, int nbq)
+{
+ switch (port->id) {
+ case AIROHA_GDM3_IDX:
+ if (!nbq)
+ return XSI_ETH_VIP_PORT_MASK;
+ break;
+ case AIROHA_GDM4_IDX:
+ if (!nbq)
+ return XSI_PCIE0_VIP_PORT_MASK;
+ if (nbq == 1)
+ return XSI_USB_VIP_PORT_MASK;
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
static const struct airoha_eth_soc_data en7581_soc_data = {
.version = 0x7581,
.xsi_rsts_names = en7581_xsi_rsts_names,
@@ -3265,6 +3295,7 @@ static const struct airoha_eth_soc_data en7581_soc_data = {
.num_ppe = 2,
.ops = {
.get_src_port_id = airoha_en7581_get_src_port_id,
+ .get_vip_port = airoha_en7581_get_vip_port,
},
};
@@ -3275,6 +3306,7 @@ static const struct airoha_eth_soc_data an7583_soc_data = {
.num_ppe = 1,
.ops = {
.get_src_port_id = airoha_an7583_get_src_port_id,
+ .get_vip_port = airoha_an7583_get_vip_port,
},
};
diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h
index 33277cc577990..57e8ddb30a9c5 100644
--- a/drivers/net/ethernet/airoha/airoha_eth.h
+++ b/drivers/net/ethernet/airoha/airoha_eth.h
@@ -536,6 +536,7 @@ struct airoha_gdm_port {
struct airoha_qdma *qdma;
struct net_device *dev;
int id;
+ int nbq;
struct airoha_hw_stats stats;
@@ -576,6 +577,7 @@ struct airoha_eth_soc_data {
int num_ppe;
struct {
int (*get_src_port_id)(struct airoha_gdm_port *port, int nbq);
+ u32 (*get_vip_port)(struct airoha_gdm_port *port, int nbq);
} ops;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 875/957] net: mana: Fix use-after-free in reset service rescan path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (873 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 874/957] net: airoha: Fix VIP configuration for AN7583 SoC Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 876/957] net: mana: Init gf_stats_work before potential error paths in probe Greg Kroah-Hartman
` (87 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Long Li, Dipayaan Roy,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dipayaan Roy <dipayanroy@linux.microsoft.com>
[ Upstream commit 3387a7ad478b46970ae8254049167d166e398aeb ]
When mana_serv_reset() encounters -ETIMEDOUT or -EPROTO from
mana_gd_resume(), it performs a PCI rescan via mana_serv_rescan().
mana_serv_rescan() calls pci_stop_and_remove_bus_device(), which can
invoke the driver's remove path and free the gdma_context associated
with the device. After returning, mana_serv_reset() currently jumps to
the out label and attempts to clear gc->in_service, dereferencing a
freed gdma_context.
The issue was observed with the following call logs:
[ 698.942636] BUG: unable to handle page fault for address: ff6c2b638088508d
[ 698.943121] #PF: supervisor write access in kernel mode
[ 698.943423] #PF: error_code(0x0002) - not-present page
[S[ 698.943793] Pat Dec 6 07:GD5 100000067 P4D 1002f7067 PUD 1002f8067 PMD 101bef067 PTE 0
0:56 2025] hv_[n e 698.944283] Oops: Oops: 0002 [#1] SMP NOPTI
tvsc f8615163-00[ 698.944611] CPU: 28 UID: 0 PID: 249 Comm: kworker/28:1
...
[Sat Dec 6 07:50:56 2025] R10: [ 699.121594] mana 7870:00:00.0 enP30832s1: Configured vPort 0 PD 18 DB 16
000000000000001b R11: 0000000000000000 R12: ff44cf3f40270000
[Sat Dec 6 07:50:56 2025] R13: 0000000000000001 R14: ff44cf3f402700c8 R15: ff44cf3f4021b405
[Sat Dec 6 07:50:56 2025] FS: 0000000000000000(0000) GS:ff44cf7e9fcf9000(0000) knlGS:0000000000000000
[Sat Dec 6 07:50:56 2025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Sat Dec 6 07:50:56 2025] CR2: ff6c2b638088508d CR3: 000000011fe43001 CR4: 0000000000b73ef0
[Sat Dec 6 07:50:56 2025] Call Trace:
[Sat Dec 6 07:50:56 2025] <TASK>
[Sat Dec 6 07:50:56 2025] mana_serv_func+0x24/0x50 [mana]
[Sat Dec 6 07:50:56 2025] process_one_work+0x190/0x350
[Sat Dec 6 07:50:56 2025] worker_thread+0x2b7/0x3d0
[Sat Dec 6 07:50:56 2025] kthread+0xf3/0x200
[Sat Dec 6 07:50:56 2025] ? __pfx_worker_thread+0x10/0x10
[Sat Dec 6 07:50:56 2025] ? __pfx_kthread+0x10/0x10
[Sat Dec 6 07:50:56 2025] ret_from_fork+0x21a/0x250
[Sat Dec 6 07:50:56 2025] ? __pfx_kthread+0x10/0x10
[Sat Dec 6 07:50:56 2025] ret_from_fork_asm+0x1a/0x30
[Sat Dec 6 07:50:56 2025] </TASK>
Fix this by returning immediately after mana_serv_rescan() to avoid
accessing GC state that may no longer be valid.
Fixes: 9bf66036d686 ("net: mana: Handle hardware recovery events when probing the device")
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Link: https://patch.msgid.link/20251218131054.GA3173@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/gdma_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index 0ad082b566f5e..45ee0774522a1 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -481,7 +481,7 @@ static void mana_serv_reset(struct pci_dev *pdev)
/* Perform PCI rescan on device if we failed on HWC */
dev_err(&pdev->dev, "MANA service: resume failed, rescanning\n");
mana_serv_rescan(pdev);
- goto out;
+ return;
}
if (ret)
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 876/957] net: mana: Init gf_stats_work before potential error paths in probe
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (874 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 875/957] net: mana: Fix use-after-free in reset service rescan path Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 877/957] sched/fair: Fix wakeup_preempt_fair() for not waking up task Greg Kroah-Hartman
` (86 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erni Sri Satya Vennela, Simon Horman,
Paolo Abeni, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
[ Upstream commit 6e8bc03349fe4f09567fa76235abf52bdaf83082 ]
Move INIT_DELAYED_WORK(gf_stats_work) to before mana_create_eq(),
while keeping schedule_delayed_work() at its original location.
Previously, if any function between mana_create_eq() and the
INIT_DELAYED_WORK call failed, mana_probe() would call mana_remove()
which unconditionally calls cancel_delayed_work_sync(gf_stats_work)
in __flush_work() or debug object warnings with
CONFIG_DEBUG_OBJECTS_WORK enabled.
Fixes: be4f1d67ec56 ("net: mana: Add standard counter rx_missed_errors")
Signed-off-by: Erni Sri Satya Vennela <ernis@linux.microsoft.com>
Link: https://patch.msgid.link/20260420124741.1056179-3-ernis@linux.microsoft.com
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/mana/mana_en.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 4b7e5acba7f76..d1eb77d540427 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3607,6 +3607,8 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
INIT_WORK(&ac->link_change_work, mana_link_state_handle);
}
+ INIT_DELAYED_WORK(&ac->gf_stats_work, mana_gf_stats_work_handler);
+
err = mana_create_eq(ac);
if (err) {
dev_err(dev, "Failed to create EQs: %d\n", err);
@@ -3680,7 +3682,6 @@ int mana_probe(struct gdma_dev *gd, bool resuming)
if (!err)
err = add_adev(gd, "eth");
- INIT_DELAYED_WORK(&ac->gf_stats_work, mana_gf_stats_work_handler);
schedule_delayed_work(&ac->gf_stats_work, MANA_GF_STATS_PERIOD);
out:
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 877/957] sched/fair: Fix wakeup_preempt_fair() for not waking up task
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (875 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 876/957] net: mana: Init gf_stats_work before potential error paths in probe Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 878/957] sched/fair: Revert force wakeup preemption Greg Kroah-Hartman
` (85 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Guittot,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Guittot <vincent.guittot@linaro.org>
[ Upstream commit 9f6d929ee2c6f0266edb564bcd2bd47fd6e884a8 ]
Make sure to only call pick_next_entity() on an non-empty cfs_rq.
The assumption that p is always enqueued and not delayed, is only true for
wakeup. If p was moved while delayed, pick_next_entity() will dequeue it and
the cfs might become empty. Test if there are still queued tasks before trying
again to determine if p could be the next one to be picked.
There are at least 2 cases:
When cfs becomes idle, it tries to pull tasks but if those pulled tasks are
delayed, they will be dequeued when attached to cfs. attach_tasks() ->
attach_task() -> wakeup_preempt(rq, p, 0);
A misfit task running on cfs A triggers a load balance to be pulled on a better
cpu, the load balance on cfs B starts an active load balance to pulled the
running misfit task. If there is a delayed dequeue task on cfs A, it can be
pulled instead of the previously running misfit task. attach_one_task() ->
attach_task() -> wakeup_preempt(rq, p, 0);
Fixes: ac8e69e69363 ("sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue")
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260503104503.1732682-1-vincent.guittot@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 565a96d6811e7..58f535cc64215 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -8985,9 +8985,10 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
/*
* Because p is enqueued, nse being null can only mean that we
- * dequeued a delayed task.
+ * dequeued a delayed task. If there are still entities queued in
+ * cfs, check if the next one will be p.
*/
- if (!nse)
+ if (!nse && cfs_rq->nr_queued)
goto pick;
if (sched_feat(RUN_TO_PARITY))
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 878/957] sched/fair: Revert force wakeup preemption
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (876 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 877/957] sched/fair: Fix wakeup_preempt_fair() for not waking up task Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 879/957] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
` (84 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Guittot,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Guittot <vincent.guittot@linaro.org>
[ Upstream commit 15257cc2f905dbf5813c0bfdd3c15885f28093c4 ]
This agressively bypasses run_to_parity and slice protection with the
assumpiton that this is what waker wants but there is no garantee that
the wakee will be the next to run. It is a better choice to use
yield_to_task or WF_SYNC in such case.
This increases the number of resched and preemption because a task becomes
quickly "ineligible" when it runs; We update the task vruntime periodically
and before the task exhausted its slice or at least quantum.
Example:
2 tasks A and B wake up simultaneously with lag = 0. Both are
eligible. Task A runs 1st and wakes up task C. Scheduler updates task
A's vruntime which becomes greater than average runtime as all others
have a lag == 0 and didn't run yet. Now task A is ineligible because
it received more runtime than the other task but it has not yet
exhausted its slice nor a min quantum. We force preemption, disable
protection but Task B will run 1st not task C.
Sidenote, DELAY_ZERO increases this effect by clearing positive lag at
wake up.
Fixes: e837456fdca8 ("sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals")
Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260123102858.52428-1-vincent.guittot@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 58f535cc64215..7e0e2044d840b 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -8943,16 +8943,6 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
if ((wake_flags & WF_FORK) || pse->sched_delayed)
return;
- /*
- * If @p potentially is completing work required by current then
- * consider preemption.
- *
- * Reschedule if waker is no longer eligible. */
- if (in_task() && !entity_eligible(cfs_rq, se)) {
- preempt_action = PREEMPT_WAKEUP_RESCHED;
- goto preempt;
- }
-
/* Prefer picking wakee soon if appropriate. */
if (sched_feat(NEXT_BUDDY) &&
set_preempt_buddy(cfs_rq, wake_flags, pse, se)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 879/957] crypto: af_alg - Cap AEAD AD length to 0x80000000
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (877 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 878/957] sched/fair: Revert force wakeup preemption Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 880/957] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
` (83 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yiming Qian, Herbert Xu
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream.
In order to prevent arithmetic overflows when checking the TX
buffer size, cap the associated data length to 0x80000000.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/af_alg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -586,6 +586,8 @@ static int af_alg_cmsg_send(struct msghd
if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32)))
return -EINVAL;
con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg);
+ if (con->aead_assoclen >= 0x80000000u)
+ return -EINVAL;
break;
default:
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 880/957] i40e: Cleanup PTP pins on probe failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (878 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 879/957] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 881/957] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Greg Kroah-Hartman
` (82 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Matt Vollrath,
Paul Menzel, Aleksandr Loktionov, Sunitha Mekala, Jacob Keller,
Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Vollrath <tactii@gmail.com>
commit 678b713ece1e853f11e670a84cb887c35e1381b7 upstream.
PTP pin structs are allocated early in probe, but never cleaned up.
Fix this by calling i40e_ptp_free_pins in the error path.
To support this, i40e_ptp_free_pins is added to the header and
pin_config is correctly nullified after being freed.
This has been an issue since i40e_ptp_alloc_pins was introduced.
Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock")
Reported-by: Kohei Enju <kohei@enjuk.jp>
Cc: stable@vger.kernel.org
Signed-off-by: Matt Vollrath <tactii@gmail.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Kohei Enju <kohei@enjuk.jp>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-2-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/i40e/i40e.h | 1 +
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -1314,6 +1314,7 @@ void i40e_ptp_restore_hw_time(struct i40
void i40e_ptp_init(struct i40e_pf *pf);
void i40e_ptp_stop(struct i40e_pf *pf);
int i40e_ptp_alloc_pins(struct i40e_pf *pf);
+void i40e_ptp_free_pins(struct i40e_pf *pf);
int i40e_update_adq_vsi_queues(struct i40e_vsi *vsi, int vsi_offset);
int i40e_is_vsi_uplink_mode_veb(struct i40e_vsi *vsi);
int i40e_get_partition_bw_setting(struct i40e_pf *pf);
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -16114,6 +16114,7 @@ err_vsis:
i40e_clear_interrupt_scheme(pf);
kfree(pf->vsi);
err_switch_setup:
+ i40e_ptp_free_pins(pf);
i40e_reset_interrupt_capability(pf);
timer_shutdown_sync(&pf->service_timer);
err_mac_addr:
--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
@@ -940,12 +940,13 @@ int i40e_ptp_hwtstamp_get(struct net_dev
*
* Release memory allocated for PTP pins.
**/
-static void i40e_ptp_free_pins(struct i40e_pf *pf)
+void i40e_ptp_free_pins(struct i40e_pf *pf)
{
if (i40e_is_ptp_pin_dev(&pf->hw)) {
kfree(pf->ptp_pins);
kfree(pf->ptp_caps.pin_config);
pf->ptp_pins = NULL;
+ pf->ptp_caps.pin_config = NULL;
}
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 881/957] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (879 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 880/957] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 882/957] net: ena: PHC: Fix potential use-after-free in get_timestamp Greg Kroah-Hartman
` (81 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Breno Leitao, Tejun Heo
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 0143033dc22cdff912cfc13419f5db92fea3b4cb upstream.
For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
failure it returns the error directly, bypassing the enomem: label
which holds the only free_percpu(wq->cpu_pwq) in this function.
The caller's error path kfree()s wq without touching wq->cpu_pwq,
leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
failed call.
If kmemleak is enabled, we can see:
unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
comm "insmod", pid 776, jiffies 4294682844
backtrace (crc 0):
pcpu_alloc_noprof+0x665/0xac0
__alloc_workqueue+0x33f/0xa20
alloc_workqueue_noprof+0x60/0x100
Route the error through the existing enomem: cleanup and any error
before this one.
Cc: stable@kernel.org
Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/workqueue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -5619,7 +5619,9 @@ static int alloc_and_link_pwqs(struct wo
ret = apply_workqueue_attrs_locked(wq, unbound_std_wq_attrs[highpri]);
}
- return ret;
+ if (ret)
+ goto enomem;
+ return 0;
enomem:
if (wq->cpu_pwq) {
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 882/957] net: ena: PHC: Fix potential use-after-free in get_timestamp
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (880 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 881/957] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 883/957] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
` (80 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arthur Kiyanovski, Vadim Fedorenko,
Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arthur Kiyanovski <akiyano@amazon.com>
commit e42c755582f0960e684298762f0ab927b3778376 upstream.
Move the phc->active check and resp pointer assignment to after
acquiring the spinlock. Previously, phc->active was checked without
holding the lock, and resp was cached from ena_dev->phc.virt_addr
before the lock was acquired.
If ena_com_phc_destroy() runs between the lockless active check and
the lock acquisition, it sets active=false, releases the lock, frees
the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
then read a NULL virt_addr and dereference it.
With both the active check and the pointer read under the lock,
destroy cannot free the memory while get_timestamp is using it.
Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
Cc: stable@vger.kernel.org
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260508062126.7273-1-akiyano@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/amazon/ena/ena_com.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
index e67b592e5697..8c86789d867a 100644
--- a/drivers/net/ethernet/amazon/ena/ena_com.c
+++ b/drivers/net/ethernet/amazon/ena/ena_com.c
@@ -1782,20 +1782,23 @@ void ena_com_phc_destroy(struct ena_com_dev *ena_dev)
int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp)
{
- volatile struct ena_admin_phc_resp *resp = ena_dev->phc.virt_addr;
const ktime_t zero_system_time = ktime_set(0, 0);
struct ena_com_phc_info *phc = &ena_dev->phc;
+ volatile struct ena_admin_phc_resp *resp;
ktime_t expire_time;
ktime_t block_time;
unsigned long flags = 0;
int ret = 0;
+ spin_lock_irqsave(&phc->lock, flags);
+
if (!phc->active) {
+ spin_unlock_irqrestore(&phc->lock, flags);
netdev_err(ena_dev->net_device, "PHC feature is not active in the device\n");
return -EOPNOTSUPP;
}
- spin_lock_irqsave(&phc->lock, flags);
+ resp = ena_dev->phc.virt_addr;
/* Check if PHC is in blocked state */
if (unlikely(ktime_compare(phc->system_time, zero_system_time))) {
--
2.54.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 883/957] netfilter: nf_conntrack_sip: get helper before allocating expectation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (881 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 882/957] net: ena: PHC: Fix potential use-after-free in get_timestamp Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 884/957] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
` (79 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiasong, Pablo Neira Ayuso
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
commit eb6317739b1ea3ab28791e1f91b24781905fa815 upstream.
process_register_request() allocates an expectation and then checks
whether a conntrack helper is available. If helper lookup fails, the
function returns early and the allocated expectation is left behind.
Reorder the code to fetch and validate helper before calling
nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
path while preserving existing behavior.
Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_conntrack_sip.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1367,6 +1367,10 @@ static int process_register_request(stru
goto store_cseq;
}
+ helper = rcu_dereference(nfct_help(ct)->helper);
+ if (!helper)
+ return NF_DROP;
+
exp = nf_ct_expect_alloc(ct);
if (!exp) {
nf_ct_helper_log(skb, ct, "cannot alloc expectation");
@@ -1377,10 +1381,6 @@ static int process_register_request(stru
if (sip_direct_signalling)
saddr = &ct->tuplehash[!dir].tuple.src.u3;
- helper = rcu_dereference(nfct_help(ct)->helper);
- if (!helper)
- return NF_DROP;
-
nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
saddr, &daddr, proto, NULL, &port);
exp->timeout.expires = sip_timeout * HZ;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 884/957] audit: fix incorrect inheritable capability in CAPSET records
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (882 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 883/957] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 885/957] net: ena: PHC: Check return code before setting timestamp output Greg Kroah-Hartman
` (78 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Robaina, Sergio Correia,
Paul Moore
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Correia <scorreia@redhat.com>
commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream.
__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit
record therefore reports cap_pi (process inheritable) with the value
of cap_effective instead of cap_inheritable.
This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to
prepare for a privilege-escalating exec would have the change masked
in the audit trail.
The bug has been present since the original introduction of CAPSET
audit records in 2008.
Cc: stable@vger.kernel.org
Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2814,7 +2814,7 @@ void __audit_log_capset(const struct cre
context->capset.pid = task_tgid_nr(current);
context->capset.cap.effective = new->cap_effective;
- context->capset.cap.inheritable = new->cap_effective;
+ context->capset.cap.inheritable = new->cap_inheritable;
context->capset.cap.permitted = new->cap_permitted;
context->capset.cap.ambient = new->cap_ambient;
context->type = AUDIT_CAPSET;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 885/957] net: ena: PHC: Check return code before setting timestamp output
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (883 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 884/957] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 886/957] cgroup/dmem: Return -ENOMEM on failed pool preallocation Greg Kroah-Hartman
` (77 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arthur Kiyanovski, Vadim Fedorenko,
Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arthur Kiyanovski <akiyano@amazon.com>
commit 24a08d7d6218d60c033015cf4870b6096446e734 upstream.
ena_phc_gettimex64() is setting the output parameter regardless
of whether ena_com_phc_get_timestamp() succeeded or failed.
When ena_com_phc_get_timestamp() returns an error, the timestamp
parameter may contain uninitialized stack memory (e.g., when PHC is
disabled or in blocked state) or invalid hardware values. Passing
these to userspace via the PTP ioctl is both a security issue
(information leak) and a correctness bug.
Fix by checking the return code after releasing the lock and only
setting the output timestamp on success.
Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
Cc: stable@vger.kernel.org
Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20260507003518.22554-1-akiyano@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/amazon/ena/ena_phc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/amazon/ena/ena_phc.c b/drivers/net/ethernet/amazon/ena/ena_phc.c
index 7867e893fd15..c2a3ff1ef645 100644
--- a/drivers/net/ethernet/amazon/ena/ena_phc.c
+++ b/drivers/net/ethernet/amazon/ena/ena_phc.c
@@ -46,9 +46,12 @@ static int ena_phc_gettimex64(struct ptp_clock_info *clock_info,
spin_unlock_irqrestore(&phc_info->lock, flags);
+ if (rc)
+ return rc;
+
*ts = ns_to_timespec64(timestamp_nsec);
- return rc;
+ return 0;
}
static int ena_phc_settime64(struct ptp_clock_info *clock_info,
--
2.54.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 886/957] cgroup/dmem: Return -ENOMEM on failed pool preallocation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (884 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 885/957] net: ena: PHC: Check return code before setting timestamp output Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 887/957] idpf: fix double free and use-after-free in aux device error paths Greg Kroah-Hartman
` (76 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guopeng Zhang, Tejun Heo
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guopeng Zhang <zhangguopeng@kylinos.cn>
commit 796ad622040f7f955ccc3973085e953415920496 upstream.
get_cg_pool_unlocked() handles allocation failures under dmemcg_lock by
dropping the lock, preallocating a pool with GFP_KERNEL, and retrying the
locked lookup and creation path.
If the fallback allocation fails too, pool remains NULL. Since the loop
condition is while (!pool), the function can keep retrying instead of
propagating the allocation failure to the caller.
Set pool to ERR_PTR(-ENOMEM) when the fallback allocation fails so the
loop exits through the existing common return path. The callers already
handle ERR_PTR() from get_cg_pool_unlocked(), so this restores the
expected error path.
Fixes: b168ed458dde ("kernel/cgroup: Add "dmem" memory accounting cgroup")
Cc: stable@vger.kernel.org # v6.14+
Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/cgroup/dmem.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/cgroup/dmem.c
+++ b/kernel/cgroup/dmem.c
@@ -602,6 +602,7 @@ get_cg_pool_unlocked(struct dmemcg_state
pool = NULL;
continue;
}
+ pool = ERR_PTR(-ENOMEM);
}
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 887/957] idpf: fix double free and use-after-free in aux device error paths
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (885 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 886/957] cgroup/dmem: Return -ENOMEM on failed pool preallocation Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 888/957] Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" Greg Kroah-Hartman
` (75 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Nguyen, Przemek Kitszel,
Andrew Lunn, stable, Aleksandr Loktionov, Paul Menzel,
Jacob Keller, Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6c77b9510829a424d1b74409b7db9456e3522871 upstream.
When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or
idpf_plug_core_aux_dev(), the err_aux_dev_add label calls
auxiliary_device_uninit() and falls through to err_aux_dev_init. The
uninit call will trigger put_device(), which invokes the release
callback (idpf_vport_adev_release / idpf_core_adev_release) that frees
iadev. The fall-through then reads adev->id from the freed iadev for
ida_free() and double-frees iadev with kfree().
Free the IDA slot and clear the back-pointer before uninit, while adev
is still valid, then return immediately.
Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization")
fixed the same use-after-free in the matching unplug path in this file but
missed both probe error paths.
Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: stable@kernel.org
Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-4-a5ea4dc837a9@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
index 7e4f4ac92653..b7d6b08fc89e 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
@@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struct iidc_rdma_core_dev_info *cdev_info,
return 0;
err_aux_dev_add:
+ ida_free(&idpf_idc_ida, adev->id);
+ vdev_info->adev = NULL;
auxiliary_device_uninit(adev);
+ return ret;
err_aux_dev_init:
ida_free(&idpf_idc_ida, adev->id);
err_ida_alloc:
@@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct iidc_rdma_core_dev_info *cdev_info)
return 0;
err_aux_dev_add:
+ ida_free(&idpf_idc_ida, adev->id);
+ cdev_info->adev = NULL;
auxiliary_device_uninit(adev);
+ return ret;
err_aux_dev_init:
ida_free(&idpf_idc_ida, adev->id);
err_ida_alloc:
--
2.54.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 888/957] Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (886 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 887/957] idpf: fix double free and use-after-free in aux device error paths Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 889/957] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
` (74 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kim Phillips, Mario Limonciello,
Rafael J. Wysocki
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit db5dadb562cabb6da49959b473ed0d9645b6f2da upstream.
Some older systems don't support CPPC in the firmware and this just makes
noise for them when booting. Drop back to debug.
This reverts commit 21fb59ab4b9767085f4fe1edbdbe3177fbb9ec97.
Fixes: 21fb59ab4b976 ("ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn")
Suggested-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Tested-by: Kim Phillips <kim.phillips@amd.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260504230141.484743-2-mario.limonciello@amd.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/acpi/cppc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/acpi/cppc.c
+++ b/arch/x86/kernel/acpi/cppc.c
@@ -88,19 +88,19 @@ static void amd_set_max_freq_ratio(void)
rc = cppc_get_perf_caps(0, &perf_caps);
if (rc) {
- pr_warn("Could not retrieve perf counters (%d)\n", rc);
+ pr_debug("Could not retrieve perf counters (%d)\n", rc);
return;
}
rc = amd_get_boost_ratio_numerator(0, &numerator);
if (rc) {
- pr_warn("Could not retrieve highest performance (%d)\n", rc);
+ pr_debug("Could not retrieve highest performance (%d)\n", rc);
return;
}
nominal_perf = perf_caps.nominal_perf;
if (!nominal_perf) {
- pr_warn("Could not retrieve nominal performance\n");
+ pr_debug("Could not retrieve nominal performance\n");
return;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 889/957] netfilter: nft_ct: fix missing expect put in obj eval
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (887 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 888/957] Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 890/957] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
` (73 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Xiasong, Pablo Neira Ayuso
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
nft_ct_expect_obj_eval() allocates an expectation and may call
nf_ct_expect_related(), but never drops its local reference.
Add nf_ct_expect_put(exp) before return to balance allocation.
Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_ct.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1382,6 +1382,8 @@ static void nft_ct_expect_obj_eval(struc
if (nf_ct_expect_related(exp, 0) != 0)
regs->verdict.code = NF_DROP;
+
+ nf_ct_expect_put(exp);
}
static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 890/957] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (888 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 889/957] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 891/957] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
` (72 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zoran Ilievski, Sukhdeep Singh,
Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zoran Ilievski <goodboy@rexbytes.com>
commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
The shutdown handler aq_pci_shutdown() unconditionally calls
pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
wake-on-LAN has been configured. While aq_nic_shutdown() correctly
programs the NIC firmware via aq_nic_set_power() to listen for magic
packets, the PCI subsystem will not propagate the resulting PME wake
event from D3, so the system never wakes after poweroff.
WOL from suspend (S3) is unaffected because aq_suspend_common() does
not touch pci_wake_from_d3() and relies on the PM core's wake
configuration via device_may_wakeup().
This affects all atlantic-supported NICs (AQC107/108/111/112/113);
users have reported that WOL works if the atlantic driver is never
loaded, but breaks once it has run its shutdown path.
Pass the configured WOL state to pci_wake_from_d3() instead of a
literal false, so the PCI PME_En bit is preserved when the user has
armed WOL via ethtool.
Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
Cc: stable@vger.kernel.org
Signed-off-by: Zoran Ilievski <goodboy@rexbytes.com>
Reviewed-by: Sukhdeep Singh <sukhdeeps@marvell.com>
Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
@@ -371,7 +371,7 @@ static void aq_pci_shutdown(struct pci_d
pci_disable_device(pdev);
if (system_state == SYSTEM_POWER_OFF) {
- pci_wake_from_d3(pdev, false);
+ pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
pci_set_power_state(pdev, PCI_D3hot);
}
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 891/957] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (889 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 890/957] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 892/957] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
` (71 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Robaina, Sergio Correia,
Paul Moore
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergio Correia <scorreia@redhat.com>
commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream.
AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED
and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This
allows a process with CAP_AUDIT_CONTROL to modify directory tree
watches and equivalence mappings even when the audit configuration
has been locked, undermining the purpose of the lock.
Add AUDIT_LOCKED checks to both commands.
Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/audit.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1462,6 +1462,8 @@ static int audit_receive_msg(struct sk_b
err = audit_list_rules_send(skb, seq);
break;
case AUDIT_TRIM:
+ if (audit_enabled == AUDIT_LOCKED)
+ return -EPERM;
audit_trim_trees();
audit_log_common_recv_msg(audit_context(), &ab,
AUDIT_CONFIG_CHANGE);
@@ -1474,6 +1476,8 @@ static int audit_receive_msg(struct sk_b
size_t msglen = data_len;
char *old, *new;
+ if (audit_enabled == AUDIT_LOCKED)
+ return -EPERM;
err = -EINVAL;
if (msglen < 2 * sizeof(u32))
break;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 892/957] KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (890 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 891/957] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 893/957] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
` (70 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aaron Sacks, Paolo Bonzini
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Sacks <contact@xchglabs.com>
commit 577a8d3bae0531f0e5ccfac919cd8192f920a804 upstream.
kvm_reset_dirty_gfn() guards the gfn range with
if (!memslot || (offset + __fls(mask)) >= memslot->npages)
return;
but offset is u64 and the addition is unchecked. The check can be
silently bypassed by a u64 wrap.
The dirty ring backing those entries is MAP_SHARED at
KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the
slot and offset fields of any entry between when the kernel pushes
them and when KVM_RESET_DIRTY_RINGS consumes them. On reset,
kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds
them straight back into this check; only the flags handshake is
treated as the handover, the slot/offset payload is taken on trust.
Crafting two entries
entry[i].offset = 0xffffffffffffffc1
entry[i+1].offset = 0
makes the coalescing loop in kvm_dirty_ring_reset() compute
delta = (s64)(0 - 0xffffffffffffffc1) = 63
which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the
existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn()
call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;
the sum is 0 in u64 and the bounds check passes.
That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()
unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() ==
true, i.e. shadow paging, any VM that has allocated shadow roots, or
a write-tracked slot -- it reaches gfn_to_rmap(), which indexes
slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an
out-of-bounds load of a kvm_rmap_head, followed by a conditional
clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.
The path is reachable from any process holding /dev/kvm.
Range-check offset on its own first, so the addition cannot wrap.
memslot->npages is bounded well below U64_MAX, so once offset <
npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG)
stays in range.
Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking")
Cc: stable@vger.kernel.org
Signed-off-by: Aaron Sacks <contact@xchglabs.com>
Link: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/dirty_ring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/virt/kvm/dirty_ring.c
+++ b/virt/kvm/dirty_ring.c
@@ -63,7 +63,8 @@ static void kvm_reset_dirty_gfn(struct k
memslot = id_to_memslot(__kvm_memslots(kvm, as_id), id);
- if (!memslot || (offset + __fls(mask)) >= memslot->npages)
+ if (!memslot || offset >= memslot->npages ||
+ offset + __fls(mask) >= memslot->npages)
return;
KVM_MMU_LOCK(kvm);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 893/957] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (891 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 892/957] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 894/957] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
` (69 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Christian Borntraeger, Matthew Rosato
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 16d990a15491cf76cd6eef0846e1b4100e63261a upstream.
kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
aen_host_forward() index the GAIT by manually multiplying the index
with sizeof(struct zpci_gaite).
Since aift->gait is already a struct zpci_gaite pointer, this
double-scales the offset, accessing element aisb*16 instead of aisb.
This causes out-of-bounds accesses when aisb >= 32 (with
ZPCI_NR_DEVICES=512)
Fix by removing the erroneous sizeof multiplication.
Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
Fixes: 73f91b004321 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kvm/interrupt.c | 3 +--
arch/s390/kvm/pci.c | 6 ++----
2 files changed, 3 insertions(+), 6 deletions(-)
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -3334,8 +3334,7 @@ static void aen_host_forward(unsigned lo
struct zpci_gaite *gaite;
struct kvm *kvm;
- gaite = (struct zpci_gaite *)aift->gait +
- (si * sizeof(struct zpci_gaite));
+ gaite = aift->gait + si;
if (gaite->count == 0)
return;
if (gaite->aisb != 0)
--- a/arch/s390/kvm/pci.c
+++ b/arch/s390/kvm/pci.c
@@ -291,8 +291,7 @@ static int kvm_s390_pci_aif_enable(struc
phys_to_virt(fib->fmt0.aibv));
spin_lock_irq(&aift->gait_lock);
- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
- sizeof(struct zpci_gaite));
+ gaite = aift->gait + zdev->aisb;
/* If assist not requested, host will get all alerts */
if (assist)
@@ -358,8 +357,7 @@ static int kvm_s390_pci_aif_disable(stru
if (zdev->kzdev->fib.fmt0.aibv == 0)
goto out;
spin_lock_irq(&aift->gait_lock);
- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb *
- sizeof(struct zpci_gaite));
+ gaite = aift->gait + zdev->aisb;
isc = gaite->gisc;
gaite->count--;
if (gaite->count == 0) {
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 894/957] KVM: x86: Fix Xen hypercall tracepoint argument assignment
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (892 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 893/957] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 895/957] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
` (68 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Paolo Bonzini
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 2b72f1674e427c56e3772c5ccf785fdda2138820 upstream.
TRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry->a4 instead of
__entry->a5.
That overwrites the recorded a4 argument and leaves a5 unset in the
trace entry. Fix the typo so both arguments are captured correctly.
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Link: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/trace.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -154,7 +154,7 @@ TRACE_EVENT(kvm_xen_hypercall,
__entry->a2 = a2;
__entry->a3 = a3;
__entry->a4 = a4;
- __entry->a4 = a5;
+ __entry->a5 = a5;
),
TP_printk("cpl %d nr 0x%lx a0 0x%lx a1 0x%lx a2 0x%lx a3 0x%lx a4 0x%lx a5 %lx",
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 895/957] HID: pass the buffer size to hid_report_raw_event
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (893 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 894/957] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 896/957] HID: core: introduce hid_safe_input_report() Greg Kroah-Hartman
` (67 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Johan Hovold,
Jiri Kosina, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ]
commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
bogus memset()") enforced the provided data to be at least the size of
the declared buffer in the report descriptor to prevent a buffer
overflow. However, we can try to be smarter by providing both the buffer
size and the data size, meaning that hid_report_raw_event() can make
better decision whether we should plaining reject the buffer (buffer
overflow attempt) or if we can safely memset it to 0 and pass it to the
rest of the stack.
Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/bpf/hid_bpf_dispatch.c | 6 +++--
drivers/hid/hid-core.c | 42 ++++++++++++++++++++----------
drivers/hid/hid-gfrm.c | 4 +--
drivers/hid/hid-logitech-hidpp.c | 2 +-
drivers/hid/hid-multitouch.c | 2 +-
drivers/hid/hid-primax.c | 2 +-
drivers/hid/hid-vivaldi-common.c | 2 +-
drivers/hid/wacom_sys.c | 6 ++---
drivers/staging/greybus/hid.c | 2 +-
include/linux/hid.h | 4 +--
include/linux/hid_bpf.h | 14 ++++++----
11 files changed, 53 insertions(+), 33 deletions(-)
diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index cf465a5fe43af..eb9f40c988d02 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -24,7 +24,8 @@ EXPORT_SYMBOL(hid_ops);
u8 *
dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data,
- u32 *size, int interrupt, u64 source, bool from_bpf)
+ size_t *buf_size, u32 *size, int interrupt, u64 source,
+ bool from_bpf)
{
struct hid_bpf_ctx_kern ctx_kern = {
.ctx = {
@@ -74,6 +75,7 @@ dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type
*size = ret;
}
+ *buf_size = ctx_kern.ctx.allocated_size;
return ctx_kern.data;
}
EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event);
@@ -508,7 +510,7 @@ __hid_bpf_input_report(struct hid_bpf_ctx *ctx, enum hid_report_type type, u8 *b
if (ret)
return ret;
- return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true,
+ return hid_ops->hid_input_report(ctx->hid, type, buf, size, size, 0, (u64)(long)ctx, true,
lock_already_taken);
}
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 8be4e06af4636..9e8eb727c6c98 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2029,24 +2029,32 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
}
EXPORT_SYMBOL_GPL(__hid_request);
-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
- int interrupt)
+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
+ size_t bufsize, u32 size, int interrupt)
{
struct hid_report_enum *report_enum = hid->report_enum + type;
struct hid_report *report;
struct hid_driver *hdrv;
int max_buffer_size = HID_MAX_BUFFER_SIZE;
u32 rsize, csize = size;
+ size_t bsize = bufsize;
u8 *cdata = data;
int ret = 0;
report = hid_get_report(report_enum, data);
if (!report)
- goto out;
+ return 0;
+
+ if (unlikely(bsize < csize)) {
+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+ report->id, csize, bsize);
+ return -EINVAL;
+ }
if (report_enum->numbered) {
cdata++;
csize--;
+ bsize--;
}
rsize = hid_compute_report_size(report);
@@ -2059,11 +2067,16 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
else if (rsize > max_buffer_size)
rsize = max_buffer_size;
+ if (bsize < rsize) {
+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+ report->id, rsize, bsize);
+ return -EINVAL;
+ }
+
if (csize < rsize) {
- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %d)\n",
- report->id, rsize, csize);
- ret = -EINVAL;
- goto out;
+ dbg_hid("report %d is too short, (%d < %d)\n", report->id,
+ csize, rsize);
+ memset(cdata + csize, 0, rsize - csize);
}
if ((hid->claimed & HID_CLAIMED_HIDDEV) && hid->hiddev_report_event)
@@ -2071,7 +2084,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
if (hid->claimed & HID_CLAIMED_HIDRAW) {
ret = hidraw_report_event(hid, data, size);
if (ret)
- goto out;
+ return ret;
}
if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
@@ -2083,15 +2096,15 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
if (hid->claimed & HID_CLAIMED_INPUT)
hidinput_report_event(hid, report);
-out:
+
return ret;
}
EXPORT_SYMBOL_GPL(hid_report_raw_event);
static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
- bool lock_already_taken)
+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
+ bool from_bpf, bool lock_already_taken)
{
struct hid_report_enum *report_enum;
struct hid_driver *hdrv;
@@ -2116,7 +2129,8 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
report_enum = hid->report_enum + type;
hdrv = hid->driver;
- data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt, source, from_bpf);
+ data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt,
+ source, from_bpf);
if (IS_ERR(data)) {
ret = PTR_ERR(data);
goto unlock;
@@ -2145,7 +2159,7 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
goto unlock;
}
- ret = hid_report_raw_event(hid, type, data, size, interrupt);
+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
unlock:
if (!lock_already_taken)
@@ -2167,7 +2181,7 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
int interrupt)
{
- return __hid_input_report(hid, type, data, size, interrupt, 0,
+ return __hid_input_report(hid, type, data, size, size, interrupt, 0,
false, /* from_bpf */
false /* lock_already_taken */);
}
diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c
index 699186ff2349e..d2a56bf92b416 100644
--- a/drivers/hid/hid-gfrm.c
+++ b/drivers/hid/hid-gfrm.c
@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
switch (data[1]) {
case GFRM100_SEARCH_KEY_DOWN:
ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
- sizeof(search_key_dn), 1);
+ sizeof(search_key_dn), sizeof(search_key_dn), 1);
break;
case GFRM100_SEARCH_KEY_AUDIO_DATA:
@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
case GFRM100_SEARCH_KEY_UP:
ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
- sizeof(search_key_up), 1);
+ sizeof(search_key_up), sizeof(search_key_up), 1);
break;
default:
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index faef80cb2adbd..2eb67d0caebb2 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -3664,7 +3664,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp,
memcpy(&consumer_report[1], &data[3], 4);
/* We are called from atomic context */
hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
- consumer_report, 5, 1);
+ consumer_report, sizeof(consumer_report), 5, 1);
return 1;
}
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 21bfaf9bbd733..a543d48221070 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -531,7 +531,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
}
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
- size, 0);
+ size, size, 0);
if (ret)
dev_warn(&hdev->dev, "failed to report feature\n");
}
diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c
index e44d79dff8de6..8db054280afbc 100644
--- a/drivers/hid/hid-primax.c
+++ b/drivers/hid/hid-primax.c
@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report,
data[0] |= (1 << (data[idx] - 0xE0));
data[idx] = 0;
}
- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
return 1;
default: /* unknown report */
diff --git a/drivers/hid/hid-vivaldi-common.c b/drivers/hid/hid-vivaldi-common.c
index bf734055d4b69..b12bb5cc091aa 100644
--- a/drivers/hid/hid-vivaldi-common.c
+++ b/drivers/hid/hid-vivaldi-common.c
@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_device *hdev,
}
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
- report_len, 0);
+ report_len, report_len, 0);
if (ret) {
dev_warn(&hdev->dev, "failed to report feature %d\n",
field->report->id);
diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 9a57504e51a19..a448cfcca4c47 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -90,7 +90,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
kfree(buf);
continue;
}
- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
if (err) {
hid_warn(hdev, "%s: unable to flush event due to error %d\n",
__func__, err);
@@ -334,7 +334,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
data, n, WAC_CMD_RETRIES);
if (ret == n && features->type == HID_GENERIC) {
ret = hid_report_raw_event(hdev,
- HID_FEATURE_REPORT, data, n, 0);
+ HID_FEATURE_REPORT, data, n, n, 0);
} else if (ret == 2 && features->type != HID_GENERIC) {
features->touch_max = data[1];
} else {
@@ -395,7 +395,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
data, n, WAC_CMD_RETRIES);
if (ret == n) {
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
- data, n, 0);
+ data, n, n, 0);
} else {
hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
__func__);
diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index 63c77a3df5911..afa78c96ede89 100644
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report)
* we just need to setup the input fields, so using
* hid_report_raw_event is safe.
*/
- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
}
static void gb_hid_init_reports(struct gb_hid *ghid)
diff --git a/include/linux/hid.h b/include/linux/hid.h
index a4ddb94e3ee56..d29efcf2e0789 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1258,8 +1258,8 @@ static inline u32 hid_report_len(struct hid_report *report)
return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
}
-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
- int interrupt);
+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
+ size_t bufsize, u32 size, int interrupt);
/* HID quirks API */
unsigned long hid_lookup_quirk(const struct hid_device *hdev);
diff --git a/include/linux/hid_bpf.h b/include/linux/hid_bpf.h
index a2e47dbcf82c8..19fffa4574a47 100644
--- a/include/linux/hid_bpf.h
+++ b/include/linux/hid_bpf.h
@@ -72,8 +72,8 @@ struct hid_ops {
int (*hid_hw_output_report)(struct hid_device *hdev, __u8 *buf, size_t len,
u64 source, bool from_bpf);
int (*hid_input_report)(struct hid_device *hid, enum hid_report_type type,
- u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
- bool lock_already_taken);
+ u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
+ bool from_bpf, bool lock_already_taken);
struct module *owner;
const struct bus_type *bus_type;
};
@@ -200,7 +200,8 @@ struct hid_bpf {
#ifdef CONFIG_HID_BPF
u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
- u32 *size, int interrupt, u64 source, bool from_bpf);
+ size_t *buf_size, u32 *size, int interrupt, u64 source,
+ bool from_bpf);
int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
unsigned char reportnum, __u8 *buf,
u32 size, enum hid_report_type rtype,
@@ -215,8 +216,11 @@ int hid_bpf_device_init(struct hid_device *hid);
const u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size);
#else /* CONFIG_HID_BPF */
static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type,
- u8 *data, u32 *size, int interrupt,
- u64 source, bool from_bpf) { return data; }
+ u8 *data, size_t *buf_size, u32 *size,
+ int interrupt, u64 source, bool from_bpf)
+{
+ return data;
+}
static inline int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
unsigned char reportnum, u8 *buf,
u32 size, enum hid_report_type rtype,
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 896/957] HID: core: introduce hid_safe_input_report()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (894 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 895/957] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
@ 2026-05-20 16:22 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 897/957] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
` (66 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:22 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Jiri Kosina,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
[ Upstream commit 206342541fc887ae919774a43942dc883161fece ]
hid_input_report() is used in too many places to have a commit that
doesn't cross subsystem borders. Instead of changing the API, introduce
a new one when things matters in the transport layers:
- usbhid
- i2chid
This effectively revert to the old behavior for those two transport
layers.
Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-core.c | 25 +++++++++++++++++++++++++
drivers/hid/i2c-hid/i2c-hid-core.c | 7 ++++---
drivers/hid/usbhid/hid-core.c | 11 ++++++-----
include/linux/hid.h | 2 ++
4 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 9e8eb727c6c98..e67ea3a7d1395 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2177,6 +2177,7 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
* @interrupt: distinguish between interrupt and control transfers
*
* This is data entry for lower layers.
+ * Legacy, please use hid_safe_input_report() instead.
*/
int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
int interrupt)
@@ -2187,6 +2188,30 @@ int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data
}
EXPORT_SYMBOL_GPL(hid_input_report);
+/**
+ * hid_safe_input_report - report data from lower layer (usb, bt...)
+ *
+ * @hid: hid device
+ * @type: HID report type (HID_*_REPORT)
+ * @data: report contents
+ * @bufsize: allocated size of the data buffer
+ * @size: useful size of data parameter
+ * @interrupt: distinguish between interrupt and control transfers
+ *
+ * This is data entry for lower layers.
+ * Please use this function instead of the non safe version because we provide
+ * here the size of the buffer, allowing hid-core to make smarter decisions
+ * regarding the incoming buffer.
+ */
+int hid_safe_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data,
+ size_t bufsize, u32 size, int interrupt)
+{
+ return __hid_input_report(hid, type, data, bufsize, size, interrupt, 0,
+ false, /* from_bpf */
+ false /* lock_already_taken */);
+}
+EXPORT_SYMBOL_GPL(hid_safe_input_report);
+
bool hid_match_one_id(const struct hid_device *hdev,
const struct hid_device_id *id)
{
diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index 5a183af3d5c6a..e0a302544cef4 100644
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -574,9 +574,10 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
if (ihid->hid->group != HID_GROUP_RMI)
pm_wakeup_event(&ihid->client->dev, 0);
- hid_input_report(ihid->hid, HID_INPUT_REPORT,
- ihid->inbuf + sizeof(__le16),
- ret_size - sizeof(__le16), 1);
+ hid_safe_input_report(ihid->hid, HID_INPUT_REPORT,
+ ihid->inbuf + sizeof(__le16),
+ ihid->bufsize - sizeof(__le16),
+ ret_size - sizeof(__le16), 1);
}
return;
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index df3cc89dfb37f..4a493b46d9ee7 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -283,9 +283,9 @@ static void hid_irq_in(struct urb *urb)
break;
usbhid_mark_busy(usbhid);
if (!test_bit(HID_RESUME_RUNNING, &usbhid->iofl)) {
- hid_input_report(urb->context, HID_INPUT_REPORT,
- urb->transfer_buffer,
- urb->actual_length, 1);
+ hid_safe_input_report(urb->context, HID_INPUT_REPORT,
+ urb->transfer_buffer, urb->transfer_buffer_length,
+ urb->actual_length, 1);
/*
* autosuspend refused while keys are pressed
* because most keyboards don't wake up when
@@ -482,9 +482,10 @@ static void hid_ctrl(struct urb *urb)
switch (status) {
case 0: /* success */
if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN)
- hid_input_report(urb->context,
+ hid_safe_input_report(urb->context,
usbhid->ctrl[usbhid->ctrltail].report->type,
- urb->transfer_buffer, urb->actual_length, 0);
+ urb->transfer_buffer, urb->transfer_buffer_length,
+ urb->actual_length, 0);
break;
case -ESHUTDOWN: /* unplug */
unplug = 1;
diff --git a/include/linux/hid.h b/include/linux/hid.h
index d29efcf2e0789..204ada8d12e5c 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -990,6 +990,8 @@ struct hid_field *hid_find_field(struct hid_device *hdev, unsigned int report_ty
int hid_set_field(struct hid_field *, unsigned, __s32);
int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
int interrupt);
+int hid_safe_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data,
+ size_t bufsize, u32 size, int interrupt);
struct hid_field *hidinput_get_led_field(struct hid_device *hid);
unsigned int hidinput_count_leds(struct hid_device *hid);
__s32 hidinput_calc_abs_res(const struct hid_field *field, __u16 code);
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 897/957] HID: core: Fix size_t specifier in hid_report_raw_event()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (895 preceding siblings ...)
2026-05-20 16:22 ` [PATCH 6.18 896/957] HID: core: introduce hid_safe_input_report() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 898/957] fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0 Greg Kroah-Hartman
` (65 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miguel Ojeda, Nathan Chancellor,
Linus Torvalds, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ]
When building for 32-bit platforms, for which 'size_t' is
'unsigned int', there are warnings around using the incorrect format
specifier to print bsize in hid_report_raw_event():
drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
2053 | hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
| ~~~
| %zu
2054 | report->id, csize, bsize);
| ^~~~~
drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
2075 | hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
| ~~~
| %zu
2076 | report->id, rsize, bsize);
| ^~~~~
Use the proper 'size_t' format specifier, '%zu', to clear up the
warnings.
Cc: stable@vger.kernel.org
Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Reported-by: Miguel Ojeda <ojeda@kernel.org>
Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index e67ea3a7d1395..6a1600af30e20 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2046,7 +2046,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
return 0;
if (unlikely(bsize < csize)) {
- hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n",
report->id, csize, bsize);
return -EINVAL;
}
@@ -2068,7 +2068,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
rsize = max_buffer_size;
if (bsize < rsize) {
- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
report->id, rsize, bsize);
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 898/957] fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (896 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 897/957] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 899/957] ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands Greg Kroah-Hartman
` (64 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Joanne Koong,
Vlad Poenaru, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Poenaru <vlad.wing@gmail.com>
[ Upstream commit 4ea907108a5c ("fuse: use iomap for readahead") ]
The upstream fix is the iomap conversion in commit 4ea907108a5c
("fuse: use iomap for readahead"), which rewrote fuse_readahead()
entirely and removed the buggy loop along with it. That refactor
is too invasive to backport to the pre-iomap readahead path still
used by 6.18.y (and earlier stable branches), so this is a minimal,
equivalent fix to the same bug on those branches.
When fc->max_read is smaller than PAGE_SIZE (common on aarch64 with
64K base pages if the FUSE server advertises a small max_read in INIT),
max_pages = min(fc->max_pages, fc->max_read / PAGE_SIZE) is 0, so
cur_pages is 0 on every outer iteration.
fuse_io_alloc(NULL, 0) then calls fuse_folios_alloc(0, ...), which
calls kzalloc(0, ...) and gets back ZERO_SIZE_PTR == (void *)16.
The "if (!ia->ap.folios)" guard in fuse_io_alloc does not catch
ZERO_SIZE_PTR, so fuse_io_alloc happily returns an ia whose
ap.folios is 0x10.
The inner "while (pages < cur_pages)" loop runs zero times, then
fuse_send_readpages(ia, ...) dereferences ap->folios[0] in
folio_pos(), faulting at virtual address 0x10:
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000010
fuse_readahead+0x14c/0x490
read_pages+0x80/0x318
page_cache_ra_unbounded+0x1c0/0x2b0
page_cache_ra_order+0xb8/0x368
page_cache_sync_ra+0x210/0x320
filemap_get_pages+0x290/0xdb0
generic_file_read_iter+0xd0/0x540
fuse_file_read_iter+0x8c/0x158
__arm64_sys_read+0x1a0/0x488
addr2line on the aarch64 vmlinux maps fuse_readahead+0x14c to
fs/fuse/file.c:897 inlined into :999, i.e. "folio_pos(ap->folios[0])"
inside fuse_send_readpages. The faulting instruction "ldr x8, [x8]"
loads ap->folios[0]; ap->folios was previously loaded as 0x10
(ZERO_SIZE_PTR).
Without this fix the function would also spin forever, since
"nr_pages -= pages" makes no progress when pages stays 0; in practice
the NULL deref masks the spin.
Bail out of the outer loop if cur_pages is 0 -- there is no work we
can issue via FUSE in this iteration, and remaining folios will be
handled by read_pages() falling back to ->read_folio.
Fixes: 3eab9d7bc2f4 ("fuse: convert readahead to use folios")
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Vlad Poenaru <vlad.wing@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/file.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 00ff6374dc76b..50ade371298b3 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -974,6 +974,16 @@ static void fuse_readahead(struct readahead_control *rac)
unsigned cur_pages = min(max_pages, nr_pages);
unsigned int pages = 0;
+ /*
+ * If max_pages == 0 (e.g. fc->max_read < PAGE_SIZE on a
+ * 64K-page kernel), cur_pages is 0 and we cannot make
+ * progress. Bailing here avoids passing 0 to fuse_io_alloc,
+ * which would return an ia whose ap.folios is ZERO_SIZE_PTR
+ * (0x10) -- later dereferenced by fuse_send_readpages.
+ */
+ if (!cur_pages)
+ break;
+
if (fc->num_background >= fc->congestion_threshold &&
rac->ra->async_size >= readahead_count(rac))
/*
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 899/957] ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (897 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 898/957] fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0 Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 900/957] media: staging: imx: configure src_mux in csi_start Greg Kroah-Hartman
` (63 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Igor Pylypiv,
Niklas Cassel, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Igor Pylypiv <ipylypiv@google.com>
[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ]
Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
introduced ata_scsi_requeue_deferred_qc() to handle commands deferred
during resets or NCQ failures. This deferral logic completed commands
with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer.
However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks.
ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set
to zero. This causes the mid-layer to fail the command immediately
instead of retrying, even though the command was never actually issued
to the hardware.
Switch to DID_REQUEUE to ensure these commands are inserted back into
the request queue regardless of retry limits.
Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-scsi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index 88689369db03d..e7c78b8d3c2c0 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -1691,7 +1691,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
/*
* If we have a deferred qc when a reset occurs or NCQ commands fail,
* do not try to be smart about what to do with this deferred command
- * and simply retry it by completing it with DID_SOFT_ERROR.
+ * and simply requeue it by completing it with DID_REQUEUE.
*/
if (!qc)
return;
@@ -1700,7 +1700,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
ap->deferred_qc = NULL;
cancel_work(&ap->deferred_qc_work);
ata_qc_free(qc);
- scmd->result = (DID_SOFT_ERROR << 16);
+ scmd->result = (DID_REQUEUE << 16);
scsi_done(scmd);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 900/957] media: staging: imx: configure src_mux in csi_start
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (898 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 899/957] ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 901/957] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events Greg Kroah-Hartman
` (62 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Tretter, Frank Li,
Philipp Zabel, Hans Verkuil, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Tretter <m.tretter@pengutronix.de>
[ Upstream commit ebeec2b000a90cd8aae86d1931ff5ef23af8284e ]
After media_pipeline_start() was called, the media graph is assumed to
be validated. It won't be validated again if a second stream starts.
The imx-media-csi driver, however, changes hardware configuration in the
link_validate() callback. This can result in started streams with
misconfigured hardware.
In the concrete example, the ipu2_csi1 is driven by a parallel video
input. After the media pipeline has been started with this
configuration, a second stream is configured to use ipu1_csi0 with
MIPI-CSI input from imx6-mipi-csi2. This may require the reconfiguration
of ipu1_csi0 with ipu_set_csi_src_mux(). Since the media pipeline is
already running, link_validate won't be called, and the ipu1_csi0 won't
be reconfigured. The resulting video is broken, because the ipu1_csi0 is
misconfigured, but no error is reported.
Move ipu_set_csi_src_mux from csi_link_validate to csi_start to ensure
that input to ipu1_csi0 is configured correctly when starting the
stream. This is a local reconfiguration in ipu1_csi0 and is possible
while the media pipeline is running.
Since csi_start() is called with priv->lock already locked,
csi_set_src() must not lock priv->lock again. Thus, the mutex_lock() is
dropped.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/imx/imx-media-csi.c | 44 ++++++++++++-----------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c
index 55a7d8f38465b..1bc644f73a9d1 100644
--- a/drivers/staging/media/imx/imx-media-csi.c
+++ b/drivers/staging/media/imx/imx-media-csi.c
@@ -744,6 +744,28 @@ static int csi_setup(struct csi_priv *priv,
return 0;
}
+static void csi_set_src(struct csi_priv *priv,
+ struct v4l2_mbus_config *mbus_cfg)
+{
+ bool is_csi2;
+
+ is_csi2 = !is_parallel_bus(mbus_cfg);
+ if (is_csi2) {
+ /*
+ * NOTE! It seems the virtual channels from the mipi csi-2
+ * receiver are used only for routing by the video mux's,
+ * or for hard-wired routing to the CSI's. Once the stream
+ * enters the CSI's however, they are treated internally
+ * in the IPU as virtual channel 0.
+ */
+ ipu_csi_set_mipi_datatype(priv->csi, 0,
+ &priv->format_mbus[CSI_SINK_PAD]);
+ }
+
+ /* select either parallel or MIPI-CSI2 as input to CSI */
+ ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2);
+}
+
static int csi_start(struct csi_priv *priv)
{
struct v4l2_mbus_config mbus_cfg = { .type = 0 };
@@ -760,6 +782,8 @@ static int csi_start(struct csi_priv *priv)
input_fi = &priv->frame_interval[CSI_SINK_PAD];
output_fi = &priv->frame_interval[priv->active_output_pad];
+ csi_set_src(priv, &mbus_cfg);
+
/* start upstream */
ret = v4l2_subdev_call(priv->src_sd, video, s_stream, 1);
ret = (ret && ret != -ENOIOCTLCMD) ? ret : 0;
@@ -1130,7 +1154,6 @@ static int csi_link_validate(struct v4l2_subdev *sd,
{
struct csi_priv *priv = v4l2_get_subdevdata(sd);
struct v4l2_mbus_config mbus_cfg = { .type = 0 };
- bool is_csi2;
int ret;
ret = v4l2_subdev_link_validate_default(sd, link,
@@ -1145,25 +1168,6 @@ static int csi_link_validate(struct v4l2_subdev *sd,
return ret;
}
- mutex_lock(&priv->lock);
-
- is_csi2 = !is_parallel_bus(&mbus_cfg);
- if (is_csi2) {
- /*
- * NOTE! It seems the virtual channels from the mipi csi-2
- * receiver are used only for routing by the video mux's,
- * or for hard-wired routing to the CSI's. Once the stream
- * enters the CSI's however, they are treated internally
- * in the IPU as virtual channel 0.
- */
- ipu_csi_set_mipi_datatype(priv->csi, 0,
- &priv->format_mbus[CSI_SINK_PAD]);
- }
-
- /* select either parallel or MIPI-CSI2 as input to CSI */
- ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2);
-
- mutex_unlock(&priv->lock);
return ret;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 968+ messages in thread
* [PATCH 6.18 901/957] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (899 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 900/957] media: staging: imx: configure src_mux in csi_start Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 902/957] nvme-apple: Reset q->sq_tail during queue init Greg Kroah-Hartman
` (61 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz, Mikhail Gavrilov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream.
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.
Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
length before struct access") the status was read from out-of-bounds of
SKB data, which usually would result to success with
BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
check added in that commit returns with error instead, producing
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
device unusable.
Fix the regression by interpreting too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btmtk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -678,8 +678,8 @@ static int btmtk_usb_hci_wmt_sync(struct
case BTMTK_WMT_FUNC_CTRL:
if (!skb_pull_data(data->evt_skb,
sizeof(wmt_evt_funcc->status))) {
- err = -EINVAL;
- goto err_free_skb;
+ status = BTMTK_WMT_ON_UNDONE;
+ break;
}
wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 902/957] nvme-apple: Reset q->sq_tail during queue init
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (900 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 901/957] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 903/957] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
` (60 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuriy Havrylyuk, Sven Peter,
Nick Chan, Keith Busch
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nick Chan <towinchenmi@gmail.com>
commit a6ab75639e23169a741b0b2e12191fd8acb32c73 upstream.
Fixes a "duplicate tag error for tag 0" firmware crash during controller
reset while setting up a queue on Apple A11 / T8015 caused by stale
entries in the submission queue due to an invalid sq_tail offset after
reset.
Fixes: 04d8ecf37b5e ("nvme: apple: Add Apple A11 support")
Cc: stable@vger.kernel.org
Suggested-by: Yuriy Havrylyuk <yhavry@gmail.com>
Reviewed-by: Sven Peter <sven@kernel.org>
Signed-off-by: Nick Chan <towinchenmi@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/apple.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1009,6 +1009,7 @@ static void apple_nvme_init_queue(struct
unsigned int depth = apple_nvme_queue_depth(q);
struct apple_nvme *anv = queue_to_apple_nvme(q);
+ q->sq_tail = 0;
q->cq_head = 0;
q->cq_phase = 1;
if (anv->hw->has_lsq_nvmmu)
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 903/957] smb/client: fix possible infinite loop and oob read in symlink_data()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (901 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 902/957] nvme-apple: Reset q->sq_tail during queue init Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 904/957] drm/loongson: Use managed KMS polling Greg Kroah-Hartman
` (59 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Ye Bin, Steve French
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 upstream.
On 32-bit architectures, the infinite loop is as follows:
len = p->ErrorDataLength == 0xfffffff8
u8 *next = p->ErrorContextData + len
next == p
On 32-bit architectures, the out-of-bounds read is as follows:
len = p->ErrorDataLength == 0xfffffff0
u8 *next = p->ErrorContextData + len
next == (u8 *)p - 8
Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: stable@vger.kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2file.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/smb/client/smb2file.c
+++ b/fs/smb/client/smb2file.c
@@ -49,6 +49,9 @@ static struct smb2_symlink_err_rsp *syml
__func__, le32_to_cpu(p->ErrorId));
len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
+ if (len > end - ((u8 *)p + sizeof(*p)))
+ return ERR_PTR(-EINVAL);
+
p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
}
} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 904/957] drm/loongson: Use managed KMS polling
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (902 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 903/957] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 905/957] drm: Replace old pointer to new idr Greg Kroah-Hartman
` (58 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ijae Kim, Thomas Zimmermann,
Jianmin Lv, Huacai Chen, Myeonghun Pak
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
commit 0a9c56dd387605d17dabeedd9fdd2c4c1d0bab7b upstream.
lsdc_pci_probe() initializes KMS polling before setting up vblank support,
requesting the IRQ and registering the DRM device. If any of those later
steps fails, probe returns without finalizing polling. The driver also
never finalizes polling on regular removal.
Use drmm_kms_helper_poll_init() so polling is tied to the DRM device
lifetime and automatically finalized on probe failure and device removal.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: f39db26c5428 ("drm: Add kms driver for loongson display controller")
Cc: stable@vger.kernel.org
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Acked-by: Jianmin Lv <lvjianmin@loongson.cn>
Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260513065706.23803-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/loongson/lsdc_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/loongson/lsdc_drv.c
+++ b/drivers/gpu/drm/loongson/lsdc_drv.c
@@ -291,7 +291,7 @@ static int lsdc_pci_probe(struct pci_dev
vga_client_register(pdev, lsdc_vga_set_decode);
- drm_kms_helper_poll_init(ddev);
+ drmm_kms_helper_poll_init(ddev);
if (loongson_vblank) {
ret = drm_vblank_init(ddev, descp->num_of_crtc);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 905/957] drm: Replace old pointer to new idr
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (903 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 904/957] drm/loongson: Use managed KMS polling Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 906/957] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
` (57 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d7c9eed171647e421013,
Edward Adam Davis, Dave Airlie
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit dc366607c41c45fd0ae6f3db090f31dd611b644a upstream.
Commit 5e28b7b94408 introduced a logical error by failing to replace the
newly generated IDR pointer to old id's pointer at the correct location
within the "change handle" logic; this resulted in the issue reported by
syzbot [1].
Specifically, the new IDR object pointer is intended to replace the original
id's pointer during the normal execution flow.
Additionally, an unnecessary conditional check for the ret exit path has
been removed.
[1]
!RB_EMPTY_ROOT(&prime_fpriv->dmabufs)
WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x48/0x60 drivers/gpu/drm/drm_prime.c:224, CPU#0: syz.0.17/5833
Call Trace:
drm_file_free.part.0+0x7e6/0xcc0 drivers/gpu/drm/drm_file.c:269
drm_file_free drivers/gpu/drm/drm_file.c:237 [inline]
drm_close_helper.isra.0+0x186/0x200 drivers/gpu/drm/drm_file.c:290
drm_release+0x1ab/0x360 drivers/gpu/drm/drm_file.c:438
Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Reported-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7c9eed171647e421013
Cc: stable@vger.kernel.org
Tested-by: syzbot+d7c9eed171647e421013@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/tencent_C267296443AAA4567771176886DFF364A305@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_gem.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1017,17 +1017,12 @@ int drm_gem_change_handle_ioctl(struct d
spin_unlock(&file_priv->table_lock);
- if (ret < 0)
- goto out_unlock;
-
if (obj->dma_buf) {
ret = drm_prime_add_buf_handle(&file_priv->prime, obj->dma_buf,
handle);
if (ret < 0) {
spin_lock(&file_priv->table_lock);
idr_remove(&file_priv->object_idr, handle);
- idrobj = idr_replace(&file_priv->object_idr, obj, handle);
- WARN_ON(idrobj != NULL);
spin_unlock(&file_priv->table_lock);
goto out_unlock;
}
@@ -1039,7 +1034,9 @@ int drm_gem_change_handle_ioctl(struct d
spin_lock(&file_priv->table_lock);
idr_remove(&file_priv->object_idr, args->handle);
+ idrobj = idr_replace(&file_priv->object_idr, obj, handle);
spin_unlock(&file_priv->table_lock);
+ WARN_ON(idrobj != NULL);
out_unlock:
mutex_unlock(&file_priv->prime.lock);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 906/957] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (904 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 905/957] drm: Replace old pointer to new idr Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 907/957] platform/x86: intel: Move debugfs register before creating devices Greg Kroah-Hartman
` (56 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DeepChirp, Chaitanya Kumar Borah,
Suraj Kandpal, Tvrtko Ursulin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
commit 1ae15b6c7965d137eef21f2cc7d367b29cb88369 upstream.
For RGB, set dynamic_range to CTA or VESA based on
crtc_state->limited_color_range so sinks apply correct
quantization. YCbCr remains limited (CTA) range.
(DP v1.4, Table 5-1)
v2:
- Added Reported-by and Tested-by tags
v3:
- Add back YCbCr comment(Suraj)
Cc: stable@vger.kernel.org #v5.8+
Reported-by: DeepChirp <DeepChirp@outlook.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15874
Tested-by: DeepChirp <DeepChirp@outlook.com>
Fixes: 9799c4c3b76e ("drm/i915/dp: Add compute routine for DP VSC SDP")
Assisted-by: GitHub-Copilot:GPT-5.4
Signed-off-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260505090920.2479112-1-chaitanya.kumar.borah@intel.com
(cherry picked from commit 38e10ddae6f8d42a2e8437fcd25a1cac51106c64)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_dp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -2869,8 +2869,13 @@ static void intel_dp_compute_vsc_colorim
drm_WARN_ON(display->drm,
vsc->bpc == 6 && vsc->pixelformat != DP_PIXELFORMAT_RGB);
- /* all YCbCr are always limited range */
- vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
+ /* All YCbCr formats are always limited range. */
+ if (vsc->pixelformat == DP_PIXELFORMAT_RGB)
+ vsc->dynamic_range = crtc_state->limited_color_range ?
+ DP_DYNAMIC_RANGE_CTA : DP_DYNAMIC_RANGE_VESA;
+ else
+ vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
+
vsc->content_type = DP_CONTENT_TYPE_NOT_DEFINED;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 907/957] platform/x86: intel: Move debugfs register before creating devices
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (905 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 906/957] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 908/957] platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers Greg Kroah-Hartman
` (55 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada, Stable,
Ilpo Järvinen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit ad3bff944c0f4f2e913298a9664391af32f87491 upstream.
It is possible that the driver handling device is enumerated before
registering debugfs. If the driver wants to access debugfs by calling
tpmi_get_debugfs_dir(), this will return error in this case.
Hence register debugfs before creating devices.
Fixes: 811f67c51636 ("platform/x86/intel/tpmi: Add new auxiliary driver for performance limits")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: Stable@vger.kernel.org
Link: https://patch.msgid.link/20260430151103.1549733-2-srinivas.pandruvada@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/vsec_tpmi.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/platform/x86/intel/vsec_tpmi.c
+++ b/drivers/platform/x86/intel/vsec_tpmi.c
@@ -813,10 +813,6 @@ static int intel_vsec_tpmi_init(struct a
auxiliary_set_drvdata(auxdev, tpmi_info);
- ret = tpmi_create_devices(tpmi_info);
- if (ret)
- return ret;
-
/*
* Allow debugfs when security policy allows. Everything this debugfs
* interface provides, can also be done via /dev/mem access. If
@@ -826,6 +822,12 @@ static int intel_vsec_tpmi_init(struct a
if (!security_locked_down(LOCKDOWN_DEV_MEM) && capable(CAP_SYS_RAWIO))
tpmi_dbgfs_register(tpmi_info);
+ ret = tpmi_create_devices(tpmi_info);
+ if (ret) {
+ debugfs_remove_recursive(tpmi_info->dbgfs_dir);
+ return ret;
+ }
+
return 0;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 908/957] platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (906 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 907/957] platform/x86: intel: Move debugfs register before creating devices Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 909/957] platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members Greg Kroah-Hartman
` (54 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Rong Zhang,
Derek J. Clark, Ilpo Järvinen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Derek J. Clark <derekjohn.clark@gmail.com>
commit 7e27896e16a1c450085c3fe020eeb1b223880f37 upstream.
In a later patch in the series the thermal mode enum will be accessed
across three separate drivers (wmi-capdata, wmi-gamezonem and wmi-other).
An additional patch in the series will also add a function prototype that
needs to reference this enum in wmi-helpers.h. To avoid having all these
drivers begin to import each others headers, and to avoid declaring an
opaque enum to hande the second case, move the thermal mode enum to
helpers where it can be safely accessed by everything that needs it from
a single import.
While at it, since the gamezone_events_type enum is the only remaining
item in the header, move that as well and remove the gamezone header
entirely.
Cc: stable@vger.kernel.org
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: Rong Zhang <i@rong.moe>
Tested-by: Rong Zhang <i@rong.moe>
Signed-off-by: Derek J. Clark <derekjohn.clark@gmail.com>
Link: https://patch.msgid.link/20260510042546.436874-8-derekjohn.clark@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/lenovo/wmi-events.c | 2 +-
drivers/platform/x86/lenovo/wmi-gamezone.c | 1 -
drivers/platform/x86/lenovo/wmi-gamezone.h | 20 --------------------
drivers/platform/x86/lenovo/wmi-helpers.h | 13 +++++++++++++
drivers/platform/x86/lenovo/wmi-other.c | 1 -
5 files changed, 14 insertions(+), 23 deletions(-)
delete mode 100644 drivers/platform/x86/lenovo/wmi-gamezone.h
--- a/drivers/platform/x86/lenovo/wmi-events.c
+++ b/drivers/platform/x86/lenovo/wmi-events.c
@@ -17,7 +17,7 @@
#include <linux/wmi.h>
#include "wmi-events.h"
-#include "wmi-gamezone.h"
+#include "wmi-helpers.h"
#define THERMAL_MODE_EVENT_GUID "D320289E-8FEA-41E0-86F9-911D83151B5F"
--- a/drivers/platform/x86/lenovo/wmi-gamezone.c
+++ b/drivers/platform/x86/lenovo/wmi-gamezone.c
@@ -21,7 +21,6 @@
#include <linux/wmi.h>
#include "wmi-events.h"
-#include "wmi-gamezone.h"
#include "wmi-helpers.h"
#include "wmi-other.h"
--- a/drivers/platform/x86/lenovo/wmi-gamezone.h
+++ /dev/null
@@ -1,20 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-or-later */
-
-/* Copyright (C) 2025 Derek J. Clark <derekjohn.clark@gmail.com> */
-
-#ifndef _LENOVO_WMI_GAMEZONE_H_
-#define _LENOVO_WMI_GAMEZONE_H_
-
-enum gamezone_events_type {
- LWMI_GZ_GET_THERMAL_MODE = 1,
-};
-
-enum thermal_mode {
- LWMI_GZ_THERMAL_MODE_QUIET = 0x01,
- LWMI_GZ_THERMAL_MODE_BALANCED = 0x02,
- LWMI_GZ_THERMAL_MODE_PERFORMANCE = 0x03,
- LWMI_GZ_THERMAL_MODE_EXTREME = 0xE0, /* Ver 6+ */
- LWMI_GZ_THERMAL_MODE_CUSTOM = 0xFF,
-};
-
-#endif /* !_LENOVO_WMI_GAMEZONE_H_ */
--- a/drivers/platform/x86/lenovo/wmi-helpers.h
+++ b/drivers/platform/x86/lenovo/wmi-helpers.h
@@ -14,6 +14,19 @@ struct wmi_method_args_32 {
u32 arg1;
};
+enum lwmi_event_type {
+ LWMI_GZ_GET_THERMAL_MODE = 0x01,
+};
+
+enum thermal_mode {
+ LWMI_GZ_THERMAL_MODE_NONE = 0x00,
+ LWMI_GZ_THERMAL_MODE_QUIET = 0x01,
+ LWMI_GZ_THERMAL_MODE_BALANCED = 0x02,
+ LWMI_GZ_THERMAL_MODE_PERFORMANCE = 0x03,
+ LWMI_GZ_THERMAL_MODE_EXTREME = 0xE0, /* Ver 6+ */
+ LWMI_GZ_THERMAL_MODE_CUSTOM = 0xFF,
+};
+
int lwmi_dev_evaluate_int(struct wmi_device *wdev, u8 instance, u32 method_id,
unsigned char *buf, size_t size, u32 *retval);
--- a/drivers/platform/x86/lenovo/wmi-other.c
+++ b/drivers/platform/x86/lenovo/wmi-other.c
@@ -36,7 +36,6 @@
#include "wmi-capdata01.h"
#include "wmi-events.h"
-#include "wmi-gamezone.h"
#include "wmi-helpers.h"
#include "wmi-other.h"
#include "../firmware_attributes_class.h"
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 909/957] platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (907 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 908/957] platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 910/957] accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
` (53 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Rong Zhang,
Derek J. Clark, Ilpo Järvinen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Derek J. Clark <derekjohn.clark@gmail.com>
commit 71f3843e0f81e3c097a088c1121154bb9a44da0a upstream.
In struct tunable_attr_01 the capdata pointer is unused and the size of
the id members is u32 when it should be u8. Fix these prior to adding
additional members.
No functional change intended.
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Cc: stable@vger.kernel.org
Reviewed-by: Rong Zhang <i@rong.moe>
Tested-by: Rong Zhang <i@rong.moe>
Signed-off-by: Derek J. Clark <derekjohn.clark@gmail.com>
Link: https://patch.msgid.link/20260510042546.436874-6-derekjohn.clark@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/lenovo/wmi-other.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/platform/x86/lenovo/wmi-other.c
+++ b/drivers/platform/x86/lenovo/wmi-other.c
@@ -82,11 +82,10 @@ struct lwmi_om_priv {
};
struct tunable_attr_01 {
- struct capdata01 *capdata;
struct device *dev;
- u32 feature_id;
- u32 device_id;
- u32 type_id;
+ u8 feature_id;
+ u8 device_id;
+ u8 type_id;
};
static struct tunable_attr_01 ppt_pl1_spl = {
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 910/957] accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (908 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 909/957] platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 911/957] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx Greg Kroah-Hartman
` (52 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gyeyoung Baek, Tomeu Vizoso,
Steven Price
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gyeyoung Baek <gye976@gmail.com>
commit 74570e12b4705ea11dcdfbfbd0a0b0fdaeff3059 upstream.
dma_resv_wait_timeout() returns a positive 'remaining jiffies' value
on success, 0 on timeout, and -errno on failure.
rocket_ioctl_prep_bo() returns this 'long' result from an int-typed
ioctl handler, so positive values reach userspace as bogus errors.
Explicitly set ret to 0 on the success path.
Fixes: 525ad89dd904 ("accel/rocket: Add IOCTLs for synchronizing memory accesses")
Cc: stable@vger.kernel.org
Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
Reviewed-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
Link: https://patch.msgid.link/c0ebf83b345721701b22d8f5bc41c52c0ecf5e16.1776581974.git.gye976@gmail.com
Signed-off-by: Steven Price <steven.price@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/rocket/rocket_gem.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/accel/rocket/rocket_gem.c
+++ b/drivers/accel/rocket/rocket_gem.c
@@ -144,6 +144,8 @@ int rocket_ioctl_prep_bo(struct drm_devi
ret = dma_resv_wait_timeout(gem_obj->resv, DMA_RESV_USAGE_WRITE, true, timeout);
if (!ret)
ret = timeout ? -ETIMEDOUT : -EBUSY;
+ else if (ret > 0)
+ ret = 0;
shmem_obj = &to_rocket_bo(gem_obj)->base;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 911/957] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (909 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 910/957] accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 912/957] ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone Greg Kroah-Hartman
` (51 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrien Burnett, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrien Burnett <an.arctic.pigeon@gmail.com>
commit 7d1051ad68df3d584b5f24bfa1fb19f3a24db278 upstream.
Add a SND_PCI_QUIRK entry for the HP Pavilion Laptop 16-ag0xxx
(subsystem 0x103c:0x8cbc, Realtek ALC245). The
ALC245_FIXUP_HP_X360_MUTE_LEDS fixup is already used by the
neighbouring HP Pavilion Aero Laptop 13-bg0xxx (0x103c:0x8cbd);
it chains the master-mute COEF handler with the GPIO mic-mute
LED handler, which is what this machine needs.
Tested on the affected hardware: both the mute and mic-mute key
LEDs respond correctly to the keyboard hotkeys after this change.
Cc: <stable@vger.kernel.org>
Signed-off-by: Adrien Burnett <an.arctic.pigeon@gmail.com>
Link: https://patch.msgid.link/20260514165905.21175-1-an.arctic.pigeon@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -6960,6 +6960,7 @@ static const struct hda_quirk alc269_fix
SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x8caf, "HP Elite mt645 G8 Mobile Thin Client", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8cbc, "HP Pavilion Laptop 16-ag0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
SND_PCI_QUIRK(0x103c, 0x8cbd, "HP Pavilion Aero Laptop 13-bg0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
SND_PCI_QUIRK(0x103c, 0x8cdd, "HP Spectre", ALC245_FIXUP_HP_SPECTRE_X360_EU0XXX),
SND_PCI_QUIRK(0x103c, 0x8cde, "HP OmniBook Ultra Flip Laptop 14t", ALC245_FIXUP_HP_SPECTRE_X360_EU0XXX),
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 912/957] ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (910 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 911/957] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 913/957] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans Greg Kroah-Hartman
` (50 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Markus Kramer, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Kramer <linux@markus-kramer.de>
commit fd87b510f5f543125ecf51e7c706a9f4bc3352be upstream.
The Samsung Galaxy Book5 360 (NP750QHA, PCI subsystem ID 0x144d:0xc902)
has severe audio distortion on the 3.5mm headphone jack. Applying
ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET corrects the output path
configuration, consistent with fixes already applied to other Samsung
Galaxy Book models using the same ALC256 codec.
Cc: stable@vger.kernel.org
Link: https://github.com/thesofproject/linux/issues/5648
Signed-off-by: Markus Kramer <linux@markus-kramer.de>
Link: https://patch.msgid.link/20260513222818.14351-1-linux@markus-kramer.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7240,6 +7240,7 @@ static const struct hda_quirk alc269_fix
SND_PCI_QUIRK(0x144d, 0xc870, "Samsung Galaxy Book2 Pro (NP950XED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
SND_PCI_QUIRK(0x144d, 0xc872, "Samsung Galaxy Book2 Pro (NP950XEE)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
SND_PCI_QUIRK(0x144d, 0xc886, "Samsung Galaxy Book3 Pro (NP964XFG)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS),
+ SND_PCI_QUIRK(0x144d, 0xc902, "Samsung Galaxy Book5 360 (NP750QHA)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
SND_PCI_QUIRK(0x144d, 0xc1ca, "Samsung Galaxy Book3 Pro 360 (NP960QFG)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS),
SND_PCI_QUIRK(0x144d, 0xc1cb, "Samsung Galaxy Book3 Pro 360 (NP965QFG)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS),
SND_PCI_QUIRK(0x144d, 0xc1cc, "Samsung Galaxy Book3 Ultra (NT960XFH)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS),
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 913/957] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (911 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 912/957] ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 914/957] ALSA: usb-audio: Bound MIDI " Greg Kroah-Hartman
` (49 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 918be519c7876329e1b6e2ea1c59f0b75e792dca upstream.
The USB MIDI 2.0 endpoint parser has the same descriptor walking
pattern as the legacy MIDI parser. It validates bLength against
bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the
remaining bytes in the endpoint-extra scan.
A malformed device can therefore make later baAssoGrpTrmBlkID[] reads
consume bytes past the walked descriptor.
Reject zero-length and overlong descriptors while walking endpoint
extras.
Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-2-329d7348160e@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi2.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -496,15 +496,17 @@ static void *find_usb_ms_endpoint_descri
while (extralen > 3) {
struct usb_ms_endpoint_descriptor *ms_ep =
(struct usb_ms_endpoint_descriptor *)extra;
+ int length = ms_ep->bLength;
- if (ms_ep->bLength > 3 &&
+ if (!length || length > extralen)
+ break;
+
+ if (length > 3 &&
ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
ms_ep->bDescriptorSubtype == subtype)
return ms_ep;
- if (!extra[0])
- break;
- extralen -= extra[0];
- extra += extra[0];
+ extralen -= length;
+ extra += length;
}
return NULL;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 914/957] ALSA: usb-audio: Bound MIDI endpoint descriptor scans
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (912 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 913/957] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 915/957] ALSA: usb-audio: qcom: Check offload mapping failures Greg Kroah-Hartman
` (48 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit d6854daa67be623860f4e1873fd3d3c275aba4ed upstream.
snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.
That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.
Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.
Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1947,15 +1947,17 @@ static struct usb_ms_endpoint_descriptor
while (extralen > 3) {
struct usb_ms_endpoint_descriptor *ms_ep =
(struct usb_ms_endpoint_descriptor *)extra;
+ int length = ms_ep->bLength;
- if (ms_ep->bLength > 3 &&
+ if (!length || length > extralen)
+ break;
+
+ if (length > 3 &&
ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
return ms_ep;
- if (!extra[0])
- break;
- extralen -= extra[0];
- extra += extra[0];
+ extralen -= length;
+ extra += length;
}
return NULL;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 915/957] ALSA: usb-audio: qcom: Check offload mapping failures
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (913 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 914/957] ALSA: usb-audio: Bound MIDI " Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 916/957] btrfs: only release the dirty pages io tree after successful writes Greg Kroah-Hartman
` (47 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
commit 814b2c9b30e56074e11fc0a6e5419b3fee0639bc upstream.
uaudio_transfer_buffer_setup() calls dma_get_sgtable() and then passes
the sg_table to uaudio_iommu_map_xfer_buf() without checking whether sg
table construction succeeded. If dma_get_sgtable() fails, the sg_table
contents are not valid.
uaudio_iommu_map_pa() also ignores iommu_map() failures for the event and
transfer rings and still returns the allocated IOVA to the QMI response.
That can expose an unmapped IOVA to the audio DSP. For transfer rings,
the failed mapping also leaves the IOVA allocator state marked in use.
Check both operations. Free the coherent transfer buffer when sg table
construction fails, free the sg table when transfer-buffer IOMMU mapping
fails, and release the transfer-ring IOVA if iommu_map() fails. Also
return the existing event-ring IOVA when the event ring is already mapped,
matching the pre-split helper behavior.
Fixes: 326bbc348298 ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Fixes: 44499ecb4f28 ("ALSA: usb: qcom: Fix false-positive address space check")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260511-alsa-usb-qcom-offload-map-errors-v1-1-6502695e58bc@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/qcom/qc_audio_offload.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
--- a/sound/usb/qcom/qc_audio_offload.c
+++ b/sound/usb/qcom/qc_audio_offload.c
@@ -565,6 +565,7 @@ static unsigned long uaudio_iommu_map_pa
unsigned long iova = 0;
bool map = true;
int prot = uaudio_iommu_map_prot(dma_coherent);
+ int ret;
switch (mtype) {
case MEM_EVENT_RING:
@@ -582,10 +583,24 @@ static unsigned long uaudio_iommu_map_pa
dev_err(uaudio_qdev->data->dev, "unknown mem type %d\n", mtype);
}
- if (!iova || !map)
+ if (!iova)
return 0;
- iommu_map(uaudio_qdev->data->domain, iova, pa, size, prot, GFP_KERNEL);
+ if (!map)
+ return iova;
+
+ ret = iommu_map(uaudio_qdev->data->domain, iova, pa, size, prot,
+ GFP_KERNEL);
+ if (ret) {
+ dev_err(uaudio_qdev->data->dev,
+ "failed to map %zu bytes at iova 0x%08lx: %d\n",
+ size, iova, ret);
+ if (mtype == MEM_XFER_RING)
+ uaudio_put_iova(iova, size,
+ &uaudio_qdev->xfer_ring_list,
+ &uaudio_qdev->xfer_ring_iova_size);
+ return 0;
+ }
return iova;
}
@@ -1054,15 +1069,17 @@ static int uaudio_transfer_buffer_setup(
if (!xfer_buf)
return -ENOMEM;
- dma_get_sgtable(subs->dev->bus->sysdev, &xfer_buf_sgt, xfer_buf,
- xfer_buf_dma, len);
+ ret = dma_get_sgtable(subs->dev->bus->sysdev, &xfer_buf_sgt, xfer_buf,
+ xfer_buf_dma, len);
+ if (ret)
+ goto free_xfer_buf;
/* map the physical buffer into sysdev as well */
xfer_buf_dma_sysdev = uaudio_iommu_map_xfer_buf(dma_coherent,
len, &xfer_buf_sgt);
if (!xfer_buf_dma_sysdev) {
ret = -ENOMEM;
- goto unmap_sync;
+ goto free_sgt;
}
mem_info->dma = xfer_buf_dma;
@@ -1073,7 +1090,9 @@ static int uaudio_transfer_buffer_setup(
return 0;
-unmap_sync:
+free_sgt:
+ sg_free_table(&xfer_buf_sgt);
+free_xfer_buf:
usb_free_coherent(subs->dev, len, xfer_buf, xfer_buf_dma);
return ret;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 916/957] btrfs: only release the dirty pages io tree after successful writes
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (914 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 915/957] ALSA: usb-audio: qcom: Check offload mapping failures Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 917/957] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
` (46 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 4066c55e109475a06d18a1f127c939d551211956 upstream.
[WARNING]
With extra warning on dirty extent buffers at umount (aka, the next
patch in the series), test case generic/388 can trigger the following
warning about dirty extent buffers at unmount time:
BTRFS critical (device dm-2 state E): emergency shutdown
BTRFS error (device dm-2 state E): error while writing out transaction: -30
BTRFS warning (device dm-2 state E): Skipping commit of aborted transaction.
BTRFS error (device dm-2 state EA): Transaction 9 aborted (error -30)
BTRFS: error (device dm-2 state EA) in cleanup_transaction:2068: errno=-30 Readonly filesystem
BTRFS info (device dm-2 state EA): forced readonly
BTRFS info (device dm-2 state EA): last unmount of filesystem 4fbf2e15-f941-49a0-bc7c-716315d2777c
------------[ cut here ]------------
WARNING: disk-io.c:3311 at invalidate_and_check_btree_folios+0xfd/0x1ca [btrfs], CPU#8: umount/914368
CPU: 8 UID: 0 PID: 914368 Comm: umount Tainted: G OE 7.1.0-rc1-custom+ #372 PREEMPT(full) 2de38db8d1deae71fde295430a0ff3ab98ccf596
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
RIP: 0010:invalidate_and_check_btree_folios+0xfd/0x1ca [btrfs]
Call Trace:
<TASK>
close_ctree+0x52e/0x574 [btrfs d2f0b1cd330d1287e7a9919d112eadfc0e914efd]
generic_shutdown_super+0x89/0x1a0
kill_anon_super+0x16/0x40
btrfs_kill_super+0x16/0x20 [btrfs d2f0b1cd330d1287e7a9919d112eadfc0e914efd]
deactivate_locked_super+0x2d/0xb0
cleanup_mnt+0xdc/0x140
task_work_run+0x5a/0xa0
exit_to_user_mode_loop+0x123/0x4b0
do_syscall_64+0x243/0x7c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30539776 owner 9 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30621696 owner 257 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30638080 owner 258 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30654464 owner 7 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30703616 owner 2 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30720000 owner 10 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30736384 owner 4 gen 9 refs 2 flags 0x7
BTRFS warning (device dm-2 state EA): unable to release extent buffer 30752768 owner 11 gen 9 refs 2 flags 0x7
I'm using a stripped down version, which seems to trigger the warning
more reliably:
_fsstress_pid=""
workload()
{
dmesg -C
mkfs.btrfs -f -K $dev > /dev/null
echo 1 > /sys/kernel/debug/clear_warn_once
mount $dev $mnt
$fsstress -w -n 1024 -p 4 -d $mnt &
_fsstress_pid=$!
sleep 0
$godown $mnt
pkill --echo -PIPE fsstress > /dev/null
wait $_fsstress_pid
unset _fsstress_pid
umount $mnt
if dmesg | grep -q "WARNING"; then
fail
fi
}
for (( i = 0; i < $runtime; i++ )); do
echo "=== $i/$runtime ==="
workload
done
[CAUSE]
Inside btrfs_write_and_wait_transaction(), we first try to write all
dirty ebs, then wait for them to finish.
After that we call btrfs_extent_io_tree_release() to free all
extent states from dirty_pages io tree.
However if we hit an error from btrfs_write_marked_extent(), then we
still call btrfs_extent_io_tree_release() to clear that dirty_pages io
tree, which may contain dirty records that we haven't yet submitted.
Furthermore, the later transaction cleanup path will utilize that
dirty_pages io tree to properly cleanup those dirty ebs, but since it's
already empty, no dirty ebs are properly cleaned up, thus will later
trigger the warnings inside invalidate_btree_folios().
[FIX]
Normally such dirty ebs won't cause problems, as when the iput() is
called on the btree inode, the dirty ebs will be forcibly written back,
and since the fs is already in an error status, such writeback will not
reach disk and finish immediately.
But it's still better to get rid of such dirty ebs, if we ended up with
dirty ebs but the fs is not in an error status, then such writeback at
iput() time will be too late, as all workers are already stopped but
writeback will utilize workers, which will lead to NULL pointer
dereferences.
Instead of unconditionally calling btrfs_extent_io_tree_release(), only
call it if btrfs_write_and_wait_transaction() finished successfully, so
that @dirty_pages extent io tree is kept untouched for transaction
cleanup.
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 1 +
fs/btrfs/transaction.c | 9 ++++-----
2 files changed, 5 insertions(+), 5 deletions(-)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4646,6 +4646,7 @@ static void btrfs_destroy_marked_extents
free_extent_buffer_stale(eb);
}
}
+ btrfs_extent_io_tree_release(dirty_pages);
}
static void btrfs_destroy_pinned_extent(struct btrfs_fs_info *fs_info,
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -1268,14 +1268,13 @@ static int btrfs_write_and_wait_transact
blk_finish_plug(&plug);
ret2 = btrfs_wait_extents(fs_info, dirty_pages);
- btrfs_extent_io_tree_release(&trans->transaction->dirty_pages);
-
if (ret)
return ret;
- else if (ret2)
+ if (ret2)
return ret2;
- else
- return 0;
+
+ btrfs_extent_io_tree_release(&trans->transaction->dirty_pages);
+ return 0;
}
/*
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 917/957] ceph: fix a buffer leak in __ceph_setxattr()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (915 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 916/957] btrfs: only release the dirty pages io tree after successful writes Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 918/957] ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size Greg Kroah-Hartman
` (45 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Alex Markuze,
Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
commit 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e upstream.
The old_blob in __ceph_setxattr() can store
ci->i_xattrs.prealloc_blob value during the retry.
However, it is never called the ceph_buffer_put()
for the old_blob object. This patch fixes the issue of
the buffer leak.
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/xattr.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1296,6 +1296,7 @@ retry:
do_sync:
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
do_sync_unlocked:
if (lock_snap_rwsem)
up_read(&mdsc->snap_rwsem);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 918/957] ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (916 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 917/957] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 919/957] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
` (44 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Alex Markuze,
Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
commit 0c22d9511cbde746622f8e4c11aaa63fe76d45f9 upstream.
The generic/642 test-case can reproduce the kernel crash:
[40243.605254] ------------[ cut here ]------------
[40243.605956] kernel BUG at fs/ceph/xattr.c:918!
[40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI
[40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full)
[40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[40243.611820] Workqueue: ceph-msgr ceph_con_workfn
[40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0
[40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc
[40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287
[40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000
[40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000
[40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000
[40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000
[40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd
[40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000
[40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0
[40243.627408] Call Trace:
[40243.627839] <TASK>
[40243.628188] __prep_cap+0x3fd/0x4a0
[40243.628789] ? do_raw_spin_unlock+0x4e/0xe0
[40243.629474] ceph_check_caps+0x46a/0xc80
[40243.630094] ? __lock_acquire+0x4a2/0x2650
[40243.630773] ? find_held_lock+0x31/0x90
[40243.631347] ? handle_cap_grant+0x79f/0x1060
[40243.632068] ? lock_release+0xd9/0x300
[40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340
[40243.633429] ? lock_release+0xd9/0x300
[40243.634052] handle_cap_grant+0xcf6/0x1060
[40243.634745] ceph_handle_caps+0x122b/0x2110
[40243.635415] mds_dispatch+0x5bd/0x2160
[40243.636034] ? ceph_con_process_message+0x65/0x190
[40243.636828] ? lock_release+0xd9/0x300
[40243.637431] ceph_con_process_message+0x7a/0x190
[40243.638184] ? kfree+0x311/0x4f0
[40243.638749] ? kfree+0x311/0x4f0
[40243.639268] process_message+0x16/0x1a0
[40243.639915] ? sg_free_table+0x39/0x90
[40243.640572] ceph_con_v2_try_read+0xf58/0x2120
[40243.641255] ? lock_acquire+0xc8/0x300
[40243.641863] ceph_con_workfn+0x151/0x820
[40243.642493] process_one_work+0x22f/0x630
[40243.643093] ? process_one_work+0x254/0x630
[40243.643770] worker_thread+0x1e2/0x400
[40243.644332] ? __pfx_worker_thread+0x10/0x10
[40243.645020] kthread+0x109/0x140
[40243.645560] ? __pfx_kthread+0x10/0x10
[40243.646125] ret_from_fork+0x3f8/0x480
[40243.646752] ? __pfx_kthread+0x10/0x10
[40243.647316] ? __pfx_kthread+0x10/0x10
[40243.647919] ret_from_fork_asm+0x1a/0x30
[40243.648556] </TASK>
[40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore
[40243.654766] ---[ end trace 0000000000000000 ]---
Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS
maximum xattr size") moved the required_blob_size computation to before
the __build_xattrs() call, introducing a race.
__build_xattrs() releases and reacquires i_ceph_lock during execution.
In that window, handle_cap_grant() may update i_xattrs.blob with a
newer MDS-provided blob and bump i_xattrs.version. When
__build_xattrs() detects that index_version < version, it destroys and
rebuilds the entire xattr rb-tree from the new blob, potentially
increasing count, names_size, and vals_size.
The prealloc_blob size check that follows still uses the stale
required_blob_size computed before the rebuild, so it passes even when
prealloc_blob is too small for the now-larger tree. After __set_xattr()
adds one more xattr on top, __ceph_build_xattrs_blob() is called from
the cap flush path and hits:
BUG_ON(need > ci->i_xattrs.prealloc_blob->alloc_len);
Fix this by recomputing required_blob_size after __build_xattrs()
returns, using the current tree state. Also re-validate against
m_max_xattr_size to fall back to the sync path if the rebuilt tree now
exceeds the MDS limit.
Cc: stable@vger.kernel.org
Fixes: d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size")
Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/xattr.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1256,6 +1256,22 @@ retry:
ceph_vinop(inode), name, ceph_cap_string(issued));
__build_xattrs(inode);
+ /*
+ * __build_xattrs() may have released and reacquired i_ceph_lock,
+ * during which handle_cap_grant() could have replaced i_xattrs.blob
+ * with a newer MDS-provided blob and bumped i_xattrs.version. If that
+ * caused __build_xattrs() to rebuild the rb-tree from the new blob,
+ * count/names_size/vals_size may now be larger than when
+ * required_blob_size was computed above. Recompute it here so the
+ * prealloc_blob size check below reflects the current tree state.
+ */
+ required_blob_size = __get_required_blob_size(ci, name_len, val_len);
+ if (required_blob_size > mdsc->mdsmap->m_max_xattr_size) {
+ doutc(cl, "sync (size too large): %d > %llu\n",
+ required_blob_size, mdsc->mdsmap->m_max_xattr_size);
+ goto do_sync;
+ }
+
if (!ci->i_xattrs.prealloc_blob ||
required_blob_size > ci->i_xattrs.prealloc_blob->alloc_len) {
struct ceph_buffer *blob;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 919/957] io-wq: check that the predecessor is hashed in io_wq_remove_pending()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (917 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 918/957] ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 920/957] iommu/amd: Bounds-check devid in __rlookup_amd_iommu() Greg Kroah-Hartman
` (43 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicholas Carlini, Jens Axboe
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Carlini <nicholas@carlini.com>
commit d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc upstream.
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding entry in acct->work_list has the same hash value, but
never checks that the predecessor is hashed at all. io_get_work_hash()
is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash
bits are never set for non-hashed work, so it returns 0. Thus, when a
hashed bucket-0 work is cancelled while a non-hashed work is its list
predecessor, the check spuriously passes and a pointer to the non-hashed
io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in
io_get_next_work(), which never touches hash_tail[], the stale pointer
is never cleared. Therefore, after the non-hashed io_kiocb completes and
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The
io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
dangling pointer persists for the lifetime of the task; the next hashed
bucket-0 enqueue dereferences it in io_wq_insert_work() and
wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor
never inherits a hash_tail[] slot.
Cc: stable@vger.kernel.org
Fixes: 204361a77f40 ("io-wq: fix hang after cancelling pending hashed work")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -1125,7 +1125,8 @@ static inline void io_wq_remove_pending(
if (io_wq_is_hashed(work) && work == wq->hash_tail[hash]) {
if (prev)
prev_work = container_of(prev, struct io_wq_work, list);
- if (prev_work && io_get_work_hash(prev_work) == hash)
+ if (prev_work && io_wq_is_hashed(prev_work) &&
+ io_get_work_hash(prev_work) == hash)
wq->hash_tail[hash] = prev_work;
else
wq->hash_tail[hash] = NULL;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 920/957] iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (918 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 919/957] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 921/957] x86/kexec: Push kjump return address even for non-kjump kexec Greg Kroah-Hartman
` (42 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ziyuan Chen, Josef Bacik,
Jose Fernandez (Anthropic), Joerg Roedel
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Fernandez (Anthropic) <jose.fernandez@linux.dev>
commit 07d0f496fe7ec5abe3bee7e38be709521567bb33 upstream.
iommu_device_register() walks every device on the PCI bus via
bus_for_each_dev() and calls amd_iommu_probe_device() for each. The
inlined check_device() path computes the device's sbdf, calls
rlookup_amd_iommu() to find the owning IOMMU, and only afterwards
verifies devid <= pci_seg->last_bdf. __rlookup_amd_iommu() indexes
rlookup_table[devid] with no bounds check of its own, so for a PCI
device whose BDF is not described by the IVRS, the lookup reads past
the end of the allocation before the caller's bounds check can run.
This was harmless before commit e874c666b15b ("iommu/amd: Change
rlookup, irq_lookup, and alias to use kvalloc()"): the table was a
zeroed page-order allocation, so the over-read returned NULL and the
caller's NULL check skipped the device. After that commit the table is
a tight kvcalloc() and the over-read returns adjacent slab contents,
which check_device() then dereferences as a struct amd_iommu *,
causing a boot-time GPF.
Seen on Google Compute Engine ct6e VMs, where the virtualized IVRS
describes only the four TPU endpoints 00:04.0-07.0; the gVNIC at
00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation,
into the adjacent kmalloc-512 slab object:
pci 0000:00:04.0: Adding to iommu group 0
pci 0000:00:05.0: Adding to iommu group 1
pci 0000:00:06.0: Adding to iommu group 2
pci 0000:00:07.0: Adding to iommu group 3
Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025
RIP: 0010:amd_iommu_probe_device+0x54/0x3a0
Call Trace:
__iommu_probe_device+0x107/0x520
probe_iommu_group+0x29/0x50
bus_for_each_dev+0x7e/0xe0
iommu_device_register+0xc9/0x240
iommu_go_to_state+0x9c0/0x1c60
amd_iommu_init+0x14/0x40
pci_iommu_init+0x16/0x60
do_one_initcall+0x47/0x2f0
Guard the array access in __rlookup_amd_iommu(). With the fix applied
on 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots.
Fixes: e874c666b15b ("iommu/amd: Change rlookup, irq_lookup, and alias to use kvalloc()")
Cc: stable@vger.kernel.org
Reported-by: Ziyuan Chen <zc@anthropic.com>
Tested-by: Ziyuan Chen <zc@anthropic.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Assisted-by: Claude:unspecified
Signed-off-by: Jose Fernandez (Anthropic) <jose.fernandez@linux.dev>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/iommu.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -329,8 +329,12 @@ static struct amd_iommu *__rlookup_amd_i
struct amd_iommu_pci_seg *pci_seg;
for_each_pci_segment(pci_seg) {
- if (pci_seg->id == seg)
- return pci_seg->rlookup_table[devid];
+ if (pci_seg->id != seg)
+ continue;
+ /* IVRS may not describe every device on the bus */
+ if (devid > pci_seg->last_bdf)
+ return NULL;
+ return pci_seg->rlookup_table[devid];
}
return NULL;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 921/957] x86/kexec: Push kjump return address even for non-kjump kexec
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (919 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 920/957] iommu/amd: Bounds-check devid in __rlookup_amd_iommu() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 922/957] xfs: fix memory leak on error in xfs_alloc_zone_info() Greg Kroah-Hartman
` (41 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rohan Kakulawaram, David Woodhouse,
Borislav Petkov (AMD), Dave Hansen, stable
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 786a45757dcdf8f2beb9d4a6db605db16c18b2b4 upstream.
The version of purgatory code shipped by kexec-tools attempts to look above
the top of its stack to find a return address for a kjump, even in a non-kjump
kexec.
After the commit in Fixes: the word above the stack might not be there,
leading to a fault (which is at least now caught by my exception-handling code
in kexec).
That commit fixed things for the actual kjump path, but no longer
"gratuitously" pushes the unused return address to the stack in the non-kjump
path. Put that *back* in the non-kjump path, to prevent purgatory from
crashing when trying to access it.
Fixes: 2cacf7f23a02 ("x86/kexec: Fix stack and handling of re-entry point for ::preserve_context")
Reported-by: Rohan Kakulawaram <rohanka@google.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Tested-by: Rohan Kakulawaram <rohanka@google.com>
Cc: <stable@kernel.org>
Link: https://patch.msgid.link/32d627134143ffd957891cb697138e839c623211.camel@infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/relocate_kernel_64.S | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/arch/x86/kernel/relocate_kernel_64.S
+++ b/arch/x86/kernel/relocate_kernel_64.S
@@ -133,6 +133,14 @@ SYM_CODE_START_LOCAL_NOALIGN(identity_ma
* %r13 original CR4 when relocate_kernel() was invoked
*/
+ /*
+ * Set return address to 0 if not preserving context. The purgatory
+ * shipped in kexec-tools will unconditionally look for the return
+ * address on the stack and set a kexec_jump_back_entry= command
+ * line option if it's non-zero. There's no other way that it can
+ * tell a preserve-context (kjump) kexec from a normal one.
+ */
+ pushq $0
/* store the start address on the stack */
pushq %rdx
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 922/957] xfs: fix memory leak on error in xfs_alloc_zone_info()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (920 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 921/957] x86/kexec: Push kjump return address even for non-kjump kexec Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 923/957] virt: sev-guest: Do not use host-controlled page order in cleanup path Greg Kroah-Hartman
` (40 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Carlos Maiolino,
Wilfred Mallawa, Hans Holmberg, Christoph Hellwig,
Darrick J. Wong, Carlos Maiolino
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
commit 592975da8c3ca87b043077e6eafa37665eae7936 upstream.
Currently, the 0th index of the zi_used_bucket_bitmap array is not freed
on error due to the pre-decrement then evaluate semantic of the while
loop used in xfs_alloc_zone_info(). Fix it by allowing for the i == 0
case to be covered.
Fixes: 080d01c41d44 ("xfs: implement zoned garbage collection")
Cc: stable@vger.kernel.org # v6.15
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Reviewed-by: Hans Holmberg <hans.holmberg@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_zone_alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/xfs_zone_alloc.c
+++ b/fs/xfs/xfs_zone_alloc.c
@@ -1178,7 +1178,7 @@ xfs_alloc_zone_info(
return zi;
out_free_bitmaps:
- while (--i > 0)
+ while (--i >= 0)
kvfree(zi->zi_used_bucket_bitmap[i]);
kfree(zi);
return NULL;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 923/957] virt: sev-guest: Do not use host-controlled page order in cleanup path
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (921 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 922/957] xfs: fix memory leak on error in xfs_alloc_zone_info() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 924/957] riscv: misaligned: Make enabling delegation depend on NONPORTABLE Greg Kroah-Hartman
` (39 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos López,
Borislav Petkov (AMD), Michael Roth, stable, Linus Torvalds
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos López <clopez@suse.de>
commit 23e6a1ca04ae44806439a5a446e62e4d42e80bb4 upstream.
When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.
However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.
Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.
Fixes: 3e385c0d6ce8 ("virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex")
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Michael Roth <michael.roth@amd.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virt/coco/sev-guest/sev-guest.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/drivers/virt/coco/sev-guest/sev-guest.c
+++ b/drivers/virt/coco/sev-guest/sev-guest.c
@@ -176,7 +176,6 @@ static int get_ext_report(struct snp_gue
struct snp_guest_req req = {};
int ret, npages = 0, resp_len;
sockptr_t certs_address;
- struct page *page;
if (sockptr_is_null(io->req_data) || sockptr_is_null(io->resp_data))
return -EINVAL;
@@ -211,16 +210,15 @@ static int get_ext_report(struct snp_gue
* zeros to indicate that certificate data was not provided.
*/
npages = report_req->certs_len >> PAGE_SHIFT;
- page = alloc_pages(GFP_KERNEL_ACCOUNT | __GFP_ZERO,
- get_order(report_req->certs_len));
- if (!page)
+ req.certs_data = alloc_pages_exact(npages << PAGE_SHIFT,
+ GFP_KERNEL_ACCOUNT | __GFP_ZERO);
+ if (!req.certs_data)
return -ENOMEM;
- req.certs_data = page_address(page);
ret = set_memory_decrypted((unsigned long)req.certs_data, npages);
if (ret) {
pr_err("failed to mark page shared, ret=%d\n", ret);
- __free_pages(page, get_order(report_req->certs_len));
+ free_pages_exact(req.certs_data, npages << PAGE_SHIFT);
return -EFAULT;
}
@@ -277,7 +275,7 @@ e_free_data:
if (set_memory_encrypted((unsigned long)req.certs_data, npages))
WARN_ONCE(ret, "failed to restore encryption mask (leak it)\n");
else
- __free_pages(page, get_order(report_req->certs_len));
+ free_pages_exact(req.certs_data, npages << PAGE_SHIFT);
}
return ret;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 924/957] riscv: misaligned: Make enabling delegation depend on NONPORTABLE
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (922 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 923/957] virt: sev-guest: Do not use host-controlled page order in cleanup path Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 925/957] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
` (38 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vivian Wang, Conor Dooley,
Paul Walmsley, Songsong Zhang
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
commit b69bcb13ed7024a84d6cd8ad330f1e32782fcf28 upstream.
The unaligned access emulation code in Linux has various deficiencies.
For example, it doesn't emulate vector instructions [1] [2], and doesn't
emulate KVM guest accesses. Therefore, requesting misaligned exception
delegation with SBI FWFT actually regresses vector instructions' and KVM
guests' behavior.
Until Linux can handle it properly, guard these sbi_fwft_set() calls
behind RISCV_SBI_FWFT_DELEGATE_MISALIGNED, which in turn depends on
NONPORTABLE. Those who are sure that this wouldn't be a problem can
enable this option, perhaps getting better performance.
The rest of the existing code proceeds as before, except as if
SBI_FWFT_MISALIGNED_EXC_DELEG is not available, to handle any remaining
address misaligned exceptions on a best-effort basis. The KVM SBI FWFT
implementation is also not touched, but it is disabled if the firmware
emulates unaligned accesses.
Cc: stable@vger.kernel.org
Fixes: cf5a8abc6560 ("riscv: misaligned: request misaligned exception from SBI")
Reported-by: Songsong Zhang <U2FsdGVkX1@gmail.com> # KVM
Link: https://lore.kernel.org/linux-riscv/38ce44c1-08cf-4e3f-8ade-20da224f529c@iscas.ac.cn/ [1]
Link: https://lore.kernel.org/linux-riscv/b3cfcdac-0337-4db0-a611-258f2868855f@iscas.ac.cn/ [2]
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/20260401-riscv-misaligned-dont-delegate-v2-1-5014a288c097@iscas.ac.cn
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/Kconfig | 22 ++++++++++++++++++++++
arch/riscv/kernel/traps_misaligned.c | 2 +-
2 files changed, 23 insertions(+), 1 deletion(-)
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -925,6 +925,28 @@ config RISCV_VECTOR_MISALIGNED
help
Enable detecting support for vector misaligned loads and stores.
+config RISCV_SBI_FWFT_DELEGATE_MISALIGNED
+ bool "Request firmware delegation of unaligned access exceptions"
+ depends on RISCV_SBI
+ depends on NONPORTABLE
+ help
+ Use SBI FWFT to request delegation of load address misaligned and
+ store address misaligned exceptions, if possible, and prefer Linux
+ kernel emulation of these accesses to firmware emulation.
+
+ Unfortunately, Linux's emulation is still incomplete. Namely, it
+ currently does not handle vector instructions and KVM guest accesses.
+ On platforms where these accesses would have been handled by firmware,
+ enabling this causes unexpected kernel oopses, userspaces crashes and
+ KVM guest crashes. If you are sure that these are not a problem for
+ your platform, you can say Y here, which may improve performance.
+
+ Saying N here will not worsen emulation support for unaligned accesses
+ even in the case where the firmware also has incomplete support. It
+ simply keeps the firmware's emulation enabled.
+
+ If you don't know what to do here, say N.
+
choice
prompt "Unaligned Accesses Support"
default RISCV_PROBE_UNALIGNED_ACCESS
--- a/arch/riscv/kernel/traps_misaligned.c
+++ b/arch/riscv/kernel/traps_misaligned.c
@@ -584,7 +584,7 @@ static int cpu_online_check_unaligned_ac
static bool misaligned_traps_delegated;
-#ifdef CONFIG_RISCV_SBI
+#if defined(CONFIG_RISCV_SBI_FWFT_DELEGATE_MISALIGNED)
static int cpu_online_sbi_unaligned_setup(unsigned int cpu)
{
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 925/957] powerpc/warp: Fix error handling in pika_dtm_thread
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (923 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 924/957] riscv: misaligned: Make enabling delegation depend on NONPORTABLE Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 926/957] netfs: fix error handling in netfs_extract_user_iter() Greg Kroah-Hartman
` (37 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Christophe Leroy,
Madhavan Srinivasan
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 108d7f951271cbd36ca36efc5e5d106966f5180c upstream.
pika_dtm_thread() acquires client through of_find_i2c_device_by_node()
but fails to release it in error handling path. This could result in a
reference count leak, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the error handling path.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 3984114f0562 ("powerpc/warp: Platform fix for i2c change")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251116024411.21968-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/44x/warp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/powerpc/platforms/44x/warp.c
+++ b/arch/powerpc/platforms/44x/warp.c
@@ -293,6 +293,8 @@ static int pika_dtm_thread(void __iomem
schedule_timeout(HZ);
}
+ put_device(&client->dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 926/957] netfs: fix error handling in netfs_extract_user_iter()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (924 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 925/957] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 927/957] nfsd: fix file change detection in CB_GETATTR Greg Kroah-Hartman
` (36 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaoli Feng,
Paulo Alcantara (Red Hat), David Howells, netfs, linux-cifs,
linux-fsdevel, Christian Brauner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paulo Alcantara <pc@manguebit.org>
commit 0aad5704c6b4d14007d4eab15883e8524e4310f4 upstream.
In netfs_extract_user_iter(), if iov_iter_extract_pages() failed to
extract user pages, bail out on -ENOMEM, otherwise return the error
code only if @npages == 0, allowing short DIO reads and writes to be
issued.
This fixes mmapstress02 from LTP tests against CIFS.
Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
Reported-by: Xiaoli Feng <xifeng@redhat.com>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/20260512123404.719402-10-dhowells@redhat.com
Cc: netfs@lists.linux.dev
Cc: stable@vger.kernel.org
Cc: linux-cifs@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/netfs/iterator.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/fs/netfs/iterator.c
+++ b/fs/netfs/iterator.c
@@ -22,7 +22,7 @@
*
* Extract the page fragments from the given amount of the source iterator and
* build up a second iterator that refers to all of those bits. This allows
- * the original iterator to disposed of.
+ * the original iterator to be disposed of.
*
* @extraction_flags can have ITER_ALLOW_P2PDMA set to request peer-to-peer DMA be
* allowed on the pages extracted.
@@ -67,8 +67,8 @@ ssize_t netfs_extract_user_iter(struct i
ret = iov_iter_extract_pages(orig, &pages, count,
max_pages - npages, extraction_flags,
&offset);
- if (ret < 0) {
- pr_err("Couldn't get user pages (rc=%zd)\n", ret);
+ if (unlikely(ret <= 0)) {
+ ret = ret ?: -EIO;
break;
}
@@ -97,6 +97,13 @@ ssize_t netfs_extract_user_iter(struct i
npages += cur_npages;
}
+ if (ret < 0 && (ret == -ENOMEM || npages == 0)) {
+ for (i = 0; i < npages; i++)
+ unpin_user_page(bv[i].bv_page);
+ kvfree(bv);
+ return ret;
+ }
+
iov_iter_bvec(new, orig->data_source, bv, npages, orig_len - count);
return npages;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 927/957] nfsd: fix file change detection in CB_GETATTR
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (925 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 926/957] netfs: fix error handling in netfs_extract_user_iter() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 928/957] irqchip/riscv-imsic: Clear interrupt move state during CPU offlining Greg Kroah-Hartman
` (35 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Scott Mayhew, Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
commit 304d81a2fbf2b454def4debcb38ea173911b72cd upstream.
RFC 8881, section 10.4.3 doesn't say anything about caching the file
size in the delegation record, nor does it say anything about comparing
a cached file size with the size reported by the client in the
CB_GETATTR reply for the purpose of determining if the client holds
modified data for the file.
What section 10.4.3 of RFC 8881 does say is that the server should
compare the *current* file size with the size reported by the client
holding the delegation in the CB_GETATTR reply, and if they differ to
treat it as a modification regardless of the change attribute retrieved
via the CB_GETATTR.
Doing otherwise would cause the server to believe the client holding the
delegation has a modified version of the file, even if the client
flushed the modifications to the server prior to the CB_GETATTR. This
would have the added side effect of subsequent CB_GETATTRs causing
updates to the mtime, ctime, and change attribute even if the client
holding the delegation makes no further updates to the file.
Modify nfsd4_deleg_getattr_conflict() to obtain the current file size
via i_size_read(). Retain the ncf_cur_fsize field, since it's a
convenient way to return the file size back to nfsd4_encode_fattr4(),
but don't use it for the purpose of detecting file changes. Remove the
unnecessary initialization of ncf_cur_fsize in nfs4_open_delegation().
Also, if we recall the delegation (because the client didn't respond to
the CB_GETATTR), then skip the logic that checks the nfs4_cb_fattr
fields.
Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
Cc: stable@vger.kernel.org
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6350,7 +6350,6 @@ nfs4_open_delegation(struct svc_rqst *rq
}
open->op_delegate_type = deleg_ts ? OPEN_DELEGATE_WRITE_ATTRS_DELEG :
OPEN_DELEGATE_WRITE;
- dp->dl_cb_fattr.ncf_cur_fsize = stat.size;
dp->dl_cb_fattr.ncf_initial_cinfo = nfsd4_change_attribute(&stat);
dp->dl_atime = stat.atime;
dp->dl_ctime = stat.ctime;
@@ -9396,11 +9395,15 @@ nfsd4_deleg_getattr_conflict(struct svc_
if (status != nfserr_jukebox ||
!nfsd_wait_for_delegreturn(rqstp, inode))
goto out_status;
+ status = nfs_ok;
+ goto out_status;
+ }
+ if (!ncf->ncf_file_modified) {
+ if (ncf->ncf_initial_cinfo != ncf->ncf_cb_change)
+ ncf->ncf_file_modified = true;
+ else if (i_size_read(inode) != ncf->ncf_cb_fsize)
+ ncf->ncf_file_modified = true;
}
- if (!ncf->ncf_file_modified &&
- (ncf->ncf_initial_cinfo != ncf->ncf_cb_change ||
- ncf->ncf_cur_fsize != ncf->ncf_cb_fsize))
- ncf->ncf_file_modified = true;
if (ncf->ncf_file_modified) {
int err;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 928/957] irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (926 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 927/957] nfsd: fix file change detection in CB_GETATTR Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 929/957] irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type() Greg Kroah-Hartman
` (34 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yong-Xuan Wang, Thomas Gleixner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yong-Xuan Wang <yongxuan.wang@sifive.com>
commit cefafbd561402b0fe6447449364a30315b9b1570 upstream.
Affinity changes of IMSIC interrupts have to be careful to not lose an
interrupt in the process. Each vector keeps track of an affinity change in
progress with two pointers in struct imsic_vector.
imsic_vector::move_prev points to the previous CPU target data and
imsic_vector::move_next to the designated new CPU target data.
imsic_vector::move_prev on the new CPU can only be cleared after the
previous CPU has cleared imsic_vector::move_next, which ususally happens in
__imsic_remote_sync().
In case of CPU hot-unplug __imsic_remote_sync() is not invoked because the
CPU is already marked offline. That means imsic_vector::move_prev becomes
stale until the CPU is onlined again.
The stale pointer prevents further affinity changes for the affected
interrupts.
Solve this by clearing the imsic_vector::move_prev pointers in the CPU
hotplug offline path.
[ tglx: Replace word salad in change log ]
Fixes: 0f67911e821c ("irqchip/riscv-imsic: Separate next and previous pointers in IMSIC vector")
Signed-off-by: Yong-Xuan Wang <yongxuan.wang@sifive.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260508-imsic-v2-1-e9f08dd46cf5@sifive.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-riscv-imsic-early.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/irqchip/irq-riscv-imsic-early.c
+++ b/drivers/irqchip/irq-riscv-imsic-early.c
@@ -163,6 +163,8 @@ static int imsic_dying_cpu(unsigned int
/* Cleanup IPIs */
imsic_ipi_dying_cpu();
+ imsic_local_sync_all(false);
+
/* Mark per-CPU IMSIC state as offline */
imsic_state_offline();
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 929/957] irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (927 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 928/957] irqchip/riscv-imsic: Clear interrupt move state during CPU offlining Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 930/957] irqchip/gic-v5: Move LPI allocation into the LPI domain Greg Kroah-Hartman
` (33 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xianwei Zhao, Thomas Gleixner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xianwei Zhao <xianwei.zhao@amlogic.com>
commit 5363b67ac8ebcc3e227dbf59fc8061949109841d upstream.
meson_s4_gpio_irq_set_type() uses the both-edge trigger register for
configuring level type and single edge mode interrupts, which is not
correct.
Use REG_EDGE_POL instead.
Fixes: bbd6fcc76b39 ("irqchip: Add support for Amlogic A4 and A5 SoCs")
Signed-off-by: Xianwei Zhao <xianwei.zhao@amlogic.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260508-a9-gpio-irqchip-v1-1-9dc5f3e022e0@amlogic.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-meson-gpio.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/irqchip/irq-meson-gpio.c
+++ b/drivers/irqchip/irq-meson-gpio.c
@@ -404,8 +404,7 @@ static int meson_s4_gpio_irq_set_type(st
if (type & (IRQ_TYPE_EDGE_RISING | IRQ_TYPE_EDGE_FALLING))
val |= BIT(ctl->params->edge_single_offset + idx);
- meson_gpio_irq_update_bits(ctl, params->edge_pol_reg,
- BIT(idx) | BIT(12 + idx), val);
+ meson_gpio_irq_update_bits(ctl, REG_EDGE_POL, BIT(idx) | BIT(12 + idx), val);
return 0;
};
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 930/957] irqchip/gic-v5: Move LPI allocation into the LPI domain
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (928 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 929/957] irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 931/957] irqchip/gic-v5: Support range allocation for LPIs Greg Kroah-Hartman
` (32 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sascha Bischoff, Thomas Gleixner,
Marc Zyngier, Lorenzo Pieralisi
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sascha Bischoff <Sascha.Bischoff@arm.com>
commit dec85d2fbd20de3711a71e65397dfdb40c3fa953 upstream.
The IPI and ITS MSI domains currently allocate and release LPIs
directly, then pass the selected LPI ID to the parent LPI domain. This
leaks the LPI domain's allocation policy into its child domains and
forces each child to duplicate part of the parent domain's teardown.
Make the LPI domain allocate LPIs in its .alloc() callback and release
them in a matching .free() callback. Child domains can then request a
parent interrupt without passing an implementation-specific LPI ID,
and the LPI lifetime is tied to the domain that owns the LPI
namespace.
Remove the gicv5_alloc_lpi() and gicv5_free_lpi() wrappers now that no
external caller needs to manage LPIs directly.
This is a preparatory change for an actual leakage problem in the
allocation code and therefore tagged with the same Fixes tag.
Fixes: 0f0101325876 ("irqchip/gic-v5: Add GICv5 LPI/IPI support")
Signed-off-by: Sascha Bischoff <sascha.bischoff@arm.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260506093634.382062-2-sascha.bischoff@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v5-its.c | 14 +--------
drivers/irqchip/irq-gic-v5.c | 53 ++++++++++++++++++-------------------
include/linux/irqchip/arm-gic-v5.h | 3 --
3 files changed, 28 insertions(+), 42 deletions(-)
--- a/drivers/irqchip/irq-gic-v5-its.c
+++ b/drivers/irqchip/irq-gic-v5-its.c
@@ -927,8 +927,8 @@ static void gicv5_its_free_eventid(struc
static int gicv5_its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq,
unsigned int nr_irqs, void *arg)
{
- u32 device_id, event_id_base, lpi;
struct gicv5_its_dev *its_dev;
+ u32 device_id, event_id_base;
msi_alloc_info_t *info = arg;
irq_hw_number_t hwirq;
struct irq_data *irqd;
@@ -947,16 +947,8 @@ static int gicv5_its_irq_domain_alloc(st
device_id = its_dev->device_id;
for (i = 0; i < nr_irqs; i++) {
- ret = gicv5_alloc_lpi();
- if (ret < 0) {
- pr_debug("Failed to find free LPI!\n");
- goto out_free_irqs;
- }
- lpi = ret;
-
- ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, &lpi);
+ ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, NULL);
if (ret) {
- gicv5_free_lpi(lpi);
goto out_free_irqs;
}
@@ -981,7 +973,6 @@ static int gicv5_its_irq_domain_alloc(st
out_free_irqs:
while (--i >= 0) {
irqd = irq_domain_get_irq_data(domain, virq + i);
- gicv5_free_lpi(irqd->parent_data->hwirq);
irq_domain_reset_irq_data(irqd);
irq_domain_free_irqs_parent(domain, virq + i, 1);
}
@@ -1011,7 +1002,6 @@ static void gicv5_its_irq_domain_free(st
for (i = 0; i < nr_irqs; i++) {
d = irq_domain_get_irq_data(domain, virq + i);
- gicv5_free_lpi(d->parent_data->hwirq);
irq_domain_reset_irq_data(d);
irq_domain_free_irqs_parent(domain, virq + i, 1);
}
--- a/drivers/irqchip/irq-gic-v5.c
+++ b/drivers/irqchip/irq-gic-v5.c
@@ -58,16 +58,6 @@ static void release_lpi(u32 lpi)
ida_free(&lpi_ida, lpi);
}
-int gicv5_alloc_lpi(void)
-{
- return alloc_lpi();
-}
-
-void gicv5_free_lpi(u32 lpi)
-{
- release_lpi(lpi);
-}
-
static void gicv5_ppi_priority_init(void)
{
write_sysreg_s(REPEAT_BYTE(GICV5_IRQ_PRI_MI), SYS_ICC_PPI_PRIORITYR0_EL1);
@@ -751,18 +741,36 @@ static void gicv5_lpi_config_reset(struc
gicv5_lpi_irq_write_pending_state(d, false);
}
+static void gicv5_irq_lpi_domain_free(struct irq_domain *domain, unsigned int virq,
+ unsigned int nr_irqs)
+{
+ struct irq_data *d;
+
+ if (WARN_ON_ONCE(nr_irqs != 1))
+ return;
+
+ d = irq_domain_get_irq_data(domain, virq);
+
+ release_lpi(d->hwirq);
+
+ irq_set_handler(virq, NULL);
+ irq_domain_reset_irq_data(d);
+}
+
static int gicv5_irq_lpi_domain_alloc(struct irq_domain *domain, unsigned int virq,
unsigned int nr_irqs, void *arg)
{
irq_hw_number_t hwirq;
struct irq_data *irqd;
- u32 *lpi = arg;
int ret;
if (WARN_ON_ONCE(nr_irqs != 1))
return -EINVAL;
- hwirq = *lpi;
+ ret = alloc_lpi();
+ if (ret < 0)
+ return ret;
+ hwirq = ret;
irqd = irq_domain_get_irq_data(domain, virq);
@@ -771,8 +779,10 @@ static int gicv5_irq_lpi_domain_alloc(st
irqd_set_single_target(irqd);
ret = gicv5_irs_iste_alloc(hwirq);
- if (ret < 0)
+ if (ret < 0) {
+ release_lpi(hwirq);
return ret;
+ }
gicv5_hwirq_init(hwirq, GICV5_IRQ_PRI_MI, GICV5_HWIRQ_TYPE_LPI);
gicv5_lpi_config_reset(irqd);
@@ -782,7 +792,7 @@ static int gicv5_irq_lpi_domain_alloc(st
static const struct irq_domain_ops gicv5_irq_lpi_domain_ops = {
.alloc = gicv5_irq_lpi_domain_alloc,
- .free = gicv5_irq_domain_free,
+ .free = gicv5_irq_lpi_domain_free,
};
void __init gicv5_init_lpi_domain(void)
@@ -804,21 +814,12 @@ static int gicv5_irq_ipi_domain_alloc(st
{
struct irq_data *irqd;
int ret, i;
- u32 lpi;
for (i = 0; i < nr_irqs; i++) {
- ret = gicv5_alloc_lpi();
- if (ret < 0)
+ ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, NULL);
+ if (ret)
return ret;
- lpi = ret;
-
- ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, &lpi);
- if (ret) {
- gicv5_free_lpi(lpi);
- return ret;
- }
-
irqd = irq_domain_get_irq_data(domain, virq + i);
irq_domain_set_hwirq_and_chip(domain, virq + i, i,
@@ -844,8 +845,6 @@ static void gicv5_irq_ipi_domain_free(st
if (!d)
return;
- gicv5_free_lpi(d->parent_data->hwirq);
-
irq_set_handler(virq + i, NULL);
irq_domain_reset_irq_data(d);
irq_domain_free_irqs_parent(domain, virq + i, 1);
--- a/include/linux/irqchip/arm-gic-v5.h
+++ b/include/linux/irqchip/arm-gic-v5.h
@@ -387,8 +387,5 @@ struct gicv5_its_itt_cfg {
void gicv5_init_lpis(u32 max);
void gicv5_deinit_lpis(void);
-int gicv5_alloc_lpi(void);
-void gicv5_free_lpi(u32 lpi);
-
void __init gicv5_its_of_probe(struct device_node *parent);
#endif
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 931/957] irqchip/gic-v5: Support range allocation for LPIs
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (929 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 930/957] irqchip/gic-v5: Move LPI allocation into the LPI domain Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 932/957] irqchip/gic-v5: Allocate ITS parent LPIs as a range Greg Kroah-Hartman
` (31 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sascha Bischoff, Thomas Gleixner,
Marc Zyngier, Lorenzo Pieralisi
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sascha Bischoff <Sascha.Bischoff@arm.com>
commit eb6f6d523813ead9dc2799194a2839d42c049734 upstream.
The per-IPI parent allocation loop returns immediately on failure and leaks
any parent interrupts allocated by earlier iterations.
The GICv5 LPI domain now owns LPI allocation and teardown internally,
but its irq_domain callbacks still reject requests where nr_irqs is
greater than one. This forces child domains to allocate and free LPIs
one at a time even when the interrupt core requests a contiguous
range.
Handle multi-interrupt allocation and teardown in the LPI domain by
iterating over the requested range and unwinding any partially
allocated state on failure.
Allocate the parent LPIs for the IPI domain with a single range
request as well, which cures the leakage problem.
Fixes: 0f0101325876 ("irqchip/gic-v5: Add GICv5 LPI/IPI support")
Signed-off-by: Sascha Bischoff <sascha.bischoff@arm.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260506093634.382062-3-sascha.bischoff@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v5.c | 77 +++++++++++++++++++++++--------------------
1 file changed, 42 insertions(+), 35 deletions(-)
--- a/drivers/irqchip/irq-gic-v5.c
+++ b/drivers/irqchip/irq-gic-v5.c
@@ -746,15 +746,14 @@ static void gicv5_irq_lpi_domain_free(st
{
struct irq_data *d;
- if (WARN_ON_ONCE(nr_irqs != 1))
- return;
+ for (unsigned int i = 0; i < nr_irqs; i++, virq++) {
+ d = irq_domain_get_irq_data(domain, virq);
- d = irq_domain_get_irq_data(domain, virq);
+ release_lpi(d->hwirq);
- release_lpi(d->hwirq);
-
- irq_set_handler(virq, NULL);
- irq_domain_reset_irq_data(d);
+ irq_set_handler(virq, NULL);
+ irq_domain_reset_irq_data(d);
+ }
}
static int gicv5_irq_lpi_domain_alloc(struct irq_domain *domain, unsigned int virq,
@@ -762,32 +761,39 @@ static int gicv5_irq_lpi_domain_alloc(st
{
irq_hw_number_t hwirq;
struct irq_data *irqd;
+ unsigned int i;
int ret;
- if (WARN_ON_ONCE(nr_irqs != 1))
- return -EINVAL;
-
- ret = alloc_lpi();
- if (ret < 0)
- return ret;
- hwirq = ret;
+ for (i = 0; i < nr_irqs; i++) {
+ ret = alloc_lpi();
+ if (ret < 0)
+ goto out_free_lpis;
+ hwirq = ret;
+
+ ret = gicv5_irs_iste_alloc(hwirq);
+ if (ret < 0) {
+ /* Undo partial state first, then clean up the rest */
+ release_lpi(hwirq);
+ goto out_free_lpis;
+ }
- irqd = irq_domain_get_irq_data(domain, virq);
+ irqd = irq_domain_get_irq_data(domain, virq + i);
- irq_domain_set_info(domain, virq, hwirq, &gicv5_lpi_irq_chip, NULL,
- handle_fasteoi_irq, NULL, NULL);
- irqd_set_single_target(irqd);
+ irq_domain_set_info(domain, virq + i, hwirq, &gicv5_lpi_irq_chip,
+ NULL, handle_fasteoi_irq, NULL, NULL);
+ irqd_set_single_target(irqd);
- ret = gicv5_irs_iste_alloc(hwirq);
- if (ret < 0) {
- release_lpi(hwirq);
- return ret;
+ gicv5_hwirq_init(hwirq, GICV5_IRQ_PRI_MI, GICV5_HWIRQ_TYPE_LPI);
+ gicv5_lpi_config_reset(irqd);
}
- gicv5_hwirq_init(hwirq, GICV5_IRQ_PRI_MI, GICV5_HWIRQ_TYPE_LPI);
- gicv5_lpi_config_reset(irqd);
-
return 0;
+
+out_free_lpis:
+ if (i)
+ gicv5_irq_lpi_domain_free(domain, virq, i);
+
+ return ret;
}
static const struct irq_domain_ops gicv5_irq_lpi_domain_ops = {
@@ -813,21 +819,21 @@ static int gicv5_irq_ipi_domain_alloc(st
unsigned int nr_irqs, void *arg)
{
struct irq_data *irqd;
- int ret, i;
+ int ret;
- for (i = 0; i < nr_irqs; i++) {
- ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, NULL);
- if (ret)
- return ret;
+ ret = irq_domain_alloc_irqs_parent(domain, virq, nr_irqs, arg);
+ if (ret)
+ return ret;
- irqd = irq_domain_get_irq_data(domain, virq + i);
+ for (unsigned int i = 0; i < nr_irqs; i++, virq++) {
+ irqd = irq_domain_get_irq_data(domain, virq);
- irq_domain_set_hwirq_and_chip(domain, virq + i, i,
- &gicv5_ipi_irq_chip, NULL);
+ irq_domain_set_hwirq_and_chip(domain, virq, i,
+ &gicv5_ipi_irq_chip, NULL);
irqd_set_single_target(irqd);
- irq_set_handler(virq + i, handle_percpu_irq);
+ irq_set_handler(virq, handle_percpu_irq);
}
return 0;
@@ -847,8 +853,9 @@ static void gicv5_irq_ipi_domain_free(st
irq_set_handler(virq + i, NULL);
irq_domain_reset_irq_data(d);
- irq_domain_free_irqs_parent(domain, virq + i, 1);
}
+
+ irq_domain_free_irqs_parent(domain, virq, nr_irqs);
}
static const struct irq_domain_ops gicv5_irq_ipi_domain_ops = {
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 932/957] irqchip/gic-v5: Allocate ITS parent LPIs as a range
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (930 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 931/957] irqchip/gic-v5: Support range allocation for LPIs Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 933/957] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
` (30 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sascha Bischoff, Thomas Gleixner,
Marc Zyngier, Lorenzo Pieralisi
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sascha Bischoff <Sascha.Bischoff@arm.com>
commit a7c7e42654b6a8676610ee09d22901432c4851af upstream.
The ITS MSI domain no longer manages LPI allocation directly. LPIs are
allocated and freed by the parent LPI domain, which can now handle a
full range of interrupts and unwind partial allocations internally.
Make the ITS domain request and release the parent IRQs as a single
range instead of iterating over each interrupt. The ITS allocation
path then only needs to reserve EventIDs, allocate the parent range,
and fill in the ITS irq_data for each MSI. Since no operation in the
per-MSI loop can fail, the partial parent-free unwind becomes
unnecessary.
On teardown, reset the ITS irq_data for the range and then release the
parent range in one call, leaving LPI teardown to the LPI domain.
Fixes: 0f0101325876 ("irqchip/gic-v5: Add GICv5 LPI/IPI support")
Signed-off-by: Sascha Bischoff <sascha.bischoff@arm.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260506093634.382062-4-sascha.bischoff@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-gic-v5-its.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
--- a/drivers/irqchip/irq-gic-v5-its.c
+++ b/drivers/irqchip/irq-gic-v5-its.c
@@ -935,6 +935,7 @@ static int gicv5_its_irq_domain_alloc(st
int ret, i;
its_dev = info->scratchpad[0].ptr;
+ device_id = its_dev->device_id;
ret = gicv5_its_alloc_eventid(its_dev, info, nr_irqs, &event_id_base);
if (ret)
@@ -944,14 +945,11 @@ static int gicv5_its_irq_domain_alloc(st
if (ret)
goto out_eventid;
- device_id = its_dev->device_id;
+ ret = irq_domain_alloc_irqs_parent(domain, virq, nr_irqs, NULL);
+ if (ret)
+ goto out_eventid;
for (i = 0; i < nr_irqs; i++) {
- ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, NULL);
- if (ret) {
- goto out_free_irqs;
- }
-
/*
* Store eventid and deviceid into the hwirq for later use.
*
@@ -970,12 +968,6 @@ static int gicv5_its_irq_domain_alloc(st
return 0;
-out_free_irqs:
- while (--i >= 0) {
- irqd = irq_domain_get_irq_data(domain, virq + i);
- irq_domain_reset_irq_data(irqd);
- irq_domain_free_irqs_parent(domain, virq + i, 1);
- }
out_eventid:
gicv5_its_free_eventid(its_dev, event_id_base, nr_irqs);
return ret;
@@ -998,14 +990,14 @@ static void gicv5_its_irq_domain_free(st
bitmap_release_region(its_dev->event_map, event_id_base,
get_count_order(nr_irqs));
- /* Hierarchically free irq data */
for (i = 0; i < nr_irqs; i++) {
d = irq_domain_get_irq_data(domain, virq + i);
-
irq_domain_reset_irq_data(d);
- irq_domain_free_irqs_parent(domain, virq + i, 1);
}
+ /* Hierarchically free irq data */
+ irq_domain_free_irqs_parent(domain, virq, nr_irqs);
+
gicv5_its_syncr(its, its_dev);
gicv5_irs_syncr();
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 933/957] libceph: Fix potential out-of-bounds access in osdmap_decode()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (931 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 932/957] irqchip/gic-v5: Allocate ITS parent LPIs as a range Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 934/957] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
` (29 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 35d0ed82d03e5ee77ea4f31f20e29562a7721649 upstream.
When decoding osd_state and osd_weight from an incoming osdmap in
osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
times. The ceph_decode_need() check only accounts for
sizeof(*map->osd_weight) once. This can potentially result in an
out-of-bounds memory access if the incoming message is corrupted such
that the max_osd value exceeds the actual content of the osdmap message.
This patch fixes the issue by changing the corresponding part in the
ceph_decode_need() check to account for
map->max_osd*sizeof(*map->osd_weight).
Cc: stable@vger.kernel.org
Fixes: dcbc919a5dc8 ("libceph: switch osdmap decoding to use ceph_decode_entity_addr")
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1703,7 +1703,7 @@ static int osdmap_decode(void **p, void
ceph_decode_need(p, end, 3*sizeof(u32) +
map->max_osd*(struct_v >= 5 ? sizeof(u32) :
sizeof(u8)) +
- sizeof(*map->osd_weight), e_inval);
+ map->max_osd*sizeof(*map->osd_weight), e_inval);
if (ceph_decode_32(p) != map->max_osd)
goto e_inval;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 934/957] libceph: Fix potential null-ptr-deref in decode_choose_args()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (932 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 933/957] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 935/957] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
` (28 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf upstream.
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an
array of max_buckets CRUSH buckets is decoded, where some indices may
not refer to actual buckets and are therefore set to NULL. The received
CRUSH map may optionally contain choose_args that get decoded in
decode_choose_args(). When decoding a crush_choose_arg_map, a series of
choose_args for different buckets is decoded, with the bucket_index
being read from the incoming message. It is only checked that the bucket
index does not exceed max_buckets, but not that it doesn't point to an
index with a NULL bucket. If a (potentially corrupted) message contains
a crush_choose_arg_map including such a bucket_index, a null pointer
dereference may occur in the subsequent processing when attempting to
access the bucket with the given index.
This patch fixes the issue by extending the affected check. Now, it is
only attempted to access the bucket if it is not NULL.
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -390,7 +390,8 @@ static int decode_choose_args(void **p,
goto fail;
if (arg->ids_size &&
- arg->ids_size != c->buckets[bucket_index]->size)
+ (!c->buckets[bucket_index] ||
+ arg->ids_size != c->buckets[bucket_index]->size))
goto e_inval;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 935/957] libceph: Fix potential out-of-bounds access in crush_decode()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (933 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 934/957] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 936/957] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
` (27 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit 4c79fc2d598694bda845b46229c9d48b65042970 upstream.
A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.
This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/crush/crush.c | 6 +-----
net/ceph/osdmap.c | 4 ++++
2 files changed, 5 insertions(+), 5 deletions(-)
--- a/net/ceph/crush/crush.c
+++ b/net/ceph/crush/crush.c
@@ -47,7 +47,6 @@ int crush_get_bucket_item_weight(const s
void crush_destroy_bucket_uniform(struct crush_bucket_uniform *b)
{
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_list(struct crush_bucket_list *b)
@@ -55,14 +54,12 @@ void crush_destroy_bucket_list(struct cr
kfree(b->item_weights);
kfree(b->sum_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_tree(struct crush_bucket_tree *b)
{
kfree(b->h.items);
kfree(b->node_weights);
- kfree(b);
}
void crush_destroy_bucket_straw(struct crush_bucket_straw *b)
@@ -70,14 +67,12 @@ void crush_destroy_bucket_straw(struct c
kfree(b->straws);
kfree(b->item_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket_straw2(struct crush_bucket_straw2 *b)
{
kfree(b->item_weights);
kfree(b->h.items);
- kfree(b);
}
void crush_destroy_bucket(struct crush_bucket *b)
@@ -99,6 +94,7 @@ void crush_destroy_bucket(struct crush_b
crush_destroy_bucket_straw2((struct crush_bucket_straw2 *)b);
break;
}
+ kfree(b);
}
/**
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -518,6 +518,10 @@ static struct crush_map *crush_decode(vo
b->id = ceph_decode_32(p);
b->type = ceph_decode_16(p);
b->alg = ceph_decode_8(p);
+ if (b->alg != alg) {
+ b->alg = 0;
+ goto bad;
+ }
b->hash = ceph_decode_8(p);
b->weight = ceph_decode_32(p);
b->size = ceph_decode_32(p);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 936/957] libceph: handle rbtree insertion error in decode_choose_args()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (934 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 935/957] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 937/957] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
` (26 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
commit d289478cfc0bcf81c7914200d6abdcb78bd04ded upstream.
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
contains a CRUSH map. The received CRUSH map may optionally contain
choose_args that get decoded in decode_choose_args(). In this function,
num_choose_arg_maps is read from the message, and a corresponding number
of crush_choose_arg_maps gets decoded afterwards. Each
crush_choose_arg_map has a choose_args_index, which serves as the key
when inserting it into the choose_args rbtree of the decoded crush_map.
If a (potentially corrupted) message contains two crush_choose_arg_maps
with the same index, the assertion in insert_choose_arg_map() triggers a
kernel BUG when trying to insert the second crush_choose_arg_map.
This patch fixes the issue by switching to the non-asserting rbtree
insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -395,7 +395,10 @@ static int decode_choose_args(void **p,
goto e_inval;
}
- insert_choose_arg_map(&c->choose_args, arg_map);
+ if (!__insert_choose_arg_map(&c->choose_args, arg_map)) {
+ ret = -EEXIST;
+ goto fail;
+ }
}
return 0;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 937/957] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (935 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 936/957] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 938/957] iommu/vt-d: Fix oops due to out of scope access Greg Kroah-Hartman
` (25 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naval Alcalá, Lu Baolu,
Joerg Roedel
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naval Alcalá <ari@naval.cat>
commit 2cda2e10dc8343ae01eae9e999a876b7e7d37861 upstream.
Intel Q35 integrated graphics (8086:29b2) exhibits broken DMAR
behaviour similar to other G4x/GM45 devices for which DMAR is
already disabled via quirks.
When DMAR is enabled, the system may hard lock up during boot or
early device initialization, requiring a reset.
Add the missing PCI ID to the existing quirk list to disable
DMAR for this device.
Fixes: 1f76249cc3be ("iommu/vt-d: Declare Broadwell igfx dmar support snafu")
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=201185
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216064
Signed-off-by: Naval Alcalá <ari@naval.cat>
Link: https://lore.kernel.org/r/20260410161622.13549-1-ari@naval.cat
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4517,6 +4517,9 @@ static void quirk_iommu_igfx(struct pci_
disable_igfx_iommu = 1;
}
+/* Q35 integrated gfx dmar support is totally busted. */
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x29b2, quirk_iommu_igfx);
+
/* G4x/GM45 integrated gfx dmar support is totally busted. */
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_igfx);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_igfx);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 938/957] iommu/vt-d: Fix oops due to out of scope access
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (936 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 937/957] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 939/957] iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Greg Kroah-Hartman
` (24 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhenzhong Duan, Kevin Tian, Lu Baolu,
Joerg Roedel
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
commit a6dea58d8625c06b9654c0555f101742481335c3 upstream.
Below oops triggers when kill QEMU process:
Oops: general protection fault, probably for non-canonical address 0x7fffffff844eaaa7: 0000 [#1] SMP NOPTI
Call Trace:
<TASK>
do_raw_spin_lock+0xaa/0xc0
_raw_spin_lock_irqsave+0x21/0x40
domain_remove_dev_pasid+0x52/0x160
intel_nested_set_dev_pasid+0x1b9/0x1e0
__iommu_set_group_pasid+0x56/0x120
pci_dev_reset_iommu_done+0xe3/0x180
pcie_flr+0x65/0x160
__pci_reset_function_locked+0x5b/0x120
vfio_pci_core_close_device+0x63/0xe0 [vfio_pci_core]
vfio_df_close+0x4f/0xa0
vfio_df_unbind_iommufd+0x2d/0x60
vfio_device_fops_release+0x3e/0x40
__fput+0xe5/0x2c0
task_work_run+0x58/0xa0
do_exit+0x2c8/0x600
do_group_exit+0x2f/0xa0
get_signal+0x863/0x8c0
arch_do_signal_or_restart+0x24/0x100
exit_to_user_mode_loop+0x87/0x380
do_syscall_64+0x2ff/0x11e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The global static blocked domain is a dummy domain without corresponding
dmar_domain structure, accessing beyond iommu_domain structure triggers
oops easily. Fix it by return early in domain_remove_dev_pasid() like
identity domain.
Fixes: 7d0c9da6c150 ("iommu/vt-d: Add set_dev_pasid callback for dma domain")
Cc: stable@vger.kernel.org
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260421031347.1408890-1-zhenzhong.duan@intel.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4068,8 +4068,8 @@ void domain_remove_dev_pasid(struct iomm
if (!domain)
return;
- /* Identity domain has no meta data for pasid. */
- if (domain->type == IOMMU_DOMAIN_IDENTITY)
+ /* Identity domain and blocked domain have no meta data for pasid. */
+ if (domain->type == IOMMU_DOMAIN_IDENTITY || domain->type == IOMMU_DOMAIN_BLOCKED)
return;
dmar_domain = to_dmar_domain(domain);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 939/957] iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (937 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 938/957] iommu/vt-d: Fix oops due to out of scope access Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 940/957] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
` (23 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Tian, Zhenzhong Duan, Lu Baolu,
Joerg Roedel
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
commit 79ea2feb917b05366b49d85573c9c5331f043b2c upstream.
Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
fixed a NULL pointer dereference in an unlikely situation partly.
If dev_pasid is not found in the dev_pasids list, it remains NULL.
However, the teardown operations are executed unconditionally, this lead
to a NULL pointer dereference or refcount corruption.
If the domain was never attached to this IOMMU, info will be NULL, which
would cause an immediate dereference when checking --info->refcnt.
Even if info is not NULL, decrementing the refcount without having removed
a valid PASID might unbalance the count. This could lead to premature
dropping of the refcount to 0, potentially causing a use-after-free for the
remaining active devices sharing the domain.
Fix it by returning early if dev_pasid is NULL, before executing the
teardown operations.
Issue found by AI review and suggested by Kevin Tian.
https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
Fixes: 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
Cc: stable@vger.kernel.org
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20260422033538.95000-1-zhenzhong.duan@intel.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/intel/iommu.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -4083,12 +4083,13 @@ void domain_remove_dev_pasid(struct iomm
}
spin_unlock_irqrestore(&dmar_domain->lock, flags);
+ if (WARN_ON_ONCE(!dev_pasid))
+ return;
+
cache_tag_unassign_domain(dmar_domain, dev, pasid);
domain_detach_iommu(dmar_domain, iommu);
- if (!WARN_ON_ONCE(!dev_pasid)) {
- intel_iommu_debugfs_remove_dev_pasid(dev_pasid);
- kfree(dev_pasid);
- }
+ intel_iommu_debugfs_remove_dev_pasid(dev_pasid);
+ kfree(dev_pasid);
}
static int blocking_domain_set_dev_pasid(struct iommu_domain *domain,
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 940/957] drm/i915: skip __i915_request_skip() for already signaled requests
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (938 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 939/957] iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 941/957] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
` (22 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Brzezinka, Krzysztof Karas,
Andi Shyti, Tvrtko Ursulin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
commit 4cfe4c0efbdcde742a47813180cc69b132d7598e upstream.
After a GPU reset the HWSP is zeroed, so previously completed
requests appear incomplete. If such a request is picked up during
reset_rewind() and marked guilty, i915_request_set_error_once()
returns early (fence already signaled), leaving fence.error without
a fatal error code. The subsequent __i915_request_skip() then hits:
```
GEM_BUG_ON(!fatal_error(rq->fence.error))
```
Fixes a kernel BUG observed on Sandy Bridge (Gen6) during
heartbeat-triggered engine resets.
```
kernel BUG at drivers/gpu/drm/i915/i915_request.c:556!
RIP: __i915_request_skip+0x15e/0x1d0 [i915]
...
__i915_request_reset+0x212/0xa70 [i915]
reset_rewind+0xe4/0x280 [i915]
intel_gt_reset+0x30d/0x5b0 [i915]
heartbeat+0x516/0x530 [i915]
```
Guard __i915_request_skip() with i915_request_signaled(), if the
fence is already signaled, the ring content is committed and there
is nothing left to skip.
Fixes: 36e191f0644b ("drm/i915: Apply i915_request_skip() on submission")
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/13729
Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Cc: stable@vger.kernel.org # v5.7+
Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/fe76921d35b6ae85aa651822726d0d9815aa5362.1776339012.git.sebastian.brzezinka@intel.com
(cherry picked from commit 5ba54393dcd7adf75a9f39f5a933b1538349cad5)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gt/intel_reset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gt/intel_reset.c
+++ b/drivers/gpu/drm/i915/gt/intel_reset.c
@@ -132,7 +132,8 @@ void __i915_request_reset(struct i915_re
rcu_read_lock(); /* protect the GEM context */
if (guilty) {
i915_request_set_error_once(rq, -EIO);
- __i915_request_skip(rq);
+ if (!i915_request_signaled(rq))
+ __i915_request_skip(rq);
banned = mark_guilty(rq);
} else {
i915_request_set_error_once(rq, -EAGAIN);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 941/957] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (939 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 940/957] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 942/957] drm/xe/dma-buf: handle empty bo and UAF races Greg Kroah-Hartman
` (21 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gyeyoung Baek, Adrián Larumbe,
Boris Brezillon, Steven Price
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gyeyoung Baek <gye976@gmail.com>
commit 459d75523b71c0ec254d153d8850d0b7008af396 upstream.
dma_resv_wait_timeout() returns a positive 'remaining jiffies' value
on success, 0 on timeout, and -errno on failure.
panfrost_ioctl_wait_bo() returns this 'long' result from an int-typed
ioctl handler, so positive values reach userspace as bogus errors.
Explicitly set ret to 0 on the success path.
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Cc: stable@vger.kernel.org
Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
Reviewed-by: Adrián Larumbe <adrian.larumbe@collabora.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Link: https://patch.msgid.link/fe33f82fded7be1c18e2e0eb2db451d5a738cf39.1776581974.git.gye976@gmail.com
Signed-off-by: Steven Price <steven.price@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panfrost/panfrost_drv.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
+++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
@@ -365,6 +365,8 @@ panfrost_ioctl_wait_bo(struct drm_device
true, timeout);
if (!ret)
ret = timeout ? -ETIMEDOUT : -EBUSY;
+ else if (ret > 0)
+ ret = 0;
drm_gem_object_put(gem_obj);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 942/957] drm/xe/dma-buf: handle empty bo and UAF races
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (940 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 941/957] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 943/957] drm/xe/dma-buf: fix UAF with retry loop Greg Kroah-Hartman
` (20 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Thomas Hellström,
Matthew Brost, Rodrigo Vivi
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Auld <matthew.auld@intel.com>
commit 981bedbbe61364fcc3a3b87ebaf648a66cd07108 upstream.
There look to be some nasty races here when triggering the
invalidate_mappings hook:
1) We do xe_bo_alloc() followed by the attach, before the actual full bo
init step in xe_dma_buf_init_obj(). However the bo is visible on the
attachments list after the attach. This is bad since exporter driver,
say amdgpu, can at any time call back into our invalidate_mappings hook,
with an empty/bogus bo, leading to potential bugs/crashes.
2) Similar to 1) but here we get a UAF, when the invalidate_mappings
hook is triggered. For example, we get as far as xe_bo_init_locked()
but this fails in some way. But here the bo will be freed on error, but
we still have it attached from dma-buf pov, so if the
invalidate_mappings is now triggered then the bo we access is gone and
we trigger UAF and more bugs/crashes.
To fix this, move the attach step until after we actually have a fully
set up buffer object. Note that the bo is not published to userspace
until later, so not sure what the comment "Don't publish the bo
until we have a valid attachment", is referring to.
We have at least two different customers reporting hitting a NULL ptr
deref in evict_flags when importing something from amdgpu, followed by
triggering the evict flow. Hit rate is also pretty low, which would
hint at some kind of race, so something like 1) or 2) might explain
this.
v2:
- Shuffle the order of the ops slightly (no functional change)
- Improve the comment to better explain the ordering (Matt B)
Assisted-by: Gemini:gemini-3 #debug
Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/7903
Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/4055
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Acked-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Link: https://patch.msgid.link/20260508102635.149172-3-matthew.auld@intel.com
(cherry picked from commit af1f2ad0c59fe4e2f924c526f66e968289d77971)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_dma_buf.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
--- a/drivers/gpu/drm/xe/xe_dma_buf.c
+++ b/drivers/gpu/drm/xe/xe_dma_buf.c
@@ -326,15 +326,25 @@ struct drm_gem_object *xe_gem_prime_impo
}
}
- /*
- * Don't publish the bo until we have a valid attachment, and a
- * valid attachment needs the bo address. So pre-create a bo before
- * creating the attachment and publish.
- */
bo = xe_bo_alloc();
if (IS_ERR(bo))
return ERR_CAST(bo);
+ /*
+ * xe_dma_buf_init_obj() takes ownership of the raw bo, so do not touch
+ * on fail, since it will already take care of cleanup. On success we
+ * still need to drop the ref, if something later fails.
+ *
+ * In addition this needs to happen before the attach, since
+ * it will create a new attachment for this, and add it to the list of
+ * attachments, at which point it is globally visible, and at any point
+ * the export side can call into on invalidate_mappings callback, which
+ * require a working object.
+ */
+ obj = xe_dma_buf_init_obj(dev, bo, dma_buf);
+ if (IS_ERR(obj))
+ return obj;
+
attach_ops = &xe_dma_buf_attach_ops;
#if IS_ENABLED(CONFIG_DRM_XE_KUNIT_TEST)
if (test)
@@ -347,21 +357,12 @@ struct drm_gem_object *xe_gem_prime_impo
goto out_err;
}
- /*
- * xe_dma_buf_init_obj() takes ownership of bo on both success
- * and failure, so we must not touch bo after this call.
- */
- obj = xe_dma_buf_init_obj(dev, bo, dma_buf);
- if (IS_ERR(obj)) {
- dma_buf_detach(dma_buf, attach);
- return obj;
- }
get_dma_buf(dma_buf);
obj->import_attach = attach;
return obj;
out_err:
- xe_bo_free(bo);
+ xe_bo_put(bo);
return obj;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 943/957] drm/xe/dma-buf: fix UAF with retry loop
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (941 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 942/957] drm/xe/dma-buf: handle empty bo and UAF races Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 944/957] drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC Greg Kroah-Hartman
` (19 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Thomas Hellström,
Matthew Brost, Rodrigo Vivi
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Auld <matthew.auld@intel.com>
commit 155a372a1cc50fa93387c5d3cdfd614a61e1afd1 upstream.
Retry doesn't work here, since bo will be freed on error, leading to
UAF. However, now that we do the alloc & init before the attach, we can
now combine this as one unit and have the init do the alloc for us. This
should make the retry safe.
Reported by Sashiko.
v2: Fix up the error unwind (CI)
Closes: https://sashiko.dev/#/patchset/20260506184332.86743-2-matthew.auld%40intel.com
Fixes: eb289a5f6cc6 ("drm/xe: Convert xe_dma_buf.c for exhaustive eviction")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org> # v6.18+
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Link: https://patch.msgid.link/20260508102635.149172-4-matthew.auld@intel.com
(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_dma_buf.c | 49 +++++++++-------------------------------
1 file changed, 12 insertions(+), 37 deletions(-)
--- a/drivers/gpu/drm/xe/xe_dma_buf.c
+++ b/drivers/gpu/drm/xe/xe_dma_buf.c
@@ -227,16 +227,8 @@ struct dma_buf *xe_gem_prime_export(stru
return buf;
}
-/*
- * Takes ownership of @storage: on success it is transferred to the returned
- * drm_gem_object; on failure it is freed before returning the error.
- * This matches the contract of xe_bo_init_locked() which frees @storage on
- * its error paths, so callers need not (and must not) free @storage after
- * this call.
- */
static struct drm_gem_object *
-xe_dma_buf_init_obj(struct drm_device *dev, struct xe_bo *storage,
- struct dma_buf *dma_buf)
+xe_dma_buf_create_obj(struct drm_device *dev, struct dma_buf *dma_buf)
{
struct dma_resv *resv = dma_buf->resv;
struct xe_device *xe = to_xe_device(dev);
@@ -247,10 +239,8 @@ xe_dma_buf_init_obj(struct drm_device *d
int ret = 0;
dummy_obj = drm_gpuvm_resv_object_alloc(&xe->drm);
- if (!dummy_obj) {
- xe_bo_free(storage);
+ if (!dummy_obj)
return ERR_PTR(-ENOMEM);
- }
dummy_obj->resv = resv;
xe_validation_guard(&ctx, &xe->val, &exec, (struct xe_val_flags) {}, ret) {
@@ -259,8 +249,7 @@ xe_dma_buf_init_obj(struct drm_device *d
if (ret)
break;
- /* xe_bo_init_locked() frees storage on error */
- bo = xe_bo_init_locked(xe, storage, NULL, resv, NULL, dma_buf->size,
+ bo = xe_bo_init_locked(xe, NULL, NULL, resv, NULL, dma_buf->size,
0, /* Will require 1way or 2way for vm_bind */
ttm_bo_type_sg, XE_BO_FLAG_SYSTEM, &exec);
drm_exec_retry_on_contention(&exec);
@@ -311,7 +300,6 @@ struct drm_gem_object *xe_gem_prime_impo
const struct dma_buf_attach_ops *attach_ops;
struct dma_buf_attachment *attach;
struct drm_gem_object *obj;
- struct xe_bo *bo;
if (dma_buf->ops == &xe_dmabuf_ops) {
obj = dma_buf->priv;
@@ -326,22 +314,14 @@ struct drm_gem_object *xe_gem_prime_impo
}
}
- bo = xe_bo_alloc();
- if (IS_ERR(bo))
- return ERR_CAST(bo);
-
/*
- * xe_dma_buf_init_obj() takes ownership of the raw bo, so do not touch
- * on fail, since it will already take care of cleanup. On success we
- * still need to drop the ref, if something later fails.
- *
- * In addition this needs to happen before the attach, since
- * it will create a new attachment for this, and add it to the list of
- * attachments, at which point it is globally visible, and at any point
- * the export side can call into on invalidate_mappings callback, which
- * require a working object.
+ * This needs to happen before the attach, since it will create a new
+ * attachment for this, and add it to the list of attachments, at which
+ * point it is globally visible, and at any point the export side can
+ * call into on invalidate_mappings callback, which require a working
+ * object.
*/
- obj = xe_dma_buf_init_obj(dev, bo, dma_buf);
+ obj = xe_dma_buf_create_obj(dev, dma_buf);
if (IS_ERR(obj))
return obj;
@@ -351,20 +331,15 @@ struct drm_gem_object *xe_gem_prime_impo
attach_ops = test->attach_ops;
#endif
- attach = dma_buf_dynamic_attach(dma_buf, dev->dev, attach_ops, &bo->ttm.base);
+ attach = dma_buf_dynamic_attach(dma_buf, dev->dev, attach_ops, obj);
if (IS_ERR(attach)) {
- obj = ERR_CAST(attach);
- goto out_err;
+ xe_bo_put(gem_to_xe_bo(obj));
+ return ERR_CAST(attach);
}
get_dma_buf(dma_buf);
obj->import_attach = attach;
return obj;
-
-out_err:
- xe_bo_put(bo);
-
- return obj;
}
#if IS_ENABLED(CONFIG_DRM_XE_KUNIT_TEST)
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 944/957] drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (942 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 943/957] drm/xe/dma-buf: fix UAF with retry loop Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 945/957] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
` (18 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Friedrich Vock, Maarten Lankhorst,
Tejun Heo, Maxime Ripard, Christian Koenig, dri-devel,
Thomas Hellström, Maarten Lankhorst
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
commit 591711b32681a04b57d00c2a404658f8419a081c upstream.
dmem_cgroup_try_charge() returns -EAGAIN when the cgroup limit is
hit and the charge fails. TTM has no concept of -EAGAIN from resource
allocation; -ENOSPC is the canonical error meaning "no space, try
eviction". Convert at the source in ttm_resource_alloc() so no caller
needs to handle an unexpected error code, and clean up the now-redundant
-EAGAIN check in ttm_bo_alloc_resource().
Without this, -EAGAIN escaping ttm_resource_alloc() during an eviction
walk causes the walk to terminate early instead of continuing to the
next candidate.
Cc: Friedrich Vock <friedrich.vock@gmx.de>
Cc: Maarten Lankhorst <dev@lankhorst.se>
Cc: Tejun Heo <tj@kernel.org>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Christian Koenig <christian.koenig@amd.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.14+
Fixes: 2b624a2c1865 ("drm/ttm: Handle cgroup based eviction in TTM")
Assisted-by: GitHub_Copilot:claude-sonnet-4.6
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Maarten Lankhorst <dev@lankhrost.se>
Link: https://patch.msgid.link/20260508160920.230339-1-thomas.hellstrom@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/ttm/ttm_bo.c | 2 +-
drivers/gpu/drm/ttm/ttm_resource.c | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -739,7 +739,7 @@ static int ttm_bo_alloc_resource(struct
may_evict = (force_space && place->mem_type != TTM_PL_SYSTEM);
ret = ttm_resource_alloc(bo, place, res, force_space ? &limit_pool : NULL);
if (ret) {
- if (ret != -ENOSPC && ret != -EAGAIN) {
+ if (ret != -ENOSPC) {
dmem_cgroup_pool_state_put(limit_pool);
return ret;
}
--- a/drivers/gpu/drm/ttm/ttm_resource.c
+++ b/drivers/gpu/drm/ttm/ttm_resource.c
@@ -384,8 +384,11 @@ int ttm_resource_alloc(struct ttm_buffer
if (man->cg) {
ret = dmem_cgroup_try_charge(man->cg, bo->base.size, &pool, ret_limit_pool);
- if (ret)
+ if (ret) {
+ if (ret == -EAGAIN)
+ ret = -ENOSPC;
return ret;
+ }
}
ret = man->func->alloc(man, bo, place, res_ptr);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 945/957] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (943 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 944/957] drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 946/957] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
` (17 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Patrik Jakobsson
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 950953f774b3f69da6f413e045ef075e1f3da2df upstream.
Make sure to drop the reference taken to the I2C adapter (and its
module) when setting up HDMI to allow the adapter to be deregistered.
Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
Cc: stable@vger.kernel.org # 3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
@@ -579,6 +579,7 @@ static int oaktrail_hdmi_get_modes(struc
} else {
edid = (struct edid *)raw_edid;
/* FIXME ? edid = drm_get_edid(connector, i2c_adap); */
+ i2c_put_adapter(i2c_adap);
}
if (edid) {
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 946/957] drm/gma500/oaktrail_lvds: fix hang on init failure
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (944 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 945/957] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 947/957] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
` (16 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Johan Hovold
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 657a091ab6d01d0091b77660c75cfed573c9a53e upstream.
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and
tries to read the EDID before falling back to allocating and registering
its own adapter.
The error handling does not separate these cases so on a late init
failure it will try to deregister and free also an adapter that had
previously been registered. Since i2c_get_adapter() takes another
reference to the adapter, deregistration hangs indefinitely while
waiting for the reference to be released.
Fix this by only destroying adapters allocated during LVDS init on
errors.
Fixes: a57ebfc0b4da ("drm/gma500: Make oaktrail lvds use ddc adapter from drm_connector")
Cc: stable@vger.kernel.org # 6.0
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_lvds.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/gma500/oaktrail_lvds.c
+++ b/drivers/gpu/drm/gma500/oaktrail_lvds.c
@@ -292,7 +292,7 @@ void oaktrail_lvds_init(struct drm_devic
{
struct gma_encoder *gma_encoder;
struct gma_connector *gma_connector;
- struct gma_i2c_chan *ddc_bus;
+ struct gma_i2c_chan *ddc_bus = NULL;
struct drm_connector *connector;
struct drm_encoder *encoder;
struct drm_psb_private *dev_priv = to_drm_psb_private(dev);
@@ -420,7 +420,8 @@ out:
err_unlock:
mutex_unlock(&dev->mode_config.mutex);
- gma_i2c_destroy(to_gma_i2c_chan(connector->ddc));
+ if (!IS_ERR_OR_NULL(ddc_bus))
+ gma_i2c_destroy(ddc_bus);
drm_encoder_cleanup(encoder);
err_connector_cleanup:
drm_connector_cleanup(connector);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 947/957] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (945 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 946/957] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 948/957] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
` (15 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Patrik Jakobsson
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 84d1c9b416d54afe760ca4c378bd95c89261254c upstream.
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and
tries to read the EDID before falling back to allocating and registering
its own adapter.
Make sure to drop the references taken by i2c_get_adapter() when falling
back to allocating an adapter as well as on late errors to allow the
looked up adapter to be deregistered.
Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
Cc: stable@vger.kernel.org # 3.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patch.msgid.link/20260508144446.59722-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/oaktrail_lvds.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/gma500/oaktrail_lvds.c
+++ b/drivers/gpu/drm/gma500/oaktrail_lvds.c
@@ -366,6 +366,8 @@ void oaktrail_lvds_init(struct drm_devic
if (edid == NULL && dev_priv->lpc_gpio_base) {
ddc_bus = oaktrail_lvds_i2c_init(dev);
if (!IS_ERR(ddc_bus)) {
+ if (i2c_adap)
+ i2c_put_adapter(i2c_adap);
i2c_adap = &ddc_bus->base;
edid = drm_get_edid(connector, i2c_adap);
}
@@ -422,6 +424,8 @@ err_unlock:
mutex_unlock(&dev->mode_config.mutex);
if (!IS_ERR_OR_NULL(ddc_bus))
gma_i2c_destroy(ddc_bus);
+ else if (i2c_adap)
+ i2c_put_adapter(i2c_adap);
drm_encoder_cleanup(encoder);
err_connector_cleanup:
drm_connector_cleanup(connector);
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 948/957] drm/v3d: Reject empty multisync extension to prevent infinite loop
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (946 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 947/957] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 949/957] eventfs: Use list_add_tail_rcu() for SRCU-protected children list Greg Kroah-Hartman
` (14 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ashutosh Desai, Maíra Canal
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
commit fb44d589bf3148e13452185a6e772a7efbf2d684 upstream.
v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user
can craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing duplicate-
extension guard:
if (se->in_sync_count || se->out_sync_count)
return -EINVAL;
The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking
the calling thread and pegging a CPU core indefinitely.
Fix this by rejecting a multisync extension where both in_sync_count
and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
empty multisync carries no synchronization information and serves no
useful purpose, so returning -EINVAL for such an extension is the
correct defense against this attack vector.
Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/v3d/v3d_submit.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -390,6 +390,11 @@ v3d_get_multisync_submit_deps(struct drm
if (multisync.pad)
return -EINVAL;
+ if (!multisync.in_sync_count && !multisync.out_sync_count) {
+ DRM_DEBUG("Empty multisync extension\n");
+ return -EINVAL;
+ }
+
ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count,
multisync.out_syncs);
if (ret)
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 949/957] eventfs: Use list_add_tail_rcu() for SRCU-protected children list
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (947 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 948/957] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 950/957] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
` (13 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Steven Rostedt,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit f67950b2887fa10df50c4317a1fe98a65bc6875b ]
Commit d2603279c7d6 ("eventfs: Use list_del_rcu() for SRCU protected
list variable") converted the removal side to pair with the
list_for_each_entry_srcu() walker in eventfs_iterate(). The insertion
in eventfs_create_dir() was left as a plain list_add_tail(), which on
weakly-ordered architectures can expose a new entry to the SRCU reader
before its list pointers and fields are observable.
Use list_add_tail_rcu() so the publication pairs with the existing
list_del_rcu() and list_for_each_entry_srcu().
Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260418152251.199343-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[ adapted scoped_guard(mutex, &eventfs_mutex) block to explicit mutex_lock()/mutex_unlock() pair ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/tracefs/event_inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -732,7 +732,7 @@ struct eventfs_inode *eventfs_create_dir
mutex_lock(&eventfs_mutex);
if (!parent->is_freed)
- list_add_tail(&ei->list, &parent->children);
+ list_add_tail_rcu(&ei->list, &parent->children);
mutex_unlock(&eventfs_mutex);
/* Was the parent freed? */
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 950/957] smb: client: Use FullSessionKey for AES-256 encryption key derivation
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (948 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 949/957] eventfs: Use list_add_tail_rcu() for SRCU-protected children list Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 951/957] btrfs: do not mark inode incompressible after inline attempt fails Greg Kroah-Hartman
` (12 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Piyush Sachdeva,
Piyush Sachdeva, Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piyush Sachdeva <s.piyush1024@gmail.com>
[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ]
When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
using the full session key (Session.FullSessionKey) rather than just the
first 16 bytes (Session.SessionKey).
Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
must be set to the full cryptographic key from the GSS authentication
context. The encryption and decryption key derivation (SMBC2SCipherKey,
SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
signing key derivation continues to use Session.SessionKey (first 16
bytes) in all cases.
Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
HMAC-SHA256 key input length for all derivations. When Kerberos with
AES-256 provides a 32-byte session key, the KDF for encryption/decryption
was using only the first 16 bytes, producing keys that did not match the
server's, causing mount failures with sec=krb5 and require_gcm_256=1.
Add a full_key_size parameter to generate_key() and pass the appropriate
size from generate_smb3signingkey():
- Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)
- Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16
Also fix cifs_dump_full_key() to report the actual session key length for
AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools
like Wireshark receive the correct key for decryption.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Piyush Sachdeva <psachdeva@microsoft.com>
Signed-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/ioctl.c | 2 +-
fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++-------
2 files changed, 26 insertions(+), 8 deletions(-)
--- a/fs/smb/client/ioctl.c
+++ b/fs/smb/client/ioctl.c
@@ -297,7 +297,7 @@ search_end:
break;
case SMB2_ENCRYPTION_AES256_CCM:
case SMB2_ENCRYPTION_AES256_GCM:
- out.session_key_length = CIFS_SESS_KEY_SIZE;
+ out.session_key_length = ses->auth_key.len;
out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;
break;
default:
--- a/fs/smb/client/smb2transport.c
+++ b/fs/smb/client/smb2transport.c
@@ -259,7 +259,8 @@ smb2_calc_signature(struct smb_rqst *rqs
}
static int generate_key(struct cifs_ses *ses, struct kvec label,
- struct kvec context, __u8 *key, unsigned int key_size)
+ struct kvec context, __u8 *key, unsigned int key_size,
+ unsigned int full_key_size)
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
@@ -280,7 +281,7 @@ static int generate_key(struct cifs_ses
}
hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response,
- SMB2_NTLMV2_SESSKEY_SIZE);
+ full_key_size);
hmac_sha256_update(&hmac_ctx, i, 4);
hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len);
hmac_sha256_update(&hmac_ctx, &zero, 1);
@@ -314,6 +315,7 @@ generate_smb3signingkey(struct cifs_ses
struct TCP_Server_Info *server,
const struct derivation_triplet *ptriplet)
{
+ unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE;
int rc;
bool is_binding = false;
int chan_index = 0;
@@ -348,17 +350,31 @@ generate_smb3signingkey(struct cifs_ses
rc = generate_key(ses, ptriplet->signing.label,
ptriplet->signing.context,
ses->chans[chan_index].signkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE,
+ SMB2_NTLMV2_SESSKEY_SIZE);
if (rc)
return rc;
} else {
rc = generate_key(ses, ptriplet->signing.label,
ptriplet->signing.context,
ses->smb3signingkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE,
+ SMB2_NTLMV2_SESSKEY_SIZE);
if (rc)
return rc;
+ /*
+ * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey
+ * (first 16 bytes). Encryption/decryption keys use
+ * Session.FullSessionKey when dialect is 3.1.1 and cipher is
+ * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.
+ */
+
+ if (server->dialect == SMB311_PROT_ID &&
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ full_key_size = ses->auth_key.len;
+
/* safe to access primary channel, since it will never go away */
spin_lock(&ses->chan_lock);
memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey,
@@ -368,13 +384,15 @@ generate_smb3signingkey(struct cifs_ses
rc = generate_key(ses, ptriplet->encryption.label,
ptriplet->encryption.context,
ses->smb3encryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE,
+ full_key_size);
if (rc)
return rc;
rc = generate_key(ses, ptriplet->decryption.label,
ptriplet->decryption.context,
ses->smb3decryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE,
+ full_key_size);
if (rc)
return rc;
}
@@ -389,7 +407,7 @@ generate_smb3signingkey(struct cifs_ses
&ses->Suid);
cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type);
cifs_dbg(VFS, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
+ (int)ses->auth_key.len, ses->auth_key.response);
cifs_dbg(VFS, "Signing Key %*ph\n",
SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 951/957] btrfs: do not mark inode incompressible after inline attempt fails
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (949 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 950/957] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 952/957] perf/x86/intel: Disable PMI for self-reloaded ACR events Greg Kroah-Hartman
` (11 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 2e0e3716c7b6f8d71df2fbe709b922e54700f71b ]
[BUG]
The following sequence will set the file with nocompress flag:
# mkfs.btrfs -f $dev
# mount $dev $mnt -o max_inline=4,compress
# xfs_io -f -c "pwrite 0 2k" -c sync $mnt/foobar
The inode will have NOCOMPRESS flag, even if the content itself (all 0xcd)
can still be compressed very well:
item 4 key (257 INODE_ITEM 0) itemoff 15879 itemsize 160
generation 9 transid 10 size 2097152 nbytes 1052672
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 257 flags 0x8(NOCOMPRESS)
Please note that, this behavior is there even before commit 59615e2c1f63
("btrfs: reject single block sized compression early").
[CAUSE]
At compress_file_range(), after btrfs_compress_folios() call, we try
making an inlined extent by calling cow_file_range_inline().
But cow_file_range_inline() calls can_cow_file_range_inline() which has
more accurate checks on if the range can be inlined.
One of the user configurable conditions is the "max_inline=" mount
option. If that value is set low (like the example, 4 bytes, which
cannot store any header), or the compressed content is just slightly
larger than 2K (the default value, meaning a 50% compression ratio),
cow_file_range_inline() will return 1 immediately.
And since we're here only to try inline the compressed data, the range
is no larger than a single fs block.
Thus compression is never going to make it a win, we fall back to
marking the inode incompressible unavoidably.
[FIX]
Just add an extra check after inline attempt, so that if the inline
attempt failed, do not set the nocompress flag.
As there is no way to remove that flag, and the default 50% compression
ratio is way too strict for the whole inode.
CC: stable@vger.kernel.org # 6.12+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1006,6 +1006,12 @@ again:
mapping_set_error(mapping, -EIO);
goto free_pages;
}
+ /*
+ * If a single block at file offset 0 cannot be inlined, fall back to
+ * regular writes without marking the file incompressible.
+ */
+ if (start == 0 && end <= blocksize)
+ goto cleanup_and_bail_uncompressed;
/*
* We aren't doing an inline extent. Round the compressed size up to a
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 952/957] perf/x86/intel: Disable PMI for self-reloaded ACR events
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (950 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 951/957] btrfs: do not mark inode incompressible after inline attempt fails Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 953/957] sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new Greg Kroah-Hartman
` (10 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andi Kleen, Dapeng Mi,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
[ Upstream commit 1271aeccc307066315b2d3b0d5af2510e27018b5 ]
On platforms with Auto Counter Reload (ACR) support, such as NVL, a
"NMI received for unknown reason 30" warning is observed when running
multiple events in a group with ACR enabled:
$ perf record -e '{instructions/period=20000,acr_mask=0x2/u,\
cycles/period=40000,acr_mask=0x3/u}' ./test
The warning occurs because the Performance Monitoring Interrupt (PMI)
is enabled for the self-reloaded event (the cycles event in this case).
According to the Intel SDM, the overflow bit
(IA32_PERF_GLOBAL_STATUS.PMCn_OVF) is never set for self-reloaded events.
Since the bit is not set, the perf NMI handler cannot identify the source
of the interrupt, leading to the "unknown reason" message.
Furthermore, enabling PMI for self-reloaded events is unnecessary and
can lead to extraneous records that pollute the user's requested data.
Disable the interrupt bit for all events configured with ACR self-reload.
Fixes: ec980e4facef ("perf/x86/intel: Support auto counter reload")
Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260430002558.712334-4-dapeng1.mi@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/intel/core.c | 17 +++++++++++++----
arch/x86/events/perf_event.h | 10 ++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -2866,11 +2866,11 @@ static void intel_pmu_enable_fixed(struc
intel_set_masks(event, idx);
/*
- * Enable IRQ generation (0x8), if not PEBS,
- * and enable ring-3 counting (0x2) and ring-0 counting (0x1)
- * if requested:
+ * Enable IRQ generation (0x8), if not PEBS or self-reloaded
+ * ACR event, and enable ring-3 counting (0x2) and ring-0
+ * counting (0x1) if requested:
*/
- if (!event->attr.precise_ip)
+ if (!event->attr.precise_ip && !is_acr_self_reload_event(event))
bits |= INTEL_FIXED_0_ENABLE_PMI;
if (hwc->config & ARCH_PERFMON_EVENTSEL_USR)
bits |= INTEL_FIXED_0_USER;
@@ -2955,6 +2955,15 @@ static void intel_pmu_enable_event(struc
enable_mask |= ARCH_PERFMON_EVENTSEL_BR_CNTR;
intel_set_masks(event, idx);
static_call_cond(intel_pmu_enable_acr_event)(event);
+ /*
+ * For self-reloaded ACR event, don't enable PMI since
+ * HW won't set overflow bit in GLOBAL_STATUS. Otherwise,
+ * the PMI would be recognized as a suspicious NMI.
+ */
+ if (is_acr_self_reload_event(event))
+ hwc->config &= ~ARCH_PERFMON_EVENTSEL_INT;
+ else if (!event->attr.precise_ip)
+ hwc->config |= ARCH_PERFMON_EVENTSEL_INT;
__x86_pmu_enable_event(hwc, enable_mask);
break;
case INTEL_PMC_IDX_FIXED ... INTEL_PMC_IDX_FIXED_BTS - 1:
--- a/arch/x86/events/perf_event.h
+++ b/arch/x86/events/perf_event.h
@@ -133,6 +133,16 @@ static inline bool is_acr_event_group(st
return check_leader_group(event->group_leader, PERF_X86_EVENT_ACR);
}
+static inline bool is_acr_self_reload_event(struct perf_event *event)
+{
+ struct hw_perf_event *hwc = &event->hw;
+
+ if (hwc->idx < 0)
+ return false;
+
+ return test_bit(hwc->idx, (unsigned long *)&hwc->config1);
+}
+
struct amd_nb {
int nb_id; /* NorthBridge id */
int refcnt; /* reference count */
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 953/957] sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (951 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 952/957] perf/x86/intel: Disable PMI for self-reloaded ACR events Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 954/957] sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before Greg Kroah-Hartman
` (9 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Tejun Heo, Andrea Righi,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 4fda9f0e7c950da4fe03cedeb2ac818edf5d03e9 ]
bpf_iter_scx_dsq_new() clears kit->dsq on failure and
bpf_iter_scx_dsq_{next,destroy}() guard against that. scx_dsq_move() doesn't -
it dereferences kit->dsq immediately, so a BPF program that calls
scx_bpf_dsq_move[_vtime]() after a failed iter_new oopses the kernel.
Return false if kit->dsq is NULL.
Fixes: 4c30f5ce4f7a ("sched_ext: Implement scx_bpf_dispatch[_vtime]_from_dsq()")
Cc: stable@vger.kernel.org # v6.12+
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
[ dropped upstream `sch = src_dsq->sched` reordering since stable initializes `sch` from `scx_root` instead ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -5650,6 +5650,14 @@ static bool scx_dsq_move(struct bpf_iter
bool in_balance;
unsigned long flags;
+ /*
+ * The verifier considers an iterator slot initialized on any
+ * KF_ITER_NEW return, so a BPF program may legally reach here after
+ * bpf_iter_scx_dsq_new() failed and left @kit->dsq NULL.
+ */
+ if (unlikely(!src_dsq))
+ return false;
+
if (!scx_kf_allowed_if_unlocked() &&
!scx_kf_allowed(sch, SCX_KF_DISPATCH))
return false;
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 954/957] sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (952 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 953/957] sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 955/957] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
` (8 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Tejun Heo, Andrea Righi,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 4155fb489fa175ec74eedde7d02219cf2fe74303 ]
scx_prio_less() runs from core-sched's pick_next_task() path with rq
locked but invokes ops.core_sched_before() with NULL locked_rq, leaving
scx_locked_rq_state NULL. If the BPF callback calls a kfunc that
re-acquires rq based on scx_locked_rq() - e.g. scx_bpf_cpuperf_set(cpu)
- it re-acquires the already-held rq.
Pass task_rq(a).
Fixes: 7b0888b7cc19 ("sched_ext: Implement core-sched support")
Cc: stable@vger.kernel.org # v6.12+
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
[ adapted call to use stable's single `sch`/`SCX_KF_REST` mask and `scx_rq_bypassing(task_rq(a))` signature ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -2522,7 +2522,7 @@ bool scx_prio_less(const struct task_str
if (SCX_HAS_OP(sch, core_sched_before) &&
!scx_rq_bypassing(task_rq(a)))
return SCX_CALL_OP_2TASKS_RET(sch, SCX_KF_REST, core_sched_before,
- NULL,
+ task_rq(a),
(struct task_struct *)a,
(struct task_struct *)b);
else
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 955/957] f2fs: fix false alarm of lockdep on cp_global_sem lock
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (953 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 954/957] sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 956/957] spi: sifive: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
` (7 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Shinichiro Kawasaki, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ]
lockdep reported a potential deadlock:
a) TCMU device removal context:
- call del_gendisk() to get q->q_usage_counter
- call start_flush_work() to get work_completion of wb->dwork
b) f2fs writeback context:
- in wb_workfn(), which holds work_completion of wb->dwork
- call f2fs_balance_fs() to get sbi->gc_lock
c) f2fs vfs_write context:
- call f2fs_gc() to get sbi->gc_lock
- call f2fs_write_checkpoint() to get sbi->cp_global_sem
d) f2fs mount context:
- call recover_fsync_data() to get sbi->cp_global_sem
- call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones()
that goes down to blk_mq_alloc_request and get q->q_usage_counter
Original callstack is in Closes tag.
However, I think this is a false alarm due to before mount returns
successfully (context d), we can not access file therein via vfs_write
(context c).
Let's introduce per-sb cp_global_sem_key, and assign the key for
cp_global_sem, so that lockdep can recognize cp_global_sem from
different super block correctly.
A lot of work are done by Shin'ichiro Kawasaki, thanks a lot for
the work.
Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones")
Cc: stable@kernel.org
Reported-and-tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ adapted context to use plain `init_f2fs_rwsem` instead of mainline's `init_f2fs_rwsem_trace` macro ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 3 +++
fs/f2fs/super.c | 11 +++++++++++
2 files changed, 14 insertions(+)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1967,6 +1967,9 @@ struct f2fs_sb_info {
spinlock_t iostat_lat_lock;
struct iostat_lat_info *iostat_io_lat;
#endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lock_class_key cp_global_sem_key;
+#endif
};
/* Definitions to access f2fs_sb_info */
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4889,6 +4889,11 @@ try_onemore:
init_f2fs_rwsem(&sbi->gc_lock);
mutex_init(&sbi->writepages);
init_f2fs_rwsem(&sbi->cp_global_sem);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_register_key(&sbi->cp_global_sem_key);
+ lockdep_set_class(&sbi->cp_global_sem.internal_rwsem,
+ &sbi->cp_global_sem_key);
+#endif
init_f2fs_rwsem(&sbi->node_write);
init_f2fs_rwsem(&sbi->node_change);
spin_lock_init(&sbi->stat_lock);
@@ -5360,6 +5365,9 @@ free_options:
free_sb_buf:
kfree(raw_super);
free_sbi:
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
kfree(sbi);
sb->s_fs_info = NULL;
@@ -5441,6 +5449,9 @@ static void kill_f2fs_super(struct super
/* Release block devices last, after fscrypt_destroy_keyring(). */
if (sbi) {
destroy_device_list(sbi);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
kfree(sbi);
sb->s_fs_info = NULL;
}
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 956/957] spi: sifive: Simplify clock handling with devm_clk_get_enabled()
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (954 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 955/957] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
@ 2026-05-20 16:23 ` Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.18 957/957] spi: sifive: fix controller deregistration Greg Kroah-Hartman
` (6 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:23 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pei Xiao, Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit 140039c23aca067b9ff0242e3c0ce96276bb95f3 ]
Replace devm_clk_get() followed by clk_prepare_enable() with
devm_clk_get_enabled() for the bus clock. This reduces boilerplate code
and error handling, as the managed API automatically disables the clock
when the device is removed or if probe fails.
Remove the now-unnecessary clk_disable_unprepare() calls from the probe
error path and the remove callback. Adjust the error handling to use the
existing put_host label.
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/73d0d8ecb4e1af5a558d6a7866c0f886d94fe3d1.1773885292.git.xiaopei01@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0f25236694a2 ("spi: sifive: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sifive.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- a/drivers/spi/spi-sifive.c
+++ b/drivers/spi/spi-sifive.c
@@ -312,7 +312,8 @@ static int sifive_spi_probe(struct platf
goto put_host;
}
- spi->clk = devm_clk_get(&pdev->dev, NULL);
+ /* Spin up the bus clock before hitting registers */
+ spi->clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(spi->clk)) {
dev_err(&pdev->dev, "Unable to find bus clock\n");
ret = PTR_ERR(spi->clk);
@@ -342,13 +343,6 @@ static int sifive_spi_probe(struct platf
goto put_host;
}
- /* Spin up the bus clock before hitting registers */
- ret = clk_prepare_enable(spi->clk);
- if (ret) {
- dev_err(&pdev->dev, "Unable to enable bus clock\n");
- goto put_host;
- }
-
/* probe the number of CS lines */
spi->cs_inactive = sifive_spi_read(spi, SIFIVE_SPI_REG_CSDEF);
sifive_spi_write(spi, SIFIVE_SPI_REG_CSDEF, 0xffffffffU);
@@ -357,14 +351,14 @@ static int sifive_spi_probe(struct platf
if (!cs_bits) {
dev_err(&pdev->dev, "Could not auto probe CS lines\n");
ret = -EINVAL;
- goto disable_clk;
+ goto put_host;
}
num_cs = ilog2(cs_bits) + 1;
if (num_cs > SIFIVE_SPI_MAX_CS) {
dev_err(&pdev->dev, "Invalid number of spi targets\n");
ret = -EINVAL;
- goto disable_clk;
+ goto put_host;
}
/* Define our host */
@@ -393,7 +387,7 @@ static int sifive_spi_probe(struct platf
dev_name(&pdev->dev), spi);
if (ret) {
dev_err(&pdev->dev, "Unable to bind to interrupt\n");
- goto disable_clk;
+ goto put_host;
}
dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
@@ -402,13 +396,11 @@ static int sifive_spi_probe(struct platf
ret = devm_spi_register_controller(&pdev->dev, host);
if (ret < 0) {
dev_err(&pdev->dev, "spi_register_host failed\n");
- goto disable_clk;
+ goto put_host;
}
return 0;
-disable_clk:
- clk_disable_unprepare(spi->clk);
put_host:
spi_controller_put(host);
@@ -422,7 +414,6 @@ static void sifive_spi_remove(struct pla
/* Disable all the interrupts just in case */
sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
- clk_disable_unprepare(spi->clk);
}
static int sifive_spi_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 968+ messages in thread
* [PATCH 6.18 957/957] spi: sifive: fix controller deregistration
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (955 preceding siblings ...)
2026-05-20 16:23 ` [PATCH 6.18 956/957] spi: sifive: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-05-20 16:24 ` Greg Kroah-Hartman
2026-05-20 17:21 ` [PATCH 6.18 000/957] 6.18.32-rc1 review Barry K. Nathan
` (5 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-20 16:24 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yash Shah, Johan Hovold, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 0f25236694a2854627c1597465a071e6bb6fe572 ]
Make sure to deregister the controller before disabling underlying
resources like interrupts during driver unbind.
Note that clocks were also disabled before the recent commit
140039c23aca ("spi: sifive: Simplify clock handling with
devm_clk_get_enabled()").
Fixes: 484a9a68d669 ("spi: sifive: Add driver for the SiFive SPI controller")
Cc: stable@vger.kernel.org # 5.1
Cc: Yash Shah <yash.shah@sifive.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-15-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sifive.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-sifive.c
+++ b/drivers/spi/spi-sifive.c
@@ -393,7 +393,7 @@ static int sifive_spi_probe(struct platf
dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
irq, host->num_chipselect);
- ret = devm_spi_register_controller(&pdev->dev, host);
+ ret = spi_register_controller(host);
if (ret < 0) {
dev_err(&pdev->dev, "spi_register_host failed\n");
goto put_host;
@@ -412,8 +412,14 @@ static void sifive_spi_remove(struct pla
struct spi_controller *host = platform_get_drvdata(pdev);
struct sifive_spi *spi = spi_controller_get_devdata(host);
+ spi_controller_get(host);
+
+ spi_unregister_controller(host);
+
/* Disable all the interrupts just in case */
sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
+
+ spi_controller_put(host);
}
static int sifive_spi_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (956 preceding siblings ...)
2026-05-20 16:24 ` [PATCH 6.18 957/957] spi: sifive: fix controller deregistration Greg Kroah-Hartman
@ 2026-05-20 17:21 ` Barry K. Nathan
2026-05-20 17:42 ` Florian Fainelli
` (4 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Barry K. Nathan @ 2026-05-20 17:21 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 5/20/26 9:08 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.32 release.
> There are 957 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 22 May 2026 16:20:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.32-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
I hope you don't mind me asking, but shouldn't this be 6.18.33-rc1, since
6.18.32 was released a few days ago? I think you forgot to increment
the version number.
--
-Barry K. Nathan <barryn@pobox.com>
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 010/957] erofs: verify metadata accesses for file-backed mounts
2026-05-20 16:08 ` [PATCH 6.18 010/957] erofs: verify metadata accesses for file-backed mounts Greg Kroah-Hartman
@ 2026-05-20 17:22 ` Gao Xiang
0 siblings, 0 replies; 968+ messages in thread
From: Gao Xiang @ 2026-05-20 17:22 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Amir Goldstein, Chunhai Guo, Gao Xiang,
Sasha Levin
Hi Greg,
On Wed, May 20, 2026 at 06:08:13PM +0200, Greg Kroah-Hartman wrote:
> 6.18-stable review patch. If anyone has any objections, please let me know.
>
Could you please help drop this too, the same reason as:
https://lore.kernel.org/r/ag3qlMOcTYM2FBUQ@debian
I will address this backport manually later.
Thanks,
Gao Xiang
> ------------------
>
> From: Gao Xiang <hsiangkao@linux.alibaba.com>
>
> [ Upstream commit 307210c262a29f41d7177851295ea1703bd04175 ]
>
> For file-backed mounts, metadata is fetched via the page cache of
> backing inodes to avoid double caching and redundant copy ops out
> of RO uptodate folios, which is used by Android APEXes, ComposeFS,
> containerd. However, rw_verify_area() was missing prior to
> metadata accesses.
>
> Similar to vfs_iocb_iter_read(), fix this by:
> - Enabling fanotify pre-content hooks on metadata accesses;
> - security_file_permission() for security modules.
>
> Verified that fanotify pre-content hooks now works correctly.
>
> Fixes: fb176750266a ("erofs: add file-backed mount support")
> Acked-by: Amir Goldstein <amir73il@gmail.com>
> Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> fs/erofs/data.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/fs/erofs/data.c b/fs/erofs/data.c
> index 8ca29962a3dde..58aea2b48580c 100644
> --- a/fs/erofs/data.c
> +++ b/fs/erofs/data.c
> @@ -29,6 +29,20 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
> {
> pgoff_t index = (buf->off + offset) >> PAGE_SHIFT;
> struct folio *folio = NULL;
> + loff_t fpos;
> + int err;
> +
> + /*
> + * Metadata access for file-backed mounts reuses page cache of backing
> + * fs inodes (only folio data will be needed) to prevent double caching.
> + * However, the data access range must be verified here in advance.
> + */
> + if (buf->file) {
> + fpos = index << PAGE_SHIFT;
> + err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
> + if (err < 0)
> + return ERR_PTR(err);
> + }
>
> if (buf->page) {
> folio = page_folio(buf->page);
> --
> 2.53.0
>
>
>
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (957 preceding siblings ...)
2026-05-20 17:21 ` [PATCH 6.18 000/957] 6.18.32-rc1 review Barry K. Nathan
@ 2026-05-20 17:42 ` Florian Fainelli
2026-05-21 6:06 ` Wentao Guan
` (3 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Florian Fainelli @ 2026-05-20 17:42 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 5/20/26 09:08, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.32 release.
> There are 957 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 22 May 2026 16:20:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.32-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 052/957] sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr()
2026-05-20 16:08 ` [PATCH 6.18 052/957] sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr() Greg Kroah-Hartman
@ 2026-05-20 18:32 ` John Stultz
0 siblings, 0 replies; 968+ messages in thread
From: John Stultz @ 2026-05-20 18:32 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, K Prateek Nayak, Peter Zijlstra, Sasha Levin
On Wed, May 20, 2026 at 10:18 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 6.18-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: John Stultz <jstultz@google.com>
>
> [ Upstream commit e0ca8991b2de6c9dfe6fcd8a0364951b2bd56797 ]
>
> With proxy-execution, the scheduler selects the donor, but for
> blocked donors, we end up running the lock owner.
Eh, I'm not sure of the urgency of this going back to 6.18-stable, and
I'm not sure its worth the churn.
Proxy-exec is still in development and requires CONFIG_EXPERT to be
enabled, so I'm not sure how many folks are actively using it with
vanilla 6.18-stable, as it wouldn't bring much benefit, and even if
folks are experimenting, the downside of not ideally balancing tasks
isn't likely to cause a crash, just not ideal performance.
And I've already pulled this change back to android17-6.18 where we
are using the full proxy-exec series, where the actual usage of
proxy-exec is likely to be. So I'm just not sure this is worth the
churn/risk.
thanks
-john
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 346/957] fuse: new work queue to periodically invalidate expired dentries
2026-05-20 16:13 ` [PATCH 6.18 346/957] fuse: new work queue to periodically invalidate expired dentries Greg Kroah-Hartman
@ 2026-05-20 18:45 ` Miklos Szeredi
0 siblings, 0 replies; 968+ messages in thread
From: Miklos Szeredi @ 2026-05-20 18:45 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, Luis Henriques, Sasha Levin
On Wed, May 20, 2026 at 7:31 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 6.18-stable review patch. If anyone has any objections, please let me know.
This is not stable material, and I don't think the dependency is real.
Just need to resolve the trivial conflict when applying 5a6baf204610
("fuse: fix uninit-value in fuse_dentry_revalidate()")
Thanks,
Miklos
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (958 preceding siblings ...)
2026-05-20 17:42 ` Florian Fainelli
@ 2026-05-21 6:06 ` Wentao Guan
2026-05-21 6:14 ` Peter Schneider
` (2 subsequent siblings)
962 siblings, 0 replies; 968+ messages in thread
From: Wentao Guan @ 2026-05-21 6:06 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Wentao Guan
Build tested in our x86,arm64,loongarch,riscv config successfully without error.
Tested-by: Wentao Guan <guanwentao@uniontech.com>
BRs
Wentao Guan
defconfigs:
https://gist.github.com/opsiff/a840ae9e3d6857f5b7bacb9cdc49f8e9
I means that 6.18.32-rc1 is 6.18.33-rc1.
Log:
Linux version 6.18.32-rc1-gb7adc4ce3f26 (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT
Linux version 6.18.32-rc1-gb7adc4ce3f26 (guanwentao@uos-PC) (aarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #2 SMP PREEMPT Thu May 21 12:18:48 CST 2026
Linux version 6.18.32-rc1-gb7adc4ce3f26 (guanwentao@uos-PC) (loongarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC
Linux version 6.18.32-rc1-gb7adc4ce3f26 (guanwentao@uos-PC) (loongarch64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #3 SMP PREEMPT_DYNAMIC Thu May 21 12:33:52 CST 2026
Linux version 6.18.32-rc1+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP
Linux version 6.18.32-rc1+ (guanwentao@uos-PC) (riscv64-linux-gnu-gcc-12 (Deepin 12.3.0-17deepin8) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #4 SMP Thu May 21 12:49:11 CST 2026
Linux version 6.18.32-rc1-gb7adc4ce3f26 (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) # SMP PREEMPT_DYNAMIC
Linux version 6.18.32-rc1-gb7adc4ce3f26 (guanwentao@uos-PC) (gcc (Deepin 12.3.0-17deepin15) 12.3.0, GNU ld (GNU Binutils for Deepin) 2.41) #1 SMP PREEMPT_DYNAMIC Thu May 21 12:01:24 CST 2026
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (959 preceding siblings ...)
2026-05-21 6:06 ` Wentao Guan
@ 2026-05-21 6:14 ` Peter Schneider
2026-05-21 8:26 ` Greg Kroah-Hartman
2026-05-21 9:06 ` Pavel Machek
2026-05-21 9:18 ` Jon Hunter
962 siblings, 1 reply; 968+ messages in thread
From: Peter Schneider @ 2026-05-21 6:14 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Hi Greg,
Am 20.05.2026 um 18:08 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.18.32 release.
Now I'm severely confused. You released 6.18.32 on May 17th, if I'm not mistaken.
Shouldn't this new 6.18 RC be subversion 33? Did you miss to increment the version number?
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.18.y&id=b7adc4ce3f26a74d49d3703c6390645cb313e52d
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-21 6:14 ` Peter Schneider
@ 2026-05-21 8:26 ` Greg Kroah-Hartman
0 siblings, 0 replies; 968+ messages in thread
From: Greg Kroah-Hartman @ 2026-05-21 8:26 UTC (permalink / raw)
To: Peter Schneider
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, May 21, 2026 at 08:14:32AM +0200, Peter Schneider wrote:
> Hi Greg,
>
> Am 20.05.2026 um 18:08 schrieb Greg Kroah-Hartman:
> > This is the start of the stable review cycle for the 6.18.32 release.
>
> Now I'm severely confused. You released 6.18.32 on May 17th, if I'm not mistaken.
>
> Shouldn't this new 6.18 RC be subversion 33? Did you miss to increment the version number?
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-6.18.y&id=b7adc4ce3f26a74d49d3703c6390645cb313e52d
Ah crap, yes, I had to do it "by hand" due to some mess on my side and I
forgot to bump that number. I should rely on my scripts to do it
instead, as that's the correct way forward.
When this is released, it will have the correct number.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (960 preceding siblings ...)
2026-05-21 6:14 ` Peter Schneider
@ 2026-05-21 9:06 ` Pavel Machek
2026-05-21 9:18 ` Jon Hunter
962 siblings, 0 replies; 968+ messages in thread
From: Pavel Machek @ 2026-05-21 9:06 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
[-- Attachment #1: Type: text/plain, Size: 504 bytes --]
Hi!
> This is the start of the stable review cycle for the 6.18.32 release.
> There are 957 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.18.y
Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>
Best regards,
Pavel
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 968+ messages in thread
* Re: [PATCH 6.18 000/957] 6.18.32-rc1 review
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
` (961 preceding siblings ...)
2026-05-21 9:06 ` Pavel Machek
@ 2026-05-21 9:18 ` Jon Hunter
962 siblings, 0 replies; 968+ messages in thread
From: Jon Hunter @ 2026-05-21 9:18 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, f.fainelli, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr, linux-tegra@vger.kernel.org
On 20/05/2026 17:08, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.32 release.
> There are 957 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 22 May 2026 16:20:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.32-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.18:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
158 tests: 158 pass, 0 fail
Linux version: 6.18.32-rc1-gb7adc4ce3f26
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra234-p3737-0000+p3701-0000,
tegra234-p3768-0000+p3767-0005, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
--
nvpublic
^ permalink raw reply [flat|nested] 968+ messages in thread
end of thread, other threads:[~2026-05-21 9:19 UTC | newest]
Thread overview: 968+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20 16:08 [PATCH 6.18 000/957] 6.18.32-rc1 review Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 001/957] blk-cgroup: wait for blkcg cleanup before initializing new disk Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 002/957] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 003/957] fs/mbcache: cancel shrink work before destroying the cache Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 004/957] md/raid1: fix the comparing region of interval tree Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 005/957] drbd: Balance RCU calls in drbd_adm_dump_devices() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 006/957] loop: fix partition scan race between udev and loop_reread_partitions() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 007/957] nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 008/957] blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 009/957] pstore/ram: fix resource leak when ioremap() fails Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 010/957] erofs: verify metadata accesses for file-backed mounts Greg Kroah-Hartman
2026-05-20 17:22 ` Gao Xiang
2026-05-20 16:08 ` [PATCH 6.18 011/957] erofs: include the trailing NUL in FS_IOC_GETFSLABEL Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 012/957] md: fix array_state=clear sysfs deadlock Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 013/957] erofs: handle 48-bit blocks/uniaddr for extra devices Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 014/957] dm: add WQ_PERCPU to alloc_workqueue users Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 015/957] md: remove unused static md_wq workqueue Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 016/957] md: wake raid456 reshape waiters before suspend Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 017/957] btrfs: fix deadlock between reflink and transaction commit when using flushoncommit Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 018/957] OPP: debugfs: Use performance level if available to distinguish between rates Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 019/957] OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 020/957] ACPI: x86: cmos_rtc: Clean up address space handler driver Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 021/957] ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 022/957] devres: fix missing node debug info in devm_krealloc() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 023/957] thermal/drivers/spear: Fix error condition for reading st,thermal-flags Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 024/957] debugfs: check for NULL pointer in debugfs_create_str() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 025/957] debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 026/957] soundwire: debugfs: initialize firmware_file to empty string Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 027/957] amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 028/957] amd-pstate: Update cppc_req_cached in fast_switch case Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 029/957] cpufreq: Pass the policy to cpufreq_driver->adjust_perf() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 030/957] PCI: use generic driver_override infrastructure Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 031/957] platform/wmi: " Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 032/957] vdpa: " Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 033/957] s390/cio: " Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 034/957] bus: fsl-mc: " Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 035/957] irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 036/957] hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 037/957] hrtimer: Reduce trace noise in hrtimer_start() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 038/957] perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 039/957] perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 040/957] x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 041/957] rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()` Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 042/957] sparc64: vdso: Link with -z noexecstack Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 043/957] scripts/gdb: timerlist: Adapt to move of tk_core Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 044/957] locking: Fix rwlock support in <linux/spinlock_up.h> Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 045/957] sched/topology: Compute sd_weight considering cpuset partitions Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 046/957] sched/topology: Fix sched_domain_span() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 047/957] irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 048/957] ASoC: Intel: avs: Check maximum valid CPUID leaf Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 049/957] ASoC: Intel: avs: Include CPUID header at file scope Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 050/957] x86/vdso: Clean up remnants of VDSO32_NOTE_MASK Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 051/957] firmware: dmi: Correct an indexing error in dmi.h Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 052/957] sched: Make class_schedulers avoid pushing current, and get rid of proxy_tag_curr() Greg Kroah-Hartman
2026-05-20 18:32 ` John Stultz
2026-05-20 16:08 ` [PATCH 6.18 053/957] sched/rt: Skip group schedulable check with rt_group_sched=0 Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 054/957] wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 055/957] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet Greg Kroah-Hartman
2026-05-20 16:08 ` [PATCH 6.18 056/957] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 057/957] wifi: ieee80211: split mesh definitions out Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 058/957] wifi: ieee80211: split HT " Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 059/957] wifi: ieee80211: split VHT " Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 060/957] wifi: ieee80211: split HE " Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 061/957] wifi: ieee80211: split EHT " Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 062/957] wifi: ieee80211: fix definition of EHT-MCS 15 in MRU Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 063/957] dpaa2: add independent dependencies for FSL_DPAA2_SWITCH Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 064/957] dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 065/957] s390/bpf: Zero-extend bpf prog return values and kfunc arguments Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 066/957] powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 067/957] params: Replace __modinit with __init_or_module Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 068/957] module: Fix freeing of charp module parameters when CONFIG_SYSFS=n Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 069/957] wifi: libertas: use USB anchors for tracking in-flight URBs Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 070/957] wifi: libertas: dont kill URBs in interrupt context Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 071/957] tools/nolibc: implement %m if errno is not defined Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 072/957] tools/nolibc/printf: Change variables c to ch and tmpbuf[] to outbuf[] Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 073/957] tools/nolibc/printf: Move snprintf length check to callback Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 074/957] wifi: mt76: mt7996: fix the behavior of radar detection Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 075/957] wifi: mt76: mt7996: fix iface combination for different chipsets Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 076/957] wifi: mt76: mt7996: Set mtxq->wcid just for primary link Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 077/957] wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in mt7996_vif_link_remove() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 078/957] wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 079/957] wifi: mt76: mt7996: Reset ampdu_state state in case of failure in mt7996_tx_check_aggr() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 080/957] wifi: mt76: mt7921: Reset ampdu_state state in case of failure in mt76_connac2_tx_check_aggr() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 081/957] wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 082/957] wifi: mt76: mt7615: fix use_cts_prot support Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 083/957] wifi: mt76: mt7915: " Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 084/957] wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 085/957] wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 086/957] wifi: mt76: mt7996: fix FCS error flag check in RX descriptor Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 087/957] wifi: mt76: mt7921: Place upper limit on station AID Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 088/957] wifi: mt76: Fix memory leak destroying device Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 089/957] wifi: mt76: mt7925: cqm rssi low/high event notify Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 090/957] wifi: mt76: mt7925: drop puncturing handling from BSS change path Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 091/957] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 092/957] wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 093/957] wifi: mt76: fix deadlock in remain-on-channel Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 094/957] arm64: cpufeature: Make PMUVer and PerfMon unsigned Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 095/957] wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 096/957] wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 097/957] wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 098/957] wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 099/957] wifi: mt76: mt7921: fix 6GHz regulatory update on connection Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 100/957] wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 101/957] wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 102/957] wifi: mt76: mt7996: use correct link_id when filling TXD and TXP Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 103/957] wifi: mt76: mt7996: Switch to the secondary link if the default one is removed Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 104/957] wifi: mt76: mt7996: Decrement sta counter removing the link in mt7996_mac_reset_sta_iter() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 105/957] wifi: mt76: fix multi-radio on-channel scanning Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 106/957] wifi: mt76: support upgrading passive scans to active Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 107/957] wifi: mt76: mt7996: fix RRO EMU configuration Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 108/957] bpf: Fix refcount check in check_struct_ops_btf_id() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 109/957] bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 110/957] bpf: Fix variable length stack write over spilled pointers Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 111/957] bpf,arc_jit: Fix missing newline in pr_err messages Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 112/957] wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 113/957] vfio: refactor vfio_pci_mmap_huge_fault function Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 114/957] drivers/vfio_pci_core: Change PXD_ORDER check from switch case to if/else block Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 115/957] r8152: fix incorrect register write to USB_UPHY_XTAL Greg Kroah-Hartman
2026-05-20 16:09 ` [PATCH 6.18 116/957] powerpc/crash: fix backup region offset update to elfcorehdr Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 117/957] powerpc/crash: Update backup region offset in elfcorehdr on memory hotplug Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 118/957] selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15 Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 119/957] bpf: Fix abuse of kprobe_write_ctx via freplace Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 120/957] macvlan: annotate data-races around port->bc_queue_len_used Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 121/957] bpf: fix end-of-list detection in cgroup_storage_get_next_key() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 122/957] bpf: Fix stale offload->prog pointer after constant blinding Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 123/957] net: ethernet: ti-cpsw:: rename soft_reset() function Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 124/957] net: ethernet: ti-cpsw: fix linking built-in code to modules Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 125/957] wifi: brcmfmac: Fix error pointer dereference Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 126/957] wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 127/957] bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 128/957] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 129/957] wifi: ath10k: fix station lookup failure during disconnect Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 130/957] bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 131/957] bpf: Fix linked reg delta tracking when src_reg == dst_reg Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 132/957] arm64: entry: Dont preempt with SError or Debug masked Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 133/957] ACPI: AGDI: fix missing newline in error message Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 134/957] arm64: kexec: Remove duplicate allocation for trans_pgd Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 135/957] macsec: Support VLAN-filtering lower devices Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 136/957] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 137/957] net: bcmgenet: fix leaking free_bds Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 138/957] net: bcmgenet: fix racing timeout handler Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 139/957] net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 140/957] eth: fbnic: Use wake instead of start Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 141/957] netfilter: xt_socket: enable defrag after all other checks Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 142/957] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 143/957] bpf: fix mm lifecycle in open-coded task_vma iterator Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 144/957] bpf: switch task_vma iterator from mmap_lock to per-VMA locks Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 145/957] bpf: return VMA snapshot from task_vma iterator Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 146/957] bpf: Fix RCU stall in bpf_fd_array_map_clear() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 147/957] net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 148/957] net: airoha: Add airoha_ppe_get_num_stats_entries() and airoha_ppe_get_num_total_stats_entries() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 149/957] net: airoha: Add airoha_eth_soc_data struct Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 150/957] net: airoha: Generalize airoha_ppe2_is_enabled routine Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 151/957] net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 152/957] bpf: Relax scalar id equivalence for state pruning Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 153/957] bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 154/957] selftests/bpf: fix __jited_unpriv tag name Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 155/957] net/sched: act_ct: Only release RCU read lock after ct_ft Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 156/957] selftests: netfilter: nft_tproxy.sh: adjust to socat changes Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 157/957] net: mana: Use pci_name() for debugfs directory naming Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 158/957] net: mana: Support HW link state events Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 159/957] net: mana: Move current_speed debugfs file to mana_init_port() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 160/957] net: airoha: Add missing RX_CPU_IDX() configuration in airoha_qdma_cleanup_rx_queue() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 161/957] bpf: Allow instructions with arena source and non-arena dest registers Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 162/957] selftests/bpf: Fix reg_bounds to match new tnum-based refinement Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 163/957] net/rds: Optimize rds_ib_laddr_check Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 164/957] net/rds: Restrict use of RDS/IB to the initial network namespace Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 165/957] bpf: Fix OOB in pcpu_init_value Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 166/957] ppp: require CAP_NET_ADMIN in target netns for unattached ioctls Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 167/957] net: ipa: Fix programming of QTIME_TIMESTAMP_CFG Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 168/957] net: ipa: Fix decoding EV_PER_EE for IPA v5.0+ Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 169/957] dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110 Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 170/957] net: phy: fix a return path in get_phy_c45_ids() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 171/957] net/mlx5e: Fix features not applied during netdev registration Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 172/957] net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic() Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 173/957] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 174/957] Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 175/957] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error Greg Kroah-Hartman
2026-05-20 16:10 ` [PATCH 6.18 176/957] Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 177/957] Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 178/957] Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to sco_pi(sk)->codec Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 179/957] net: phy: qcom: at803x: Use the correct bit to disable extended next page Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 180/957] udp: Force compute_score to always inline Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 181/957] tcp: Dont set treq->req_usec_ts in cookie_tcp_reqsk_init() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 182/957] sctp: fix missing encap_port propagation for GSO fragments Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 183/957] net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 184/957] net: airoha: Add missing PPE configurations in airoha_ppe_hw_init() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 185/957] selftests/futex: Fix incorrect result reporting of futex_requeue test item Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 186/957] drm/komeda: fix integer overflow in AFBC framebuffer size check Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 187/957] drm/virtio: Allow importing prime buffers when 3D is enabled Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 188/957] ASoC: soc-compress: use function to clear symmetric params Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 189/957] PCI/TPH: Allow TPH enable for RCiEPs Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 190/957] PCI: endpoint: pci-epf-test: Dont free doorbell IRQ unless requested Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 191/957] PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 192/957] drm/sun4i: backend: fix error pointer dereference Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 193/957] PCI: imx6: Fix device node reference leak in imx_pcie_probe() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 194/957] ASoC: SDCA: Update counting of SU/GE DAPM routes Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 195/957] crypto: inside-secure/eip93 - fix register definition Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 196/957] ASoC: sti: Return errors from regmap_field_alloc() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 197/957] ASoC: sti: use managed regmap_field allocations Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 198/957] dm cache: fix null-deref with concurrent writes in passthrough mode Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 199/957] dm cache: fix write path cache coherency " Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 200/957] dm cache: fix write hang " Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 201/957] dm cache policy smq: fix missing locks in invalidating cache blocks Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 202/957] dm cache: fix concurrent write failure in passthrough mode Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 203/957] dm cache: fix dirty mapping checking in passthrough mode switching Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 204/957] dm-mpath: dont stop probing paths at presuspend Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 205/957] platform/chrome: chromeos_tbmc: Drop wakeup source on remove Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 206/957] PCI: dwc: ep: Fix MSI-X Table Size configuration in dw_pcie_ep_set_msix() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 207/957] PCI: dwc: Invoke post_init in dw_pcie_resume_noirq() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 208/957] PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 209/957] dm cache metadata: fix memory leak on metadata abort retry Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 210/957] dm log: fix out-of-bounds write due to region_count overflow Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 211/957] iopoll: fix function parameter names in read_poll_timeout_atomic() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 212/957] drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 213/957] drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to drm_bridge_funcs Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 214/957] drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge atomic check Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 215/957] spi: nxp-fspi: Use reinit_completion() for repeated operations Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 216/957] spi: fsl-qspi: " Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 217/957] media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 218/957] drm/amd/pm: Fix xgmi max speed reporting Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 219/957] selftests/sched_ext: Add missing error check for exit__load() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 220/957] drm/v3d: Handle error from drm_sched_entity_init() Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 221/957] drm/sun4i: Fix resource leaks Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 222/957] crypto: inside-secure/eip93 - register hash before authenc algorithms Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 223/957] iommu/riscv: Add IOTINVAL after updating DDT/PDT entries Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 224/957] iommu/riscv: Add missing GENERIC_MSI_IRQ Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 225/957] iommu/riscv: Stop polling when CQCSR reports an error Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 226/957] drm/amdgpu: Add default case in DVI mode validation Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 227/957] dm init: ensure device probing has finished in dm-mod.waitfor= Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 228/957] fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 229/957] crypto: tegra - Disable softirqs before finalizing request Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 230/957] crypto: atmel - Use unregister_{aeads,ahashes,skciphers} Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 231/957] crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 232/957] padata: Remove cpu online check from cpu add and removal Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 233/957] padata: Put CPU offline callback in ONLINE section to allow failure Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 234/957] PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the documentation Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 235/957] drm/amdgpu/gfx10: look at the right prop for gfx queue priority Greg Kroah-Hartman
2026-05-20 16:11 ` [PATCH 6.18 236/957] drm/amdgpu/gfx11: " Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 237/957] spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 238/957] drm/imagination: Switch reset_reason fields from enum to u32 Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 239/957] iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 240/957] iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 241/957] drm/msm: add missing MODULE_DEVICE_ID definitions Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 242/957] drm/msm/dpu: fix mismatch between power and frequency Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 243/957] drm/msm/dsi: add the missing parameter description Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 244/957] drm/msm/dpu: dont try using 2 LMs if only one DSC is available Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 245/957] drm/msm/dsi: fix bits_per_pclk Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 246/957] drm/msm/dsi: fix hdisplay calculation for CMD mode panel Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 247/957] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 248/957] ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 249/957] drm/panel: sharp-ls043t1le01: make use of prepare_prev_first Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 250/957] drm/panel: simple: Correct G190EAN01 prepare timing Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 251/957] PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 252/957] PCI: Use res_to_dev_res() in reassign_resources_sorted() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 253/957] PCI: Fix premature removal from realloc_head list during resource assignment Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 254/957] crypto: hisilicon/sec2 - prevent req used-after-free for sec Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 255/957] PCI: Fix alignment calculation for resource size larger than align Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 256/957] iommu/riscv: Skip IRQ count check when using MSI interrupts Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 257/957] iommu/riscv: Fix signedness bug Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 258/957] ALSA: core: Validate compress device numbers without dynamic minors Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 259/957] ASoC: amd: acp: update dmic_num logic for acp pdm dmic Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 260/957] drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 261/957] drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 262/957] drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 263/957] drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 264/957] drm/amd/pm/ci: Clear EnabledForActivity field for memory levels Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 265/957] drm/amd/pm/ci: Fill DW8 fields from SMC Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 266/957] drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 267/957] drm/amdgpu/uvd4.2: Dont initialize UVD 4.2 when DPM is disabled Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 268/957] PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 269/957] hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 270/957] ALSA: hda/realtek: fix code style (ERROR: else should follow close brace }) Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 271/957] ASoC: SOF: Intel: hda: Place check before dereference Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 272/957] drm/msm/vma: Avoid lock in VM_BIND fence signaling path Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 273/957] drm/msm: Reject fb creation from _NO_SHARE objs Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 274/957] drm/msm: Fix VM_BIND UNMAP locking Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 275/957] drm/msm/a6xx: Fix HLSQ register dumping Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 276/957] drm/msm/shrinker: Fix can_block() logic Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 277/957] drm/msm/a6xx: Fix dumping A650+ debugbus blocks Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 278/957] drm/msm/a6xx: Use barriers while updating HFI Q headers Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 279/957] ALSA: hda/cmedia: Remove duplicate pin configuration parsing Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 280/957] pmdomain: ti: omap_prm: Fix a reference leak on device node Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 281/957] pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 282/957] PM: domains: De-constify fields in struct dev_pm_domain_attach_data Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 283/957] drm/msm/dpu: drop INTF_0 on MSM8953 Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 284/957] ASoC: fsl_micfil: Add access property for "VAD Detected" Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 285/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_enable() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 286/957] ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 287/957] ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 288/957] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 289/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 290/957] ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 291/957] ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 292/957] ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits() Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 293/957] ASoC: fsl_easrc: Change the type for iec958 channel status controls Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 294/957] iommu/amd: Fix clone_alias() to use the original devices devid Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 295/957] iommu/riscv: Remove overflows on the invalidation path Greg Kroah-Hartman
2026-05-20 16:12 ` [PATCH 6.18 296/957] ASoC: qcom: qdsp6: topology: check widget type before accessing data Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 297/957] PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 298/957] crypto: qat - disable 4xxx AE cluster when lead engine is fused off Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 299/957] crypto: qat - disable 420xx " Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 300/957] crypto: qat - fix compression instance leak Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 301/957] crypto: qat - fix type mismatch in RAS sysfs show functions Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 302/957] crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 303/957] crypto: qat - use swab32 macro Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 304/957] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 305/957] PCI: Enable AtomicOps only if Root Port supports them Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 306/957] PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 307/957] gpu: nova-core: register: use field type for Into implementation Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 308/957] gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 309/957] gpu: nova-core: bitfield: fix broken Default implementation Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 310/957] selftests/mm: skip migration tests if NUMA is unavailable Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 311/957] kho: make debugfs interface optional Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 312/957] Documentation: fix a hugetlbfs reservation statement Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 313/957] selftest: memcg: skip memcg_sock test if address family not supported Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 314/957] ALSA: scarlett2: Add missing sentinel initializer field Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 315/957] ASoC: SOF: compress: return the configured codec from get_params Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 316/957] PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 317/957] ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 318/957] PCI: tegra194: Fix polling delay for L2 state Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 319/957] PCI: tegra194: Increase LTSSM poll time on surprise link down Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 320/957] PCI: tegra194: Disable LTSSM after transition to Detect " Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 321/957] PCI: tegra194: Dont force the device into the D0 state before L2 Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 322/957] PCI: tegra194: Disable PERST# IRQ only in Endpoint mode Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 323/957] PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select" Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 324/957] PCI: tegra194: Disable direct speed change for Endpoint mode Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 325/957] PCI: tegra194: Set LTR message request before PCIe link up in " Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 326/957] PCI: tegra194: Allow system suspend when the Endpoint link is not up Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 327/957] PCI: tegra194: Free up Endpoint resources during remove() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 328/957] PCI: tegra194: Use DWC IP core version Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 329/957] PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 330/957] PCI: tegra194: Remove unnecessary L1SS disable code Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 331/957] PCI: tegra194: Disable L1.2 capability of Tegra234 EP Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 332/957] PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 333/957] spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 334/957] ALSA: sc6000: Keep the programmed board state in card-private data Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 335/957] dm cache: fix missing return in invalidate_committeds error path Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 336/957] sched_ext: Track @ps rq lock across set_cpus_allowed_scx -> ops.set_cpumask Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 337/957] sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 338/957] crypto: jitterentropy - replace long-held spinlock with mutex Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 339/957] ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 340/957] ALSA: hda/realtek - fixed speaker no sound update Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 341/957] gfs2: Call unlock_new_inode before d_instantiate Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 342/957] fanotify: avoid/silence premature LSM capability checks Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 343/957] fanotify: call fanotify_events_supported() before path_permission() and security_path_notify() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 344/957] fuse: fix premature writetrhough request for large folio Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 345/957] dcache: export shrink_dentry_list() and add new helper d_dispose_if_unused() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 346/957] fuse: new work queue to periodically invalidate expired dentries Greg Kroah-Hartman
2026-05-20 18:45 ` Miklos Szeredi
2026-05-20 16:13 ` [PATCH 6.18 347/957] fuse: fix uninit-value in fuse_dentry_revalidate() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 348/957] ktest: Avoid undef warning when WARNINGS_FILE is unset Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 349/957] ktest: Honor empty per-test option overrides Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 350/957] ktest: Run POST_KTEST hooks on failure and cancellation Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 351/957] rtla: Fix -C/--cgroup interface Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 352/957] rtla: Replace atoi() with a robust strtoi() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 353/957] rtla/utils: Fix resource leak in set_comm_sched_attr() Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 354/957] gfs2: less aggressive low-memory log flushing Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 355/957] quota: Fix race of dquot_scan_active() with quota deactivation Greg Kroah-Hartman
2026-05-20 16:13 ` [PATCH 6.18 356/957] vfio: unhide vdev->debug_root Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 357/957] gfs2: add some missing log locking Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 358/957] gfs2: prevent NULL pointer dereference during unmount Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 359/957] efi/capsule-loader: fix incorrect sizeof in phys array reallocation Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 360/957] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 361/957] arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 362/957] ARM: dts: mediatek: mt7623: fix efuse fallback compatible Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 363/957] memory: tegra124-emc: Fix dll_change check Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 364/957] memory: tegra30-emc: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 365/957] arm64: dts: imx8-apalis: Fix LEDs name collision Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 366/957] arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 367/957] arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 368/957] arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 369/957] iommufd: vfio compatibility extension check for noiommu mode Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 370/957] arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 371/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 372/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 373/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 374/957] arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 375/957] arm64: dts: qcom: talos: Add missing clock-names to GCC Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 376/957] arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 377/957] arm64: dts: mediatek: mt7981b: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 378/957] arm64: dts: mediatek: mt7986a: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 379/957] iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy} Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 380/957] arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 381/957] arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 382/957] arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 383/957] arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 384/957] arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 385/957] arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 386/957] Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1" Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 387/957] arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 388/957] arm64: dts: rockchip: Correct Joystick Axes on " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 389/957] soc: qcom: ocmem: make the core clock optional Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 390/957] soc: qcom: ocmem: register reasons for probe deferrals Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 391/957] soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 392/957] arm64: dts: rockchip: Fix RK3562 EVB2 model name Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 393/957] arm64: dts: rockchip: Add mphy reset to ufshc node Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 394/957] bus: rifsc: fix RIF configuration check for peripherals Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 395/957] arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 396/957] arm64: dts: qcom: lemans: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 397/957] arm64: dts: qcom: monaco: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 398/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 399/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 400/957] arm64: dts: qcom: sm8450: Fix GIC_ITS range length Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 401/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 402/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 403/957] arm64: dts: qcom: sm8750: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 404/957] arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 405/957] arm64: dts: qcom: sm8650: Fix xo clock supply of " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 406/957] arm64: dts: qcom: hamoa: Fix xo clock supply of platform " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 407/957] arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 408/957] arm64: dts: qcom: sm8550: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 409/957] arm64: dts: qcom: sm8650: " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 410/957] arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 411/957] arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 412/957] arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 413/957] arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 414/957] arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 " Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 415/957] arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label Greg Kroah-Hartman
2026-05-20 16:14 ` [PATCH 6.18 416/957] arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 417/957] arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 418/957] arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3 Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 419/957] arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 420/957] arm64: dts: lx2160a: remove duplicate pinmux nodes Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 421/957] arm64: dts: lx2160a: rename pinmux nodes for readability Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 422/957] arm64: dts: lx2160a: add sda gpio references for i2c bus recovery Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 423/957] arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 424/957] arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 425/957] arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 426/957] arm64: dts: imx8qxp-mek: " Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 427/957] soc/tegra: cbb: Set ERD on resume for err interrupt Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 428/957] soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 429/957] soc/tegra: cbb: Fix cross-fabric target timeout lookup Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 430/957] unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 431/957] ocfs2/dlm: validate qr_numregions in dlm_match_regions() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 432/957] ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 433/957] soc: qcom: llcc: fix v1 SB syndrome register offset Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 434/957] soc: qcom: aoss: compare against normalized cooling state Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 435/957] arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 436/957] ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 437/957] arm64/xor: fix conflicting attributes for xor_block_template Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 438/957] slab: Introduce kmalloc_obj() and family Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 439/957] lib: kunit_iov_iter: fix memory leaks Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 440/957] ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 441/957] firmware: arm_ffa: Use the correct buffer size during RXTX_MAP Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 442/957] fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 443/957] ocfs2: fix listxattr handling when the buffer is full Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 444/957] ocfs2: validate bg_bits during freefrag scan Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 445/957] ocfs2: validate group add input before caching Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 446/957] dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 447/957] soundwire: bus: demote UNATTACHED state warnings to dev_dbg() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 448/957] soundwire: Intel: test bus.bpt_stream before assigning it Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 449/957] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 450/957] soundwire: cadence: Clear message complete before signaling waiting thread Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 451/957] tracing: remove size parameter in __trace_puts() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 452/957] tracing: move tracing declarations from kernel.h to a dedicated header Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 453/957] tracing: move __printf() attribute on __ftrace_vbprintk() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 454/957] tracing: Rebuild full_name on each hist_field_name() call Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 455/957] hte: tegra194: remove Kconfig dependency on Tegra194 SoC Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 456/957] remoteproc: xlnx: Fix sram property parsing Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 457/957] stop_machine: Fix the documentation for a NULL cpus argument Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 458/957] remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 459/957] ima: check return value of crypto_shash_final() in boot aggregate Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 460/957] HID: asus: make asus_resume adhere to linux kernel coding standards Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 461/957] HID: asus: do not abort probe when not necessary Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 462/957] mtd: physmap_of_gemini: Fix disabled pinctrl state check Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 463/957] ima_fs: Correctly create securityfs files for unsupported hash algos Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 464/957] dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 465/957] mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 466/957] mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 467/957] mtd: spi-nor: sfdp: introduce smpt_map_id " Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 468/957] mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 469/957] mtd: spi-nor: swp: check SR_TB flag when getting tb_mask Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 470/957] mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 471/957] mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 472/957] cxl/pci: Check memdev driver binding status in cxl_reset_done() Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 473/957] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 474/957] mtd: spinand: Add missing check Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 475/957] mtd: spinand: Decouple write enable and write disable operations Greg Kroah-Hartman
2026-05-20 16:15 ` [PATCH 6.18 476/957] mtd: spinand: Create an array of operation templates Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 477/957] mtd: spinand: winbond: Rename IO_MODE register macro Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 478/957] mtd: spinand: winbond: Configure the IO mode after the dummy cycles Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 479/957] mtd: spinand: Gather all the bus interface steps in one single function Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 480/957] mtd: spinand: Add support for setting a bus interface Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 481/957] mtd: spinand: Give the bus interface to the configuration helper Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 482/957] mtd: spinand: winbond: Clarify when to enable the HS bit Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 483/957] HID: usbhid: fix deadlock in hid_post_reset() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 484/957] ext4: fix possible null-ptr-deref in mbt_kunit_exit() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 485/957] bpf, arm64: Fix off-by-one in check_imm signed range check Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 486/957] bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 487/957] bpf, riscv: " Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 488/957] bpf, sockmap: Fix af_unix iter deadlock Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 489/957] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 490/957] bpf, sockmap: Take state lock for af_unix iter Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 491/957] bpf: Fix precedence bug in convert_bpf_ld_abs alignment check Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 492/957] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 493/957] bpf: allow UTF-8 literals in bpf_bprintf_prepare() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 494/957] libbpf: Prevent double close and leak of btf objects Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 495/957] bpf: Validate node_id in arena_alloc_pages() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 496/957] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 497/957] perf trace: Fix IS_ERR() vs NULL check bug Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 498/957] pinctrl: pinctrl-pic32: Fix resource leak Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 499/957] perf trace: Avoid an ERR_PTR in syscall_stats Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 500/957] pinctrl: cy8c95x0: remove duplicate error message Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 501/957] pinctrl: cy8c95x0: Unify messages with help of dev_err_probe() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 502/957] pinctrl: cy8c95x0: Avoid returning positive values to user space Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 503/957] perf branch: Avoid incrementing NULL Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 504/957] perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 505/957] pinctrl: pinconf-generic: Fully validate pinmux property Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 506/957] pinctrl: realtek: Fix function signature for config argument Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 507/957] pinctrl: abx500: Fix type of argument variable Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 508/957] pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 509/957] perf lock: Fix option value type in parse_max_stack Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 510/957] perf stat: Fix opt->value type for parse_cache_level Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 511/957] memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 512/957] perf tools: Fix module symbol resolution for non-zero .text sh_addr Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 513/957] perf expr: Return -EINVAL for syntax error in expr__find_ids() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 514/957] ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 515/957] ipmi: ssif_bmc: fix message desynchronization after truncated response Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 516/957] ipmi: ssif_bmc: change log level to dbg in irq callback Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 517/957] perf cgroup: Update metric leader in evlist__expand_cgroup Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 518/957] pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 519/957] pinctrl: sophgo: pinctrl-sg2044: " Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 520/957] perf maps: Fix fixup_overlap_and_insert that can break sorted by name order Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 521/957] perf maps: Fix copy_from " Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 522/957] perf util: Kill die() prototype, dead for a long time Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 523/957] i3c: master: dw-i3c: Fix missing reset assertion in remove() callback Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 524/957] i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 525/957] i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 526/957] i3c: master: Fix error codes at send_ccc_cmd Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 527/957] i3c: master: adi: Fix error propagation for CCCs Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 528/957] i3c: mipi-i3c-hci: fix IBI payload length calculation for final status Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 529/957] backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt() Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 530/957] platform/surface: surfacepro3_button: Drop wakeup source on remove Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 531/957] leds: lgm-sso: Remove duplicate assignments for priv->mmap Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 532/957] usb: typec: Fix error pointer dereference Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 533/957] tty: hvc_iucv: fix off-by-one in number of supported devices Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 534/957] usb: typec: ps883x: Fix Oops at unbind Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 535/957] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup Greg Kroah-Hartman
2026-05-20 16:16 ` [PATCH 6.18 536/957] platform/x86: barco-p50-gpio: normalize return value of gpio_get Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 537/957] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 538/957] nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 539/957] NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 540/957] platform/x86: asus-wmi: adjust screenpad power/brightness handling Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 541/957] platform/x86: asus-wmi: fix screenpad brightness range Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 542/957] tty: serial: ip22zilog: Fix section mispatch warning Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 543/957] fs/ntfs3: terminate the cached volume label after UTF-8 conversion Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 544/957] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 545/957] platform/x86: dell-wmi-sysman: bound enumeration string aggregation Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 546/957] RDMA/core: Prefer NLA_NUL_STRING Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 547/957] dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 548/957] clk: qcom: gcc-glymur: Add video axi clock resets for glymur Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 549/957] clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 550/957] clk: qcom: dispcc-sm8450: " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 551/957] clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 552/957] scsi: sg: Fix sysctl sg-big-buff register during sg_init() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 553/957] scsi: sg: Resolve soft lockup issue when opening /dev/sgX Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 554/957] clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 555/957] clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 556/957] clk: qcom: dispcc-milos: " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 557/957] clk: qcom: dispcc-sm4450: " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 558/957] clk: qcom: dispcc[01]-sa8775p: " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 559/957] clk: renesas: r9a09g057: Add clock and reset entries for RTC Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 560/957] clk: renesas: r9a09g057: Add entries for RSCIs Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 561/957] clk: renesas: r9a09g057: Fix ordering of module clocks array Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 562/957] clk: renesas: r9a09g057: Remove entries for WDT{0,2,3} Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 563/957] scsi: target: core: Fix integer overflow in UNMAP bounds check Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 564/957] scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 565/957] dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 566/957] clk: qcom: gcc-sc8180x: " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 567/957] clk: qcom: gcc-sc8180x: Use retention for USB power domains Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 568/957] clk: qcom: gcc-sc8180x: Use retention for PCIe " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 569/957] clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 570/957] clk: qcom: dispcc-sm8250: Enable parents for pixel clocks Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 571/957] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 572/957] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 573/957] clk: imx8mq: Correct the CSI PHY sels Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 574/957] x86/um/vdso: Drop VDSO64-y from Makefile Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 575/957] x86/um: fix vDSO installation Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 576/957] clk: qoriq: avoid format string warning Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 577/957] clk: xgene: Fix mapping leak in xgene_pllclk_init() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 578/957] dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 579/957] clk: qcom: dispcc-sc7180: Add missing " Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 580/957] clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 581/957] f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 582/957] f2fs: avoid reading already updated pages during GC Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 583/957] clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 584/957] lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 585/957] f2fs: expand scalability of f2fs mount option Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 586/957] f2fs: fix to preserve previous reserve_{blocks,node} value when remount Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 587/957] clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 588/957] clk: visconti: pll: initialize clk_init_data to zero Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 589/957] f2fs: allow empty mount string for Opt_usr|grp|projjquota Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 590/957] f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 591/957] drm/i915/wm: Verify the correct plane DDB entry Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 592/957] virt: arm-cca-guest: fix error check for RSI_INCOMPLETE Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 593/957] crypto: eip93 - fix hmac setkey algo selection Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 594/957] crypto: sa2ul - Fix AEAD fallback algorithm names Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 595/957] crypto: ccp - copy IV using skcipher ivsize Greg Kroah-Hartman
2026-05-20 16:17 ` [PATCH 6.18 596/957] erofs: unify lcn as u64 for 32-bit platforms Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 597/957] arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 598/957] arm64: dts: imx8mp-debix-som-a: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 599/957] arm64: dts: imx8mp-navqp: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 600/957] arm64: dts: imx8mp-icore-mx8mp: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 601/957] arm64: dts: imx8mp-edm-g: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 602/957] arm64: dts: imx8mp-aristainetos3a-som-v1: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 603/957] arm64: dts: imx8mp-nitrogen-som: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 604/957] arm64: dts: imx8mp-sr-som: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 605/957] arm64: dts: imx8mp-ultra-mach-sbc: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 606/957] arm64: dts: imx8mp-dhcom-som: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 607/957] arm64: dts: imx8mp-data-modul-edm-sbc: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 608/957] PCMCIA: Fix garbled log messages for KERN_CONT Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 609/957] reset: amlogic: t7: Fix null reset ops Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 610/957] arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 611/957] arm64: dts: imx8mn-tqma8mqnl: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 612/957] arm64: dts: imx8mm-tqma8mqml: " Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 613/957] arm64: dts: marvell: armada-37xx: use usb2-phy in USB3 controllers phy-names Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 614/957] pwm: stm32: Fix rounding issue for requests with inverted polarity Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 615/957] net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 616/957] macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 617/957] net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 618/957] nexthop: fix IPv6 route referencing IPv4 nexthop Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 619/957] net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 620/957] net/sched: taprio: fix use-after-free in advance_sched() on schedule switch Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 621/957] net: dsa: cpu_dp->orig_ethtool_ops might be NULL Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 622/957] net: dsa: use kernel data types for ethtool ops on conduit Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 623/957] net: dsa: append ethtool counters of all hidden ports to conduit Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 624/957] net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 625/957] net: enetc: correct the command BD ring consumer index Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 626/957] net: enetc: fix NTMP DMA use-after-free issue Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 627/957] smb: move smb_version_values to common/smbglob.h Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 628/957] ksmbd: fix use-after-free in smb2_open during durable reconnect Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 629/957] tcp: move tp->chrono_type next tp->chrono_stat[] Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 630/957] tcp: inline tcp_chrono_start() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 631/957] tcp: annotate data-races in tcp_get_info_chrono_stats() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 632/957] tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 633/957] tcp: add data-races annotations around tp->reordering, tp->snd_cwnd Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 634/957] tcp: annotate data-races around tp->snd_ssthresh Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 635/957] tcp: annotate data-races around tp->delivered and tp->delivered_ce Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 636/957] tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 637/957] tcp: annotate data-races around tp->bytes_sent Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 638/957] tcp: annotate data-races around tp->bytes_retrans Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 639/957] tcp: annotate data-races around tp->dsack_dups Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 640/957] tcp: annotate data-races around tp->reord_seen Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 641/957] tcp: better handle TCP_TX_DELAY on established flows Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 642/957] tcp: annotate data-races around tp->srtt_us Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 643/957] tcp: annotate data-races around tp->timeout_rehash Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 644/957] tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 645/957] tcp: annotate data-races around tp->plb_rehash Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 646/957] ice: fix adjust timer programming for E830 devices Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 647/957] ice: update PCS latency settings for E825 10G/25Gb modes Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 648/957] ice: Remove jumbo_remove step from TX path Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 649/957] ice: fix double-free of tx_buf skb Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 650/957] ice: fix ICE_AQ_LINK_SPEED_M for 200G Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 651/957] i40e: dont advertise IFF_SUPP_NOFCS Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 652/957] iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2 Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 653/957] e1000e: Unroll PTP in probe error handling Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 654/957] ipv6: fix possible UAF in icmpv6_rcv() Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 655/957] sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks Greg Kroah-Hartman
2026-05-20 16:18 ` [PATCH 6.18 656/957] pppoe: drop PFC frames Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 657/957] net/mlx5: Fix HCA caps leak on notifier init failure Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 658/957] openvswitch: cap upcall PID array size and pre-size vport replies Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 659/957] net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 660/957] netfilter: nft_osf: restrict it to ipv4 Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 661/957] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 662/957] netfilter: conntrack: remove sprintf usage Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 663/957] netfilter: xtables: restrict several matches to inet family Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 664/957] netfilter: nat: use kfree_rcu to release ops Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 665/957] ipvs: fix MTU check for GSO packets in tunnel mode Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 666/957] netfilter: nfnetlink_osf: fix out-of-bounds read on option matching Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 667/957] netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 668/957] slip: reject VJ receive packets on instances with no rstate array Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 669/957] slip: bound decode() reads against the compressed packet length Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 670/957] net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 671/957] arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0 Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 672/957] arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 673/957] pwm: atmel-tcb: Cache clock rates and mark chip as atomic Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 674/957] ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 675/957] ksmbd: destroy async_ida in ksmbd_conn_free() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 676/957] ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 677/957] ksmbd: scope conn->binding slowpath to bound sessions only Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 678/957] net: validate skb->napi_id in RX tracepoints Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 679/957] bnge: fix initial HWRM sequence Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 680/957] bnge: remove unsupported backing store type Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 681/957] net/rds: zero per-item info buffer before handing it to visitors Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 682/957] ice: fix timestamp interrupt configuration for E825C Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 683/957] ice: perform PHY soft reset for E825C ports at initialization Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 684/957] ice: fix ready bitmap check for non-E822 devices Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 685/957] ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 686/957] net_sched: sch_hhf: annotate data-races in hhf_dump_stats() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 687/957] net/sched: sch_pie: annotate data-races in pie_dump_stats() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 688/957] net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 689/957] net/sched: sch_red: annotate data-races in red_dump_stats() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 690/957] net/sched: sch_sfb: annotate data-races in sfb_dump_stats() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 691/957] net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 692/957] net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 693/957] net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 694/957] net: airoha: Add AN7583 SoC support Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 695/957] net: airoha: Add the capability to consume out-of-order DMA tx descriptors Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 696/957] net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 697/957] net: dsa: realtek: rtl8365mb: fix mode mask calculation Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 698/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 699/957] net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 700/957] net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 701/957] net: mana: Init link_change_work before potential error paths in probe Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 702/957] net: mana: Guard mana_remove against double invocation Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 703/957] net: mana: Move hardware counter stats from per-port to per-VF context Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 704/957] net: mana: Add standard counter rx_missed_errors Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 705/957] net: mana: Dont overwrite port probe error with add_adev result Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 706/957] net: mana: Handle SKB if TX SGEs exceed hardware limit Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 707/957] net: mana: Handle hardware recovery events when probing the device Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 708/957] net: mana: Implement ndo_tx_timeout and serialize queue resets per port Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 709/957] net: mana: Fix EQ leak in mana_remove on NULL port Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 710/957] vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 711/957] virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 712/957] nfp: fix swapped arguments in nfp_encode_basic_qdr() calls Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 713/957] tcp: send a challenge ACK on SEG.ACK > SND.NXT Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 714/957] tipc: fix double-free in tipc_buf_append() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 715/957] vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() Greg Kroah-Hartman
2026-05-20 16:19 ` [PATCH 6.18 716/957] nstree: fix func. parameter kernel-doc warnings Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 717/957] eventpoll: use hlist_is_singular_node() in __ep_remove() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 718/957] eventpoll: split __ep_remove() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 719/957] eventpoll: kill __ep_remove() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 720/957] eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 721/957] eventpoll: move epi_fget() up Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 722/957] eventpoll: fix ep_remove struct eventpoll / struct file UAF Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 723/957] fs/adfs: validate nzones in adfs_validate_bblk() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 724/957] rtc: abx80x: Disable alarm feature if no interrupt attached Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 725/957] kbuild: builddeb - avoid recompiles for non-cross-compiles Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 726/957] fbdev: offb: fix PCI device reference leak on probe failure Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 727/957] tools/power turbostat.8: Document the "--force" option Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 728/957] tools/power turbostat: Use strtoul() for iteration parsing Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 729/957] tools/power turbostat: Fix and document --header_iterations Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 730/957] tools/power turbostat: Fix unrecognized option -P Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 731/957] kbuild: Never respect CONFIG_WERROR / W=e to fixdep Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 732/957] mailbox: mtk-cmdq: Fix CURR and END addr for task insert case Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 733/957] mailbox: mailbox-test: free channels on probe error Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 734/957] sched/psi: fix race between file release and pressure write Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 735/957] cgroup/rdma: fix integer overflow in rdmacg_try_charge() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 736/957] mailbox: add sanity check for channel array Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 737/957] mailbox: mailbox-test: dont free the reused channel Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 738/957] mailbox: mailbox-test: initialize struct earlier Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 739/957] mailbox: mailbox-test: make data_ready a per-instance variable Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 740/957] fsnotify: fix inode reference leak in fsnotify_recalc_mask() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 741/957] btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 742/957] cgroup: Increment nr_dying_subsys_* from rmdir context Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 743/957] tracing: branch: Fix inverted check on stat tracer registration Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 744/957] nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 745/957] netfilter: arp_tables: fix IEEE1394 ARP payload parsing Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 746/957] netfilter: nf_tables: use list_del_rcu for netlink hooks Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 747/957] nvme-pci: fix missed admin queue sq doorbell write Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 748/957] drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 749/957] drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 750/957] drm/amdgpu/uvd3.1: Dont validate the firmware when already validated Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 751/957] drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 752/957] netfilter: xt_policy: fix strict mode inbound policy matching Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 753/957] netfilter: nf_conntrack_sip: dont use simple_strtoul Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 754/957] ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 755/957] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 756/957] ASoC: tas2764: Mark die temp register as volatile Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 757/957] ASoC: tas2770: Fix order of operations for temperature calculation Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 758/957] drm/sysfb: ofdrm: fix PCI device reference leaks Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 759/957] drm/color-mgmt: Typo s/R332/RGB332/ Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 760/957] arm64/scs: Fix potential sign extension issue of advance_loc4 Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 761/957] ACPICA: Provide #defines for EINJV2 error types Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 762/957] ACPI: APEI: EINJ: Fix EINJV2 memory error injection Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 763/957] cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 764/957] netdevsim: zero initialize struct iphdr in dummy sk_buff Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 765/957] net/sched: netem: fix probability gaps in 4-state loss model Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 766/957] net/sched: netem: fix queue limit check to include reordered packets Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 767/957] net/sched: netem: only reseed PRNG when seed is explicitly provided Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 768/957] net/sched: netem: validate slot configuration Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 769/957] net/sched: netem: fix slot delay calculation overflow Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 770/957] net/sched: netem: check for negative latency and jitter Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 771/957] net: airoha: stop net_device TX queue before updating CPU index Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 772/957] net: airoha: fix typo in function name Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 773/957] net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 774/957] net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 775/957] net/sched: sch_choke: annotate data-races in choke_dump_stats() Greg Kroah-Hartman
2026-05-20 16:20 ` [PATCH 6.18 776/957] net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 777/957] vrf: Fix a potential NPD when removing a port from a VRF Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 778/957] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 779/957] net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 780/957] spi: amlogic-spisg: initialize completion before requesting IRQ Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 781/957] NFC: trf7970a: Ignore antenna noise when checking for RF field Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 782/957] net/sched: taprio: fix NULL pointer dereference in class dump Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 783/957] neigh: let neigh_xmit take skb ownership Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 784/957] tcp: make probe0 timer handle expired user timeout Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 785/957] netpoll: fix IPv6 local-address corruption Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 786/957] ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 787/957] sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 788/957] sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 789/957] sched/fair: Clear rel_deadline when initializing forked entities Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 790/957] net: mctp i2c: check length before marking flow active Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 791/957] md/raid1,raid10: dont fail devices for invalid IO errors Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 792/957] md: add fallback to correct bitmap_ops on version mismatch Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 793/957] md: factor bitmap creation away from sysfs handling Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 794/957] md/md-bitmap: split bitmap sysfs groups Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 795/957] md/md-bitmap: add a none backend for bitmap grow Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 796/957] s390/mm: Fix phys_to_folio() usage in do_secure_storage_access() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 797/957] net: phy: dp83869: fix setting CLK_O_SEL field Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 798/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 799/957] drm/amdgpu/vcn: set no_user_fence for VCN v2.5 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 800/957] drm/amdgpu/vcn: set no_user_fence for VCN v3.0 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 801/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 802/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 803/957] drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 804/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 805/957] drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 806/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 807/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 808/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 809/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 810/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 811/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 812/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 813/957] drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 814/957] io_uring/napi: cap busy_poll_to 10 msec Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 815/957] net: psp: check for device unregister when creating assoc Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 816/957] net: psp: require admin permission for dev-set and key-rotate Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 817/957] ASoC: codecs: ab8500: Fix casting of private data Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 818/957] netfilter: skip recording stale or retransmitted INIT Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 819/957] sctp: discard stale INIT after handshake completion Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 820/957] bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 821/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (III) Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 822/957] net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 823/957] netconsole: propagate device name truncation in dev_name_store() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 824/957] ALSA: hda/conexant: Fix missing error check for jack detection Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 825/957] ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 826/957] ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1 Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 827/957] futex: Prevent lockup in requeue-PI during signal/ timeout wakeup Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 828/957] drm/amd/display: Allow DCE link encoder without AUX registers Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 829/957] drm/amd/display: Allow constructing DCE6 link encoder without DDC Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 830/957] drm/amd/display: Allow constructing DCE8 " Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 831/957] drm/amd/display: Read EDID from VBIOS embedded panel info Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 832/957] drm/xe/debugfs: Correct printing of register whitelist ranges Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 833/957] drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 834/957] drm/xe/eustall: Fix drm_dev_put called before stream disable in close Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 835/957] drm/xe/gsc: Fix BO leak on error in query_compatibility_version() Greg Kroah-Hartman
2026-05-20 16:21 ` [PATCH 6.18 836/957] net: airoha: fix BQL imbalance in TX path Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 837/957] net: airoha: Do not return err in ndo_stop() callback Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 838/957] bonding: print churn state via netlink Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 839/957] bonding: 3ad: implement proper RCU rules for port->aggregator Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 840/957] page_pool: fix memory-provider leak in page_pool_create_percpu() error path Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 841/957] iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 842/957] iavf: stop removing VLAN filters from PF on interface down Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 843/957] iavf: wait for PF confirmation before removing VLAN filters Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 844/957] iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 845/957] ice: fix NULL pointer dereference in ice_reset_all_vfs() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 846/957] ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 847/957] ice: fix missing SMA pin initialization in DPLL subsystem Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 848/957] ice: fix SMA and U.FL pin state changes affecting paired pin Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 849/957] ice: fix missing dpll notifications for SW pins Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 850/957] dpll: Allow associating dpll pin with a firmware node Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 851/957] dpll: Add notifier chain for dpll events Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 852/957] dpll: export __dpll_pin_change_ntf() for use under dpll_lock Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 853/957] ice: add dpll peer notification for paired SMA and U.FL pins Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 854/957] net: tls: fix strparser anchor skb leak on offload RX setup failure Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 855/957] sfc: fix error code in efx_devlink_info_running_versions() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 856/957] net/sched: cls_flower: revert unintended changes Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 857/957] kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 858/957] arm64: Reserve an extra page for early kernel mapping Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 859/957] futex: Drop CLONE_THREAD requirement for private default hash alloc Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 860/957] Revert "pseries/papr-hvpipe: Fix race with interrupt handler" Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 861/957] Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()" Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 862/957] PCI: Initialize temporary device in new_id_store() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 863/957] erofs: fix offset truncation when shifting pgoff on 32-bit platforms Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 864/957] bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 865/957] net: airoha: Fix a copy and paste bug in probe() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 866/957] fuse: fix race when disposing stale dentries Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 867/957] fuse: make sure dentry is evicted if stale Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 868/957] rtla: Fix parse_cpu_set() bug introduced by strtoi() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 869/957] net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 870/957] net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 871/957] net/sched: sch_pie: annotate more data-races in pie_dump_stats() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 872/957] net: airoha: Remove code duplication in airoha_regs.h Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 873/957] net: airoha: Use gdm port enum value whenever possible Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 874/957] net: airoha: Fix VIP configuration for AN7583 SoC Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 875/957] net: mana: Fix use-after-free in reset service rescan path Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 876/957] net: mana: Init gf_stats_work before potential error paths in probe Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 877/957] sched/fair: Fix wakeup_preempt_fair() for not waking up task Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 878/957] sched/fair: Revert force wakeup preemption Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 879/957] crypto: af_alg - Cap AEAD AD length to 0x80000000 Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 880/957] i40e: Cleanup PTP pins on probe failure Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 881/957] workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 882/957] net: ena: PHC: Fix potential use-after-free in get_timestamp Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 883/957] netfilter: nf_conntrack_sip: get helper before allocating expectation Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 884/957] audit: fix incorrect inheritable capability in CAPSET records Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 885/957] net: ena: PHC: Check return code before setting timestamp output Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 886/957] cgroup/dmem: Return -ENOMEM on failed pool preallocation Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 887/957] idpf: fix double free and use-after-free in aux device error paths Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 888/957] Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 889/957] netfilter: nft_ct: fix missing expect put in obj eval Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 890/957] net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 891/957] audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 892/957] KVM: Reject wrapped offset in kvm_reset_dirty_gfn() Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 893/957] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 894/957] KVM: x86: Fix Xen hypercall tracepoint argument assignment Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 895/957] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
2026-05-20 16:22 ` [PATCH 6.18 896/957] HID: core: introduce hid_safe_input_report() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 897/957] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 898/957] fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0 Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 899/957] ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 900/957] media: staging: imx: configure src_mux in csi_start Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 901/957] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 902/957] nvme-apple: Reset q->sq_tail during queue init Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 903/957] smb/client: fix possible infinite loop and oob read in symlink_data() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 904/957] drm/loongson: Use managed KMS polling Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 905/957] drm: Replace old pointer to new idr Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 906/957] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 907/957] platform/x86: intel: Move debugfs register before creating devices Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 908/957] platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 909/957] platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 910/957] accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 911/957] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 912/957] ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 913/957] ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 914/957] ALSA: usb-audio: Bound MIDI " Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 915/957] ALSA: usb-audio: qcom: Check offload mapping failures Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 916/957] btrfs: only release the dirty pages io tree after successful writes Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 917/957] ceph: fix a buffer leak in __ceph_setxattr() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 918/957] ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 919/957] io-wq: check that the predecessor is hashed in io_wq_remove_pending() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 920/957] iommu/amd: Bounds-check devid in __rlookup_amd_iommu() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 921/957] x86/kexec: Push kjump return address even for non-kjump kexec Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 922/957] xfs: fix memory leak on error in xfs_alloc_zone_info() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 923/957] virt: sev-guest: Do not use host-controlled page order in cleanup path Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 924/957] riscv: misaligned: Make enabling delegation depend on NONPORTABLE Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 925/957] powerpc/warp: Fix error handling in pika_dtm_thread Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 926/957] netfs: fix error handling in netfs_extract_user_iter() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 927/957] nfsd: fix file change detection in CB_GETATTR Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 928/957] irqchip/riscv-imsic: Clear interrupt move state during CPU offlining Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 929/957] irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 930/957] irqchip/gic-v5: Move LPI allocation into the LPI domain Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 931/957] irqchip/gic-v5: Support range allocation for LPIs Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 932/957] irqchip/gic-v5: Allocate ITS parent LPIs as a range Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 933/957] libceph: Fix potential out-of-bounds access in osdmap_decode() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 934/957] libceph: Fix potential null-ptr-deref in decode_choose_args() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 935/957] libceph: Fix potential out-of-bounds access in crush_decode() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 936/957] libceph: handle rbtree insertion error in decode_choose_args() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 937/957] iommu/vt-d: Disable DMAR for Intel Q35 IGFX Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 938/957] iommu/vt-d: Fix oops due to out of scope access Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 939/957] iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 940/957] drm/i915: skip __i915_request_skip() for already signaled requests Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 941/957] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 942/957] drm/xe/dma-buf: handle empty bo and UAF races Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 943/957] drm/xe/dma-buf: fix UAF with retry loop Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 944/957] drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 945/957] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 946/957] drm/gma500/oaktrail_lvds: fix hang on init failure Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 947/957] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 948/957] drm/v3d: Reject empty multisync extension to prevent infinite loop Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 949/957] eventfs: Use list_add_tail_rcu() for SRCU-protected children list Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 950/957] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 951/957] btrfs: do not mark inode incompressible after inline attempt fails Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 952/957] perf/x86/intel: Disable PMI for self-reloaded ACR events Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 953/957] sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 954/957] sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 955/957] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
2026-05-20 16:23 ` [PATCH 6.18 956/957] spi: sifive: Simplify clock handling with devm_clk_get_enabled() Greg Kroah-Hartman
2026-05-20 16:24 ` [PATCH 6.18 957/957] spi: sifive: fix controller deregistration Greg Kroah-Hartman
2026-05-20 17:21 ` [PATCH 6.18 000/957] 6.18.32-rc1 review Barry K. Nathan
2026-05-20 17:42 ` Florian Fainelli
2026-05-21 6:06 ` Wentao Guan
2026-05-21 6:14 ` Peter Schneider
2026-05-21 8:26 ` Greg Kroah-Hartman
2026-05-21 9:06 ` Pavel Machek
2026-05-21 9:18 ` Jon Hunter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox